filter.d/sendmail-auth.conf: detect failures without user part

author: Sergey G. Brester <serg.brester@sebres.de> 2022-08-01 09:20:28 +0200
committer: GitHub <noreply@github.com> 2022-08-01 09:20:28 +0200
commit: 514cca9adeca3f24c6854859d793d26a583329f8 (patch)
tree: cea6cbe73058561752aa501387087a3044420f5c /config
parent: 3a8ab0c70aa7a04cae374b8afb7251fc540bc5bf (diff)
download: fail2ban-514cca9adeca3f24c6854859d793d26a583329f8.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/config/filter.d/sendmail-auth.conf b/config/filter.d/sendmail-auth.conf
index de1f8e36..3fa3c701 100644
--- a/config/filter.d/sendmail-auth.conf
+++ b/config/filter.d/sendmail-auth.conf
@@ -15,7 +15,7 @@ addr = (?:IPv6:<IP6>|<IP4>)
 prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
 
 failregex = ^(\S+ )?\[%(addr)s\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
-            ^AUTH failure \([^\)]+\):(?: [^:]+:)? (?:authentication failure|user not found): [^,]*, user=<F-USER>(?:\S+|.*?)</F-USER>, relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$
+            ^AUTH failure \([^\)]+\):(?: [^:]+:)? (?:authentication failure|user not found): [^,]*, (?:user=<F-USER>(?:\S+|.*?)</F-USER>, )?relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$
 ignoreregex =
 
 journalmatch = _SYSTEMD_UNIT=sendmail.service
author	Sergey G. Brester <serg.brester@sebres.de>	2022-08-01 09:20:28 +0200
committer	GitHub <noreply@github.com>	2022-08-01 09:20:28 +0200
commit	514cca9adeca3f24c6854859d793d26a583329f8 (patch)
tree	cea6cbe73058561752aa501387087a3044420f5c /config
parent	3a8ab0c70aa7a04cae374b8afb7251fc540bc5bf (diff)
download	fail2ban-514cca9adeca3f24c6854859d793d26a583329f8.tar.gz