From 514cca9adeca3f24c6854859d793d26a583329f8 Mon Sep 17 00:00:00 2001 From: "Sergey G. Brester" Date: Mon, 1 Aug 2022 09:20:28 +0200 Subject: filter.d/sendmail-auth.conf: detect failures without user part --- config/filter.d/sendmail-auth.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/filter.d/sendmail-auth.conf b/config/filter.d/sendmail-auth.conf index de1f8e36..3fa3c701 100644 --- a/config/filter.d/sendmail-auth.conf +++ b/config/filter.d/sendmail-auth.conf @@ -15,7 +15,7 @@ addr = (?:IPv6:|) prefregex = ^%(__prefix_line)s.+$ failregex = ^(\S+ )?\[%(addr)s\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$ - ^AUTH failure \([^\)]+\):(?: [^:]+:)? (?:authentication failure|user not found): [^,]*, user=(?:\S+|.*?), relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$ + ^AUTH failure \([^\)]+\):(?: [^:]+:)? (?:authentication failure|user not found): [^,]*, (?:user=(?:\S+|.*?), )?relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$ ignoreregex = journalmatch = _SYSTEMD_UNIT=sendmail.service -- cgit v1.2.1
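Review bot: The second `failregex` alternative now makes the whole `user=..., ` field optional, but the filter carries no comment saying which log form this covers; a line above `failregex` such as `# AUTH failures may be logged without a "user=" field, only "relay="` would keep the optional group auditable. The text after `user=` is presumably client-supplied and is matched with `.*?`, so the address taken from `\[%(addr)s\]` is only trustworthy because the `relay=` part stays anchored to `$`. That dependency is worth stating in the same comment so the anchor is not loosened later. As a style point, `(?:\S+|.*?)` is redundant because `.*?` already matches everything `\S+` does, so `user=.*?, ` is equivalent and backtracks less. The diffstat shown is limited to `config`, so I cannot tell whether a sample log line for the user-less form was added to the filter's tests; if not, one should accompany this change.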