Exim SMTPAUTH and AUTHRELAY regex outdated

ken_hk
Junior Member
Posts: 15
Joined: 25 Sep 2009, 06:02

Exim SMTPAUTH and AUTHRELAY regex outdated

Post by ken_hk »

Hello,

I found that with csf v5.14 we never receive failed SMTP AUTH and SMTP AUTH relay alerts. (Our server uses Exim.)

I checked the file regex.pm and found the related regexes are outdated. Would you please update them?

For your reference, this is a patch we are using:


--- regex.pm.orig       2010-12-10 18:20:19.000000000 +0800
+++ regex.pm    2011-01-07 18:12:53.000000000 +0800
@@ -188,7 +188,7 @@
        }

 #Exim SMTP AUTH
-       if (($config{LF_SMTPAUTH}) and ($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /^\S+\s+\S+\s+fixed_login authenticator failed for \S+ (\S+ )?\[(\S+)\]: 535 Incorrect authentication data \(set_id=(\S+)\)/)) {
+       if (($config{LF_SMTPAUTH}) and ($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /^\S+\s+\S+\s+login authenticator failed for (\S+ )?\(\S+\) \[(\S+)\]: 535 Incorrect authentication data \(set_id=(\S+)\)/)) {
         $ip = $2; $acc = $3; $ip =~ s/^::ffff://;
                if (&checkip($ip)) {return ("Failed SMTP AUTH login from","$ip|$acc","smtpauth")} else {return}
        }
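Review bot: the authenticator name is hardcoded as `login` in the replacement regex, while the second hunk accepts `login|plain` plus the courier and dovecot names; a failed attempt through a `plain` (or `dovecot_login`) authenticator logs `plain authenticator failed for ...` and will not match here, so the alternation should be the same list in both places. The match is also positional: `^\S+\s+\S+\s+` assumes the authenticator name follows the time directly, and `\[(\S+)\]: 535` assumes nothing sits between the client address and the response, so a log_selector that adds fields there (Ken's `+incoming_interface` case below) defeats the whole line; locating the `[address]` and `set_id=` fields with separate unanchored searches would survive that.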
@@ -310,7 +310,7 @@
                return;
        }

-       if (($tline =~ / A=(courier_plain|courier_login|dovecot_plain|dovecot_login|fixed_login|fixed_plain):/) and ($tline =~ / P=(esmtpa|esmtpsa) /)) {
+       if (($tline =~ / A=(courier_plain|courier_login|dovecot_plain|dovecot_login|login|plain):/) and ($tline =~ / P=(esmtpa|esmtpsa) /)) {
                return ($ip, "AUTHRELAY");
        }
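Review bot: removing `fixed_login` and `fixed_plain` from the `A=` alternation silently drops AUTHRELAY detection on servers whose exim configuration still names its authenticators that way; the value after `A=` is whatever name the administrator gave the authenticator, not a fixed token. Either keep the old names alongside the new ones (`fixed_login|fixed_plain|login|plain`), or match `A=\S+:` and let `P=(esmtpa|esmtpsa)` carry the decision, since the protocol field is what actually records that the session was authenticated.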
Ken
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Re: Exim SMTPAUTH and AUTHRELAY regex outdated

Post by chirpy »

These have now been updated with the latest release of csf.
ken_hk
Junior Member
Posts: 15
Joined: 25 Sep 2009, 06:02

Re: Exim SMTPAUTH and AUTHRELAY regex outdated

Post by ken_hk »

Hi Chirpy,

Sorry, but I forgot to check with the Exim log selectors. If administrators want to play with them, the regex will fail! For example, I just tested with "+incoming_interface" and it failed to detect any Exim events.

You may want to adjust the regex so that it can handle all cases, i.e. not rely on the order of the log data. If you can test, you may try using the "+all" selector.

Ken
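The following is an added example for this thread, not csf's code and not Ken's patch: Python (rather than csf's Perl) that does what the two regexes above are for, detecting Exim `authenticator failed` lines and authenticated `<=` message arrivals, but locates each field with its own unanchored search so that log_selector additions such as `+incoming_interface`, `+pid` and `+incoming_port` do not break the match, which is the problem raised in the last post. The sample log lines are constructed for the example; the placement of the `I=[addr]:port` and `[pid]` tokens follows the Exim log_selector documentation, and the hosts, IDs and accounts are made up. The `normalise_ip` guard stands in for csf's `checkip` and the `::ffff:` strip shown in the first hunk.

```python
"""Order-tolerant matching of Exim SMTP AUTH failures and authenticated
relays (added example for this thread, not csf's own code).

Fields are found independently of their position on the line, so that
log_selector additions such as +incoming_interface (I=[addr]:port), +pid
([pid] after the timestamp) or +incoming_port ([ip]:port) do not defeat
the match.  All sample log lines below are constructed for the example.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines (not real traffic).  The I=[...]:port and [pid]
# placement follows the Exim log_selector documentation; the rest is made up.
SAMPLE_LOG = """\
2011-01-07 18:12:53 login authenticator failed for (example.net) [192.0.2.10]: 535 Incorrect authentication data (set_id=alice)
2011-01-07 18:12:55 plain authenticator failed for mail.example.org (mail) [2001:db8::5]: 535 Incorrect authentication data (set_id=bob)
2011-01-07 18:12:57 login authenticator failed for (x) [::ffff:198.51.100.7] I=[203.0.113.5]:587: 535 Incorrect authentication data (set_id=carol)
2011-01-07 18:12:59 [4242] dovecot_login authenticator failed for (y) [192.0.2.10]:51234 I=[203.0.113.5]:25: 535 Incorrect authentication data (set_id=alice)
2011-01-07 18:13:00 1PbB7l-0003Dq-1b <= alice@example.net H=(example.net) [192.0.2.10] P=esmtpa A=login:alice S=1024
2011-01-07 18:13:02 [4243] 1PbB7m-0003Dr-2c <= bob@example.org H=mail.example.org (mail) [2001:db8::5] I=[203.0.113.5]:587 P=esmtpsa X=TLSv1:AES256-SHA:256 A=dovecot_plain:bob S=2048
2011-01-07 18:13:04 1PbB7n-0003Ds-3d <= eve@example.com H=(evil) [198.51.100.9] P=esmtp S=512
2011-01-07 18:13:06 1PbB7o-0003Dt-4e <= root@localhost U=root P=local S=300
"""

# Any authenticator name is accepted; the peer description between
# "failed for" and the 535 response is captured whole and picked apart later.
AUTH_FAIL_RE = re.compile(
    r"(?P<auth>\S+) authenticator failed for (?P<peer>.*?): "
    r"535 Incorrect authentication data \(set_id=(?P<acc>\S+)\)"
)
# I=[interface]:port (from +incoming_interface) is removed before looking
# for the client's own [address], so it can never be mistaken for the client.
IFACE_RE = re.compile(r"\bI=\[[^\]]*\](?::\d+)?")
BRACKET_RE = re.compile(r"\[([^\]]+)\]")
PROTO_RE = re.compile(r"(?:^|\s)P=(esmtpa|esmtpsa)(?=\s|$)")
AUTHD_RE = re.compile(r"(?:^|\s)A=([^:\s]+):(\S+)")


def normalise_ip(raw: str) -> Optional[str]:
    """Strip the IPv4-mapped prefix and reject anything that is not an IP
    (the role csf's checkip() plays before an address is ever blocked)."""
    ip = raw[len("::ffff:"):] if raw.startswith("::ffff:") else raw
    try:
        return str(ipaddress.ip_address(ip))
    except ValueError:
        return None


def client_ip(fragment: str) -> Optional[str]:
    """First [address] in the fragment once I=[...] tokens are removed;
    a trailing :port from +incoming_port sits outside the brackets."""
    m = BRACKET_RE.search(IFACE_RE.sub("", fragment))
    return normalise_ip(m.group(1)) if m else None


def parse_auth_failure(line: str) -> Optional[Dict[str, str]]:
    """Failed SMTP AUTH attempt -> {event, ip, account, authenticator}."""
    m = AUTH_FAIL_RE.search(line)
    if not m:
        return None
    ip = client_ip(m.group("peer"))
    if ip is None:
        return None
    return {"event": "smtpauth", "ip": ip, "account": m.group("acc"),
            "authenticator": m.group("auth")}


def parse_authrelay(line: str) -> Optional[Dict[str, str]]:
    """Message arrival (<=) over an authenticated SMTP session; the P= and
    A= fields are searched for separately, in whatever order they appear."""
    if " <= " not in line or " H=" not in line:
        return None
    proto, auth = PROTO_RE.search(line), AUTHD_RE.search(line)
    if not (proto and auth):
        return None
    ip = client_ip(line[line.index(" H="):])
    if ip is None:
        return None
    return {"event": "AUTHRELAY", "ip": ip, "account": auth.group(2),
            "authenticator": auth.group(1), "proto": proto.group(1)}


def scan(log: str) -> List[Dict[str, str]]:
    """All smtpauth / AUTHRELAY events found in a log text."""
    events = []
    for line in log.splitlines():
        ev = parse_auth_failure(line) or parse_authrelay(line)
        if ev:
            events.append(ev)
    return events


def failures_per_ip(log: str) -> Counter:
    """Failed-login count per client, the figure a blocking threshold uses."""
    return Counter(e["ip"] for e in scan(log) if e["event"] == "smtpauth")


if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(ev)
    print(failures_per_ip(SAMPLE_LOG))
```

Run against `SAMPLE_LOG` this yields four failures (two from 192.0.2.10, one each from 2001:db8::5 and 198.51.100.7) and two authenticated relays; the unauthenticated `P=esmtp` arrival and the local `U=root` submission produce nothing. The design point is that the client address is taken from the first bracketed token after "failed for" (or after `H=`) once any `I=[...]` token has been removed, so the selector-added fields that broke the positional regex are simply ignored rather than needing to be enumerated.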