Exim SMTPAUTH and AUTHRELAY regex outdated
Posted: 07 Jan 2011, 10:29
Hello,
I found that with csf v5.14 we never receive failed SMTP AUTH and SMTP AUTH relay alerts. (Our server use Exim)
I checked the file regex.pm and found the related regexes are outdated. Would you please update them?
For your reference, this is a patch we are using:
Ken
I found that with csf v5.14 we never receive failed SMTP AUTH and SMTP AUTH relay alerts. (Our server use Exim)
I checked the file regex.pm and found the related regexes are outdated. Would you please update them?
For your reference, this is a patch we are using:
Code: Select all
--- regex.pm.orig 2010-12-10 18:20:19.000000000 +0800
+++ regex.pm 2011-01-07 18:12:53.000000000 +0800
@@ -188,7 +188,7 @@
}
#Exim SMTP AUTH
- if (($config{LF_SMTPAUTH}) and ($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /^\S+\s+\S+\s+fixed_login authenticator failed for \S+ (\S+ )?\[(\S+)\]: 535 Incorrect authentication data \(set_id=(\S+)\)/)) {
+ if (($config{LF_SMTPAUTH}) and ($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /^\S+\s+\S+\s+login authenticator failed for (\S+ )?\(\S+\) \[(\S+)\]: 535 Incorrect authentication data \(set_id=(\S+)\)/)) {
$ip = $2; $acc = $3; $ip =~ s/^::ffff://;
if (&checkip($ip)) {return ("Failed SMTP AUTH login from","$ip|$acc","smtpauth")} else {return}
}
@@ -310,7 +310,7 @@
return;
}
- if (($tline =~ / A=(courier_plain|courier_login|dovecot_plain|dovecot_login|fixed_login|fixed_plain):/) and ($tline =~ / P=(esmtpa|esmtpsa) /)) {
+ if (($tline =~ / A=(courier_plain|courier_login|dovecot_plain|dovecot_login|login|plain):/) and ($tline =~ / P=(esmtpa|esmtpsa) /)) {
return ($ip, "AUTHRELAY");
}