I found that with csf v5.14 we never receive the "failed SMTP AUTH" and "SMTP AUTH relay" alerts. (Our server uses Exim.)
I checked regex.pm and found that the relevant regexes are outdated and no longer match the log lines our Exim writes. Would you please update them?
For your reference, this is a patch we are using:
--- regex.pm.orig 2010-12-10 18:20:19.000000000 +0800
+++ regex.pm 2011-01-07 18:12:53.000000000 +0800
@@ -188,7 +188,7 @@
}
#Exim SMTP AUTH
- if (($config{LF_SMTPAUTH}) and ($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /^\S+\s+\S+\s+fixed_login authenticator failed for \S+ (\S+ )?\[(\S+)\]: 535 Incorrect authentication data \(set_id=(\S+)\)/)) {
+ if (($config{LF_SMTPAUTH}) and ($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /^\S+\s+\S+\s+login authenticator failed for (\S+ )?\(\S+\) \[(\S+)\]: 535 Incorrect authentication data \(set_id=(\S+)\)/)) {
$ip = $2; $acc = $3; $ip =~ s/^::ffff://;
if (&checkip($ip)) {return ("Failed SMTP AUTH login from","$ip|$acc","smtpauth")} else {return}
}
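Review bot: The new pattern on the `+` line still hard-codes the authenticator name (`login`, previously `fixed_login`), so any deployment whose Exim authenticator is named differently — that name is chosen in the site's exim.conf — keeps silently missing every failed AUTH attempt, which is fail-open for the brute-force detection this rule exists to provide. It also makes the parenthesised HELO part mandatory (`\(\S+\) \[`), whereas the old pattern accepted `hostname [ip]`; as far as I recall Exim prints the `(helo)` part only when a HELO name is present and differs from the host name, so both parts should be optional — please confirm against a current Exim log before relying on the exact shape. A pattern that accepts any authenticator name and all host/HELO shapes is `/^\S+\s+\S+\s+\S+ authenticator failed for (?:\S+ )?(?:\(\S+\) )?\[(\S+)\]: 535 Incorrect authentication data \(set_id=(\S+)\)/`, with the following line changed to `$ip = $1; $acc = $2; $ip =~ s/^::ffff://;` since the captures shift. The same hard-coded authenticator-name list reappears in the AUTHRELAY hunk below (`login|plain`), and the `set_id` value captured into `$acc` is attacker-supplied text that ends up in the alert, which deserves a comment such as `# $acc is the client-supplied login name: untrusted, for reporting only`. The enclosing sub starts above this hunk.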
@@ -310,7 +310,7 @@
return;
}
- if (($tline =~ / A=(courier_plain|courier_login|dovecot_plain|dovecot_login|fixed_login|fixed_plain):/) and ($tline =~ / P=(esmtpa|esmtpsa) /)) {
+ if (($tline =~ / A=(courier_plain|courier_login|dovecot_plain|dovecot_login|login|plain):/) and ($tline =~ / P=(esmtpa|esmtpsa) /)) {
return ($ip, "AUTHRELAY");
}