I think a "+" does a greedy match, so matches as many characters as it can. Try changing it to a "*" or restricting it further with an "[A-Z]*".
FWIW I have postfix set up to reject improper command pipelining so you then get something like "lost connection after HELO from whatever" and I match on that.

Also to help postfix, I added "smtpd_client_restrictions = reject_unknown_reverse_client_hostname" which stops anyone whose IP does not have a reverse DNS record. It does not test the validity and it is not recommended to, just that one exists. It is a mandatory requirement for SMTP servers to have a reverse DNS record (but it does not need to match the sending FQDN). This stops all mail from "unknown" which you can then pick up in f2b with "lost connection from unknown" or something like it.

You can test the restriction by using warn_if_reject like "smtpd_client_restrictions = warn_if_reject reject_unknown_reverse_client_hostname" so postfix only warns and does not reject.

Nick

On 2016-08-11 12:58, Jacques Lav!gnotte. wrote:
> Hello,
>
> I tried a whole bunch of minutes ( more than 60 )
>
> but I can't get this rule to match :
>
> fail2ban-regex \
>
> "Aug 10 23:56:35 emf postfix/smtpd[26006]: improper command pipelining
> after HELO from unknown[113.57.97.103]: QUIT\r\n" \
>
> "^%(__prefix_line)simproper command pipelining after \S+ from
> [^[]*\[<HOST>\]:.*$"
>
> Can anyone help ?
>
> TIA, Jacques

_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
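An added example, not part of the thread and not fail2ban's own code: a small Python harness for checking the body of the rule discussed above, and the variants mentioned in the reply, against sample log lines offline. `TIMESTAMP`, `PREFIX` and `HOST` are simplified assumptions standing in for fail2ban's date detection, `%(__prefix_line)s` and `<HOST>`; the `lost-unknown` rule is hypothetical, and every log line except the one quoted in the thread is constructed.

```python
import re

# Assumptions: simplified stand-ins for fail2ban's own expansions.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d")  # syslog date
PREFIX = r"\s*\S+ postfix/smtpd\[\d+\]:\s+"      # for %(__prefix_line)s
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"      # for <HOST>, IPv4 only

RULES = {
    # The rule from the thread, unchanged.
    "pipelining": r"^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:.*$",
    # Same rule with the command restricted to [A-Z]*, as suggested in the reply.
    "pipelining-strict": r"^%(__prefix_line)simproper command pipelining after [A-Z]* from [^[]*\[<HOST>\]:.*$",
    # Hypothetical rule for clients that have no reverse DNS record.
    "lost-unknown": r"^%(__prefix_line)slost connection after \S+ from unknown\[<HOST>\]\s*$",
}

# First line is the one quoted in the thread; the others are constructed.
LINES = [
    r"Aug 10 23:56:35 emf postfix/smtpd[26006]: improper command pipelining after HELO from unknown[113.57.97.103]: QUIT\r\n",
    "Aug 10 23:57:01 emf postfix/smtpd[26010]: lost connection after HELO from unknown[203.0.113.7]",
    "Aug 10 23:58:12 emf postfix/smtpd[26011]: connect from mail.example.org[198.51.100.20]",
]

def compile_rule(pattern):
    """Expand the two placeholders used in the thread's rule and compile it."""
    return re.compile(pattern.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST))

def find_host(pattern, line):
    """Return the offending IP if the rule matches the line, else None."""
    rest = TIMESTAMP.sub("", line, count=1)   # match on the text after the date
    m = compile_rule(pattern).search(rest)
    return m.group("host") if m else None

def scan(lines, rules=RULES):
    """Return (rule name, IP) for every rule that matches each line."""
    hits = []
    for line in lines:
        for name, pattern in rules.items():
            host = find_host(pattern, line)
            if host:
                hits.append((name, host))
    return hits

if __name__ == "__main__":
    for name, host in scan(LINES):
        print(f"{name}: would ban {host}")
```

A rule that matches here but not under `fail2ban-regex` points at the parts this harness only approximates: prefix expansion, date handling, or shell quoting of the arguments.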
