Problem with authenticated user, sendmail auth and rule '\[<HOST>\] \(may be forged\)'

[jobst]

Hi

Overall my fail2ban and sendmail-auth works as expected.

However, I have a problem with SOME of my users, they authenticate, can send the email and then are put in jail.
The rule that is triggered is the "(may be forged)" as some of the ISP's cannot set their lookups properly.

failregex = \[<HOST>\] \(may be forged\)
            \[<HOST>\] .*to MTA
            \[<HOST>\], reject.*\.\.\. Relaying denied
            authentication failure: checkpass failed, relay=\[<HOST>\]

Below are the ones that show up when sending ONE email (I killed many lines that arent needed here):

Jul 16 16:17:48 MYSERVER sendmail[26706]: STARTTLS=server, relay=220-253-126-200.tpgi.com.au [220.253.126.200] (may be forged), version=TLSv1, verify=NO, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Jul 16 16:17:48 MYSERVER sendmail[26706]: AUTH=server, relay=220-253-126-200.tpgi.com.au [220.253.126.200] (may be forged), authid=USERNAME 
Jul 16 16:17:48 MYSERVER sendmail[26706]: AUTH=server, relay=220-253-126-200.tpgi.com.au [220.253.126.200] (may be forged), authid=USERNAME

If my users send one mail, then send another mail a few minutes later they are put in jail as I have "maxretry=5".

I know I can set

ignoreregex = .*tpgi.com.au \[<HOST>\] \(may be forged\).*

but I also read that "ignoreregex" takes a performance hit.
The rule(s) are NOT quite working yet, I am still trying to fine tune this.

Now my questions:
Is there a way to set something like "if they are authenticated don't bother to check other rules"?
Is there another way I can prevent the "(may be forged)" from triggering for certain situations?

[sebres]

if they are authenticated don't bother to check other rules

An how one would detect it? From your log excerpt it is not obvious, or else you removed such lines since "killed many lines that arent needed here".
Anyway there is indeed a way to do that, there are tags <F-MLFFORGET> and <F-MLFGAINED> which allow to forget previous pending failures by multi-line parsing with <F-MLFID> with same session ID, see an example in sshd-filter:

fail2ban/config/filter.d/sshd.conf

Line 61 in 10cd815

^<F-MLFFORGET><F-MLFGAINED>Accepted \w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\S+</F-USER> from <HOST>(?:\s|$)

Just you must also ensure to capture the user name (tag <F-USER>) to avoid situation that a user with an account (able to authenticate) firstly trying to brute force another account of other users (see #2102 (comment) for details). If fail2ban sees different users in attempts it would not ignore/forget such failures.

Or better use more precise expression which would produce no match on those lines, e. g. like in mode extra/aggressive in sendmail-reject filter, for instance

fail2ban/config/filter.d/sendmail-reject.conf

Line 37 in 10cd815

mdre-extra = ^(?:\S+ )?\[%(addr)s\](?: \(may be forged\))? did not issue \S+ during connection

You would need to find differences by such messages from attempts of legitimate users and the bots, if there is no such difference it is impossible to use this RE without to consider false positives. Another way is to increase maxretry (and probably findtime), but it could nevertheless generate a fails for legitimate users later, once they sends more mails.

[jobst]

Question:
Are the "ignoreregex=" really that costly if I keep this to a limit of just a few?

[sebres]

The ignoreregex will be executed for every matched line, so yes it costs time (especially by such an unanchored regex). How costly it is depends on many factors inclusive the log traffic etc, so better try to avoid it if possible, also note wiki :: Best practice for more information.