1 <!-- @(#) $Id: ./etc/rules/postfix_rules.xml, 2011/09/08 dcid Exp $
3 - Official postfix rules for OSSEC.
5 - Author: Daniel B. Cid
6 - License: http://www.ossec.net/en/licensing.html
9 <var name="POSTFIX_FREQ">6</var>
<!--
  Postfix rules for OSSEC.

  Layout: two level-0 grouping parents (3300 for events decoded as
  "postfix-reject", 3320 for everything decoded as "postfix") never alert on
  their own; the single-event rules hang off them, and the 335x rules
  correlate repeated child alerts.  $POSTFIX_FREQ (declared just above this
  group, value 6) is the repeat threshold shared by most correlation rules.
  Consecutive <description> elements are joined into one alert string, which
  is why several end in a trailing space.

  NOTE(review): this copy of the file omits some selector lines (<if_sid>,
  <match>/<id>, <same_source_ip/>) under several rules; the comments below
  describe only what is visible and should be re-checked against the full
  file.
-->
<group name="syslog,postfix,">
<!-- Grouping parent for reject events (level 0: ignored, never alerted). -->
<rule id="3300" level="0">
  <decoded_as>postfix-reject</decoded_as>
  <description>Grouping of the postfix reject rules.</description>
<!-- Open-relay probe: a single event alerts at level 6 and feeds 3351 and 3306. -->
<rule id="3301" level="6">
  <description>Attempt to use mail server as relay </description>
  <description>(client host rejected).</description>
<!-- Client refused by an access map; feeds 3352 and 3306. -->
<rule id="3302" level="6">
  <description>Rejected by access list </description>
  <description>(Requested action not taken).</description>
<!--
  450 is a temporary (4xx) rejection: a legitimate sender with a transient
  DNS problem will retry and keep hitting this, which is presumably why a
  single event stays at level 5; bursts escalate through 3353.
-->
<rule id="3303" level="5">
  <description>Sender domain is not found </description>
  <description>(450: Requested mail action not taken).</description>
<!-- Client sent commands before the server replied (503); feeds 3354. -->
<rule id="3304" level="5">
  <description>Improper use of SMTP command pipelining </description>
  <description>(503: Bad sequence of commands).</description>
<!-- 504 on a non-FQDN recipient address; feeds 3355. -->
<rule id="3305" level="5">
  <description>Recipient address must contain FQDN </description>
  <description>(504: Command parameter not implemented).</description>
<!--
  Refines 3301/3302 when the reject text contains "blocked using" (typically
  a DNS-based blocklist lookup).  Same level as its parents; feeds 3356.
-->
<rule id="3306" level="6">
  <if_sid>3301, 3302</if_sid>
  <match> blocked using </match>
  <description>IP Address deny-listed by anti-spam (blocked).</description>
<!-- Grouping parent for all other postfix events (level 0: ignored). -->
<rule id="3320" level="0">
  <decoded_as>postfix</decoded_as>
  <description>Grouping of the postfix rules.</description>
<!--
  Process-level failures.  Consecutive <match> elements are concatenated into
  one pattern, so the '|' closing the first line is the alternation separator
  for the 'fatal:' pattern - keep it if these lines are edited or reordered.
  ignore="240": after one alert, further alerts from this rule are suppressed
  for 240 s.
-->
<rule id="3330" level="10" ignore="240">
  <match>defer service failure|Resource temporarily unavailable|</match>
  <match>^fatal: the Postfix mail system is not running</match>
  <description>Postfix process error.</description>
  <group>service_availability,</group>
<!-- One SASL failure: low level on its own; repeats are counted by 3357. -->
<rule id="3332" level="5">
  <match> authentication failed</match>
  <description>Postfix SASL authentication failure.</description>
  <group>authentication_failed,</group>
<!-- Out-of-disk condition (selector line not shown here); 120 s re-alert suppression. -->
<rule id="3331" level="10" ignore="120">
  <description>Postfix insufficient disk space error.</description>
  <group>service_availability,</group>
<!-- Informational startup marker; a planned restart shows 3333 followed by this. -->
<rule id="3334" level="3">
  <match>^daemon started </match>
  <description>Postfix started.</description>
<!-- Postfix terminating on a signal: level 7 because an unplanned stop is a mail outage. -->
<rule id="3333" level="7">
  <match>^terminating on signal</match>
  <description>Postfix stopped.</description>
  <group>service_availability,</group>
<!--
  Correlation rules 3351-3356: fire when $POSTFIX_FREQ alerts from the named
  child rule arrive within "timeframe" seconds.
  NOTE(review): confirm each of these carries <same_source_ip/> (not all
  selector lines are reproduced here).  Without it, six rejections from six
  unrelated hosts also trip the rule, which matters if an active response
  keys on srcip.  3351 uses a 90 s window while the others use 120 s -
  confirm that difference is intentional.
-->
<rule id="3351" level="6" frequency="$POSTFIX_FREQ" timeframe="90">
  <if_matched_sid>3301</if_matched_sid>
  <description>Multiple relaying attempts of spam.</description>
  <group>multiple_spam,</group>
<rule id="3352" level="6" frequency="$POSTFIX_FREQ" timeframe="120">
  <if_matched_sid>3302</if_matched_sid>
  <description>Multiple attempts to send e-mail from a </description>
  <description>rejected sender IP (access).</description>
  <group>multiple_spam,</group>
<!-- Repeated 450s: escalates the low-level single event to 10 (see note on 3303 about transient DNS failures). -->
<rule id="3353" level="10" frequency="$POSTFIX_FREQ" timeframe="120">
  <if_matched_sid>3303</if_matched_sid>
  <description>Multiple attempts to send e-mail from </description>
  <description>invalid/unknown sender domain.</description>
  <group>multiple_spam,</group>
<!-- Highest level in this file: repeated protocol abuse (pipelining) from one client. -->
<rule id="3354" level="12" frequency="$POSTFIX_FREQ" timeframe="120">
  <if_matched_sid>3304</if_matched_sid>
  <description>Multiple misuse of SMTP service </description>
  <description>(bad sequence of commands).</description>
  <group>multiple_spam,</group>
<!--
  Child of 3305 (non-FQDN recipient).  NOTE(review): the description also
  mentions "unknown sender domain", which is 3303/3353's case; verify the
  wording against 3305's selector before relying on it in alert triage.
-->
<rule id="3355" level="10" frequency="$POSTFIX_FREQ" timeframe="120">
  <if_matched_sid>3305</if_matched_sid>
  <description>Multiple attempts to send e-mail to </description>
  <description>invalid recipient or from unknown sender domain.</description>
  <group>multiple_spam,</group>
<!-- Repeated blocklist hits; ignore="30" suppresses re-alerting for 30 s. -->
<rule id="3356" level="10" frequency="$POSTFIX_FREQ" timeframe="120" ignore="30">
  <if_matched_sid>3306</if_matched_sid>
  <description>Multiple attempts to send e-mail from </description>
  <description>deny-listed IP address (blocked).</description>
  <group>multiple_spam,</group>
<!--
  SASL brute-force detector.  frequency is hard-coded to 6 rather than
  $POSTFIX_FREQ (same value today) - tune it separately if the spam threshold
  changes.  ignore="60" caps this at one alert per 60 s during a sustained
  attack, so use 3332 event counts, not 3357 alert counts, to measure attempt
  rates.  "authentication_failures" (plural) is the conventional OSSEC group
  for correlated failures, distinct from "authentication_failed" on 3332;
  active-response configs usually key on the former.
-->
<rule id="3357" level="10" frequency="6" timeframe="120" ignore="60">
  <if_matched_sid>3332</if_matched_sid>
  <description>Multiple SASL authentication failures.</description>
  <group>authentication_failures,</group>
<!-- Grouping parent for clamsmtpd child rules (level 0: ignored). -->
<rule id="3390" level="0">
  <match>^clamsmtpd: </match>
  <description>Grouping of the clamsmtpd rules.</description>
</group> <!-- SYSLOG,POSTFIX -->