2 - Official postfix rules for OSSEC.
4 - Author: Daniel B. Cid
5 - License: http://www.ossec.net/en/licensing.html
<!-- NOTE(review): this listing is a rendered excerpt. The </rule> closing tags and
     the <regex>/<match> conditions of several rules (3301-3305, 3331, 3351-3357)
     are not visible here; the comments below only describe what is shown. -->

<!-- Shared event-count threshold for the composite (frequency/timeframe) rules below.
     Tune this value to adjust how many rejects within a timeframe escalate to an alert. -->
8 <var name="POSTFIX_FREQ">6</var>

<!-- Trailing comma in the group list is the OSSEC convention for multi-valued fields. -->
10 <group name="syslog,postfix,">

<!-- Parent rule: every event produced by the postfix-reject decoder lands here.
     Level 0 means it never alerts on its own; child rules refine it via if_sid. -->
11 <rule id="3300" level="0">
12 <decoded_as>postfix-reject</decoded_as>
13 <description>Grouping of the postfix reject rules.</description>

<!-- Single relay attempt rejected by client host restrictions.
     Consecutive <description> elements are concatenated into one alert text. -->
16 <rule id="3301" level="6">
19 <description>Attempt to use mail server as relay </description>
20 <description>(client host rejected).</description>

<!-- Single rejection by a Postfix access list. -->
24 <rule id="3302" level="6">
27 <description>Rejected by access list </description>
28 <description>(Requested action not taken).</description>

<!-- 450 sender domain lookup failure; a temporary reject, hence the lower level. -->
32 <rule id="3303" level="5">
35 <description>Sender domain is not found </description>
36 <description>(450: Requested mail action not taken).</description>

<!-- 503 bad command sequence; typical of clients that do not wait for replies. -->
40 <rule id="3304" level="5">
43 <description>Improper use of SMTP command pipelining </description>
44 <description>(503: Bad sequence of commands).</description>

<!-- 504 recipient without FQDN.
     NOTE(review): "Receipent" in the description is a typo for "Recipient"; left as-is
     here because the description is alert text, not a comment. -->
48 <rule id="3305" level="5">
51 <description>Receipent address must contain FQDN </description>
52 <description>(504: Command parameter not implemented).</description>

<!-- Refines 3301/3302: the same reject line also mentions an RBL/DNSBL block. -->
56 <rule id="3306" level="6">
57 <if_sid>3301, 3302</if_sid>
58 <match> blocked using </match>
59 <description>IP Address black-listed by anti-spam (blocked).</description>

<!-- Parent rule for events from the generic postfix decoder (not the reject decoder). -->
63 <rule id="3320" level="0">
64 <decoded_as>postfix</decoded_as>
65 <description>Grouping of the postfix rules.</description>

<!-- Process/service failure. ignore="240": once fired, repeats are suppressed for
     240 seconds. The trailing '|' on the first <match> continues the alternation into
     the second <match>; the two elements form one pattern. -->
68 <rule id="3330" level="10" ignore="240">
70 <match>defer service failure|Resource temporarily unavailable|</match>
71 <match>^fatal: the Postfix mail system is not running</match>
72 <description>Postfix process error.</description>
73 <group>service_availability,</group>

<!-- Single SASL authentication failure; 3357 below counts these for brute-force detection. -->
76 <rule id="3332" level="5">
78 <match> authentication failed</match>
79 <description>Postfix SASL authentication failure.</description>
80 <group>authentication_failed,</group>

<!-- Disk space exhaustion; repeats suppressed for 120 seconds after firing.
     NOTE(review): rule ids 3331/3332 are out of numeric order in the file. -->
83 <rule id="3331" level="10" ignore="120">
86 <description>Postfix insufficient disk space error.</description>
87 <group>service_availability,</group>

<!-- Informational: daemon start. -->
90 <rule id="3334" level="3">
92 <match>^daemon started </match>
93 <description>Postfix started.</description>

<!-- Daemon shutdown on signal; higher level because mail service is now unavailable. -->
96 <rule id="3333" level="7">
98 <match>^terminating on signal</match>
99 <description>Postfix stopped.</description>
100 <group>service_availability,</group>

<!-- Composite rules (3351-3357): fire when the referenced single-event rule matches
     $POSTFIX_FREQ times within the given timeframe (seconds). -->

<!-- Repeated relay attempts (3301) within 90 seconds. -->
103 <rule id="3351" level="6" frequency="$POSTFIX_FREQ" timeframe="90">
104 <if_matched_sid>3301</if_matched_sid>
106 <description>Multiple relaying attempts of spam.</description>
107 <group>multiple_spam,</group>

<!-- Repeated access-list rejections (3302). -->
110 <rule id="3352" level="6" frequency="$POSTFIX_FREQ" timeframe="120">
111 <if_matched_sid>3302</if_matched_sid>
113 <description>Multiple attempts to send e-mail from a </description>
114 <description>rejected sender IP (access).</description>
115 <group>multiple_spam,</group>

<!-- Repeated unknown-sender-domain rejections (3303); escalated to level 10. -->
118 <rule id="3353" level="10" frequency="$POSTFIX_FREQ" timeframe="120">
119 <if_matched_sid>3303</if_matched_sid>
121 <description>Multiple attempts to send e-mail from </description>
122 <description>invalid/unknown sender domain.</description>
123 <group>multiple_spam,</group>

<!-- Repeated bad command sequences (3304); the highest level in this file. -->
126 <rule id="3354" level="12" frequency="$POSTFIX_FREQ" timeframe="120">
127 <if_matched_sid>3304</if_matched_sid>
129 <description>Multiple misuse of SMTP service </description>
130 <description>(bad sequence of commands).</description>
131 <group>multiple_spam,</group>

<!-- Repeated non-FQDN recipient rejections (3305). -->
134 <rule id="3355" level="10" frequency="$POSTFIX_FREQ" timeframe="120">
135 <if_matched_sid>3305</if_matched_sid>
137 <description>Multiple attempts to send e-mail to </description>
138 <description>invalid recipient or from unknown sender domain.</description>
139 <group>multiple_spam,</group>

<!-- Repeated RBL-blocked senders (3306); repeats suppressed for 30 seconds. -->
142 <rule id="3356" level="10" frequency="$POSTFIX_FREQ" timeframe="120" ignore="30">
143 <if_matched_sid>3306</if_matched_sid>
145 <description>Multiple attempts to send e-mail from </description>
146 <description>black-listed IP address (blocked).</description>
147 <group>multiple_spam,</group>

<!-- Repeated SASL failures (3332): the password-guessing signal for this file.
     NOTE(review): uses a literal frequency="6" instead of $POSTFIX_FREQ, so changing
     the variable above does not adjust this threshold; consider "$POSTFIX_FREQ" for
     consistency with 3351-3356. -->
150 <rule id="3357" level="10" frequency="6" timeframe="120" ignore="60">
151 <if_matched_sid>3332</if_matched_sid>
153 <description>Multiple SASL authentication failures.</description>
154 <group>authentication_failures,</group>

<!-- Parent rule for clamsmtpd (ClamAV SMTP filter) log lines; level 0, no alert. -->
157 <rule id="3390" level="0">
158 <match>^clamsmtpd: </match>
159 <description>Grouping of the clamsmtpd rules.</description>

161 </group> <!-- SYSLOG,POSTFIX -->