Don't process failed EXTERNAL authentication by mod_fail2ban

This will only lead to confusion because it's not considered
possible to brute force client certificates.

diff --git a/src/mod_fail2ban.erl b/src/mod_fail2ban.erl
index 7c59fefcb8ec60f560d92d5cae5503f1a10bae89..29247a0d12d1c08b3bdfdcbc968370c6c38f7d02 100644 (file)
--- a/src/mod_fail2ban.erl
+++ b/src/mod_fail2ban.erl
@@ -53,6 +53,9 @@
 %%%===================================================================
 -spec c2s_auth_result(ejabberd_c2s:state(), true | {false, binary()}, binary())
       -> ejabberd_c2s:state() | {stop, ejabberd_c2s:state()}.
+c2s_auth_result(#{sasl_mech := Mech} = State, {false, _}, _User)
+  when Mech == <<"EXTERNAL">> ->
+    State;
 c2s_auth_result(#{ip := {Addr, _}, lserver := LServer} = State, {false, _}, _User) ->
     case is_whitelisted(LServer, Addr) of
        true ->