On Tue, Dec 11, 2012 at 5:03 PM, Scott Nelson <wa6...@gmail.com> wrote:
>
> On Dec 11, 2012, at 3:55 PM, dan (ddp) wrote:
>
>> On Mon, Dec 10, 2012 at 12:53 PM, Scott <wa6...@gmail.com> wrote:
>>> I'm having trouble making a rule to eliminate this false positive, rule 1002
>>> is kicking in:
>>>
>>> sendmail[24167]: qBAHj1gY023631: to=<fatal-err...@example.com>,
>>> delay=00:00:06, xdelay=00:00:05, mailer=esmtp, pri=120705,
>>> relay=xyz.example.com. [1.2.3.4], dsn=2.0.0, stat=Sent (Ok: queued as
>>> 4D47E343E84D)
>>>
>>> This e-mail was successful, even though it is sent to a mailbox for errors.
>>>
>>
>> <rule id="100103" level="1">
>>   <if_sid>1002</if_sid>
>>   <match>fatal-err...@example.com</match>
>>   <description>Not an error</description>
>> </rule>
>
> I would have tried that, but doesn't that mean I'd have to add in additional
> rules to catch failed messages?

Only if they contain that email address. Change the match to:

<match>Ok: queued as </match>

And you won't 1002 on any messages that are supposed to be queued.

You could match on the fatal-errors@blahblah as above, but set the level
higher. Then create a child rule matching the Ok: queued bit.
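
The second option described in the reply above, written out as a pair of OSSEC local rules. This is an added example, not part of the original thread: the rule IDs, the levels 5 and 1, the group name and the descriptions are assumptions, and the address is shortened to the `fatal-errors@` prefix because the full address is truncated in the archive.

```xml
<!-- local_rules.xml: added example, not from the original thread.
     Rule IDs, levels, group name and descriptions are assumed values. -->
<group name="local,syslog,sendmail,">

  <!-- Parent: rule 1002 fired and the log line mentions the error mailbox.
       The level (assumed 5) is set higher so that failed deliveries to
       this mailbox stand out. "fatal-errors@" is only a prefix;
       substitute the full address. -->
  <rule id="100103" level="5">
    <if_sid>1002</if_sid>
    <match>fatal-errors@</match>
    <description>sendmail: message involving the error mailbox</description>
  </rule>

  <!-- Child: same line, but sendmail reports that the relay accepted and
       queued the message, so this is a successful delivery. -->
  <rule id="100104" level="1">
    <if_sid>100103</if_sid>
    <match>Ok: queued as </match>
    <description>sendmail: delivery to the error mailbox succeeded</description>
  </rule>

</group>
```

Feeding a sendmail line like the one in the thread to `ossec-logtest` shows which of the two rules fires before the change goes live.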