Your message dated Sat, 16 Aug 2025 13:12:37 +0100 with message-id <caj3buot3jachiohs9pk1nz3ean6jpesyqv556zeuzjn6vyb...@mail.gmail.com> and subject line Re: bad rule in ignore for saslauthd (patch included) has caused the Debian Bug report #690145, regarding saslauthd rules - pam fix to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
690145: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690145
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---Package: logcheck-database Version: 1.3.13 Severity: normal File: /etc/logcheck/ignore.d.server/saslauthd The following patch fixes a bug in the regex for ignoring useless lines from saslauthd authentication failures (/etc/logcheck/ignore.d.server/saslauthd) on this Squeeze system: --- saslauthd.orig 2012-10-10 08:37:50.000000000 -0400 +++ saslauthd 2012-10-10 08:38:10.000000000 -0400 
@@ -4,7 +4,7 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= [[:space:]]*user=[-._[:alnum:]]+$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: \(pam_unix\) check pass; user unknown$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: pam_unix\(:auth\): check pass; user unknown$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: do_auth[[:space:]]*: auth failure: \[user=[._[:alnum:]-]+\] \[service=smtp\] \[realm=[._[:alnum:]-]+\] \[mech=pam\] \[reason=PAM auth error\]$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: do_request[[:space:]]*: NULL password received$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: pam_unix\([[:alnum:]]+:[[:alnum:]]+\): check pass; user unknown$ -- System Information: Debian Release: 6.0.6 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- Configuration Files: /etc/logcheck/violations.d/logcheck changed [not included] /etc/logcheck/violations.ignore.d/logcheck-sudo [Errno 2] No such file or directory: u'/etc/logcheck/violations.ignore.d/logcheck-sudo' -- no debconf information
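Review bot: the added rule, `pam_unix\(:auth\): check pass; user unknown$`, only matches messages whose PAM service name is empty, while the last context line of the hunk already ignores `pam_unix\([[:alnum:]]+:[[:alnum:]]+\): check pass; user unknown$` with a non-empty service. If saslauthd on this system really logs an empty service name, changing the first `[[:alnum:]]+` of that existing rule to `[[:alnum:]]*` would cover both forms without adding a near-duplicate line. The hunk also deletes the `\(pam_unix\)` rule outright, although the "authentication failure" context line above it still uses that older format, so keeping the old rule next to the new one avoids regressing systems that still log it.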
--- End Message ---
--- Begin Message ---
On Tue, 28 May 2024 00:24:21 +0100 Richard Lewis <[email protected]> wrote:
> On Wed, 10 Oct 2012 09:24:26 -0400 CJ Fearnley <[email protected]> wrote:
>
> > File: /etc/logcheck/ignore.d.server/saslauthd
>
> > The following patch fixes a bug in the regex for ignoring
> > useless lines from saslauthd authentication failures
> > (/etc/logcheck/ignore.d.server/saslauthd) on this Squeeze system:
> >
>
> > -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]:
> > \(pam_unix\) check pass; user unknown$
> > +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]:
> > pam_unix\(:auth\): check pass; user unknown$
>
> This looks to still apply some 12 years later, in the sense that the rules
> have
>
> <usual prefix with saslauthd +PID>: \(pam_unix\) check pass; user unknown$
>
> But I'm unclear that the new line ' pam_unix\(:auth\): check pass; user
> unknown' is the right solution in 2024 - I'd expect something like:
> pam_unix\(????:auth\): check pass; user unknown$
>
> but I don't know what the ???? would be.
>
> Think we need an update before this can be applied.

A year later, closing as the suggested rules do not look valid.

If there is some issue with rules for saslauthd, please reopen with updated suggestion.

(I'm not sure we should even be hiding messages about unknown users logging in at all?)
--- End Message ---
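The rules discussed in this thread can be checked against sample log lines before an ignore file is changed. The script below is an added example, not part of the bug report or of logcheck: it applies the three "check pass; user unknown" rules from the patch with grep -E -v -f and prints what stays visible. The log lines are constructed, and the host name "mail", the service name "smtp" and the PID are assumptions.

```sh
#!/bin/sh
# Added example: compare what the saslauthd ignore rules leave unfiltered
# before and after the patch. Rules are copied from the report; the log
# lines are constructed samples ("mail", "smtp" and PID 1234 are assumptions).

PREFIX='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: '
OLD_RULE="${PREFIX}"'\(pam_unix\) check pass; user unknown$'        # removed by the patch
NEW_RULE="${PREFIX}"'pam_unix\(:auth\): check pass; user unknown$'  # added by the patch
# Unchanged context line at the end of the hunk.
CTX_RULE="${PREFIX}"'pam_unix\([[:alnum:]]+:[[:alnum:]]+\): check pass; user unknown$'

BEFORE=$(printf '%s\n%s' "$OLD_RULE" "$CTX_RULE")
AFTER=$(printf '%s\n%s' "$NEW_RULE" "$CTX_RULE")

# Constructed log lines: old format, empty service name, named service.
SAMPLE_LOG='Oct 10 08:37:50 mail saslauthd[1234]: (pam_unix) check pass; user unknown
Oct 10 08:37:51 mail saslauthd[1234]: pam_unix(:auth): check pass; user unknown
Oct 10 08:37:52 mail saslauthd[1234]: pam_unix(smtp:auth): check pass; user unknown'

# Print the lines of $2 that none of the rules in $1 (one ERE per line) match.
unfiltered() {
    rules_file=$(mktemp) || return 1
    printf '%s\n' "$1" > "$rules_file"
    rc=0
    printf '%s\n' "$2" | grep -E -v -f "$rules_file" || rc=$?
    rm -f "$rules_file"
    [ "$rc" -le 1 ]   # exit status 1 only means every line was filtered
}

echo "Unfiltered with the rules before the patch:"
unfiltered "$BEFORE" "$SAMPLE_LOG"
echo "Unfiltered with the rules after the patch:"
unfiltered "$AFTER" "$SAMPLE_LOG"
```

The named-service line is filtered in both runs by the unchanged context rule, so the patch only changes which of the other two formats remains visible.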

