[EMAIL PROTECTED] (maximilian attems) 23.07.05 17:48:

> On Sat, 23 Jul 2005, Rainer Zocholl wrote:
>> from time to time i get such (false) "Security Event".
>>
>> Seems to become common practice :-(
>>
>> Again a "security event", i assume "promiscuous" in msgid
>> triggered.
>>
>> Jul 23 14:46:26 host sm-mta[25759]: j6NCkQTS025759:
>> from=<[EMAIL PROTECTED]>, size=16186, class=0,
>> nrcpts=1, msgid=<[EMAIL PROTECTED]>,
>> proto=ESMTP, daemon=MTA, relay=...

> what's that strange sm-mta thing?

That's a normal sendmail...
sm-mta: "Send Mail - Mail Transport Agent"

/etc/logcheck/ignore.d.server/sendmail:
...
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*: from=
...
(rule not truncated!)

> it doesn't appear to be a debian package:
> apt-cache search sm-mta doesn't return anything nor
> packages.debian.org

it's part of sendmail.

Package: sendmail
Version: 8.13.4-3

> sorry in that case you have to craft your own rules in local-sm-mta
> inside of violations.ignore.d.
> guess we can close that "bug" unless other evidence appears.

No, most other such messages are suppressed (see rule above).
Only if the address, message IDs etc. contain "violation trigger words"
is a -false- security event generated.

That would allow a third party to generate any amount of false security
events or annoy the postmaster with false positives.

I assume that will be a possible problem with exim, postfix MTA too,
as long as logcheck scans these logs.

Maybe it should be assigned as a sendmail bug?

The current (local) sendmail rules:

/etc/logcheck/violations.ignore.d# cat sendmail
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: could not find auxprop plugin, was searching for 'saslauthd'
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: could not find auxprop plugin, was searching for 'sasldb'
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: could not find auxprop plugin, was searching for sasldb
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: alias database .* rebuilt
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*stat=(Refused|Deferred)
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: gethostbyaddr\(.*\) failed:
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: rejecting connections on daemon
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: DIGEST-MD5: failed .* later in exchange
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*reject=450 4\.7\.1 <[^>]+>... Relaying temporarily denied. Cannot resolve PTR record for [0-9\.]+$
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*reject=451 4\.1\.8 Domain of sender address [^]+ does not resolve$
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*reject=550 5\.7\.1 Access denied$
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*reject=550 5\.7\.1 <[^>]+>... Relaying denied. Proper authentication required.$
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*reject=550 5\.7\.1 <[^>]+>... Relaying denied. IP name lookup failed \[[0-9\.]+\]$
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*reject=550 5\.7\.1 <[^>]+>... Relaying denied. IP name lookup possibly forged \[[0-9\.]+\]$
(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*reject=553 5\.1\.8 <[^>]+>... Relaying temporarily denied. Cannot resolve PTR record for [0-9\.]+$

Rainer
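The matching behaviour discussed above, as an added example that is not part of the thread or of logcheck itself: a small emulation of logcheck's two passes over constructed sendmail and kernel log lines, showing that a "promisc" trigger word inside a sender-supplied msgid raises a Security Event even though ignore.d.server already suppresses the line, and that copying the same from= rule into violations.ignore.d removes that false positive without hiding the genuine kernel promiscuous-mode message. The violation keyword list is an assumed illustrative subset; the addresses and IDs in the sample lines are invented.

```python
import re

# Constructed sample log lines shaped like the ones in the thread (addresses and IDs invented).
SAMPLE_LOG = [
    "Jul 23 14:46:26 host sm-mta[25759]: j6NCkQTS025759: from=<someone@example.org>, "
    "size=16186, class=0, nrcpts=1, msgid=<promiscuous.12345@example.org>, "
    "proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]",
    "Jul 23 14:46:27 host sm-mta[25760]: j6NCkQTS025759: to=<user@example.net>, "
    "delay=00:00:01, stat=Sent",
    "Jul 23 14:50:01 host kernel: device eth0 entered promiscuous mode",
]

# Assumed illustrative subset of the trigger words logcheck keeps in
# /etc/logcheck/violations.d/; logcheck matches them case-insensitively.
VIOLATIONS = [r"promisc", r"attack", r"denied"]

# The rule quoted in the thread from /etc/logcheck/ignore.d.server/sendmail.
IGNORE_SERVER = [r"(sendmail|sm-(mta|msp|que))\[[0-9]+\]: .*: from="]


def _matches(line, patterns, ignore_case=False):
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.search(p, line, flags) for p in patterns)


def logcheck_run(log, violations, violations_ignore, ignore):
    """Emulate logcheck: Security Events are lines hitting a violations.d pattern
    and no violations.ignore.d pattern; System Events are lines hitting no
    ignore.d pattern. The two passes are independent, so a line that ignore.d
    suppresses can still be reported as a security event."""
    security = [l for l in log
                if _matches(l, violations, True) and not _matches(l, violations_ignore)]
    system = [l for l in log if not _matches(l, ignore)]
    return security, system


def without_fix():
    # violations.ignore.d has no sendmail from= rule: the msgid alone raises a security event.
    return logcheck_run(SAMPLE_LOG, VIOLATIONS, [], IGNORE_SERVER)


def with_fix():
    # Assumption: the same from= rule placed in a local violations.ignore.d file.
    # The sendmail line is suppressed; the kernel promiscuous-mode line is still reported.
    return logcheck_run(SAMPLE_LOG, VIOLATIONS, IGNORE_SERVER, IGNORE_SERVER)


if __name__ == "__main__":
    for name, (sec, sys_ev) in (("without fix", without_fix()), ("with fix", with_fix())):
        print(f"{name}: {len(sec)} security event(s), {len(sys_ev)} system event(s)")
```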

