Package: logcheck-database
Version: 1.2.49
Severity: normal
Tags: patch
This report is against 1.2.49, but looking at the changelog for 1.2.50,
I don't think these are already fixed.

I use sender and recipient tables to reject mail at RCPT TO time and I
have one system for which I serve as an MX record that is frequently down
and has frequent network problems. The current rules return a lot of
security violation and system event false positives for those cases.

Attached are two patches, one to the violations.ignore.d file and one to
the ignore.d.server file, that clear up all of my false positives. Note,
though, that the current rule matching the Ok part of a forwarded message
didn't make much sense to me; the parentheses seemed oddly doubled and in
a way that didn't match the messages that I see. I took a stab at fixing
it but I'm not sure that I captured the cases correctly.
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages logcheck-database depends on:
ii debconf [debconf-2.0] 1.5.8 Debian configuration management sy
logcheck-database recommends no packages.
-- debconf information:
logcheck-database/conffile-cleanup: false
* logcheck-database/rules-directories-note:
logcheck-database/standard-rename-note:
--- /tmp/logcheck-postfix 2006-11-03 18:11:58.000000000 -0800
+++ violations.ignore.d/logcheck-postfix 2006-11-03 22:07:34.000000000
-0800
@@ -26,7 +26,9 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:upper:]0-9]+:
reject: RCPT from [^[:space:]]+: [45][0-9][0-9] <[^[:space:]]+>: Client host
rejected: Greylisted for [0-9]+ (seconds|minutes)( \(see
http://isg.ee.ethz.ch/tools/postgrey/help/[.[:alnum:]-]+.html\))?;
from=<[^[:space:]]+> to=<[^[:space:]]+> proto=(ESMTP|SMTP) helo=<[^[:space:]]+>$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [[:alnum:]]+:
from=<[^[:space:]]*>, size=[0-9]+, nrcpt=[0-9]+ \(queue active\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/local\[[0-9]+\]:
[[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)*
relay=local, delay=[0-9]+, status=sent \(delivered to command:
/var/lib/mailman/mail/mailman admin [._[:alnum:]-]+\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject:
[[:upper:]]+ from [^[:space:]]+: 554 <[^[:space:]]+>: Client host rejected:
Access denied;( from=<[^[:space:]]+> to=<[^[:space:]]+>)? proto=E?SMTP(
helo=<[^[:space:]]+>)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject:
[[:upper:]]+ from [^[:space:]]+: 554 <[^[:space:]]+>: Client host rejected:
Access denied;( from=<[^[:space:]]*> to=<[^[:space:]]+>)? proto=E?SMTP(
helo=<[^[:space:]]+>)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject:
[[:upper:]]+ from [^[:space:]]+: 554( 5\.7\.1)? <[^[:space:]]+>: Relay access
denied;( from=<[^[:space:]]*> to=<[^[:space:]]+>)? proto=E?SMTP(
helo=<[^[:space:]]+>)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]:
(NOQUEUE|[[:xdigit:]]+): reject: [[:upper:]]+ from [^[:space:]]+: 550(
5\.1\.[01])? <[^[:space:]]+>: (Sender|Recipient) address rejected: User unknown
in (local|relay) recipient table;( from=<[^[:space:]]*> to=<[^[:space:]]+>)?
proto=E?SMTP( helo=<[^[:space:]]+>)?$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]:
[[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)*
relay=[^[:space:]]+,( conn_use=[[:digit:]]+,)? delay=[.0-9]+,( delays=[.0-9/]+,
dsn=[0-9.]+,)? status=sent \(250 [0-9.]+ Ok((, id=[-0-9]+, from
MTA(\([^[:space:]]+\))?: 250 ([0-9.]+ )?Ok: queued as [0-9A-F]+|, discarded,
UBE, id=[-0-9]+))*\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]:
warning: [-._[:alnum:]]+\[[.[:digit:]]+\]: SASL
(LOGIN|PLAIN|(DIGEST|CRAM)-MD5|APOP) authentication failed:?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]:
warning: SASL authentication failure: Password verification failed$
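Review bot: none of the three `reject:` rules added here has a counterpart in the ignore.d.server/postfix patch, while the `250 ... Ok` rule that both files carry (unchanged context at `postfix/[ls]mtp` in this hunk, rewritten in the second patch) shows that a line needs an entry in both files before it disappears from the report; unless ignore.d.server/postfix already has a broader `reject:` pattern, these three lines will stop showing up as security events only to surface as system events, so either add them to the second file as well or say why that is not needed. On the last added rule, `(Sender|Recipient)` next to `5\.1\.[01]` also accepts `5.1.1` with `Sender` and `5.1.0` with `Recipient`, pairings Postfix does not produce (it uses 5.1.0 for the sender check and 5.1.1 for the recipient check), so writing out `5\.1\.0 <[^[:space:]]+>: Sender` and `5\.1\.1 <[^[:space:]]+>: Recipient` keeps it as tight as the rules around it; and `(NOQUEUE|[[:xdigit:]]+)` accepts lowercase hex whereas the greylisting rule at the top of this hunk spells the same queue-id field `[[:upper:]0-9]+`, so use one spelling. Finally, suppressing every `User unknown in local recipient table` rejection also hides the burst such rejections make during a directory-harvest run against the MX; that is a reasonable default for a distribution rule set but deserves a line in the changelog so sites that watch for it know to override it locally.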
--- /tmp/postfix 2006-11-03 18:14:02.000000000 -0800
+++ ignore.d.server/postfix 2006-11-04 11:45:38.000000000 -0800
@@ -4,6 +4,8 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+:
removed$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+:
to=<[^[:space:]]+>, relay=none, delay=[0-9]+, status=deferred \(delivery
temporarily suspended: connect to [^[:space:]]+: (Connection timed out|read
timeout|Connection refused)\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+:
to=<[^[:space:]]+>, relay=none, delay=[0-9]+, status=deferred \(delivery
temporarily suspended: Host or domain name not found. Name service error for
name=[^[:space:]]+ type=MX: Host not found, try again\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+:
to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=none,( conn_use=[0-9]+,)?
delay=[0-9.]+,( delays=[0-9./]+,)?( dsn=4\.[0-9]\.[0-9],)? status=deferred
\(delivery temporarily suspended: lost connection with [^[:space:]]+ while
sending [[:alnum:]]+( [[:alnum:]]+)?\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+:
to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=none,( conn_use=[0-9]+,)?
delay=[0-9.]+,( delays=[0-9./]+,)?( dsn=4\.[0-9]\.[0-9],)? status=deferred
\(delivery temporarily suspended: conversation with [^[:space:]]+ timed out
while sending end of data -- message may be sent more than once\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: unable to open
Berkeley db /etc/sasldb: No such file or directory$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: verify
error:num=10:certificate has expired$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: verify
error:num=18:self signed certificate$
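Review bot: `while sending [[:alnum:]]+( [[:alnum:]]+)?\)$` in the first added rule allows at most two words after `sending`, so `lost connection with ... while sending end of data -- message may be sent more than once`, the dropped-connection twin of the timeout message the second added rule handles, stays unmatched and will keep coming back as a system event; either enumerate the phases the way the second rule does for its one case (`MAIL FROM`, `RCPT TO`, `DATA command`, `message body`, `end of data -- message may be sent more than once`) or use `( [[:alnum:]]+)*` with an optional `( -- message may be sent more than once)?` tail. Two smaller points: `dsn=4\.[0-9]\.[0-9]` pins both subcodes to a single digit, while the sent rule later in this file accepts `dsn=[0-9.]+`; and the two `status=deferred` context rules just above still say `delay=[0-9]+`, so on a Postfix that logs fractional delays (the same versions that emit the `delays=` and `dsn=` fields these new rules allow for) they stop matching and the `Connection timed out` and `Host not found` deferrals return as noise; changing them to `delay=[0-9.]+` in the same patch keeps the file consistent.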
@@ -68,7 +70,7 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Illegal
address syntax from
[._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\] in MAIL
command: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: SSL_accept error
from [._[:alnum:]-]+\[[0-9a-f.:]{3,39}\]: -1$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning:
smtpd_spf_result: unknown SPF result 4 \(unknown\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]:
[[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)*
relay=[^[:space:]]+,( conn_use=[[:digit:]]+,)? delay=[.0-9]+,( delays=[.0-9/]+,
dsn=[0-9.]+,)? status=sent \(250 [0-9.]+ Ok((, id=[-0-9]+, from
MTA(\([^[:space:]]+\))?: 250 ([0-9.]+ )?Ok: queued as [0-9A-F]+|, discarded,
UBE, id=[-0-9]+))*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]:
[[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)*
relay=[^[:space:]]+,( conn_use=[[:digit:]]+,)? delay=[.0-9]+,( delays=[.0-9/]+,
dsn=[0-9.]+,)? status=sent \(250 [0-9.]+ Ok((, id=[-0-9]+, from
MTA(\([^[:space:]]+\))?: 250 ([0-9.]+ )?Ok)?: queued as [0-9A-F]+|, discarded,
UBE, id=[-0-9]+)*\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/local\[[0-9]+\]:
[[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)*
relay=local, delay=[0-9]+, status=sent \(delivered to command: exec
/usr/bin/procmail\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: : SPF pass:
smtp_comment=.*: [.[:alnum:]]+ MX [.[:alnum:]]+ A [0-9a-f.:]+,
header_comment=[.[:alnum:]+: domain of [%[:punct:][:alnum:[EMAIL
PROTECTED]:alnum:]]+ designates [0-9a-f.:]{3,39} as permitted sender$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/anvil\[[0-9]+\]: statistics: max
(message|recipient|connection) (count|rate) [/[:digit:]s]+ for
\(([.[:digit:]]{1,16}:)?(smtp(s)?|25|587):[.[:digit:]]+\) at \w{3} [ :0-9]{11}$
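Review bot: the identical `postfix/[ls]mtp ... status=sent \(250 ... Ok` rule in violations.ignore.d/logcheck-postfix is left as unchanged context in the first patch, so after this hunk the two copies diverge and a line that is now quiet under system events is still reported as a security event; apply the same rewrite there. The new form does what the old one could not: it accepts the plain Postfix-to-Postfix reply `250 2.0.0 Ok: queued as ABCDEF`, because `(, id=..., from MTA(...)?: 250 ... Ok)?` makes the amavisd-new prefix optional before `: queued as`, whereas the old rule required it; the doubled parentheses in the old version were harmless (an inner group wrapping the alternation), but the `(...)*` loop in the new one also accepts repeats such as `Ok: queued as A: queued as B`, which costs nothing but is worth a comment in the file. `Ok` is matched case-sensitively, so a downstream host answering `250 OK` (Exim, for one) will still leak; not something this patch has to solve, but it limits the fix to Postfix and amavisd-style replies. Also, the `[EMAIL PROTECTED]` in the `policy-spf` context line is the list archive's address obfuscation, so this hunk as quoted will not apply with `patch`; please attach the files rather than paste them inline.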
_______________________________________________
Logcheck-devel mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/logcheck-devel
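For anyone who wants to check a rule like these before filing it, the following is an added example (not code from this report or from the logcheck-database package) that does what logcheck does with each rule file, `grep -E -f RULEFILE`, against a handful of constructed Postfix log lines and prints what still leaks through. It loads only the `250 ... Ok` rule as it stood before and after the second patch, the two new `qmgr` deferral rules and the new `User unknown` rule; host names, queue IDs, addresses, timestamps and the log lines themselves are made up for the test, and `\w` in the rules is a GNU grep extension, as on Debian.

```shell
#!/bin/sh
# Added example, not code from the bug report or from logcheck-database:
# apply candidate logcheck rules to constructed Postfix log lines the way
# logcheck itself does (grep -E -f RULEFILE) and list what is not covered.
# Every host name, queue ID, address and timestamp below is made up; only
# the rule text is copied from the patch.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The "250 ... Ok" rule as it stood before the patch (one pattern per line).
cat >"$WORK/rules.old" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)* relay=[^[:space:]]+,( conn_use=[[:digit:]]+,)? delay=[.0-9]+,( delays=[.0-9/]+, dsn=[0-9.]+,)? status=sent \(250 [0-9.]+ Ok((, id=[-0-9]+, from MTA(\([^[:space:]]+\))?: 250 ([0-9.]+ )?Ok: queued as [0-9A-F]+|, discarded, UBE, id=[-0-9]+))*\)$
EOF

# The patched "250 ... Ok" rule plus the two qmgr deferral rules and the
# "User unknown" rule the patch adds.
cat >"$WORK/rules.new" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)* relay=[^[:space:]]+,( conn_use=[[:digit:]]+,)? delay=[.0-9]+,( delays=[.0-9/]+, dsn=[0-9.]+,)? status=sent \(250 [0-9.]+ Ok((, id=[-0-9]+, from MTA(\([^[:space:]]+\))?: 250 ([0-9.]+ )?Ok)?: queued as [0-9A-F]+|, discarded, UBE, id=[-0-9]+)*\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=none,( conn_use=[0-9]+,)? delay=[0-9.]+,( delays=[0-9./]+,)?( dsn=4\.[0-9]\.[0-9],)? status=deferred \(delivery temporarily suspended: lost connection with [^[:space:]]+ while sending [[:alnum:]]+( [[:alnum:]]+)?\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=none,( conn_use=[0-9]+,)? delay=[0-9.]+,( delays=[0-9./]+,)?( dsn=4\.[0-9]\.[0-9],)? status=deferred \(delivery temporarily suspended: conversation with [^[:space:]]+ timed out while sending end of data -- message may be sent more than once\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: (NOQUEUE|[[:xdigit:]]+): reject: [[:upper:]]+ from [^[:space:]]+: 550( 5\.1\.[01])? <[^[:space:]]+>: (Sender|Recipient) address rejected: User unknown in (local|relay) recipient table;( from=<[^[:space:]]*> to=<[^[:space:]]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$
EOF

# Constructed sample log: a plain Postfix-to-Postfix delivery, an amavisd-new
# style one, two qmgr deferrals for a flaky MX client, a null-sender
# recipient rejection and a sender-table rejection.
cat >"$WORK/sample.log" <<'EOF'
Nov  4 11:45:38 mx1 postfix/smtp[12345]: 7B2E3C1A: to=<user@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=0.42, delays=0.12/0.01/0.2/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as C0FFEE42)
Nov  4 11:45:39 mx1 postfix/smtp[12346]: 8C3F4D2B: to=<user@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.3, delays=0.1/0/0.2/1, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=04411-07, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1D2C3B4A)
Nov  4 11:45:40 mx1 postfix/qmgr[1200]: 9D4A5E3C: to=<list@flaky.example.com>, relay=none, delay=13200, delays=13200/0.1/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with flaky.example.com[198.51.100.7] while sending RCPT TO)
Nov  4 11:45:40 mx1 postfix/qmgr[1200]: AE5B6F4D: to=<list@flaky.example.com>, relay=none, delay=13201, delays=13200/0.1/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with flaky.example.com[198.51.100.7] while sending end of data -- message may be sent more than once)
Nov  4 11:45:41 mx1 postfix/smtpd[2201]: NOQUEUE: reject: RCPT from flaky.example.com[198.51.100.7]: 550 5.1.1 <nobody@mx1.example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<nobody@mx1.example.org> proto=ESMTP helo=<flaky.example.com>
Nov  4 11:45:42 mx1 postfix/smtpd[2201]: NOQUEUE: reject: RCPT from flaky.example.com[198.51.100.7]: 550 5.1.0 <bogus@mx1.example.org>: Sender address rejected: User unknown in local recipient table; from=<bogus@mx1.example.org> to=<user@mx1.example.org> proto=ESMTP helo=<flaky.example.com>
EOF

# unmatched RULEFILE LOGFILE: print the lines no rule matches, i.e. what
# logcheck would still report. grep -v exits 1 when every line was matched,
# which is the good outcome here, so that status is masked.
unmatched() {
    grep -E -v -f "$1" "$2" || true
}

# unmatched_count RULEFILE LOGFILE: the same as a number, for scripting.
unmatched_count() {
    unmatched "$1" "$2" | grep -c . || true
}

echo "== still reported with the pre-patch rule =="
unmatched "$WORK/rules.old" "$WORK/sample.log"
echo "== still reported with the patched rules =="
unmatched "$WORK/rules.new" "$WORK/sample.log"
```

Run as-is, five of the six constructed lines are reported under the pre-patch rule (only the amavisd-style delivery is matched), and one remains under the patched rules: the `lost connection ... while sending end of data` deferral, which slips past because the new rule admits at most two words after `sending`. Point the two functions at the full `/etc/logcheck/ignore.d.server/postfix` and a real `mail.log` excerpt to get the same answer for a whole rule file.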