Package: logcheck-database
Version: 1.3.13
Severity: normal
Tags: patch
Hey
I'm getting reports of log lines like:
    Mar 5 22:06:54 xyz postfix/smtpd[20492]: some.host.name[88.166.229.232]:
    Trusted: subject_CN=some.host.name, issuer=Some Signing Authority,
    fingerprint=12:34:56:78:90:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
reported; this is with postfix 2.7.0-1.
Only src/tls/tls_server.c in recent Postfix versions uses fingerprint=
in logs; I've looked at the source history, and the upstream log
message was changed from:
    msg_info("fingerprint=%s", TLScontext->peer_fingerprint);
to:
    msg_info("%s: %s: subject_CN=%s, issuer=%s, fingerprint=%s",
             props->namaddr,
             TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
             TLScontext->peer_CN, TLScontext->issuer_CN,
             TLScontext->peer_fingerprint);
between 2.4.6 and 2.5.1-RC1.
I don't know what policy you follow for logcheck for older versions of
logged strings, but this seems to have happened a long time ago, hence
I suggest just updating the regexp rather than keeping both versions:
    ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]:
    [._[:alnum:]-]+(\[[[:xdigit:].:]{3,39}\](:[[:digit:]]+)?)?: Trusted:
    subject_CN=.*, issuer=.*,
    fingerprint=([[:digit:]A-F]{2}:){15,19}[[:digit:]A-F]{2}$
For props->namaddr, I used the same snippet as for the "setting up TLS
connection" message which uses the same var; then I added Trusted; this
could also be Untrusted, but I decided this should be logged; then for
subject_CN= and issuer= I wasn't too sure what to allow as this could
be anything really, but I saw other places which had subject_CN=.*,
issuer=.*; finally, fingerprint= can be different types of
fingerprints, in my case it's SHA1 so 20 pairs of hex digits.
Cheers,
--
Loïc Minier
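
Added example, not part of the original mail or of logcheck: a shell check of the proposed rule with `grep -E` against constructed sample lines, showing which ones the rule would drop from a report and which stay visible. It assumes the rule's four wrapped lines join with single spaces, GNU grep for `\w`, and the traditional syslog timestamp in which a single-digit day is space-padded; `is_ignored` and the sample variables are names made up here.

```shell
#!/bin/sh
# Proposed rule, rebuilt from the four wrapped lines of the mail
# (assumption: they join with single spaces).
RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: '
RULE="${RULE}"'[._[:alnum:]-]+(\[[[:xdigit:].:]{3,39}\](:[[:digit:]]+)?)?: Trusted: '
RULE="${RULE}"'subject_CN=.*, issuer=.*, '
RULE="${RULE}"'fingerprint=([[:digit:]A-F]{2}:){15,19}[[:digit:]A-F]{2}$'

# is_ignored LINE: exit status 0 when the rule matches, i.e. the line
# would be filtered out of the logcheck report.
is_ignored() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq -e "$RULE"
}

# Constructed sample data, modelled on the log line quoted in the mail.
PFX='Mar  5 22:06:54 xyz postfix/smtpd[20492]: '   # day padded: "Mar  5"
PEER='some.host.name[88.166.229.232]'
CERT='subject_CN=some.host.name, issuer=Some Signing Authority'
SHA1='12:34:56:78:90:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67'  # 20 pairs
MD5='12:34:56:78:90:AB:CD:EF:01:23:45:67:89:AB:CD:EF'              # 16 pairs

TRUSTED_SHA1="${PFX}${PEER}: Trusted: ${CERT}, fingerprint=${SHA1}"
TRUSTED_MD5="${PFX}${PEER}: Trusted: ${CERT}, fingerprint=${MD5}"
# An untrusted peer certificate must stay in the report.
UNTRUSTED="${PFX}${PEER}: Untrusted: ${CERT}, fingerprint=${SHA1}"
# Pre-2.5 message format: no longer covered by the updated rule.
OLD_FORMAT="${PFX}fingerprint=${SHA1}"
# Same line with the timestamp whitespace collapsed to one space:
# the {11} timestamp field then no longer lines up.
COLLAPSED="Mar 5 22:06:54 xyz postfix/smtpd[20492]: ${PEER}: Trusted: ${CERT}, fingerprint=${SHA1}"

# report LABEL LINE: print what logcheck would do with the line.
report() {
    if is_ignored "$2"; then
        printf '%-13s ignored\n' "$1"
    else
        printf '%-13s REPORTED\n' "$1"
    fi
}

report trusted-sha1 "$TRUSTED_SHA1"
report trusted-md5  "$TRUSTED_MD5"
report untrusted    "$UNTRUSTED"
report old-format   "$OLD_FORMAT"
report collapsed    "$COLLAPSED"
```

To test against real data, feed lines from the mail log itself rather than from a rendered copy, since the rule is sensitive to the exact whitespace of the syslog timestamp.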