Package: logcheck
Version: 1.3.14
Severity: wishlist
Tags: patch
Hi there
I use postfix with smtpd_client_port_logging = yes and I also
configured it to provide SMTPS/SSMTP with smtpd_tls_wrappermode=yes.
Concerning smtpd_client_port_logging, some regexps in logcheck have
optional port information while others don't.
Concerning smtpd_tls_wrappermode, this doesn't change anything except
that it's more common that postfix misses remote IP and port
information (and obviously reverse DNS) for clients, typically after a
port scan. Again, some log messages allow for "unknown" in the place
of the IP address but some miss this.
I recently got this:
Oct 7 03:11:43 host postfix/smtpd[27300]: setting up TLS connection from unknown[unknown]:unknown
Oct 7 03:11:43 host postfix/smtpd[27300]: SSL_accept error from unknown[unknown]:unknown: -1
Oct 7 03:11:43 host postfix/smtpd[27300]: lost connection after CONNECT from unknown[unknown]:unknown
Attaching a patch which allows for an optional port and allows some IP
and ports to be unknown for the above messages.
Cheers,
--
Loïc Minier
From c4e0e7478bc3227aa2d05daf4bc7b86592380c40 Mon Sep 17 00:00:00 2001
From: Loïc Minier <[email protected]>
Date: Fri, 7 Oct 2011 09:19:44 +0200
Subject: [PATCH] postfix: more "unknown" IP and optional port
---
rulefiles/linux/ignore.d.server/postfix | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rulefiles/linux/ignore.d.server/postfix b/rulefiles/linux/ignore.d.server/postfix
index ce72d11..d41ca4b 100644
--- a/rulefiles/linux/ignore.d.server/postfix
+++ b/rulefiles/linux/ignore.d.server/postfix
@@ -77,7 +77,7 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: certificate verification failed for [^[:space:]]+: untrusted issuer /.+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: initializing the server-side TLS engine$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: issuer=[[:space:]]*/O=.*$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: setting up TLS connection (to|from) [._[:alnum:]-]+(\[[[:xdigit:].:]{3,39}\](:[[:digit:]]+)?)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: setting up TLS connection (to|from) [._[:alnum:]-]+(\[(unknown|[[:xdigit:].:]{3,39})\](:(unknown|[[:digit:]]+))?)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: verify error:num=10:certificate has expired$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: verify error:num=18:self signed certificate$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: verify error:num=19:self signed certificate in certificate chain$
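Review bot: The new `setting up TLS connection` rule is undocumented as to why `unknown` may appear inside the brackets and after the colon; a short comment in the rule file or the commit message stating that `unknown[unknown]:unknown` is what smtpd logs under smtpd_tls_wrappermode=yes when the peer disconnects before its address is known would stop a later cleanup from tightening it back to `[[:xdigit:].:]{3,39}` alone. The alternation itself is correct: the hostname class `[._[:alnum:]-]+` already accepted the literal `unknown`, while the address class cannot (none of `u`, `n`, `k`, `o`, `w` is a hex digit), so both the bracket content and the port needed the explicit alternative, and the trailing `$` keeps the optional `(:(unknown|[[:digit:]]+))?` from matching a partial suffix.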
@@ -105,7 +105,7 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: [[:upper:]]+ from [^[:space:]]+: 554( [[:digit:]]\.[[:digit:]]\.[[:digit:]])? <[^[:space:]]*>: Client host rejected: Access denied;( from=<[^[:space:]]*> to=<[^[:space:]]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: [[:upper:]]+ from [^[:space:]]+\[[[:digit:].]{7,15}\]: 503 5\.5\.0 <[^[:space:]]*>: Client host rejected: Improper use of SMTP command pipelining; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=E?SMTP helo=<[^[:space:]]+>$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: OTP unavailable because can't read/write key database /etc/opiekeys: No such file or directory$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: SSL_accept error from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: -?[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: SSL_accept error from [._[:alnum:]-]+\[(unknown|[[:xdigit:].:]{3,39})\](:(unknown|[[:digit:]]+))?: -?[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: [[:alnum:]]+: client=[._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: [[:alnum:]]+: client=[^[:space:]]+, sasl_method=[-[:alnum:]]+, sasl_username=[-_.@[:alnum:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: [[:alnum:]]+: client=[^[:space:]]+, sasl_sender=.*$
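Review bot: The `SSL_accept error` rule now accepts an optional `:port` or `:unknown` suffix, but the `[[:alnum:]]+: client=[._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]$` rule two lines below still requires a bare bracketed address; with smtpd_client_port_logging=yes, which the report says is enabled, that rule stops matching because the client line gains the same `:port` suffix, so it should receive the same `(:[[:digit:]]+)?` extension in this patch rather than surfacing as a separate report. The changed rule itself parses as intended: for `unknown[unknown]:unknown: -1` the optional group consumes `:unknown` and `: -?[[:digit:]]+$` takes the error code, and for a line without a port the group is skipped because `:` is followed by a space rather than a digit.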
@@ -119,7 +119,7 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: [[:upper:][:digit:]]+: reject: RCPT from [^[:space:]]+\[[[:digit:].]{7,15}\]: [45][[:digit:]][[:digit:]] <.+>: User unknown in local recipient table; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=E?SMTP helo=<[^[:space:]]+>$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: [[:upper:][:digit:]]+: reject: [[:upper:]]+ from [^[:space:]]+\[[[:digit:].]{7,15}\]: 503 5\.5\.0 <[[:upper:]]+>: [[:alnum:]]+ command rejected: Improper use of SMTP command pipelining; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=E?SMTP helo=<[^[:space:]]+>$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: [._[:alnum:]-]+(\[[[:xdigit:].:]{3,39}\](:[[:digit:]]+)?)?: Trusted: subject_CN=[._[:alnum:]-]+, issuer=[ ._[:alnum:]-]+, fingerprint=([[:xdigit:]]{2}:){15,19}[[:xdigit:]]{2}$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: lost connection after [[:upper:]]+( \([[:digit:]]+ bytes\))? from [._[:alnum:]-]+\[(unknown|[[:xdigit:].:]{3,39})\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: lost connection after [[:upper:]]+( \([[:digit:]]+ bytes\))? from [._[:alnum:]-]+\[(unknown|[[:xdigit:].:]{3,39})\](:(unknown|[[:digit:]]+))?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: timeout after [-[:upper:]]+( \([[:digit:]]+ bytes\))? from [^[:space:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: too many errors after ([[:upper:]]{4}|END-OF-MESSAGE|UNKNOWN|DATA \(0 bytes\)) from [._[:alnum:]-]+\[[.[:digit:]]+\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: unable to open Berkeley db /etc/sasldb: No such file or directory$
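Review bot: The `lost connection after` rule is the right fix for the third quoted log line, but the neighbouring `too many errors after ... from [._[:alnum:]-]+\[[.[:digit:]]+\]$` rule keeps a dotted-decimal-only address with no port and no `unknown` alternative, so the same half-identified client would still get through to the report on that message; apply the same `\[(unknown|[[:xdigit:].:]{3,39})\](:(unknown|[[:digit:]]+))?$` tail there for consistency (the `timeout after` rule needs nothing, since `[^[:space:]]+` already matches `unknown[unknown]:unknown`). Note that the `lost connection` rule already accepted `unknown` in the brackets before this hunk, so the only behavioural change here is the optional port, which the commit subject does state.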
--
1.7.5.4
_______________________________________________
Logcheck-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/logcheck-devel