On 03-06-2025 21:33, Jim Seymour via Postfix-users wrote:
Hi All,

First of all: Thanks, Viktor and Wietse, for your earlier responses. They were very helpful.

Ok, I've got experimental expanded postscreen reporting added to pflogsumm, it works as-follows:

The option --pscrn-stats produces the following additional information, directly below the smtpd connections summaries at the top:

    postscreen
          520   connections
          168   IP addresses
            4   avg. connect time (seconds)
      0:32:17   total connect time

and enables the collection and display of postscreen actions details, as-follows:

    Postscreen Actions
    ------------------
      BLACKLISTED (4)
            2   80.86.94.11
            2   182.18.20.165
      COMMAND COUNT LIMIT (2)
            1   175.181.205.203
            1   203.156.230.48
      COMMAND PIPELINING (7)
            1   112.90.37.193
            1   113.247.145.91
            1   118.249.219.141
            ...

The postscreen detail stuff is listed after the smtp/smtpd detail stuff and before the "Fatal Errors," "Panics," and "Master daemon messages" stuff.

(I'm calling them "postscreen actions" for now. If there's a word or phrase for these, please let me know.)

The above detail does not break out connects, disconnects, and hangups, but it does break out PASS NEW and PASS OLD. (I *could* break those others out easily enough, but it seems redundant.)

The option --pscrn-detail <cnt> can be used, as with the other reporting detail <cnt> options, to limit the detail to the "top N" in each postscreen action sub-heading or suppress them entirely (if you want the summary stats at the top, only).

In any event: Postscreen rejects will continue to be reported along with smtpd rejects under "message reject detail".

Questions:

First of all: Opinions on these approaches are welcome.

Secondly: I'm currently breaking-out "DNSBL rank N"s under separate sub-headings. E.g.:

      DNSBL rank 2 (212)
           76   64.60.13.82
           61   187.87.59.243
           42   85.52.227.215
           ...
      DNSBL rank 22 (4)
            4   66.78.40.196
      DNSBL rank 3 (92)
           38   82.144.240.226
            4   113.160.161.115
            3   14.98.127.72
      etc.

Keep them broken-out that way, or condense into a single sub-heading of simply "DNSBL rank"?

Lastly: I'm asking again for log samples. I've been unable to test the following RE's:

    (BARE NEWLINE) from \[(.+)\]:(\d+) after .+
    (BDAT without valid RCPT) from \[(.+)\]:(\d+)
    (COMMAND LENGTH LIMIT) from \[(.+)\]:(\d+) after .+
    (DATA without valid RCPT) from \[(.+)\]:(\d+)
    (NOQUEUE: reject: CONNECT) from \[(.+)\]:(\d+): all server ports busy
    (reject: connect) from \[(.+)\]:(\d+): all screening ports busy

In the project I maintain with Logstash grok patterns for Postfix, there are also a number of log message examples, including postscreen ones. See https://github.com/whyscream/postfix-grok-patterns, all files in test/postscreen_*

Kind regards,
Tom
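
The six patterns listed as untested in the quoted message can be exercised offline. The following is an added example, not part of either message and not pflogsumm code: it uses Python rather than pflogsumm's Perl (the patterns are valid in both unchanged) and tallies matches per action and client address in the style of the "Postscreen Actions" report. The log lines are constructed to fit the patterns as written, using documentation addresses; the `postfix/postscreen[` syslog tag and the names `tally` and `report` are assumptions.

```python
import re
from collections import Counter, defaultdict

# The six patterns from the quoted message, copied unchanged.
PATTERNS = [re.compile(p) for p in (
    r"(BARE NEWLINE) from \[(.+)\]:(\d+) after .+",
    r"(BDAT without valid RCPT) from \[(.+)\]:(\d+)",
    r"(COMMAND LENGTH LIMIT) from \[(.+)\]:(\d+) after .+",
    r"(DATA without valid RCPT) from \[(.+)\]:(\d+)",
    r"(NOQUEUE: reject: CONNECT) from \[(.+)\]:(\d+): all server ports busy",
    r"(reject: connect) from \[(.+)\]:(\d+): all screening ports busy",
)]
TAG = "postfix/postscreen["  # assumed syslog tag

# Constructed sample lines (not captured from a real server).
SAMPLE_LOG = """\
Jun  3 10:00:01 mx postfix/postscreen[1111]: BARE NEWLINE from [192.0.2.10]:40001 after DATA
Jun  3 10:00:02 mx postfix/postscreen[1111]: BARE NEWLINE from [192.0.2.10]:40002 after DATA
Jun  3 10:00:03 mx postfix/postscreen[1111]: BDAT without valid RCPT from [198.51.100.7]:51000
Jun  3 10:00:04 mx postfix/postscreen[1111]: COMMAND LENGTH LIMIT from [203.0.113.9]:33000 after RCPT
Jun  3 10:00:05 mx postfix/postscreen[1111]: DATA without valid RCPT from [2001:db8::25]:40100
Jun  3 10:00:06 mx postfix/postscreen[1111]: NOQUEUE: reject: CONNECT from [198.51.100.7]:51001: all server ports busy
Jun  3 10:00:07 mx postfix/postscreen[1111]: reject: connect from [203.0.113.9]:33001: all screening ports busy
Jun  3 10:00:08 mx postfix/postscreen[1111]: CONNECT from [192.0.2.10]:40003 to [192.0.2.1]:25
"""

def tally(log_text):
    """Return {action: Counter({client_ip: hits})} for postscreen lines."""
    actions = defaultdict(Counter)
    for line in log_text.splitlines():
        if TAG not in line:
            continue
        for pat in PATTERNS:
            m = pat.search(line)
            if m:  # first matching pattern wins; the port is not tallied
                action, ip, _port = m.groups()
                actions[action][ip] += 1
                break
    return actions

def report(actions):
    """Format the tally: action (total), then per-address counts, highest first."""
    out = []
    for action in sorted(actions):
        hits = actions[action]
        out.append(f"  {action} ({sum(hits.values())})")
        for ip, n in sorted(hits.items(), key=lambda kv: (-kv[1], kv[0])):
            out.append(f"    {n:6d}   {ip}")
    return "\n".join(out)

if __name__ == "__main__":
    print(report(tally(SAMPLE_LOG)))
```

The plain CONNECT line is included to confirm that none of the six patterns matches it, and the IPv6 line confirms that the greedy `\[(.+)\]` still stops at the final `]:port`.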