Am 21.05.2011 01:50, schrieb Jeroen Geilman: > On 05/21/2011 01:47 AM, Reindl Harald wrote: >> >> Am 21.05.2011 01:32, schrieb Jeroen Geilman: >>> On 05/21/2011 01:00 AM, Reindl Harald wrote: >>>> Hm? >>>> >>>>> This message was sent by a program, not by a human person. >>>>> Your submission to the postfix-users mailing list was rejected for >>>>> the following reason: >>>>> BOUNCE [email protected]: Admin request: /^subject:\s*help\b/i >>>> -------- Original-Nachricht -------- >>>> Betreff: help with rsyslog-filter >>>> Datum: Sat, 21 May 2011 00:57:23 +0200 >>>> Von: Reindl Harald<[email protected]> >>>> Organisation: the lounge interactive design >>>> An: Mailing-List postfix<[email protected]> >>>> >>>> i need a little help >>>> >>>> the following line should filter spam to ivalid rcpt works fine, see >>>> first log-message, but is there any way to exclude lines that also >>>> contains "too large" to see them in the messagelog (2nd line)? >>>> >>>> :msg, contains, "RCPT from unknown[10.0.0.20]" ~ >>> No, it matches mail from a specific local IP without fcrdns hostname. >>> It says nothing about spam. >> It does because this is a spam-firewall-appliance with FQRDNS delivering >> to an explicit port without dns lookups, i search a way to filter only >> "unknown in local recipient table" with rsyslog BUT ONLY if the sender >> is 10.0.0.20 because it spams the log in a way you see no real problems >> >> but if have no idea if and how a logical and here is possible >> >>>> May 21 00:47:23 mail postfix/smtpd[2005]: >>>> NOQUEUE: reject: RCPT from unknown[10.0.0.20]: >>>> 550 5.1.1<[email protected]>: Recipient address rejected: >>>> User unknown in local recipient table; >>>> >>>> from=<[email protected]> to=<[email protected]> >>>> May 21 00:42:20 mail postfix/smtpd[2005]: >>>> NOQUEUE: reject: RCPT from unknown[10.0.0.20]: >>>> 552 5.7.1<[email protected]>: Recipient address rejected: >>>> Message too large, recipient [email protected] would exceed size limits at >>>> this time; >>>> from=<[email protected]> to=<[email protected]
> If all your incoming mail is scanned by the machine on that IP, > why does it matter that it comes from that IP? i want them away, see above but only "unkonw rcpt"-lines > All mail comes from that IP, so there is no reason to check for it i would like to see "Message too large, recipient [email protected] would exceed size" in the maillog because this are full-mailboxes (dbmail-quota with dbmail-postfix-policyd) and no junk because they are only in the log if the mail passed all filters the VFY if the rcpt exists happens with every deliver attempt from outside because the appliance is creating quarantine-accounts automatic and detect new users on the target-servers this way
signature.asc
Description: OpenPGP digital signature
