Re: Another Logging Query
On Wed, Mar 23, 2022 at 11:55:16PM +0200, Reio Remma wrote:
> On 23.03.2022 23:41, Pete Long wrote:
> > Hi all,
> >
> > When I run the following command, I see lots of useful information about
> > what's happening with OpenSMTPD; particularly with filters.
> >
> > smtpd -dv -Tlookup
> >
> > However, I can't seem to find a way to capture the output to a file. I've
> > tried 'tee' but my syntax is probably wrong.
> >
> > Does the command above log events on a different level or are they
> > ephemeral?
>
> iirc you can also force the running daemon to log to maillog or whatever
> it's logging to using 'smtpctl trace lookup' ('smtpctl untrace' to stop),
> also 'smtpctl log verbose' and 'smtpctl log brief' might come handy.

Thanks again Reio, I'll give that command a try.

Pete.
Re: Filter Logging
Original message
From: Pete Long
Date: 3/21/22 9:08 AM (GMT-06:00)
To: misc@opensmtpd.org
Subject: Re: Filter Logging

On Mon, Mar 21, 2022 at 03:58:23PM +0200, Reio Remma wrote:
> On 21.03.2022 15:54, Pete Long wrote:
> > Hi all,
> >
> > I have a filter defined in smtpd.conf which looks like the following:
> >
> > filter rejects phase data match mail-from \
> >     disconnect "550 Policy enforcement."
> >
> > The referenced table contains a list of addresses in the following
> > formats:
> >
> > @dailynuisance.tld
> > bigmarketing.tld
> > @weneverunsubsribeanyone.tld
> >
> > First of all, are these valid formats for the filter?
>
> I see I've set up blacklists with a table like this:
>
> match \
>     from any \
>     for any \
>     mail-from \
>     reject

I'm currently doing the same as Reio with no complaints.

Edgar

Thanks Reio, that's nice and simple. I'll give that a try.

For some reason, I've always placed reject lists in a filter which are
referenced in a 'listen on' line.

Perhaps it's time for a change :)

Pete.
Re: Filter Logging
On Mon, Mar 21, 2022 at 03:58:23PM +0200, Reio Remma wrote:
> On 21.03.2022 15:54, Pete Long wrote:
> > Hi all,
> >
> > I have a filter defined in smtpd.conf which looks like the following:
> >
> > filter rejects phase data match mail-from \
> >     disconnect "550 Policy enforcement."
> >
> > The referenced table contains a list of addresses in the following
> > formats:
> >
> > @dailynuisance.tld
> > bigmarketing.tld
> > @weneverunsubsribeanyone.tld
> >
> > First of all, are these valid formats for the filter?
>
> I see I've set up blacklists with a table like this:
>
> match \
>     from any \
>     for any \
>     mail-from \
>     reject

Thanks Reio, that's nice and simple. I'll give that a try.

For some reason, I've always placed reject lists in a filter which are
referenced in a 'listen on' line.

Perhaps it's time for a change :)

Pete.
Re: Filter Logging
On 21.03.2022 15:54, Pete Long wrote:
> Hi all,
>
> I have a filter defined in smtpd.conf which looks like the following:
>
> filter rejects phase data match mail-from \
>     disconnect "550 Policy enforcement."
>
> The referenced table contains a list of addresses in the following
> formats:
>
> @dailynuisance.tld
> bigmarketing.tld
> @weneverunsubsribeanyone.tld
>
> First of all, are these valid formats for the filter?

I see I've set up blacklists with a table like this:

match \
    from any \
    for any \
    mail-from \
    reject

Good luck
Reio
Filter Logging
Hi all,

I have a filter defined in smtpd.conf which looks like the following:

filter rejects phase data match mail-from \
    disconnect "550 Policy enforcement."

The referenced table contains a list of addresses in the following
formats:

@dailynuisance.tld
bigmarketing.tld
@weneverunsubsribeanyone.tld

First of all, are these valid formats for the filter?

Secondly, this filter seems to be working well but I don't see any other
information in the logs except the 550 and whatever rejection message I've
used.

I chose the data phase as I previously had a similar filter which acted
earlier on in the SMTP transaction but which didn't seem to reject all
required addresses. I've since stupidly deleted this filter so I cannot be
more precise.

So to summarise, how can I see more information from my current filter and
am I using the correct syntax in the first place for the referenced table?

Thanks for your time.

Pete.
Re: syslog logging changed ?
I'm going to investigate this, I don't recall anything changing in there but
there's been tons of portable specific cleanup so it might just have
introduced a regression.

Gilles

June 26, 2020 8:33 PM, "Reio Remma" wrote:

> On 26.06.2020 18:03, Harald Dunkel wrote:
>
>> Hi folks,
>>
>> before 6.7 the smtpd log file entries were easy to find: Just
>> look for "smtpd" in /var/log/mail.log.
>>
>> With 6.7 this became "y express". On OpenBSD 6.7 it's still "smtpd"
>> as expected, so I wonder wth?
>>
>> Regards
>> Harri
>
> Unfortunately something has broken since last release.
>
> I was unable to track it down myself:
>
> https://github.com/OpenSMTPD/OpenSMTPD/issues/1059
>
> Good luck!
> Reio
Re: syslog logging changed ?
On 26.06.2020 18:03, Harald Dunkel wrote:
> Hi folks,
>
> before 6.7 the smtpd log file entries were easy to find: Just
> look for "smtpd" in /var/log/mail.log.
>
> With 6.7 this became "y express". On OpenBSD 6.7 it's still "smtpd"
> as expected, so I wonder wth?
>
> Regards
> Harri

Unfortunately something has broken since last release.

I was unable to track it down myself:

https://github.com/OpenSMTPD/OpenSMTPD/issues/1059

Good luck!
Reio
syslog logging changed ?
Hi folks,

before 6.7 the smtpd log file entries were easy to find: Just
look for "smtpd" in /var/log/mail.log.

With 6.7 this became "y express". On OpenBSD 6.7 it's still "smtpd"
as expected, so I wonder wth?

Regards
Harri
logging
I'm curious with the advent of the `report/filter' interface. Will there
be the possibility of disabling syslog logging in the future?

I was thinking of writing a script to "log" in xml for easy
parsing/pretty printing the logs. The only drawback I see is doubling the
disk usage.

I suppose I could use tmux and do a `smtpd -d >/dev/null 2>&1'

Just not sure if there would be any side effects.

Thanks,
Edgar
Re: more detailed logging from filter-spamassassin
> On 15.06.2016 at 19:55, Andrew Ruscica wrote:
>
> This behaviour has been the same since I started using filter-spamassassin
> which was before the May 23 snapshot. Currently on the June 6 snapshot of
> opensmtpd & opensmtpd-extras.
>
> Using filter-spamassassin like this
>
> filter filter-spamassassin spamassassin "-s reject"
>
> When an email is rejected, the log entry looks like this:
>
> Jun 15 13:28:04 mxgw3 smtpd[23583]: 94725446b2523387 smtp event=connected
> address=60.167.113.80 host=60.167.113.80
> Jun 15 13:28:11 mxgw3 filter-spamassassin[10058]: warn: session
> 94725446b2523387: on_eom: REJECT spam
> Jun 15 13:28:11 mxgw3 smtpd[23583]: 94725446b2523387 smtp
> event=failed-command command=DATA result=554 5.7.1 Message considered spam
> Jun 15 13:28:11 mxgw3 smtpd[23583]: 94725446b2523387 smtp event=closed
> reason=quit
>
> I also use an IP whitelist - actually the nospamd table used for spamd. PF
> redirects whitelisted connections to a listener at opensmtpd which doesn't do
> filter-spamassassin.
>
> The problem is troubleshooting false positives so I can improve my whitelist.
> Unless I obtain a sample NDR from the sender, it's difficult to match up the
> source MTA with a sending domain.
>
> The ideal solution is to display the from and to address in the rejection log
> line just like clamsmtp does it:

Makes sense to me and should be easy to implement.

> Jun 15 13:14:48 mxgw3 clamsmtpd: 102B1B: from=bou...@bizmailtoday.com,
> to=u...@mydomain.com, status=VIRUS:Heuristics.Phishing.Email.SSL-Spoof
>
> Incidentally, I've tried adding the -v option to the filter-spamassassin
> directive at smtpd.conf. This in fact breaks smtpd such that it accepts no
> connections at all. I believe I'll need to file a separate bug report for
> that.

Yes, please do.
more detailed logging from filter-spamassassin
This behaviour has been the same since I started using filter-spamassassin
which was before the May 23 snapshot. Currently on the June 6 snapshot of
opensmtpd & opensmtpd-extras.

Using filter-spamassassin like this

filter filter-spamassassin spamassassin "-s reject"

When an email is rejected, the log entry looks like this:

Jun 15 13:28:04 mxgw3 smtpd[23583]: 94725446b2523387 smtp event=connected address=60.167.113.80 host=60.167.113.80
Jun 15 13:28:11 mxgw3 filter-spamassassin[10058]: warn: session 94725446b2523387: on_eom: REJECT spam
Jun 15 13:28:11 mxgw3 smtpd[23583]: 94725446b2523387 smtp event=failed-command command=DATA result=554 5.7.1 Message considered spam
Jun 15 13:28:11 mxgw3 smtpd[23583]: 94725446b2523387 smtp event=closed reason=quit

I also use an IP whitelist - actually the nospamd table used for spamd. PF
redirects whitelisted connections to a listener at opensmtpd which doesn't do
filter-spamassassin.

The problem is troubleshooting false positives so I can improve my whitelist.
Unless I obtain a sample NDR from the sender, it's difficult to match up the
source MTA with a sending domain.

The ideal solution is to display the from and to address in the rejection log
line just like clamsmtp does it:

Jun 15 13:14:48 mxgw3 clamsmtpd: 102B1B: from=bou...@bizmailtoday.com, to=u...@mydomain.com, status=VIRUS:Heuristics.Phishing.Email.SSL-Spoof

Incidentally, I've tried adding the -v option to the filter-spamassassin
directive at smtpd.conf. This in fact breaks smtpd such that it accepts no
connections at all. I believe I'll need to file a separate bug report for
that.

Thanks,
Andrew
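With the log lines as they stand in the post above, the source MTA of each filter rejection can be recovered by joining the smtpd and filter lines on the session id. This is an added example, not code from the post or from OpenSMTPD; the function names and the second session in the sample are constructed here.

```python
import re
from collections import defaultdict

# First four lines are the ones quoted in the post; the last two are a
# constructed, non-rejected session added for contrast.
SAMPLE_LOG = """\
Jun 15 13:28:04 mxgw3 smtpd[23583]: 94725446b2523387 smtp event=connected address=60.167.113.80 host=60.167.113.80
Jun 15 13:28:11 mxgw3 filter-spamassassin[10058]: warn: session 94725446b2523387: on_eom: REJECT spam
Jun 15 13:28:11 mxgw3 smtpd[23583]: 94725446b2523387 smtp event=failed-command command=DATA result=554 5.7.1 Message considered spam
Jun 15 13:28:11 mxgw3 smtpd[23583]: 94725446b2523387 smtp event=closed reason=quit
Jun 15 13:29:02 mxgw3 smtpd[23583]: 0123456789abcdef smtp event=connected address=192.0.2.25 host=mail.example.net
Jun 15 13:29:05 mxgw3 smtpd[23583]: 0123456789abcdef smtp event=closed reason=quit
"""

PREFIX = r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ "
SID = r"(?P<sid>[0-9a-f]{16})"
SMTPD = re.compile(PREFIX + r"smtpd\[\d+\]: " + SID + r" smtp (?P<rest>.*)$")
FILTER = re.compile(PREFIX + r"(?P<prog>filter-[\w-]+)\[\d+\]: warn: session "
                    + SID + r": on_eom: REJECT (?P<why>.*)$")


def parse_fields(rest):
    """Parse 'event=... key=value'; result= may contain spaces, so it takes the tail."""
    head, sep, result = rest.partition(" result=")
    fields = dict(tok.split("=", 1) for tok in head.split() if "=" in tok)
    if sep:
        fields["result"] = result
    return fields


def rejected_sessions(lines):
    """Join smtpd and filter lines on session id; return only filter-rejected sessions."""
    sessions = defaultdict(dict)
    for line in lines:
        m = SMTPD.match(line)
        if m:
            f = parse_fields(m["rest"])
            if f.get("event") == "connected":
                sessions[m["sid"]].update(address=f.get("address"), host=f.get("host"))
            elif f.get("event") == "failed-command":
                sessions[m["sid"]].update(command=f.get("command"), result=f.get("result"))
            continue
        m = FILTER.match(line)
        if m:
            sessions[m["sid"]].update(filter=m["prog"], verdict=m["why"], time=m["ts"])
    # A session whose connect line was rotated away still appears, without an address.
    return {sid: s for sid, s in sessions.items() if "verdict" in s}


if __name__ == "__main__":
    for sid, s in rejected_sessions(SAMPLE_LOG.splitlines()).items():
        print(s["time"], sid, s.get("address", "?"), s.get("host", "?"),
              s["filter"], s["verdict"], s.get("result", ""))
```

The join yields the connecting address and host only; the envelope sender and recipient are not present in any of the quoted lines, which is the gap the post asks to have closed.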
Re: logging filters
On Fri, Jul 10, 2015 at 08:01:52AM BST, Pete wrote:
> > > But I can't get any logging from it in syslog. Is that by design, or am
> > > I missing something obvious?
> >
> > Yes, you are :^)
> >
> > man 5 syslog.conf
> >
> > Hint: facility, level and prog.
>
> Well, probably not something _that_ obvious. ;)
> Even with below config nothing turns up. But when looking at the code,
> even mail.info should display it.

How so? Nowhere does it state that it uses 'mail' facility.

> filter_clamav.c:
> [...]
> log_info(info: filter-clamav: result %s, l);
>
> I need a bigger cluestick.

The example above only mentions the 'info' *level*. What you're after is the
'prog'.

> /etc/syslog.conf:
> *.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
> kern.debug;syslog,user.info /var/log/messages
> auth.info /var/log/authlog
> authpriv.debug /var/log/secure
> cron.info /var/cron/log
> daemon.info /var/log/daemon
> ftp.info /var/log/xferlog
> lpr.debug /var/log/lpd-errs
> mail.info /var/log/maillog
> mail.* /var/log/maillog.debug
> #uucp.info /var/log/uucp
> *.* /var/log/messages.all

Obviously, it also depends on how your 'filter-clamav' is configured - if
logging is enabled at all then, based on the above '/etc/syslog.conf', your
logs should end up in '/var/log/messages.all'.

Regards,

Raf

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: logging filters
> > But I can't get any logging from it in syslog. Is that by design, or am
> > I missing something obvious?
>
> Yes, you are :^)
>
> man 5 syslog.conf
>
> Hint: facility, level and prog.

Well, probably not something _that_ obvious. ;)
Even with below config nothing turns up. But when looking at the code,
even mail.info should display it.

filter_clamav.c:
[...]
log_info(info: filter-clamav: result %s, l);

I need a bigger cluestick.

/etc/syslog.conf:
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info /var/log/messages
auth.info /var/log/authlog
authpriv.debug /var/log/secure
cron.info /var/cron/log
daemon.info /var/log/daemon
ftp.info /var/log/xferlog
lpr.debug /var/log/lpd-errs
mail.info /var/log/maillog
mail.* /var/log/maillog.debug
#uucp.info /var/log/uucp
*.* /var/log/messages.all
Re: logging filters
> smtpd -d gives me this:
> [...]
> info: filter-clamav: result stream: Eicar-Test-Signature FOUND
> warn: clamav_filter: on_eom: REJECT virus id=44fa746c81ec2474
> [...]
>
> But I can't get any logging from it in syslog. Is that by design, or am
> I missing something obvious?

For future reference:
It's by design. Since I like having clamav messages in my logs this helped:

# diff filter_api.c.orig filter_api.c 767c767 log_init(-1); --- log_init(0);
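Review bot: at line 767 of filter_api.c the argument to log_init goes from -1 to 0 with no comment saying what either value selects, and the message itself says the old behaviour is by design, so this is a local override that has to be reapplied by hand after every update. filter_api.c looks shared rather than clamav-specific (the thread quotes filter_clamav.c separately), so check which other filters pick up the change; a run-time switch, or at minimum a comment beside the call explaining why 0 is wanted, would be easier to maintain. The diff as posted has also lost its < and > line markers, so it will not apply with patch(1) without retyping.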
logging filters
Hi,

I have filter-clamav (and others) plugged into 5.7.1 (OpenBSD 5.7) and it's
working fine so far. Thanks for that, it's awesome.

smtpd -d gives me this:
[...]
info: filter-clamav: result stream: Eicar-Test-Signature FOUND
warn: clamav_filter: on_eom: REJECT virus id=44fa746c81ec2474
[...]

But I can't get any logging from it in syslog. Is that by design, or am
I missing something obvious?

syslog.conf
[...]
mail.info /var/log/maillog
[...]