Re: Another Logging Query

2022-03-24 Thread Pete Long
On Wed, Mar 23, 2022 at 11:55:16PM +0200, Reio Remma wrote:
> On 23.03.2022 23:41, Pete Long wrote:
> > Hi all,
> > 
> > When I run the following command, I see lots of useful information about
> > what's happening with OpenSMTPD; particularly with filters.
> > 
> > smtpd -dv -Tlookup
> > 
> > However, I can't seem to find a way to capture the output to a file. I've
> > tried 'tee' but my syntax is probably wrong.
> > 
> > Does the command above log events on a different level or are they
> > ephemeral?
> > 
> iirc you can also force the running daemon to log to maillog or whatever
> it's logging to using 'smtpctl trace lookup' ('smtpctl untrace' to stop),
> also 'smtpctl log verbose' and 'smtpctl log brief' might come handy.

Thanks again Reio, I'll give that command a try.

Pete.





Re: Filter Logging

2022-03-21 Thread edgar
Sent via the Samsung Galaxy A10e, an AT 4G LTE smartphone

Original message
From: Pete Long
Date: 3/21/22 9:08 AM (GMT-06:00)
To: misc@opensmtpd.org
Subject: Re: Filter Logging

On Mon, Mar 21, 2022 at 03:58:23PM +0200, Reio Remma wrote:
> On 21.03.2022 15:54, Pete Long wrote:
> > Hi all,
> > 
> > I have a filter defined in smtpd.conf which looks like the following:
> > 
> > filter rejects phase data match mail-from  \
> > disconnect "550 Policy enforcement."
> > 
> > The referenced table contains a list of addresses in the following
> > formats:
> > 
> > @dailynuisance.tld
> > bigmarketing.tld
> > @weneverunsubsribeanyone.tld
> > 
> > First of all, are these valid formats for the filter?
> 
> I see I've set up blacklists with a table like this:
> 
> match \
>   from any \
>   for any \
>   mail-from  \
>   reject

I'm currently doing the same as Reio with no complaints.

Edgar

Thanks Reio, that's nice and simple. I'll give that a try.

For some reason, I've always placed reject lists in a filter which
are referenced in a 'listen on' line.

Perhaps it's time for a change :)

Pete.

Re: Filter Logging

2022-03-21 Thread Pete Long
On Mon, Mar 21, 2022 at 03:58:23PM +0200, Reio Remma wrote:
> On 21.03.2022 15:54, Pete Long wrote:
> > Hi all,
> > 
> > I have a filter defined in smtpd.conf which looks like the following:
> > 
> > filter rejects phase data match mail-from  \
> > disconnect "550 Policy enforcement."
> > 
> > The referenced table contains a list of addresses in the following
> > formats:
> > 
> > @dailynuisance.tld
> > bigmarketing.tld
> > @weneverunsubsribeanyone.tld
> > 
> > First of all, are these valid formats for the filter?
> 
> I see I've set up blacklists with a table like this:
> 
> match \
>   from any \
>   for any \
>   mail-from  \
>   reject

Thanks Reio, that's nice and simple. I'll give that a try.

For some reason, I've always placed reject lists in a filter which
are referenced in a 'listen on' line.

Perhaps it's time for a change :)

Pete.





Re: Filter Logging

2022-03-21 Thread Reio Remma

On 21.03.2022 15:54, Pete Long wrote:

> Hi all,
> 
> I have a filter defined in smtpd.conf which looks like the following:
> 
> filter rejects phase data match mail-from  \
> disconnect "550 Policy enforcement."
> 
> The referenced table contains a list of addresses in the following
> formats:
> 
> @dailynuisance.tld
> bigmarketing.tld
> @weneverunsubsribeanyone.tld
> 
> First of all, are these valid formats for the filter?


I see I've set up blacklists with a table like this:

match \
  from any \
  for any \
  mail-from  \
  reject

Good luck
Reio



Filter Logging

2022-03-21 Thread Pete Long
Hi all,

I have a filter defined in smtpd.conf which looks like the following:

filter rejects phase data match mail-from  \
disconnect "550 Policy enforcement."

The referenced table contains a list of addresses in the following
formats:

@dailynuisance.tld
bigmarketing.tld
@weneverunsubsribeanyone.tld

First of all, are these valid formats for the filter?

Secondly, this filter seems to be working well but I don't see any other
information in the logs except the 550 and whatever rejection message
I've used.

I chose the data phase as I previously had a similar filter which acted
earlier on in the SMTP transaction but which didn't seem to reject all
required addresses. I've since stupidly deleted this filter so I cannot
be more precise.

So to summarise, how can I see more information from my current filter
and am I using the correct syntax in the first place for the referenced
table?

Thanks for your time.


Pete.




Re: syslog logging changed ?

2020-06-30 Thread gilles
I'm going to investigate this, I don't recall anything changing in there but 
there's been tons of portable specific cleanup so it might just have introduced 
a regression.

Gilles


June 26, 2020 8:33 PM, "Reio Remma"  wrote:

> On 26.06.2020 18:03, Harald Dunkel wrote:
> 
>> Hi folks,
>> 
>> before 6.7 the smtpd log file entries were easy to find: Just
>> look for "smtpd" in /var/log/mail.log.
>> 
>> With 6.7 this became "y express". On OpenBSD 6.7 it's still "smtpd"
>> as expected, so I wonder wth?
>> 
>> Regards
>> Harri
> 
> Unfortunately something has broken since last release.
> 
> I was unable to track it down myself:
> 
> https://github.com/OpenSMTPD/OpenSMTPD/issues/1059
> 
> Good luck!
> Reio



Re: syslog logging changed ?

2020-06-26 Thread Reio Remma

On 26.06.2020 18:03, Harald Dunkel wrote:

> Hi folks,
> 
> before 6.7 the smtpd log file entries were easy to find: Just
> look for "smtpd" in /var/log/mail.log.
> 
> With 6.7 this became "y express". On OpenBSD 6.7 it's still "smtpd"
> as expected, so I wonder wth?
> 
> Regards
> Harri



Unfortunately something has broken since last release.

I was unable to track it down myself:

https://github.com/OpenSMTPD/OpenSMTPD/issues/1059

Good luck!
Reio




syslog logging changed ?

2020-06-26 Thread Harald Dunkel

Hi folks,

before 6.7 the smtpd log file entries were easy to find: Just
look for "smtpd" in /var/log/mail.log.

With 6.7 this became "y express". On OpenBSD 6.7 it's still "smtpd"
as expected, so I wonder wth?


Regards
Harri



logging

2020-02-07 Thread Edgar Pettijohn
I'm curious with the advent of the `report/filter' interface. Will there 
be the possibility of disabling syslog logging in the future? I was 
thinking of writing a script to "log" in xml for easy parsing/pretty 
printing the logs. The only drawback I see is doubling the disk usage.


I suppose I could use tmux and do a `smtpd -d >/dev/null 2>&1' Just not 
sure if there would be any side effects.


Thanks,


Edgar




Re: more detailed logging from filter-spamassassin

2016-06-16 Thread Joerg Jung

> On 15.06.2016 at 19:55, Andrew Ruscica wrote:
> 
> This behaviour has been the same since I started using filter-spamassassin 
> which was before the May 23 snapshot.  Currently on the June 6 snapshot of 
> opensmtpd & opensmtpd-extras.
> 
> Using filter-spamassassin like this
> 
> filter filter-spamassassin spamassassin "-s reject"
> When an email is rejected, the log entry looks like this:
> 
> Jun 15 13:28:04 mxgw3 smtpd[23583]: 94725446b2523387 smtp event=connected 
> address=60.167.113.80 host=60.167.113.80
> Jun 15 13:28:11 mxgw3 filter-spamassassin[10058]: warn: session 
> 94725446b2523387: on_eom: REJECT spam
> Jun 15 13:28:11 mxgw3 smtpd[23583]: 94725446b2523387 smtp 
> event=failed-command command=DATA result=554 5.7.1 Message considered spam
> Jun 15 13:28:11 mxgw3 smtpd[23583]: 94725446b2523387 smtp event=closed 
> reason=quit
> 
> 
> I also use an IP whitelist - actually the nospamd table used for spamd. PF 
> redirects whitelisted connections to a listener at opensmtpd which doesn't do 
> filter-spamassassin.
> 
> The problem is troubleshooting false positives so I can improve my whitelist. 
>  Unless I obtain a sample NDR from the sender, it's difficult to match up the 
> source MTA with a sending domain. 
> 
> The ideal solution is to display the from and to address in the rejection log 
> line just like clamsmtp does it:
> 

Makes sense to me and should be easy to implement.

> Jun 15 13:14:48 mxgw3 clamsmtpd: 102B1B: from=bou...@bizmailtoday.com, 
> to=u...@mydomain.com, status=VIRUS:Heuristics.Phishing.Email.SSL-Spoof
> 
> Incidentally, I've tried adding the -v option to the filter-spamassassin 
> directive at smtpd.conf.  This in fact breaks smtpd such that it accepts no 
> connections at all.  I believe I'll need to file a separate bug report for 
> that.
> 
Yes, please do.

more detailed logging from filter-spamassassin

2016-06-15 Thread Andrew Ruscica
This behaviour has been the same since I started using filter-spamassassin
which was before the May 23 snapshot.  Currently on the June 6 snapshot of
opensmtpd & opensmtpd-extras.

Using filter-spamassassin like this

filter filter-spamassassin spamassassin "-s reject"

When an email is rejected, the log entry looks like this:

Jun 15 13:28:04 mxgw3 smtpd[23583]: 94725446b2523387 smtp event=connected
address=60.167.113.80 host=60.167.113.80
Jun 15 13:28:11 mxgw3 filter-spamassassin[10058]: warn: session
94725446b2523387: on_eom: REJECT spam
Jun 15 13:28:11 mxgw3 smtpd[23583]: 94725446b2523387 smtp
event=failed-command command=DATA result=554 5.7.1 Message considered spam
Jun 15 13:28:11 mxgw3 smtpd[23583]: 94725446b2523387 smtp event=closed
reason=quit


I also use an IP whitelist - actually the nospamd table used for spamd. PF
redirects whitelisted connections to a listener at opensmtpd which doesn't
do filter-spamassassin.

The problem is troubleshooting false positives so I can improve my
whitelist.  Unless I obtain a sample NDR from the sender, it's difficult to
match up the source MTA with a sending domain.

The ideal solution is to display the from and to address in the rejection
log line just like clamsmtp does it:

Jun 15 13:14:48 mxgw3 clamsmtpd: 102B1B: from=bou...@bizmailtoday.com, to=
u...@mydomain.com, status=VIRUS:Heuristics.Phishing.Email.SSL-Spoof

Incidentally, I've tried adding the -v option to the filter-spamassassin
directive at smtpd.conf.  This in fact breaks smtpd such that it accepts no
connections at all.  I believe I'll need to file a separate bug report for
that.

Thanks,
Andrew
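
In the log lines quoted in this post, the session id printed by both smtpd and filter-spamassassin is the only field that ties a REJECT to the connecting address. The following is an added example, not part of the original post or of OpenSMTPD: it groups such lines by session id and reports the source of each rejected session. The second session in the sample (its id, 192.0.2.10 and mail.example.net) is constructed.

```python
import re

# Log lines from the post above with the mail client's wrapping undone, plus one
# constructed session (id 00000000deadbeef, 192.0.2.10) that is not rejected.
SAMPLE_LOG = """\
Jun 15 13:28:04 mxgw3 smtpd[23583]: 94725446b2523387 smtp event=connected address=60.167.113.80 host=60.167.113.80
Jun 15 13:28:05 mxgw3 smtpd[23583]: 00000000deadbeef smtp event=connected address=192.0.2.10 host=mail.example.net
Jun 15 13:28:11 mxgw3 filter-spamassassin[10058]: warn: session 94725446b2523387: on_eom: REJECT spam
Jun 15 13:28:11 mxgw3 smtpd[23583]: 94725446b2523387 smtp event=failed-command command=DATA result=554 5.7.1 Message considered spam
Jun 15 13:28:11 mxgw3 smtpd[23583]: 94725446b2523387 smtp event=closed reason=quit
Jun 15 13:28:12 mxgw3 smtpd[23583]: 00000000deadbeef smtp event=closed reason=quit
"""

SMTPD = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ smtpd\[\d+\]: ([0-9a-f]{16}) smtp (.*)$")
FILTER = re.compile(r"filter-spamassassin\[\d+\]: warn: session ([0-9a-f]{16}): on_eom: REJECT (\S+)")
# key=value pairs; a value runs until the next " key=" or end of line,
# so "result=554 5.7.1 Message considered spam" stays in one piece.
KV = re.compile(r"([\w-]+)=(.*?)(?= [\w-]+=|$)")

def rejected_sessions(log_text):
    """Return one dict per session that filter-spamassassin rejected."""
    sessions = {}
    for line in log_text.splitlines():
        m = FILTER.search(line)
        if m:
            sessions.setdefault(m.group(1), {})["verdict"] = m.group(2)
            continue
        m = SMTPD.match(line)
        if not m:
            continue
        when, sid, rest = m.groups()
        fields = dict(KV.findall(rest))
        s = sessions.setdefault(sid, {})
        if fields.get("event") == "connected":
            s.update(time=when, address=fields.get("address"), host=fields.get("host"))
        elif fields.get("event") == "failed-command":
            s["result"] = fields.get("result")
    # A session whose "connected" line is missing (e.g. rotated away) is still
    # reported, with address and host set to None.
    return [dict(session=sid, time=s.get("time"), address=s.get("address"),
                 host=s.get("host"), verdict=s["verdict"], result=s.get("result"))
            for sid, s in sessions.items() if "verdict" in s]

if __name__ == "__main__":
    for row in rejected_sessions(SAMPLE_LOG):
        print("{session} {address} ({host}) REJECT {verdict}: {result}".format(**row))
```
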


Re: logging filters

2015-07-10 Thread Raf Czlonka
On Fri, Jul 10, 2015 at 08:01:52AM BST, Pete wrote:
> > But i can't get any logging from it in syslog. Is that by design, or
> > am i missing something obvious?
> > 
> > Yes, you are :^)
> > 
> > man 5 syslog.conf
> > 
> > Hint: facility, level and prog.
> 
> Well, probably not something _that_ obvious. ;)
> Even with below config nothing turns up.
> But when looking at the code, even mail.info should display it.

How so? Nowhere does it state that it uses 'mail' facility.

> filter_clamav.c:
> [...]
> log_info("info: filter-clamav: result %s", l);
> 
> I need a bigger cluestick.

The example above only mentions the 'info' *level*. What you're after is
the 'prog'.

> /etc/syslog.conf:
> *.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
> kern.debug;syslog,user.info                             /var/log/messages
> auth.info                                               /var/log/authlog
> authpriv.debug                                          /var/log/secure
> cron.info                                               /var/cron/log
> daemon.info                                             /var/log/daemon
> ftp.info                                                /var/log/xferlog
> lpr.debug                                               /var/log/lpd-errs
> mail.info                                               /var/log/maillog
> mail.*                                                  /var/log/maillog.debug
> #uucp.info                                              /var/log/uucp
> *.*                                                     /var/log/messages.all

Obviously, it also depends on how your 'filter-clamav' is
configured - if logging is enabled at all then, based on the above
'/etc/syslog.conf', your logs should end up in '/var/log/messages.all'.

Regards,

Raf

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: logging filters

2015-07-10 Thread Pete
> But i can't get any logging from it in syslog. Is that by design, or
> am i missing something obvious?
> 
> Yes, you are :^)
> 
> man 5 syslog.conf
> 
> Hint: facility, level and prog.

Well, probably not something _that_ obvious. ;)
Even with below config nothing turns up.
But when looking at the code, even mail.info should display it.
filter_clamav.c:
[...]
log_info("info: filter-clamav: result %s", l);

I need a bigger cluestick.


/etc/syslog.conf:
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info                             /var/log/messages
auth.info                                               /var/log/authlog
authpriv.debug                                          /var/log/secure
cron.info                                               /var/cron/log
daemon.info                                             /var/log/daemon
ftp.info                                                /var/log/xferlog
lpr.debug                                               /var/log/lpd-errs
mail.info                                               /var/log/maillog
mail.*                                                  /var/log/maillog.debug
#uucp.info                                              /var/log/uucp
*.*                                                     /var/log/messages.all






Re: logging filters

2015-07-10 Thread Pete

> smtpd -d gives me this:
>   [...]
>   info: filter-clamav: result stream: Eicar-Test-Signature FOUND
>   warn: clamav_filter: on_eom: REJECT virus id=44fa746c81ec2474
>   [...]
> But i can't get any logging from it in syslog. Is that by design, or
> am i missing something obvious?

For future reference: It's by design.
Since i like having clamav messages in my logs this helped:

# diff filter_api.c.orig filter_api.c
767c767
   log_init(-1);
---
   log_init(0);
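
Review bot: the one-line change at 767 swaps one bare literal for another, log_init(-1) for log_init(0), with nothing at the call site saying what either value selects, and it is made in filter_api.c rather than in the clamav filter itself, so every filter built from this file picks up the new logging behaviour. A comment at the call, or a run-time option instead of a local edit, would make the intent reviewable. A unified diff (diff -u) would also apply more safely than a bare 767c767 hunk, which has no context lines to detect that line 767 has moved in a later snapshot.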





logging filters

2015-07-09 Thread zzd
Hi,

I have filter-clamav (and others) plugged into 5.7.1 (OpenBSD 5.7) and it's
working fine so far. Thanks for that, it's awesome.

smtpd -d gives me this:
  [...]
  info: filter-clamav: result stream: Eicar-Test-Signature FOUND
  warn: clamav_filter: on_eom: REJECT virus id=44fa746c81ec2474
  [...]

But i can't get any logging from it in syslog. Is that by design, or
am i missing something obvious?


syslog.conf
[...]
mail.info                                               /var/log/maillog
[...]






