[Logcheck-devel] Bug#816685: logcheck-database: Patch to fix postfix logcheck

CJ Fearnley cjf at LinuxForce.net
Sun Mar 4 19:42:47 UTC 2018


Package: logcheck-database
Version: 1.3.18
Followup-For: Bug #816685

Dear Maintainer,

Logcheck was sending postfix disconnects which should not be flagged
as issues. Investigation shows (as previous reporters have confirmed)
that the log output has changed.

This patch for /etc/logcheck/ignore.d.server/postfix appears to fix
the problem. Though I cannot be sure that I missed one of the obscure
SMTP commands that postfix supports. Perhaps someone can look into the
postfix code to determine if more commands need to be added to this
improved regex.

--- postfix	2018-03-04 13:50:44.877543168 -0500
+++ /etc/logcheck/ignore.d.server/postfix	2018-03-04 14:35:24.378710297 -0500
@@ -97,7 +97,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: (NOQUEUE|[[:xdigit:]]+): reject: (HE|EH)LO from [^[:space:]]+\[[[:digit:].]{7,15}\]: [45][[:digit:]]{2}( [45](\.[[:digit:]]){2})? <[^[:space:]]*>: Helo command rejected: .+; proto=E?SMTP helo=<[^[:space:]]+>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: (NOQUEUE|[[:xdigit:]]+): reject: [[:upper:]]+ from [^[:space:]]+: 550( 5\.1\.[01])? <[^[:space:]]*>: (Sender|Recipient) address rejected: User unknown in ((local|relay) recipient|virtual alias) table;( from=<[^[:space:]]*> to=<[^[:space:]]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: (NOQUEUE|[[:xdigit:]]+): reject: [[:upper:]]+ from [^[:space:]]+: 450( 4\.1\.8)? <[^>]*>: Sender address rejected: Domain not found;( from=<[^>]*> to=<[^[:space:]]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: (dis)?connect from [^[:space:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: (dis)?connect from [^[:space:]]+(|( ((eh|he)lo|mail|rcpt|data|rset|noop|etrn|auth|starttls|unknown|quit)=[0-9]+(/[0-9]+)?)* commands=[0-9]+(/[0-9]+)?)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: NOQUEUE: discard: RCPT from [^[:space:]]+: <[^[:space:]]*>: .+; from=[^[:space:]]+ to=[^[:space:]]+ proto=E?SMTP helo=<[^[:space:]]+>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: NOQUEUE: milter-reject: MAIL from [-._[:alnum:]]+\[[.[:digit:]]+\]: 451 4\.(7\.1 Service unavailable|3\.2 AV system temporarily overloaded) - (please )?try (again )?later; proto=E?SMTP helo=<[^[:space:]]+>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: NOQUEUE: milter-reject: MAIL from [^[:space:]]+: .+; from=[^[:space:]]+ proto=E?SMTP helo=<[^[:space:]]+>$
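Review bot: The command list in the added line, `((eh|he)lo|mail|rcpt|data|rset|noop|etrn|auth|starttls|unknown|quit)`, is a closed enumeration, so a disconnect line carrying any counter name outside it will still be reported, which is the gap the message itself raises. Because the suffix is already anchored by ` commands=[0-9]+(/[0-9]+)?)$`, matching the counter name generically, for example `[[:alnum:]]+=[0-9]+(/[0-9]+)?`, would keep the rule tight without depending on the list being complete. Two smaller points on the same line: the optional suffix hangs off `(dis)?connect`, so it is also accepted on connect lines; if only disconnect lines carry the counters, splitting this into a plain connect rule and a separate disconnect rule would avoid widening the ignore pattern more than needed. The added text also uses `[0-9]` where the surrounding rules use `[[:digit:]]`; using the POSIX class would match the file's style.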

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-5-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
