[Logcheck-commits] r1525 - in logcheck/trunk: debian rulefiles/linux/ignore.d.server rulefiles/linux/violations.ignore.d

Wed Feb 28 21:15:06 CET 2007

Author: madduck
Date: 2007-02-28 21:15:06 +0100 (Wed, 28 Feb 2007)
New Revision: 1525

Modified:
   logcheck/trunk/debian/changelog
   logcheck/trunk/rulefiles/linux/ignore.d.server/postfix
   logcheck/trunk/rulefiles/linux/violations.ignore.d/logcheck-postfix
   logcheck/trunk/rulefiles/linux/violations.ignore.d/logcheck-ssh
Log:
* ignore.d.server/postfix: (closes: #404852)
  - ignore more timeout and connection refused messages.
  - allow more logging information in connection failure messages.
  - allow any message ID for cleanup; there are too many possibilities.
  - make the DSN optional in remote accept messages.
  - ignore numeric hostname and DNS lookup failures.
  - ignore invalid octet count errors from trivial-rewrite.
* violations.ignore.d/logcheck-postfix:
  - smtpd_peer_init is optional before DNS failure messages.
  - allow conn_use information in smtp failure messages.
  - add another variation on remote message acceptance.
  - allow more message IDs in cleanup log messages.
* violations.ignore.d/logcheck-ssh:
  - ignore host/address mismatch messages from TCP wrappers.

Modified: logcheck/trunk/debian/changelog
===================================================================

--- logcheck/trunk/debian/changelog	2007-02-28 19:15:14 UTC (rev 1524)
+++ logcheck/trunk/debian/changelog	2007-02-28 20:15:06 UTC (rev 1525)
@@ -1,10 +1,29 @@
 logcheck (1.2.56~unreleased.1) unstable; urgency=low
 
+  [ martin f. krafft ]
   * ignore.d.server/dovecot:
     - ignore additional, non-conventional comment to msgid on deliver message.
 
- -- martin f. krafft <madduck at debian.org>  Wed, 28 Feb 2007 20:15:00 +0100
+  [ Russ Allbery ]
+  * ignore.d.server/postfix: (closes: #404852)
+    - ignore more timeout and connection refused messages.
+    - allow more logging information in connection failure messages.
+    - allow any message ID for cleanup; there are too many possibilities.
+    - make the DSN optional in remote accept messages.
+    - ignore numeric hostname and DNS lookup failures.
+    - ignore invalid octet count errors from trivial-rewrite.
 
+  * violations.ignore.d/logcheck-postfix:
+    - smtpd_peer_init is optional before DNS failure messages.
+    - allow conn_use information in smtp failure messages.
+    - add another variation on remote message acceptance.
+    - allow more message IDs in cleanup log messages.
+
+  * violations.ignore.d/logcheck-ssh:
+    - ignore host/address mismatch messages from TCP wrappers.
+
+ -- martin f. krafft <madduck at debian.org>  Wed, 28 Feb 2007 21:14:44 +0100
+
 logcheck (1.2.55) unstable; urgency=low
 
   * Actually install README.backports.gz to /usr/share/doc/logcheck

Modified: logcheck/trunk/rulefiles/linux/ignore.d.server/postfix
===================================================================
--- logcheck/trunk/rulefiles/linux/ignore.d.server/postfix	2007-02-28 19:15:14 UTC (rev 1524)
+++ logcheck/trunk/rulefiles/linux/ignore.d.server/postfix	2007-02-28 20:15:06 UTC (rev 1525)
@@ -3,7 +3,7 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: from=<.*>, status=expired, returned to sender$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: message-id=(<?[^[:space:]]+>?)?( \(added by [^[:space:]]+\))?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: removed$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=none,( conn_use=[0-9]+,)? delay=[0-9.]+,( delays=[0-9./]+,)?( dsn=4\.[0-9]\.[0-9],)? status=deferred \(delivery temporarily suspended: (lost connection with [^[:space:]]+ while sending [[:alnum:]]+( [[:alnum:]]+)?|conversation with [^[:space:]]+ timed out while (receiving the initial server greeting|sending end of data -- message may be sent more than once)|connect to [^[:space:]]+: (Connection timed out|read timeout|Connection refused)|Host or domain name not found. Name service error for name=[^[:space:]]+ type=MX: Host not found, try again)\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=none,( conn_use=[0-9]+,)? delay=[0-9.]+,( delays=[0-9./]+,)?( dsn=4\.[0-9]\.[0-9],)? status=deferred \(delivery temporarily suspended: (lost connection with [^[:space:]]+ while (sending [[:alnum:]]+( [[:alnum:]]+)?|perfoming the HELO handshake)|conversation with [^[:space:]]+ timed out while (receiving the initial server greeting|sending [[:alnum:]]+( [[:alnum:]]+)?|sending end of data -- message may be sent more than once)|connect to [^[:space:]]+: (Connection timed out|read timeout|Connection refused)|Host or domain name not found. Name service error for name=[^[:space:]]+ type=MX: Host not found, try again)\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=none,( conn_use=[0-9]+,)? delay=[0-9.]+,( delays=[0-9./]+,)?( dsn=[45]\.[0-9]\.[0-9],)? status=bounced \(bad address syntax\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: unable to open Berkeley db /etc/sasldb: No such file or directory$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: verify error:num=10:certificate has expired$
@@ -26,7 +26,7 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: issuer=[[:space:]]*/O=.*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: OTP unavailable because can't read/write key database /etc/opiekeys: No such file or directory$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:upper:]0-9]+: reject: (RCPT|MAIL) from [._[:alnum:]-]+\[[0-9a-f.:]{3,39}\]: [45][0-9][0-9] .*$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+ Connection refused \(port [0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+ Connection (refused|timed out) \(port [0-9]+\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+ No route to host \(port 25\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+ Network is unreachable \(port 25\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+ server refused mail service \(port 25\)$
@@ -49,11 +49,12 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: decided action=DUNNO$
 # Postfix < 2.1
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+: server dropped connection without sending the initial greeting \(port 25\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:alnum:]]+: to=\<.*\>, relay=[^[:space:]]+\], status=deferred \(host [^[:space:]]+\] said: .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:alnum:]]+: to=<.*>,( orig_to=<[^[:space:]]+>,)? relay=[^[:space:]]+\](:[0-9]+)?,( conn_use=[0-9]+,)? delay=[0-9.]+,( delays=[0-9./]+,)?( dsn=4\.[0-9]\.[0-9],)? status=deferred \(host [^[:space:]]+\] said: .*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]: [[:upper:]0-9]+: to=<[^[:space:]]+>, relay=[._[:alnum:]-]+\[[0-9.]{7,15}\](:[[:digit:]]{1,5})?, (conn_use=[[:digit:]]+, )?delay=[.0-9]+(, delays=([.0-9]+/){3}[.0-9]+)?(, dsn=[45](\.[0-9]+){2})?, status=(deferred|bounced|undeliverable) \(host [._[:alnum:]-]+\[[0-9.]{7,15}\] said: [45][0-9][0-9] .+ \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|end of DATA) command\)\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:alnum:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=[^[:space:]]+\](:[0-9]+)?,( conn_use=[0-9]+,)? delay=[0-9.]+,( delays=[0-9./]+,)?( dsn=4\.[0-9]\.[0-9],)? status=deferred \((delivery temporarily suspended: )?conversation with [^[:space:]]+ timed out while (receiving the initial server greeting|sending [[:alnum:]]+( [[:alnum:]]+)?|sending end of data -- message may be sent more than once)\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]: [[:upper:]0-9]+: to=<[^[:space:]]+>, relay=[._[:alnum:]-]+\[[0-9.]{7,15}\](:[[:digit:]]{1,5})?, (conn_use=[[:digit:]]+, )?delay=[.0-9]+(, delays=([.0-9]+/){3}[.0-9]+)?(, dsn=2(\.[0-9]+){2})?, status=sent \(2[0-9][0-9] .+\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: ([0-9a-f.:]{3,39})+: address not listed for hostname [^[:space:]]+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: too many errors after [[:upper:]]{4} from [._[:alnum:]-]+\[[.[:digit:]]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: too many errors after ([[:upper:]]{4}|UNKNOWN) from [._[:alnum:]-]+\[[.[:digit:]]+\]$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: valid_hostname: invalid character [0-9]+\(decimal\): .*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: valid_hostname: misplaced delimiter: .$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: valid_hostname: empty hostname$
@@ -62,12 +63,13 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: mailer loop: best MX for [^[:space:]]+ is local$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:upper:]0-9]+: enabling PIX <CRLF>\.<CRLF> workaround for .*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: malformed domain name in resource data of CNAME record for [^[:space:]]+: .*$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: timeout after (HELO|EHLO|MAIL|RCPT|DATA|RSET|CONNECT|END-OF-MESSAGE) from [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: timeout after (HELO|EHLO|MAIL|RCPT|DATA|RSET|CONNECT|END-OF-MESSAGE|NOOP) from [^[:space:]]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:alnum:]]+: client=[^[:space:]]+, sasl_sender=.*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:alnum:]]+: client=[^[:space:]]+, sasl_method=[-[:alnum:]]+, sasl_username=[-_.@[:alnum:]]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:alnum:]]+: client=[._[:alnum:]-]+\[[0-9a-f.:]{3,39}\]$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: (resent-)?message-id=(<?[^[:space:]]+>?)?( \(added by [^[:space:]]+\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: (resent-)?message-id=.*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: numeric result [[0-9a-f.:]{3,39}]+ in address->name lookup for [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: numeric hostname: [0-9a-f.:]{3,39}$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]]+ in (MAIL|RCPT) command: .*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\] sent non-SMTP command: .*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\] in MAIL command: .*$
@@ -90,6 +92,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: peer certificate has no subject CN$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: non-SMTP command from [^[:space:]]+\[[0-9a-f.:]{3,39}\]: .+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/local\[[[:digit:]]+\]: warning: perhaps you need to create the maildirs in advance$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/trivial-rewrite\[[[:digit:]]+\]: warning: valid_ipv4_hostaddr: invalid octet count: ?$
 # postfix 2.3
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/error\[[0-9]+\]: [[:alnum:]]+: to=<[^[:space:]]+>, relay=none, delay=[.0-9]+,( delays=[.0-9/]+,)? dsn=[45]\.0\.0, status=bounced \(User unknown in virtual alias table\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: network_biopair_interop: error reading [[:digit:]]+ bytes from the network: Connection reset by peer$

Modified: logcheck/trunk/rulefiles/linux/violations.ignore.d/logcheck-postfix
===================================================================
--- logcheck/trunk/rulefiles/linux/violations.ignore.d/logcheck-postfix	2007-02-28 19:15:14 UTC (rev 1524)
+++ logcheck/trunk/rulefiles/linux/violations.ignore.d/logcheck-postfix	2007-02-28 20:15:06 UTC (rev 1525)
@@ -7,10 +7,10 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:upper:]0-9]+: reject: RCPT from [^[:space:]]+: [45][0-9][0-9]( [45](\.[[:digit:]]){2})? Service unavailable; Client host \[([0-9.]{7,15}|[-._[:alnum:]]+)\] blocked using [._[:alnum:]-]+;( .+;)? from=<[^[:space:]]*> to=<[^[:space:]]+> proto=(ESMTP|SMTP) helo=<[^[:space:]]+>$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:upper:]0-9]+: reject: RCPT from [^[:space:]]+\[[0-9.]{7,14}\]: [45][0-9][0-9] <.+>: User unknown in local recipient table; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=(ESMTP|SMTP) helo=<[^[:space:]]+>$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: (NOQUEUE|[[:xdigit:]]+): reject: HELO from [^[:space:]]+\[[0-9.]{7,15}\]: [45][0-9]{2}( [45](\.[0-9]){2})? <[^[:space:]]+>: Helo command rejected: .+; proto=E?SMTP helo=<[^[:space:]]+>$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: smtpd_peer_init: [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+: hostname [^[:space:]]+ verification failed: (Temporary failure in name resolution|Name or service not known|No address associated with hostname)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning:( smtpd_peer_init:)? [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+: hostname [^[:space:]]+ verification failed: (Temporary failure in name resolution|Name or service not known|No address associated with hostname)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: Peer verification: CommonName in certificate does not match: [._*[:alnum:]-]+ != [._[:alnum:]-]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:upper:]0-9]+: host [^[:space:]]+ said: [45][0-9][0-9][- ]+.* \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|(end of )?DATA) command\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:upper:]0-9]+: to=<[^[:space:]]+>(, orig_to=<[^[:space:]]+>)?, relay=[._[:alnum:]-]+\[[0-9.]{7,15}\](:[[:digit:]]{1,5})?, delay=[.0-9]+(, delays=([.0-9]+/){3}[.0-9]+)?(, dsn=[45](\.[0-9]+){2})?, status=(deferred|bounced|undeliverable) \(host [._[:alnum:]-]+\[[0-9.]{7,15}\] said: [45][0-9][0-9][- ]+.* \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|end of DATA) command\)\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:upper:]0-9]+: to=<[^[:space:]]+>(, orig_to=<[^[:space:]]+>)?, relay=[._[:alnum:]-]+\[[0-9.]{7,15}\](:[[:digit:]]{1,5})?,( conn_use=[0-9]+,)? delay=[.0-9]+(, delays=([.0-9]+/){3}[.0-9]+)?(, dsn=[45](\.[0-9]+){2})?, status=(deferred|bounced|undeliverable) \(host [._[:alnum:]-]+\[[0-9.]{7,15}\] said: [45][0-9][0-9][- ]+.* \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|end of DATA) command\)\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:upper:]0-9]+: to=<[^[:space:]]+>, relay=[._[:alnum:]-]+\[[0-9.]{7,15}\](:[[:digit:]]{1,5})?, delay=[.0-9]+(, delays=([.0-9]+/){3}[.0-9]+)?(, dsn=2(\.[0-9]+){2})?, status=deliverable \(2[0-9][0-9] .*\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [A-Z0-9]+: to=<[^[:space:]]+>, relay=[^[:space:]]+, delay=[0-9]+, status=deferred \(host [^[:space:]]+ refused to talk to me: [^[:space:]]+ 554 Access denied\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [A-Z0-9]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,) relay=[^[:space:]]+, delay=[0-9]+, status=deferred \(host [^[:space:]]+ said: [45][0-9]{2} <[^[:space:]]+>: Recipient address rejected: Greylisted for [0-9]+ (seconds|minutes)( \(see http://isg.ee.ethz.ch/tools/postgrey/help/[.[:alnum:]-]+.html\))? \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|end of DATA) command\)\)$
@@ -34,10 +34,11 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: [[:upper:]]+ from [^[:space:]]+: 554( 5\.7\.1)? <[^[:space:]]+>: Relay access denied;( from=<[^[:space:]]*> to=<[^[:space:]]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: (NOQUEUE|[[:xdigit:]]+): reject: [[:upper:]]+ from [^[:space:]]+: 550( 5\.1\.[01])? <[^[:space:]]+>: (Sender|Recipient) address rejected: User unknown in ((local|relay) recipient|virtual alias) table;( from=<[^[:space:]]*> to=<[^[:space:]]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=[^[:space:]]+,( conn_use=[[:digit:]]+,)? delay=[.0-9]+,( delays=[.0-9/]+, dsn=[0-9.]+,)? status=sent \(250 [0-9.]+ Ok((, id=[-0-9]+, from MTA(\([^[:space:]]+\))?: 250 ([0-9.]+ )?Ok)?: queued as [0-9A-F]+|, discarded, UBE, id=[-0-9]+)*|, DSN muted \([45][0-9][0-9] [45](\.[0-9]){2} .+\)\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)* relay=[^[:space:]]+,( conn_use=[[:digit:]]+,)? delay=[.0-9]+,( delays=[.0-9/]+, dsn=[0-9.]+,)? status=sent \(250 Ok: queued as [0-9A-F]+\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: [-._[:alnum:]]+\[[.[:digit:]]+\]: SASL (LOGIN|PLAIN|(DIGEST|CRAM)-MD5|APOP) authentication failed:?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: SASL authentication failure: Password verification failed$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/local\[[[:digit:]]+\]: warning: maildir access problem for UID/GID=[[:digit:]]+/[[:digit:]]+: create [/.[:alnum:]]+: Permission denied$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/local\[[0-9]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=local, delay=[0-9.]+(, delays=([.0-9]+/){3}[.0-9]+)?(, dsn=[45](\.[0-9]+){2})?, status=(deferred|bounced) \(.+\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:upper:]0-9]+: reject: header [^[:space:]]+:.+ from=<[^[:space:]]*>( to=<[^[:space:]]+>)? proto=E?SMTP helo=<[^[:space:]]+>: .+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: (resent-)?message-id=(<?[^[:space:]]+>?)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: (resent-|)message-id=<?[^>]+>?( \(added by [^[:space:]]+\))?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/pickup\[[0-9]+\]: [[:alnum:]]+: uid=[[:digit:]]+ from=<[^[:space:]]+>$

Modified: logcheck/trunk/rulefiles/linux/violations.ignore.d/logcheck-ssh
===================================================================
--- logcheck/trunk/rulefiles/linux/violations.ignore.d/logcheck-ssh	2007-02-28 19:15:14 UTC (rev 1524)
+++ logcheck/trunk/rulefiles/linux/violations.ignore.d/logcheck-ssh	2007-02-28 20:15:06 UTC (rev 1525)
@@ -1,5 +1,5 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts\.(allow|deny), line [0-9]+: can't verify hostname: getaddrinfo\([._[:alnum:]-]+, AF_INET\) failed$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts\.(allow|deny), line [0-9]+: host name/name mismatch: [._[:alnum:]-]+ != [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts\.(allow|deny), line [0-9]+: host name/(name|address) mismatch: [._[:alnum:]-]+ != [._[:alnum:]-]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ failed - POSSIBLE BREAK-?IN ATTEMPT!$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAK-?IN ATTEMPT!$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Write failed: Broken pipe$


