[Logcheck-devel] Bug#259094: logcheck-database: correction to cyrus rules

Jamie L. Penman-Smithson jamie at silverdream.org
Tue Jul 13 20:42:18 UTC 2004


On Tue, 2004-07-13 at 13:43, maks attems wrote:
> >  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: smtpd_peer_init: [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+: hostname [^[:space:]]+ verification failed: (Temporary failure in name resolution|Name or service not known|No address associated with hostname)$
> >  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: Peer verification: CommonName in certificate does not match: [._[:alnum:]-]+ != [._[:alnum:]-]+$
> >  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [A-Z0-9]+: host [^[:space:]]+ said: [45][0-9][0-9] .* \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|end of DATA) command\)$
> > +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: handler sender_permitted_from: DUNNO$
> > +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: : SPF none: smtp_comment=SPF: domain of sender [^[:space:]]+ does not designate mailers, header_comment=[a-z\.]+: domain of [^[:space:]]+ does not designate permitted sender hosts$
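
Review bot: In the second added rule, header_comment=[a-z\.]+ is narrower than the host pattern used in the rest of these rules: inside a bracket expression it accepts only lowercase letters, a dot and a literal backslash, so a header_comment host name containing a digit or a hyphen would not match and the line would still be reported. Suggest header_comment=[._[:alnum:]-]+, the same class the rules already use for the host field after the timestamp.
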
> 
> hmm, are these really needed inside of violations.ignore.d/logcheck-postfix?
> shouldn't they go to ignore.d.server/postfix?
> could you post some offending messages and which layer they were
> shown from logcheck ("Security Events" or "System Events")?

Security Events
=-=-=-=-=-=-=-=
[...]
Jul 12 07:01:43 lorien postfix/policy-spf[20032]: : SPF none:
smtp_comment=SPF: domain of sender
bounce-debian-laptop=devnull=silverdream.org at lists.debian.org does not
designate mailers, header_comment=lorien.silverdream.org: domain of
bounce-debian-laptop=devnull=silverdream.org at lists.debian.org does not
designate permitted sender hosts
Jul 12 07:01:43 lorien postfix/policy-spf[20032]: handler
sender_permitted_from: DUNNO

I just noticed that this isn't covered yet:

System Events
=-=-=-=-=-=-=
<snip>
Jul 13 20:04:43 lorien postfix/policy-spf[8343]: decided action=DUNNO

...and this fixes that:

--- /etc/logcheck/ignore.d.server/postfix.orig  2004-07-13
21:39:34.000000000 +0100
+++ /etc/logcheck/ignore.d.server/postfix       2004-07-13
21:39:26.000000000 +0100
@@ -36,6 +36,7 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: no
MX host for [^[:space:]]+ has a valid A record$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning:
host [^[:space:]]+ greeted me with my own hostname [._[:alnum:]-]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning:
host [^[:space:]]+ replied to HELO/EHLO with my own hostname
[._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]:
decided action=DUNNO$
 # Postfix < 2.1
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to
[^[:space:]]+: server dropped connection without sending the initial
greeting \(port 25\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]:
[[:alnum:]]+: to=\<.*\>, relay=[^[:space:]]+\], status=deferred \(host
[^[:space:]]+\] said: .*$
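
Review bot: The added rule is wrapped after "postfix/policy-spf\[[0-9]+\]:" in this mail, as are the context lines and the ---/+++ headers, so the hunk is unlikely to apply as posted, and a rule re-typed from it as two lines would leave an unanchored first half that matches every postfix/policy-spf line. Each pattern has to stay on one line; resending the diff as an attachment avoids the wrapping. The rule also lands between the postfix/smtp warning rules and the "# Postfix < 2.1" comment; a separate policy-spf group would keep the file easier to review.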

Thanks, keep up the good work :)

-- 
-jamie <jamie at silverdream.org> | spamtrap: spam at silverdream.org
 w: http://www.silverdream.org | p: sms at silverdream.org
 pgp key @ http://silverdream.org/~jps/pub.key
 20:30:01 up 13 days, 22:46, 13 users,  load average: 0.46, 0.21, 0.13
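
Added example, not part of the original message or of logcheck itself: a check with grep -E -f (assuming GNU grep, for \w) of the ignore.d.server rule from the patch above against the two policy-spf log lines quoted in this mail, once with the rule on one line and once split in two where the mail wraps it. The function names and file names are made up for the example.

```shell
#!/bin/sh
# Added example; not from the original mail. The log lines are the two
# policy-spf excerpts quoted in the message, re-joined onto single lines.

# count_unmatched RULES LOG: number of LOG lines that no pattern in RULES
# matches, i.e. the lines that would still be reported. Patterns are
# extended regular expressions, one per line.
count_unmatched() {
    grep -E -v -c -f "$1" "$2" || true   # grep exits 1 when the count is 0
}

# write_fixtures DIR: create the sample log and both rule files in DIR.
write_fixtures() {
    cat > "$1/log" <<'EOF'
Jul 13 20:04:43 lorien postfix/policy-spf[8343]: decided action=DUNNO
Jul 12 07:01:43 lorien postfix/policy-spf[20032]: handler sender_permitted_from: DUNNO
EOF
    # The rule from the patch, kept on one line.
    cat > "$1/rule.oneline" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: decided action=DUNNO$
EOF
    # The same rule split where the mail wraps it: two independent patterns.
    cat > "$1/rule.wrapped" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]:
decided action=DUNNO$
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    write_fixtures "$dir"
    # One-line rule: only the "decided action=DUNNO" line is filtered.
    echo "one-line rule: $(count_unmatched "$dir/rule.oneline" "$dir/log") line(s) still reported"
    # Wrapped rule: the unanchored first half hides every policy-spf line.
    echo "wrapped rule:  $(count_unmatched "$dir/rule.wrapped" "$dir/log") line(s) still reported"
    rm -rf "$dir"
}

demo
```

With the one-line rule the "handler sender_permitted_from" line is still reported; with the split rule nothing from policy-spf is reported at all.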
