[Logcheck-devel] [PATCH] Added more versions of "SASL authentication failure" postfix rule

Frédéric Brière fbriere at fbriere.net
Fri Jan 25 01:42:24 UTC 2008 

Here are two more error messages that can occur with a screwed-up
DIGEST-MD5 authentication.  (And I'm sure there are many more.)

(BTW, just for the record, the preceding SASL rule should ideally be
case-insensitive.)


Signed-off-by: Frédéric Brière <fbriere at fbriere.net>
---
 .../linux/violations.ignore.d/logcheck-postfix     |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/rulefiles/linux/violations.ignore.d/logcheck-postfix b/rulefiles/linux/violations.ignore.d/logcheck-postfix
index 926f1ee..6f827ad 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-postfix
+++ b/rulefiles/linux/violations.ignore.d/logcheck-postfix
@@ -39,7 +39,7 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=[^[:space:]]+,( conn_use=[[:digit:]]+,)? delay=[.0-9]+,( delays=[.0-9/]+, dsn=[0-9.]+,)? status=sent \(250 [0-9.]+ Ok((, id=[-0-9]+, from MTA(\([^[:space:]]+\))?: 250 ([0-9.]+ )?Ok)?: queued as [0-9A-F]+|, discarded, UBE, id=[-0-9]+)*|, DSN muted \([45][0-9][0-9] [45](\.[0-9]){2} .+\)\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)* relay=[^[:space:]]+,( conn_use=[[:digit:]]+,)? delay=[.0-9]+,( delays=[.0-9/]+, dsn=[0-9.]+,)? status=sent \(250 Ok: queued as [0-9A-F]+\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: [-._[:alnum:]]+\[[.[:digit:]]+\]: SASL (LOGIN|PLAIN|(DIGEST|CRAM)-MD5|APOP) authentication failed(:[ [:alnum:]]*)?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: SASL authentication failure: Password verification failed$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: SASL authentication failure: (Password verification failed|required parameters missing|realm changed: authentication aborted)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/local\[[[:digit:]]+\]: warning: maildir access problem for UID/GID=[[:digit:]]+/[[:digit:]]+: create [/.[:alnum:]]+: Permission denied$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/local\[[0-9]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=local, delay=[0-9.]+(, delays=([.0-9]+/){3}[.0-9]+)?(, dsn=[45](\.[0-9]+){2})?, status=(deferred|bounced) \(.+\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:upper:]0-9]+: reject: header [^[:space:]]+:.+ from=<[^[:space:]]*>( to=<[^[:space:]]+>)? proto=E?SMTP helo=<[^[:space:]]+>: .+$
-- 
1.5.3.8

More information about the Logcheck-devel mailing list