Russ Allbery
2006-Nov-05 06:15 UTC
[Logcheck-devel] Bug#397097: logcheck-database: more Postfix false positives
Package: logcheck-database
Version: 1.2.49
Severity: normal
Tags: patch
This report is against 1.2.49, but looking at the changelog for 1.2.50,
I don't think these are already fixed.
I use sender and recipient tables to reject mail at RCPT TO time and I
have one system for which I serve as an MX record that is frequently down
and has frequent network problems. The current rules return a lot of
security violation and system event false positives for those cases.
Attached are two patches, one to the violations.ignore.d file and one to
the ignore.d.server file, that clear up all of my false positives. Note,
though, that the current rule matching the Ok part of a forwarded message
didn't make much sense to me; the parentheses seemed oddly doubled and in
a way that didn't match the messages that I see. I took a stab at fixing
it but I'm not sure that I captured the cases correctly.
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages logcheck-database depends on:
ii debconf [debconf-2.0] 1.5.8 Debian configuration management sy
logcheck-database recommends no packages.
-- debconf information:
logcheck-database/conffile-cleanup: false
* logcheck-database/rules-directories-note:
logcheck-database/standard-rename-note:
-------------- next part --------------
--- /tmp/logcheck-postfix 2006-11-03 18:11:58.000000000 -0800
+++ violations.ignore.d/logcheck-postfix 2006-11-03 22:07:34.000000000 -0800
@@ -26,7 +26,9 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:upper:]0-9]+:
reject: RCPT from [^[:space:]]+: [45][0-9][0-9] <[^[:space:]]+>: Client
host rejected: Greylisted for [0-9]+ (seconds|minutes)( \(see
http://isg.ee.ethz.ch/tools/postgrey/help/[.[:alnum:]-]+.html\))?;
from=<[^[:space:]]+> to=<[^[:space:]]+> proto=(ESMTP|SMTP)
helo=<[^[:space:]]+>$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [[:alnum:]]+:
from=<[^[:space:]]*>, size=[0-9]+, nrcpt=[0-9]+ \(queue active\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/local\[[0-9]+\]:
[[:upper:][:digit:]]+: to=<[^[:space:]]+>,(
orig_to=<[^[:space:]]+>,)* relay=local, delay=[0-9]+, status=sent
\(delivered to command: /var/lib/mailman/mail/mailman admin [._[:alnum:]-]+\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject:
[[:upper:]]+ from [^[:space:]]+: 554 <[^[:space:]]+>: Client host
rejected: Access denied;( from=<[^[:space:]]+> to=<[^[:space:]]+>)?
proto=E?SMTP( helo=<[^[:space:]]+>)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject:
[[:upper:]]+ from [^[:space:]]+: 554 <[^[:space:]]+>: Client host
rejected: Access denied;( from=<[^[:space:]]*> to=<[^[:space:]]+>)?
proto=E?SMTP( helo=<[^[:space:]]+>)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject:
[[:upper:]]+ from [^[:space:]]+: 554( 5\.7\.1)? <[^[:space:]]+>: Relay
access denied;( from=<[^[:space:]]*> to=<[^[:space:]]+>)?
proto=E?SMTP( helo=<[^[:space:]]+>)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]:
(NOQUEUE|[[:xdigit:]]+): reject: [[:upper:]]+ from [^[:space:]]+: 550(
5\.1\.[01])? <[^[:space:]]+>: (Sender|Recipient) address rejected: User
unknown in (local|relay) recipient table;( from=<[^[:space:]]*>
to=<[^[:space:]]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]:
[[:upper:][:digit:]]+: to=<[^[:space:]]+>,(
orig_to=<[^[:space:]]+>,)* relay=[^[:space:]]+,( conn_use=[[:digit:]]+,)?
delay=[.0-9]+,( delays=[.0-9/]+, dsn=[0-9.]+,)? status=sent \(250 [0-9.]+ Ok((,
id=[-0-9]+, from MTA(\([^[:space:]]+\))?: 250 ([0-9.]+ )?Ok: queued as
[0-9A-F]+|, discarded, UBE, id=[-0-9]+))*\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]:
warning: [-._[:alnum:]]+\[[.[:digit:]]+\]: SASL
(LOGIN|PLAIN|(DIGEST|CRAM)-MD5|APOP) authentication failed:?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]:
warning: SASL authentication failure: Password verification failed$
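Review bot: the new "User unknown" rule is the only one in this hunk that accepts a lowercase queue ID (`(NOQUEUE|[[:xdigit:]]+): reject:`), while the rules around it and the rest of the file spell queue IDs as `[[:upper:]0-9]+` or `[[:upper:][:digit:]]+`; use the same class here so the rule does not admit more than Postfix emits. Two caveats on the same rule: it only covers "User unknown in (local|relay) recipient table", so the same 550 from a virtual mailbox or virtual alias table still lands in the violations report; and dropping every "Recipient address rejected: User unknown" line from that report also removes the signal for recipient-enumeration probes against the server, so a site that wants to see those should keep the line reportable in the events layer rather than add a matching entry to ignore.d.server as well. The `from=<[^[:space:]]+>` to `from=<[^[:space:]]*>` change in the "Access denied" rule is right: bounces arrive with an empty envelope sender (`from=<>`), which the old rule could never match.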
-------------- next part --------------
--- /tmp/postfix 2006-11-03 18:14:02.000000000 -0800
+++ ignore.d.server/postfix 2006-11-04 11:45:38.000000000 -0800
@@ -4,6 +4,8 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+:
removed$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+:
to=<[^[:space:]]+>, relay=none, delay=[0-9]+, status=deferred \(delivery
temporarily suspended: connect to [^[:space:]]+: (Connection timed out|read
timeout|Connection refused)\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+:
to=<[^[:space:]]+>, relay=none, delay=[0-9]+, status=deferred \(delivery
temporarily suspended: Host or domain name not found. Name service error for
name=[^[:space:]]+ type=MX: Host not found, try again\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+:
to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=none,(
conn_use=[0-9]+,)? delay=[0-9.]+,( delays=[0-9./]+,)?( dsn=4\.[0-9]\.[0-9],)?
status=deferred \(delivery temporarily suspended: lost connection with
[^[:space:]]+ while sending [[:alnum:]]+( [[:alnum:]]+)?\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+:
to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=none,(
conn_use=[0-9]+,)? delay=[0-9.]+,( delays=[0-9./]+,)?( dsn=4\.[0-9]\.[0-9],)?
status=deferred \(delivery temporarily suspended: conversation with
[^[:space:]]+ timed out while sending end of data -- message may be sent more
than once\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: unable to open
Berkeley db /etc/sasldb: No such file or directory$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: verify
error:num=10:certificate has expired$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: verify
error:num=18:self signed certificate$
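Review bot: the first new rule's tail, `while sending [[:alnum:]]+( [[:alnum:]]+)?\)`, allows only one or two words after "sending", so the short Postfix actions ("RCPT TO", "MAIL FROM", "DATA command", "message body") are ignored but a lost-connection line with a longer action (Postfix's "end of data -- message may be sent more than once" wording, for one) still falls through to the events report; `( [[:alnum:]]+){0,2}` or an explicit alternation over the known actions would cover the set consistently, and the "while receiving the initial server greeting" variant is not matched at all. Separately, both new rules accept the optional `( orig_to=<...>,)?`, `( conn_use=[0-9]+,)?`, `( delays=[0-9./]+,)?` and `( dsn=4\.[0-9]\.[0-9],)?` fields, whereas the two existing "delivery temporarily suspended" rules directly above them still hard-code `relay=none, delay=[0-9]+,`; a Postfix that logs delays= and dsn= will therefore still trip those older rules, so they should be brought onto the same skeleton while this file is being touched.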
@@ -68,7 +70,7 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Illegal
address syntax from
[._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\] in MAIL
command: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: SSL_accept error
from [._[:alnum:]-]+\[[0-9a-f.:]{3,39}\]: -1$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning:
smtpd_spf_result: unknown SPF result 4 \(unknown\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]:
[[:upper:][:digit:]]+: to=<[^[:space:]]+>,(
orig_to=<[^[:space:]]+>,)* relay=[^[:space:]]+,( conn_use=[[:digit:]]+,)?
delay=[.0-9]+,( delays=[.0-9/]+, dsn=[0-9.]+,)? status=sent \(250 [0-9.]+ Ok((,
id=[-0-9]+, from MTA(\([^[:space:]]+\))?: 250 ([0-9.]+ )?Ok: queued as
[0-9A-F]+|, discarded, UBE, id=[-0-9]+))*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]:
[[:upper:][:digit:]]+: to=<[^[:space:]]+>,(
orig_to=<[^[:space:]]+>,)* relay=[^[:space:]]+,( conn_use=[[:digit:]]+,)?
delay=[.0-9]+,( delays=[.0-9/]+, dsn=[0-9.]+,)? status=sent \(250 [0-9.]+ Ok((,
id=[-0-9]+, from MTA(\([^[:space:]]+\))?: 250 ([0-9.]+ )?Ok)?: queued as
[0-9A-F]+|, discarded, UBE, id=[-0-9]+)*\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/local\[[0-9]+\]:
[[:upper:][:digit:]]+: to=<[^[:space:]]+>,(
orig_to=<[^[:space:]]+>,)* relay=local, delay=[0-9]+, status=sent
\(delivered to command: exec /usr/bin/procmail\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: : SPF pass:
smtp_comment=.*: [.[:alnum:]]+ MX [.[:alnum:]]+ A [0-9a-f.:]+,
header_comment=[.[:alnum:]+: domain of [%[:punct:][:alnum:]]+@[.[:alnum:]]+
designates [0-9a-f.:]{3,39} as permitted sender$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/anvil\[[0-9]+\]: statistics: max
(message|recipient|connection) (count|rate) [/[:digit:]s]+ for
\(([.[:digit:]]{1,16}:)?(smtp(s)?|25|587):[.[:digit:]]+\) at \w{3} [ :0-9]{11}$
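Review bot: the same `postfix/[ls]mtp ... status=sent \(250 [0-9.]+ Ok((,` rule also exists in violations.ignore.d/logcheck-postfix (it appears unchanged as context in the first patch of this report) and that copy keeps the old grouping, so after this hunk the two files disagree about a direct `250 2.0.0 Ok: queued as HEX` reply; carry the same rewrite over to it. On the regrouped tail itself, the outer `(...)*` still allows zero repetitions, so a bare `status=sent (250 2.0.0 Ok)` matches, and it allows several `: queued as` or `, discarded, UBE` fragments in a row; if the intent is exactly one of "queued as", "amavis prefix plus queued as" or "discarded, UBE", a `?` on that group is the tighter choice. The regrouping does fix the case the report describes: the old rule required the `, id=..., from MTA(...): 250 ... Ok` prefix before `: queued as`, so it never matched a relay that returned `250 2.0.0 Ok: queued as HEX` directly, and the inner doubled parentheses in the old rule were indeed redundant.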
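The report says the old "Ok" rule never matched the lines the submitter sees and that the rewrite is a best guess. The following is an added example, not part of the bug report or of logcheck-database: it joins the wrapped rule lines from the second patch back into the single-line form logcheck uses, runs the 1.2.49 rule and the proposed rule with grep -E (as logcheck does) over constructed Postfix log lines, and shows which lines each rule would suppress. The host name `mx`, the queue IDs, the amavis ids and the addresses are invented for the sample lines.

```shell
#!/bin/sh
# Added example, not from the bug report or the logcheck package: run the old and
# the proposed "status=sent (250 ... Ok ...)" rules from the second patch against
# constructed Postfix log lines, the way logcheck does (one extended regex per
# line, matched with grep -E). Host names, queue IDs and amavis ids are made up.

# Rule as shipped in logcheck-database 1.2.49 (the wrapped lines of the patch
# joined back into one line).
OLD_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)* relay=[^[:space:]]+,( conn_use=[[:digit:]]+,)? delay=[.0-9]+,( delays=[.0-9/]+, dsn=[0-9.]+,)? status=sent \(250 [0-9.]+ Ok((, id=[-0-9]+, from MTA(\([^[:space:]]+\))?: 250 ([0-9.]+ )?Ok: queued as [0-9A-F]+|, discarded, UBE, id=[-0-9]+))*\)$'

# Rule as proposed by the patch: the amavis "id=..., from MTA(...): 250 ... Ok"
# prefix becomes optional, so a direct "Ok: queued as HEX" reply also matches.
NEW_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)* relay=[^[:space:]]+,( conn_use=[[:digit:]]+,)? delay=[.0-9]+,( delays=[.0-9/]+, dsn=[0-9.]+,)? status=sent \(250 [0-9.]+ Ok((, id=[-0-9]+, from MTA(\([^[:space:]]+\))?: 250 ([0-9.]+ )?Ok)?: queued as [0-9A-F]+|, discarded, UBE, id=[-0-9]+)*\)$'

# Constructed sample lines: the three shapes the rule is meant to ignore (direct
# relay, relay through amavis, amavis discard) plus one it must keep reporting.
LINE_PLAIN='Nov  4 11:45:38 mx postfix/smtp[12345]: 1A2B3C4D5E: to=<user@example.org>, relay=mail.example.org[192.0.2.10]:25, delay=0.5, delays=0.1/0.01/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F8E7D6C5B)'
LINE_AMAVIS='Nov  4 11:45:39 mx postfix/smtp[12346]: 1A2B3C4D5E: to=<user@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1, delays=0.1/0.01/0.1/1.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=12345-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0A1B2C3D4E)'
LINE_UBE='Nov  4 11:45:40 mx postfix/smtp[12347]: 2B3C4D5E6F: to=<user@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.7, delays=0.1/0.01/0.1/1.5, dsn=2.0.0, status=sent (250 2.0.0 Ok, discarded, UBE, id=12347-02)'
LINE_BOUNCED='Nov  4 11:45:41 mx postfix/smtp[12348]: 3C4D5E6F7A: to=<nobody@example.org>, relay=mail.example.org[192.0.2.10]:25, delay=0.4, delays=0.1/0.01/0.2/0.1, dsn=5.1.1, status=bounced (host mail.example.org[192.0.2.10] said: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table (in reply to RCPT TO command))'

SAMPLES="$LINE_PLAIN
$LINE_AMAVIS
$LINE_UBE
$LINE_BOUNCED"

# matches RULE LINE: succeed when the rule would make logcheck drop the line.
matches() {
    printf '%s\n' "$2" | grep -E -q -- "$1"
}

# count_ignored RULE: how many of the sample lines the rule ignores.
# grep -c prints the count even when it is 0 (and then exits 1).
count_ignored() {
    printf '%s\n' "$SAMPLES" | grep -E -c -- "$1" || true
}

# report LABEL RULE: one verdict per sample line, showing only the status part.
report() {
    printf '%s\n' "$SAMPLES" | while IFS= read -r line; do
        if matches "$2" "$line"; then verdict=ignored; else verdict=REPORTED; fi
        printf '%-4s %-8s %s\n' "$1" "$verdict" "${line##*, status=}"
    done
}

report old "$OLD_RULE"
report new "$NEW_RULE"
```

Run as `sh check-ok-rule.sh`: the old rule ignores only the two amavis-shaped lines and reports the direct `250 2.0.0 Ok: queued as ...` delivery, which is the false positive the report complains about; the proposed rule ignores all three sent lines and still reports the bounce. The same harness works for any logcheck rule: paste the rule as one line, feed it a few real lines from mail.log, and confirm the negatives stay reported before committing it.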