Justin Larue
2008-Jun-16 05:07 UTC
[Logcheck-devel] Bug#486440: logcheck-database: postfix false positives: hostname verification and anonymous TLS
Package: logcheck-database
Version: 1.2.64
Severity: wishlist
Tags: patch

Logcheck provides false negatives against the postfix package for lines such as the following:

Jun 15 20:11:15 gamma postfix/smtpd[28071]: Anonymous TLS connection established from fractal.kaosol.net[216.150.215.72]: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)

(This one would be caught without the word "Anonymous")

and

Jun 15 20:19:10 gamma postfix/smtpd[28321]: warning: 122.3.215.225: hostname 122.3.215.225.pldt.net verification failed: Name or service not known

(There does not appear to be an existing line related to this message.)

A patch to properly ignore both of these lines is attached.

-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (900, 'testing'), (300, 'unstable'), (200, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

-- debconf information:
* logcheck-database/rules-directories-note:
  logcheck-database/standard-rename-note:
  logcheck-database/conffile-cleanup: false
-------------- next part --------------
--- ignore.d.server/postfix.old 2008-06-15 23:02:49.000000000 -0600 +++ ignore.d.server/postfix 2008-06-15 22:55:20.000000000 -0600 
@@ -19,7 +19,7 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: cert has expired$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: (Peer|Server) certificate could not be verified$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: smtpd_peer_init: [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+: address not listed for hostname [._[:alnum:]-]+$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: TLS connection established (to|from) [^[:space:]]+: (TLSv1|SSLv[23]) with cipher [^[:space:]]+ \([/0-9]+ bits\)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: (Anonymous )?TLS connection established (to|from) [^[:space:]]+: (TLSv1|SSLv[23]) with cipher [^[:space:]]+ \([/0-9]+ bits\)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: setting up TLS connection (to|from) [._[:alnum:]-]+(\[[0-9a-f.:]{3,39}\])?$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: fingerprint=([0-9A-F]{2}:){15}[0-9A-F]{2}$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: Verified: subject_CN=.*, issuer=.*$ @@ -126,3 +126,4 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: gethostby\*\.getanswer: asked for "([-_.[:alnum:]]+)", got "\1"$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: discarding EHLO keywords:( [[:upper:]]+)+$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: milter-discard: END-OF-MESSAGE from [-._[:alnum:]]+\[[.[:digit:]]+\]: milter triggers DISCARD action; from=<[^[:space:]]*> to=<[^[:space:]]*> proto=E?SMTP helo=<[^[:space:]]+>$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [0-9.]{7,15}: hostname [^[:space:]]+ verification failed: Name or service not known$
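Review bot: In the first hunk, the new optional group `(Anonymous )?` admits exactly one qualifier in front of "TLS connection established", while the unchanged tail `(TLSv1|SSLv[23]) with cipher [^[:space:]]+` accepts any cipher name. Because this file sits under ignore.d.server, every anonymous TLS session, whatever cipher it negotiated, will now be left out of the reports. If that is the intent, state it in the changelog entry, and consider keeping the anonymous case as a separate rule so that a site which wants to see those sessions can drop it without losing the plain TLS rule.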
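Review bot: In the second hunk, the address field `[0-9.]{7,15}` of the added rule is looser than, and inconsistent with, the rules visible as context in the first hunk: the smtpd_peer_init rule spells the address as `[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+`, and the "setting up TLS connection" rule allows `[0-9a-f.:]{3,39}`. As written, the new field matches any run of 7 to 15 digits and dots and can never match an IPv6 client address; reusing one of the existing forms would fix both. The rule also pins the resolver error to the literal "Name or service not known", so other verification-failure reasons will still be reported; a one-line comment saying this is deliberate would help the next maintainer.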
Debian Bug Tracking System
2008-Jun-25 13:21 UTC
[Logcheck-devel] Bug#486440: marked as done (logcheck-database: postfix false positives: hostname verification and anonymous TLS)
Your message dated Wed, 25 Jun 2008 13:02:07 +0000
with message-id <E1KBUdT-0003ox-4q at ries.debian.org>
and subject line Bug#486440: fixed in logcheck 1.2.65
has caused the Debian Bug report #486440,
regarding logcheck-database: postfix false positives: hostname verification and anonymous TLS
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.)

--
486440: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486440
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems
-------------- next part --------------
An embedded message was scrubbed...
From: Justin Larue <debbugs at ziz.org>
Subject: logcheck-database: postfix false positives: hostname verification and anonymous TLS
Date: Sun, 15 Jun 2008 23:07:34 -0600
Size: 4698
Url: http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20080625/b5471542/attachment.eml
-------------- next part --------------
An embedded message was scrubbed...
From: madduck at debian.org (martin f. krafft)
Subject: Bug#486440: fixed in logcheck 1.2.65
Date: Wed, 25 Jun 2008 13:02:07 +0000
Size: 7009
Url: http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20080625/b5471542/attachment-0001.eml