Package: logcheck-database
Version: 1.3.13
Severity: normal
Tags: patch

Hey

I'm getting reports of log lines like:

    Mar 5 22:06:54 xyz postfix/smtpd[20492]: some.host.name[88.166.229.232]: Trusted: subject_CN=some.host.name, issuer=Some Signing Authority, fingerprint=12:34:56:78:90:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67

reported; this is with postfix 2.7.0-1.

Only src/tls/tls_server.c in recent Postfix versions uses fingerprint= in logs; I've looked at the source history, and the upstream log message was changed from:

    msg_info("fingerprint=%s", TLScontext->peer_fingerprint);

to:

    msg_info("%s: %s: subject_CN=%s, issuer=%s, fingerprint=%s",
             props->namaddr,
             TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
             TLScontext->peer_CN, TLScontext->issuer_CN,
             TLScontext->peer_fingerprint);

between 2.4.6 and 2.5.1-RC1.

I don't know what policy you follow for logcheck for older versions of logged strings, but this seems to have happened a long time ago, hence I suggest just updating the regexp rather than keeping both versions:

    ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: [._[:alnum:]-]+(\[[[:xdigit:].:]{3,39}\](:[[:digit:]]+)?)?: Trusted: subject_CN=.*, issuer=.*, fingerprint=([[:digit:]A-F]{2}:){15,19}[[:digit:]A-F]{2}$

For props->namaddr, I used the same snippet as for the "setting up TLS connection" message, which uses the same var; then I added Trusted; this could also be Untrusted, but I decided this should be logged; then for subject_CN= and issuer= I wasn't too sure what to allow as this could be anything really, but I saw other places which had subject_CN=.*, issuer=.*; finally, fingerprint= can be different types of fingerprints, in my case it's SHA1 so 20 pairs of hex digits.

Cheers,
--
Loïc Minier
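An added example (not part of the original report or of logcheck's own rules): the proposed rule run through grep -E against constructed log lines, showing which ones it would ignore and which would still be reported. The hostname, address, certificate names and the helpers fp, mkline and verdict are made up for the test; \w assumes GNU grep.

```shell
#!/bin/sh
# Added example: exercise the proposed ignore rule with grep -E.
# Every log line below is a constructed sample, not real log data.

RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: [._[:alnum:]-]+(\[[[:xdigit:].:]{3,39}\](:[[:digit:]]+)?)?: Trusted: subject_CN=.*, issuer=.*, fingerprint=([[:digit:]A-F]{2}:){15,19}[[:digit:]A-F]{2}$'

# fp N: print a fingerprint made of N colon-separated hex pairs.
fp() {
    n=$1
    out=AB
    while [ "$n" -gt 1 ]; do
        out="$out:AB"
        n=$((n - 1))
    done
    printf '%s' "$out"
}

# mkline STATUS NPAIRS: build one smtpd TLS line in the new upstream format.
# Syslog pads single-digit days to two columns ("Mar  5"), which is what
# the 11-character timestamp class in the rule expects.
mkline() {
    printf 'Mar  5 22:06:54 xyz postfix/smtpd[20492]: mail.example.org[192.0.2.10]: %s: subject_CN=mail.example.org, issuer=Example CA, fingerprint=%s\n' \
        "$1" "$(fp "$2")"
}

# verdict LINE: "ignored" if the rule matches the line, "reported" otherwise.
verdict() {
    if printf '%s\n' "$1" | grep -Eq -- "$RULE"; then
        echo ignored
    else
        echo reported
    fi
}

# 20 pairs = SHA1 length, 16 = MD5 length, 32 = SHA-256 length, 8 = too short.
for c in "Trusted 20" "Trusted 16" "Untrusted 20" "Trusted 32" "Trusted 8"; do
    set -- $c
    printf '%-9s %2s pairs -> %s\n' "$1" "$2" "$(verdict "$(mkline "$1" "$2")")"
done
```

Untrusted lines and fingerprints outside the 16 to 20 pair range stay in the logcheck report, so a switch to a longer digest would make these lines reappear until the rule is widened.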