Re: Including remote addresses in smtpd syslog output

2020-05-26 Thread Kevin Zheng
Hi Gilles,

On 5/26/20 12:04 AM, gil...@poolp.org wrote:
> We now provide a reporting API which is basically a stream of events that can
> be consumed by tools. It is a line-based format which is not meant to be read
> by humans but meant to be easily parsed by tools and that provides all of the
> information necessary to replicate the session states. Using this stream, one
> can write a tiny filter which aggregates info and outputs logs tailored for a
> specific third-party application with a guarantee that it won't break when we
> make a subtle change to the maillog format. If I were working on SSHGuard for
> example, I'd write an sshguard-exporter script that reads the stream and that
> outputs to syslog a format SSHguard recognizes. This way, an smtpd user would
> simply:
> 
> filter sshguard proc-exec "sshguard-exporter"
> listen on all filter sshguard
> action "foobar" relay filter sshguard
> 
> SSHguard itself would never need to be altered to follow changes in logs.

Thanks, makes sense to me. I was vaguely aware that actions and filters
became available, but I didn't know that they could do this. I think
this is exactly what I was looking for.

Thanks,
Kevin

-- 
Kevin Zheng
kevinz5...@gmail.com | kev...@berkeley.edu
XMPP: kev...@eecs.berkeley.edu
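An added example (not OpenSMTPD's or SSHGuard's own code) of the sshguard-exporter idea above: a Python report filter that remembers each session's source address from link-connect and emits one syslog line, with the address on it, for every 535 server reply. The `report|...` field layout, the bracketed IPv6 form of the src field, and the output line format are assumptions to check against smtpd-filters(7) and SSHGuard's parser.

```python
#!/usr/bin/env python3
# Hypothetical "sshguard-exporter": an OpenSMTPD report filter that joins
# link-connect and protocol-server events per session and logs one line per
# failed AUTH that carries the remote address (example code, not the project's).
import sys
import syslog

# Assumed stream layout (verify against smtpd-filters(7) for your release):
#   report|<proto>|<ts>|smtp-in|<event>|<session-id>|<params...>
#   link-connect params: rdns|fcrdns|src|dest   protocol-server params: <line>


def source_ip(src):
    """Strip the port from '192.0.2.1:5432' or '[2001:db8::1]:5432'
    (bracketed IPv6 is an assumption; unbracketed IPv6 is handled too)."""
    if src.startswith("unix:"):
        return None
    host, _, _port = src.rpartition(":")
    return host.strip("[]") or None


def handle_line(line, sessions):
    """Consume one stream line, update session state, return a log line or None."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 6 or fields[0] != "report" or fields[3] != "smtp-in":
        return None
    event, sid, params = fields[4], fields[5], fields[6:]
    if event == "link-connect" and len(params) >= 3:
        sessions[sid] = source_ip(params[2])
    elif event == "link-disconnect":
        sessions.pop(sid, None)          # forget the session once it ends
    elif event == "protocol-server" and params:
        reply = "|".join(params)         # the reply itself may contain '|'
        if reply.startswith("535") and sessions.get(sid):
            return f'{sid} smtp failed-auth address={sessions[sid]} result="{reply}"'
    return None


def main():
    sessions = {}
    syslog.openlog("sshguard-exporter", facility=syslog.LOG_MAIL)
    for line in sys.stdin:
        if line.startswith("config|ready"):
            # Handshake: subscribe to the events we need, then signal readiness.
            for ev in ("link-connect", "link-disconnect", "protocol-server"):
                sys.stdout.write(f"register|report|smtp-in|{ev}\n")
            sys.stdout.write("register|ready\n")
            sys.stdout.flush()
            continue
        out = handle_line(line, sessions)
        if out:
            syslog.syslog(syslog.LOG_WARNING, out)


if __name__ == "__main__":
    main()
```

Wired in with `filter sshguard proc-exec "sshguard-exporter"` as in the quoted config, the filter only writes registration lines to stdout; everything SSHGuard would read goes to syslog.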



Including remote addresses in smtpd syslog output

2020-05-25 Thread Kevin Zheng
Hi folks,

I'm new around here. I'm a happy OpenSMTPD user (on FreeBSD), and I
maintain SSHGuard (https://www.sshguard.net/), a program that reads
system logs and adds temporary firewall rules.

Some SSHGuard users want to use SSHGuard with OpenSMTPD. OpenSMTPD 6.6.0
appears to log SMTP sessions:

May 26 00:20:00 mx01 smtpd[9904]: ce7a8154503699d2 smtp connected
address=a.b.c.d host=a.b.c.d

Subsequent things that happen during that session look like:

May 26 00:20:00 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command
command="AUTH LOGIN (password)" result="535 Authentication failed"

Chasing changes in syslog output is a part of maintaining software like
SSHGuard. Unfortunately, my parser (which recently learned how to
pledge!) is a bit dull and would require some re-education to remember
SMTP sessions and their associated IP addresses. So, my questions are:

Why did OpenSMTPD stop reporting IP addresses on every line?

Is there any chance that OpenSMTPD can put IP addresses back on every line?

Regards,
Kevin

-- 
Kevin Zheng
kevinz5...@gmail.com | kev...@berkeley.edu
XMPP: kev...@eecs.berkeley.edu