Bug#317388: logwatch: Unmatched entries in Postfix section
Hi Willi, Willi Mann schrieb: [..] This description suggests that you get the reject_warning and reject because you have two rules, one with warn_if_reject and one without. Can you confirm that? I can confirm this. My main.cf has the following two lines: smtpd_recipient_restrictions = [..] warn_if_reject reject_unknown_sender_domain reject_unknown_sender_domain [..] What confused me was that you said ...is always written together..., which would mean we should ignore reject_warning lines. However, it looks like we need to parse them all, to be fully reliable. Apart from the fact that I should fix my main.cf configuration and only use one of the two rules (sorry, my mistake) wouldn't it still make sense to count the 'reject_warning' lines instead of having them show up in the **Unmatched Entries** section? Thx, Dustin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#317388: [Logwatch-Devel] fwd: Re: Bug#317388: logwatch: Unmatched entries in Postfix section
Willi Mann wrote:
Could anyone who is used to postfix look at this bug please? I'm not
sure what to do with this bug.
http://bugs.debian.org/317388
Willi
I just installed the latest logwatch, and believe the enclosed patch
will correct this issue. I couldn't find any reject_warning in my logs
for verification, but I did verifiy the patch did not break existing
functionality.
The patch includes one additional change to address another unmatched
RBL issue my logs were showing.
The patch is attached as well in case the line wrapping below is fowled up.
*--- postfix.orig 2005-07-23 07:16:26.972833471 -0700*
*+++ postfix2005-07-23 07:35:18.759650895 -0700*
@@ -248,7 +248,7 @@
$UndeliverableMsg{$Reason}++;
} elsif ( (undef,undef,undef,undef) = ($ThisLine =~ /^[a-zA-Z0-9]+: to=([^ ]*),(
orig_to=[^ ]*,)? relay=([^ ]*), delay=\d+, status=deliverable \((.*)\)$/)) {
$Deliverable++;
- #} elsif ( ($Host,undef) = ($ThisLine =~ /reject: RCPT from ([^ ]*\[[^ ]*\]):
[0-9]+ ([^ ]*): Sender address rejected: Domain not found;/)) {
+ #} elsif ( ($Host,undef) = ($ThisLine =~ /[reject|reject_warning]: RCPT from ([^
]*\[[^ ]*\]): [0-9]+ ([^ ]*): Sender address rejected: Domain not found;/)) {
# $RejectDomain{$Host}++;
# above two lines included in generic reject sender on next condition
} elsif ( ($Host,$Sender,$Reason) = ($ThisLine =~ /reject: RCPT from ([^ ]*\[[^
]*\]): [0-9]+ (.*): Sender address rejected: (.*);/)) {
@@ -274,6 +274,9 @@
} elsif ( ($Host,$Site) = ($ThisLine =~ /reject: RCPT from ([^ ]*\[[^ ]*\]):
554 Service unavailable; (?:Client host )?\[[^ ]*\] blocked using ([^ ]*);/)) {
$RejectRBL{$Site}{$Host}++;
$RejectedRBL++;
+ } elsif ( ($Host,$Site) = ($ThisLine =~ /reject: RCPT from ([^ ]*\[[^
]*\]): 554 Service unavailable; (?:Sender address )?\[[^ ]*\] blocked using ([^
]*);/)) {
+ $RejectRBL{$Site}{$Host}++;
+ $RejectedRBL++;
} elsif ( ($Host,$Site,$Reason) = ($ThisLine =~ /warning: ([^ ]*): RBL
lookup error: Name service error for \d+\.\d+\.\d+\.\d+\.([^ ]*): (.*)$/)) {
$Temp = $Host : $Reason;
$RBLError{$Site}{$Temp}++;
--- postfix.orig 2005-07-23 07:16:26.972833471 -0700
+++ postfix 2005-07-23 07:35:18.759650895 -0700
@@ -248,7 +248,7 @@
$UndeliverableMsg{$Reason}++;
} elsif ( (undef,undef,undef,undef) = ($ThisLine =~ /^[a-zA-Z0-9]+: to=([^ ]*),( orig_to=[^ ]*,)? relay=([^ ]*), delay=\d+, status=deliverable \((.*)\)$/)) {
$Deliverable++;
- #} elsif ( ($Host,undef) = ($ThisLine =~ /reject: RCPT from ([^ ]*\[[^ ]*\]): [0-9]+ ([^ ]*): Sender address rejected: Domain not found;/)) {
+ #} elsif ( ($Host,undef) = ($ThisLine =~ /[reject|reject_warning]: RCPT from ([^ ]*\[[^ ]*\]): [0-9]+ ([^ ]*): Sender address rejected: Domain not found;/)) {
# $RejectDomain{$Host}++;
# above two lines included in generic reject sender on next condition
} elsif ( ($Host,$Sender,$Reason) = ($ThisLine =~ /reject: RCPT from ([^ ]*\[[^ ]*\]): [0-9]+ (.*): Sender address rejected: (.*);/)) {
@@ -274,6 +274,9 @@
} elsif ( ($Host,$Site) = ($ThisLine =~ /reject: RCPT from ([^ ]*\[[^ ]*\]): 554 Service unavailable; (?:Client host )?\[[^ ]*\] blocked using ([^ ]*);/)) {
$RejectRBL{$Site}{$Host}++;
$RejectedRBL++;
+ } elsif ( ($Host,$Site) = ($ThisLine =~ /reject: RCPT from ([^ ]*\[[^ ]*\]): 554 Service unavailable; (?:Sender address )?\[[^ ]*\] blocked using ([^ ]*);/)) {
+ $RejectRBL{$Site}{$Host}++;
+ $RejectedRBL++;
} elsif ( ($Host,$Site,$Reason) = ($ThisLine =~ /warning: ([^ ]*): RBL lookup error: Name service error for \d+\.\d+\.\d+\.\d+\.([^ ]*): (.*)$/)) {
$Temp = $Host : $Reason;
$RBLError{$Site}{$Temp}++;
Bug#317388: [Logwatch-Devel] fwd: Re: Bug#317388: logwatch: Unmatched entries in Postfix section
apply the patch, we need to know that. Of course, from the original report, it's very likely that it's another line which would be what you intended in your patch, because of the big difference in the two reporting dates (33 secs), but I don't know that for sure. Forget that statement, it's not very likely because the original reporter says: You are absolutely right, the reject_warning log line is always written together with the reject log line. So it's possible that it should just be ignored. Willi -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#317388: [Logwatch-Devel] fwd: Re: Bug#317388: logwatch: Unmatched entries in Postfix section
Who Knows schrieb:
Willi Mann wrote:
Could anyone who is used to postfix look at this bug please? I'm not
sure what to do with this bug.
http://bugs.debian.org/317388
Willi
I just installed the latest logwatch, and believe the enclosed patch
will correct this issue. I couldn't find any reject_warning in my logs
for verification, but I did verifiy the patch did not break existing
functionality.
But you didn't find out out whether the reject_warning line is redundant and
what's the difference between the two. Before anyone can seriously apply the
patch, we need to know that. Of course, from the original report, it's very
likely that it's another line which would be what you intended in your
patch, because of the big difference in the two reporting dates (33 secs),
but I don't know that for sure.
- #} elsif ( ($Host,undef) = ($ThisLine =~ /reject: RCPT from ([^
]*\[[^ ]*\]): [0-9]+ ([^ ]*): Sender address rejected: Domain not
found;/)) {
+ #} elsif ( ($Host,undef) = ($ThisLine =~ /[reject|reject_warning]:
RCPT from ([^ ]*\[[^ ]*\]): [0-9]+ ([^ ]*): Sender address rejected:
Domain not found;/)) {
And that shows the problem of not really testing the patch: You are matching
t: RCPT from
not
reject: RCPT from
(cf. this small perl script:
my $line = reject: RCPT;
print matches\n if $line =~ /[reject|reject_warning]: RCPT/;
print $.\n;
)
Of course it works, but it confuses everyone. (Maybe it's even slower, but
I'm no regex guru.)
The right expression is:
/(?:reject|reject_warning) ./
} elsif ( ($Host,$Site) = ($ThisLine =~ /reject: RCPT from ([^ ]*\[[^
]*\]): 554 Service unavailable; (?:Client host )?\[[^ ]*\] blocked using ([^
]*);/)) {
$RejectRBL{$Site}{$Host}++;
$RejectedRBL++;
+ } elsif ( ($Host,$Site) = ($ThisLine =~ /reject: RCPT from ([^ ]*\[[^
]*\]): 554 Service unavailable; (?:Sender address )?\[[^ ]*\] blocked using
([^ ]*);/)) {
+ $RejectRBL{$Site}{$Host}++;
+ $RejectedRBL++;
And there's another issue: If you just add it to %RejectRBL, you should use
one regex for that because it's only (Sender address |Client host ) what
makes the difference.
... (?:Sender address |Client host )? should do it.
Willi
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#317388: [Logwatch-Devel] fwd: Re: Bug#317388: logwatch: Unmatched entries in Postfix section
Willi Mann wrote: But you didn't find out out whether the reject_warning line is redundant and what's the difference between the two. Before anyone can seriously apply the patch, we need to know that. Of course, from the original report, it's very likely that it's another line which would be what you intended in your patch, because of the big difference in the two reporting dates (33 secs), but I don't know that for sure. Okay, I accept my chastisement graciously. From the latest postfix manpage for postconf.5 warn_if_reject Change the meaning of the next restriction, so that it logs a warning instead of rejecting a request (look for logfile records that contain reject_warning). This is useful for testing new restrictions in a live environment without risking unnecessary loss of mail. Which basically means the person who configured postfix, didn't want to REALLY reject a message for some specific reason, however they did want to be warned that a message would have matched the rejection criteria. Therefore as far as logwatch is concerned there seems to be 3 options: 1. ignore reject_warning 2. add additional logic in every instance a reject_warning might appear and differentiate between rejects and warnings 3. leave it as is to print in the unmatched section, leaving it up to the configurator to remove the warn_if_reject qualifier if they don't want to see the warnings. And my vote is for # 3 simply due to the amount of effort required to implement #2 which would be in my opinion the best choice. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#317388: logwatch: Unmatched entries in Postfix section
Dustin Huptas schrieb: Hi Willi, sorry for the late feedback, here are the corresponding log lines: Jul 4 13:04:04 saturn postfix/smtpd[22767]: NOQUEUE: reject_warning:RCPT from host[x.x.x.x]: 450 [EMAIL PROTECTED]: Sender address rejected: Domain not found; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=mail.example3.com Jul 4 13:04:37 saturn postfix/smtpd[22767]: NOQUEUE: reject: RCPT from host[x.x.x.x]: 450 [EMAIL PROTECTED]: Sender address rejected: Domain not found; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=mail.example3.com You are absolutely right, the reject_warning log line is always written together with the reject log line. Hi Dustin! The manpage of says: postconf.5 warn_if_reject Change the meaning of the next restriction, so that it logs a warning instead of rejecting a request (look for logfile records that contain reject_warning). This is useful for testing new restrictions in a live environment without risking unnecessary loss of mail. This description suggests that you get the reject_warning and reject because you have two rules, one with warn_if_reject and one without. Can you confirm that? What confused me was that you said ...is always written together..., which would mean we should ignore reject_warning lines. However, it looks like we need to parse them all, to be fully reliable. Willi -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#317388: fwd: Re: Bug#317388: logwatch: Unmatched entries in Postfix section
forwarded 317388 [EMAIL PROTECTED] thanks Hi! Could anyone who is used to postfix look at this bug please? I'm not sure what to do with this bug. http://bugs.debian.org/317388 Willi -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#317388: logwatch: Unmatched entries in Postfix section
Hi Willi, sorry for the late feedback, here are the corresponding log lines: Jul 4 13:04:04 saturn postfix/smtpd[22767]: NOQUEUE: reject_warning:RCPT from host[x.x.x.x]: 450 [EMAIL PROTECTED]: Sender address rejected: Domain not found; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=mail.example3.com Jul 4 13:04:37 saturn postfix/smtpd[22767]: NOQUEUE: reject: RCPT from host[x.x.x.x]: 450 [EMAIL PROTECTED]: Sender address rejected: Domain not found; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=mail.example3.com You are absolutely right, the reject_warning log line is always written together with the reject log line. -Dustin On 10.07.2005|13:54, Willi Mann wrote: Dustin Huptas schrieb: Package: logwatch Version: 6.1.2-1 Severity: normal In the Postfix section I am having the following unmatched entries: - postfix Begin Messages rejected: Domain not found 1 Time(s) host[x.x.x.x] 1 Time(s) **Unmatched Entries** NOQUEUE: reject_warning: RCPT from host[x.x.x.x]: 450 [EMAIL PROTECTED]: Sender address rejected: Domain not found; from=[EMAIL PROTECTED] to= [EMAIL PROTECTED] proto=ESMTP helo=mail.example.com -- postfix End - Still the reject_warning from the Unmatched Entries list is properly being added to the Messages rejected list. From what I see, this must be different loglines. It's impossible for the script to match a line and then jump to the block of pushing Unknown Loglines. Can you go to the logfiles and send me the relevant (anomymized) loglines? There must be some reject: Logline in addition to the reject_warning: line. Willi signature.asc Description: Digital signature
Bug#317388: logwatch: Unmatched entries in Postfix section
Dustin Huptas schrieb: Package: logwatch Version: 6.1.2-1 Severity: normal In the Postfix section I am having the following unmatched entries: - postfix Begin Messages rejected: Domain not found 1 Time(s) host[x.x.x.x] 1 Time(s) **Unmatched Entries** NOQUEUE: reject_warning: RCPT from host[x.x.x.x]: 450 [EMAIL PROTECTED]: Sender address rejected: Domain not found; from=[EMAIL PROTECTED] to= [EMAIL PROTECTED] proto=ESMTP helo=mail.example.com -- postfix End - Still the reject_warning from the Unmatched Entries list is properly being added to the Messages rejected list. From what I see, this must be different loglines. It's impossible for the script to match a line and then jump to the block of pushing Unknown Loglines. Can you go to the logfiles and send me the relevant (anomymized) loglines? There must be some reject: Logline in addition to the reject_warning: line. Willi -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#317388: logwatch: Unmatched entries in Postfix section
Package: logwatch Version: 6.1.2-1 Severity: normal In the Postfix section I am having the following unmatched entries: - postfix Begin Messages rejected: Domain not found 1 Time(s) host[x.x.x.x] 1 Time(s) **Unmatched Entries** NOQUEUE: reject_warning: RCPT from host[x.x.x.x]: 450 [EMAIL PROTECTED]: Sender address rejected: Domain not found; from=[EMAIL PROTECTED] to= [EMAIL PROTECTED] proto=ESMTP helo=mail.example.com -- postfix End - Still the reject_warning from the Unmatched Entries list is properly being added to the Messages rejected list. -- System Information: Debian Release: testing/unstable APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.7 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Versions of packages logwatch depends on: ii mailx1:8.1.2-0.20040524cvs-4 A simple mail user agent ii perl 5.8.7-3 Larry Wall's Practical Extraction logwatch recommends no packages. -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
