logcheck and SPF
Since I’m trying out logcheck and logcheck-database (the etch packages) and SPF, I had to add some lines for logcheck to ignore. However, some of them are not really SPF related.
In particular, these were:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: handler sender_policy_framework: is decisive\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[[:digit:]]+\]: : Policy action=PREPEND Received-SPF: none \([^[:space:]]+: No applicable sender policy available\) receiver=[^[:space:]]+; identity=mfrom; envelope-from=[^[:space:]]+; helo=[^[:space:]]+; client-ip=[.[:digit:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[[:digit:]]+\]: : Policy action=550 Please see [^[:space:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[[:digit:]]+\]: : Policy action=PREPEND Received-SPF: softfail \([^[:space:]]+: Sender is not authorized by default to use [^[:space:]]+ in .?mfrom.? identity, however domain is not currently prepared for false failures \(mechanism .?~all.? matched\)\) receiver=[^[:space:]]+; identity=mfrom; envelope-from=[^[:space:]]+; helo=[^[:space:]]+; client-ip=[.[:digit:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[[:digit:]]+\]: : Policy action=PREPEND Received-SPF: pass \([^[:space:]]+: Sender is authorized by default to use .?[^[:space:]]+.? in .?mfrom.? identity \(mechanism .?[^[:space:]]+.? matched\)\) receiver=[^[:space:]]+; identity=mfrom; envelope-from=[^[:space:]]+; helo=[^[:space:]]+; client-ip=[.[:digit:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[[:digit:]]+\]: : Policy action=DEFER_IF_PERMIT SPF-Result=[^[:space:]]+: .?SERVFAIL.? error on DNS .?SPF.? lookup of [^[:space:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[[:digit:]]+\]: : Policy action=PREPEND Received-SPF: neutral \([^[:space:]]+: Domain does not state whether sender is authorized to use [^[:space:]]+ in .?mfrom.? identity \(mechanism .?\?all.? matched\)\) receiver=[^[:space:]]+; identity=mfrom; envelope-from=[^[:space:]]+; helo=[^[:space:]]+; client-ip=[.[:digit:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: sql plugin doing query select password from mail_users where username=[^[:space:]]+;$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[[:digit:]]+\]: : Policy action=DUNNO$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pop3d-ssl: couriertls: accept: Connection reset by peer$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pop3d-ssl: Disconnected, ip=\[[^[:space:]]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[[:digit:]]+\]: : Policy action=PREPEND Received-SPF: neutral \([^[:space:]]+: Default neutral result due to no mechanism matches\) receiver=[^[:space:]]+; identity=mfrom; envelope-from=[^[:space:]]+; helo=[^[:space:]]+; client-ip=[.[:digit:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[[:digit:]]+\]: : Policy action=PREPEND Received-SPF: permerror \([^[:space:]]+: Junk encountered in mechanism [^[:space:]]+\) receiver=[^[:space:]]+; identity=mfrom; envelope-from=[^[:space:]]+; helo=[^[:space:]]+; client-ip=[.[:digit:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pop3d-ssl: LOGOUT, ip=[^[:space:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: valid_hostname: empty hostname$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: malformed domain name in resource data of MX record for [^[:space:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[[:digit:]]+\]: : Policy action=PREPEND Received.SPF: permerror \([^[:space:]]+: Maximum DNS-interactive terms limit \([[:digit:]]+\) exceeded\) receiver=[^[:space:]]+; identity=mfrom; envelope-from=[^[:space:]]+; helo=[^[:space:]]+; client-ip=[.[:digit:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[[:digit:]]+\]: : Policy action=PREPEND Received.SPF: permerror \([^[:space:]]+: Included domain [^[:space:]]+ has no applicable sender policy\) receiver=[^[:space:]]+; identity=mfrom; envelope-from=[^[:space:]]+; helo=[^[:space:]]+; client-ip=[.[:digit:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot: auth-worker\(default\): mysql: Connected to 127.0.0.1 \([^[:space:]]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ blockhosts\[[[:digit:]]+\]: Notice: removing expired host:[[:space:]]* [.[:digit:]]+[[:space:]]* HostData\([[:digit:]]+, [.[:digit:]]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ blockhosts\[[[:digit:]]+\]: Notice: count=[[:digit:]]+, blocking host:[[:space:]]+[.[:digit:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]+\]: [^[:space:]]+ [^[:space:]]+ - FTP login timed out, disconnected$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[[:digit:]]+\]: : Policy action=PREPEND Received-SPF: none \([^[:space:]]+: No applicable sender policy available\) receiver=[^[:space:]]+; identity=helo; helo=[^[:space:]]+; client-ip=[.[:digit:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[[:digit:]]+\]: : Policy action=PREPEND Received-SPF: pass \([._ [:alnum:]-]+: [.[:digit:]]* is authorized to use .?[^[:space:]]+.? in .?mfrom.? identity \(mechanism .?[^[:space:]]+.? matched\)\) receiver=[^[:space:]]+; identity=mfrom; envelope-from=[^[:space:]]+; helo=[^[:space:]]+; client-ip=[.[:digit:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[[:digit:]]+\]: : Policy action=PREPEND Received-SPF: pass \([._ [:alnum:]-]+: Sender is authorized to use .?[^[:space:]]+.? in .?mfrom.? identity \(mechanism .?[^[:space:]]+.? matched\)\) receiver=[^[:space:]]+; identity=mfrom; envelope-from=[^[:space:]]+; helo=[^[:space:]]+; client-ip=[.[:digit:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [^[:space:]]+: [ .[:digit:]]* Service unavailable; Client host \[[.[:digit:]]+\] blocked using [^[:space:]]+; [^[:space:]]+; from=[^[:space:]]+ to=[^[:space:]]+ proto=ESMTP helo=[^[:space:]]+$
So if any POSIX ‘geek’ would like to comment on that or correct me, I’d appreciate that.
Last updated: Jan 20 2008
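An added example, not part of the original post: a lint for ignore rules that compiles each line with grep -E on its own and then lists the log lines no rule covers. It shows why the position of the hyphen inside a bracket expression matters: in [._- [:alnum:]] the "_- " is read as a reversed range and the rule is rejected, while [._ [:alnum:]-] is accepted. Assumptions: GNU grep -E as the matcher, LC_ALL=C, and constructed log lines, host names and function names.

```sh
#!/bin/sh
# Added example, not from the original post: lint logcheck-style ignore rules.
# LC_ALL=C makes bracket ranges compare by byte value, so results are stable.
LC_ALL=C; export LC_ALL

# lint_rules FILE: print the line number of every rule grep -E cannot compile.
lint_rules() {
    n=0
    while IFS= read -r rule; do
        n=$((n + 1)); st=0
        printf '\n' | grep -E -e "$rule" >/dev/null 2>&1 || st=$?
        # grep exit status: 0 = match, 1 = no match, 2 = error (bad regex)
        [ "$st" -le 1 ] || echo "$n"
    done < "$1"
}

# still_reported RULES LOG: print the log lines that no rule in RULES ignores.
still_reported() {
    grep -E -v -f "$1" "$2" || [ $? -eq 1 ]
}

# write_samples DIR: rules in the post's style (hyphen mid-bracket in rule 2),
# a corrected copy, and constructed log lines (hypothetical hosts/addresses).
write_samples() {
    cat > "$1/rules.mid" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[[:digit:]]+\]: : Policy action=DUNNO$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[[:digit:]]+\]: : Policy action=PREPEND Received-SPF: pass \([._- [:alnum:]]+: Sender is authorized to use .?[^[:space:]]+.? in .?mfrom.? identity \(mechanism .?[^[:space:]]+.? matched\)\) receiver=[^[:space:]]+; identity=mfrom; envelope-from=[^[:space:]]+; helo=[^[:space:]]+; client-ip=[.[:digit:]]+$
EOF
    # Same rules with the hyphen moved to the end of the bracket expression.
    sed 's/\[\._- \[:alnum:]]/[._ [:alnum:]-]/' "$1/rules.mid" > "$1/rules.end"
    cat > "$1/mail.log" <<'EOF'
Dec 10 22:12:01 mx1 postfix/policy-spf[4242]: : Policy action=DUNNO
Dec 10 22:12:02 mx1 postfix/policy-spf[4243]: : Policy action=PREPEND Received-SPF: pass (mx1.example.org: Sender is authorized to use 'alice@example.com' in 'mfrom' identity (mechanism 'mx' matched)) receiver=mx1.example.org; identity=mfrom; envelope-from="alice@example.com"; helo=mail.example.com; client-ip=192.0.2.10
Dec 10 22:12:03 mx1 postfix/policy-spf[4244]: : Policy action=PREPEND Received-SPF: fail (constructed line, no rule covers it)
EOF
}

demo() {
    d=$(mktemp -d) && write_samples "$d"
    echo "uncompilable rules (hyphen mid-bracket): $(lint_rules "$d/rules.mid")"
    echo "uncompilable rules (hyphen at end):      $(lint_rules "$d/rules.end")"
    still_reported "$d/rules.end" "$d/mail.log"
    rm -rf "$d"
}
demo
```

With grep -f, a single rule that fails to compile makes grep exit with status 2 for the whole file, which is why the lint tests rules one line at a time.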


Comment by adlerweb — December 10, 2007 at 22:12
.o(For some people it's regex, for others it's the longest smiley on earth…)
Comment by Max1 — December 10, 2007 at 22:13
:D
I hadn't seen that one before :D