Debian Bug report logs - #816685
postfix rules - multiple

Package: logcheck-database; Maintainer for logcheck-database is Debian logcheck Team <[email protected]>; Source for logcheck-database is src:logcheck.

Reported by: Cristian Ionescu-Idbohrn <[email protected]>

Date: Thu, 3 Mar 2016 21:42:06 UTC

Severity: normal

Found in version logcheck/1.3.18


Report forwarded to [email protected], LaMont Jones <[email protected]>:
Bug#816685; Package postfix. (Thu, 03 Mar 2016 21:42:09 GMT)


Acknowledgement sent to Cristian Ionescu-Idbohrn <[email protected]>:
New Bug report received and forwarded. Copy sent to LaMont Jones <[email protected]>. (Thu, 03 Mar 2016 21:42:09 GMT)


Message #5 received at [email protected]:

From: Cristian Ionescu-Idbohrn <[email protected]>
To: [email protected]
Subject: postfix: logcheck (maybe something else)
Date: Thu, 3 Mar 2016 22:40:15 +0100 (CET)
Package: postfix
Version: 3.0.4-5
Severity: normal

I see these logcheck reports:

Mar  3 20:09:05 <host> postfix/smtpd[<pid>]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=3 data=1 quit=1 commands=7

endlessly, after upgrading :(

Syslog scenario is:

Mar  3 21:19:20 <hostname> fetchmail[11625]: 1 message for <user> at <imap-server>.
Mar  3 21:19:20 <hostname> postfix/smtpd[30207]: connect from localhost[127.0.0.1]
Mar  3 21:19:20 <hostname> postfix/smtpd[30207]: E453D6C0C1: client=localhost[127.0.0.1]
Mar  3 21:19:20 <hostname> postfix/cleanup[30210]: E453D6C0C1: message-id=<[email protected]>
Mar  3 21:19:20 <hostname> postfix/cleanup[30210]: E453D6C0C1: resent-message-id=<bar-baz@bendel>
Mar  3 21:19:21 <hostname> fetchmail[11625]: reading message <user>@some-smtp-server:1 of 1 (5760 header octets) (2476 body octets) flushed
Mar  3 21:19:21 <hostname> postfix/qmgr[380]: E453D6C0C1: from=<bounce-debian-devel-changes=email-address=axis.com@lists.debian.org>, size=8510, nrcpt=1 (queue active)
Mar  3 21:19:21 <hostname> postfix/smtpd[30207]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar  3 21:19:21 <hostname> postfix/local[30211]: E453D6C0C1: to=<<user>@<hostname>.se.axis.com>, relay=local, delay=0.53, delays=0.15/0.01/0/0.38, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Mar  3 21:19:21 <hostname> postfix/qmgr[380]: E453D6C0C1: removed

Messages like:

Mar  3 21:19:21 <hostname> postfix/smtpd[30207]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

show up in my logcheck mails.  No others.  My recipe is to add
something like this:

/etc/logcheck//ignore.d.workstation/local-postfix:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]:[[:blank:]]+disconnect from localhost\[127\.0\.0\.1\] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

logcheck filter.  Comments?


Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (99, 'unstable'), (59, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=, LC_CTYPE= (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Init: sysvinit (via /sbin/init)

Versions of packages postfix depends on:
ii  adduser                3.113+nmu3
ii  cpio                   2.11+dfsg-5
ii  debconf [debconf-2.0]  1.5.58
ii  dpkg                   1.18.4
ii  libc6                  2.21-9
ii  libdb5.3               5.3.28-11
ii  libicu55               55.1-7
ii  libsasl2-2             2.1.26.dfsg1-14+b1
ii  libsqlite3-0           3.10.2-1
ii  libssl1.0.2            1.0.2f-2
ii  lsb-base               9.20160110
ii  netbase                5.3
ii  ssl-cert               1.0.37

Versions of packages postfix recommends:
ii  python3  3.5.1-2

Versions of packages postfix suggests:
pn  dovecot-common               <none>
ii  emacs23-lucid [mail-reader]  23.4+1-4.1+b1
ii  emacs24-lucid [mail-reader]  24.5+1-6+b1
ii  icedove [mail-reader]        38.6.0-1
ii  kmail [mail-reader]          4:4.14.10-2
ii  libsasl2-modules             2.1.26.dfsg1-14+b1
ii  mutt [mail-reader]           1.5.24-1+b1
pn  postfix-cdb                  <none>
ii  postfix-doc                  3.0.4-5
pn  postfix-ldap                 <none>
pn  postfix-mysql                <none>
ii  postfix-pcre                 3.0.4-5
pn  postfix-pgsql                <none>
ii  procmail                     3.22-25
pn  resolvconf                   <none>
ii  s-nail [mail-reader]         14.8.6-1
pn  sasl2-bin                    <none>
pn  ufw                          <none>

-- debconf information:
  postfix/mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
  postfix/main_cf_conversion_warning: true
  postfix/kernel_version_warning:
  postfix/retry_upgrade_warning:
* postfix/dynamicmaps_conversion_warning: true
  postfix/root_address:
  postfix/chattr: false
  postfix/sqlite_warning:
* postfix/main_mailer_type: No configuration
  postfix/procmail:
  postfix/recipient_delim: +
  postfix/not_configured:
  postfix/destinations:
  postfix/rfc1035_violation: false
  postfix/relayhost:
  postfix/tlsmgr_upgrade_warning:
  postfix/relay_restrictions_warning:
  postfix/mailname: /etc/mailname
  postfix/bad_recipient_delimiter:
  postfix/mydomain_warning:
  postfix/protocols:
  postfix/mailbox_limit: 0


Cheers,

--
Cristian



Bug reassigned from package 'postfix' to 'logcheck-database'. Request was from LaMont Jones <[email protected]> to [email protected]. (Fri, 04 Mar 2016 18:54:15 GMT)


No longer marked as found in versions postfix/3.0.4-5. Request was from LaMont Jones <[email protected]> to [email protected]. (Fri, 04 Mar 2016 18:54:16 GMT)


Information forwarded to [email protected], Debian logcheck Team <[email protected]>:
Bug#816685; Package logcheck-database. (Thu, 09 Nov 2017 10:00:03 GMT)


Acknowledgement sent to Václav Ovsík <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian logcheck Team <[email protected]>. (Thu, 09 Nov 2017 10:00:03 GMT)


Message #14 received at [email protected]:

From: Václav Ovsík <[email protected]>
To: [email protected]
Cc: Cristian Ionescu-Idbohrn <[email protected]>
Subject: postfix disconnect matching rule
Date: Thu, 9 Nov 2017 10:57:50 +0100
Hi,
I just solved this, because my servers have received disconnect messages
too.

  rt:/etc/logcheck/ignore.d.server# cat postfix-local
  ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: (dis)?connect from

It is a simple modification of an original rule of the postfix rules file.

  rt:/etc/logcheck/ignore.d.server# fgrep 'connect from' postfix*
  postfix:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: (dis)?connect from [^[:space:]]+$
  postfix-local:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: (dis)?connect from

Simply removing
    [^[:space:]]+$
from the end of the original rule solves the problem with spaces.
Maybe logcheck practice is to match the whole line every time, then
    .*$
can be appropriate. But I think it is needless.
-- 
Zito
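
Added example, not part of the original messages: a check of which lines each rule quoted above would still leave in a logcheck mail, assuming rules are applied as `grep -E` patterns. The sample lines, the host name `mx1`, the `auth=0/5` session and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in the Postfix 3.x format quoted in this report.
SAMPLE='Mar  3 21:19:20 mx1 postfix/smtpd[30207]: connect from localhost[127.0.0.1]
Mar  3 21:19:21 mx1 postfix/smtpd[30207]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar  3 21:19:25 mx1 postfix/smtpd[30300]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/5 commands=1/6'

# Rule shipped in ignore.d.server/postfix (from the fgrep output above).
RULE_ORIG='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: (dis)?connect from [^[:space:]]+$'
# Exact-profile rule from the original report (message #5).
RULE_REPORTER='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]:[[:blank:]]+disconnect from localhost\[127\.0\.0\.1\] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5'
# Relaxed rule from postfix-local (message #14): same prefix, no end anchor.
RULE_LOCAL='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: (dis)?connect from'

# Shipped rule plus the reporter's addition, one pattern per line.
RULES_EXACT="$RULE_ORIG
$RULE_REPORTER"

# reported RULES: print the sample lines that no rule ignores,
# i.e. what would still show up in the logcheck mail.
reported() {
    printf '%s\n' "$SAMPLE" | grep -E -v -e "$1"
}

# count_reported RULES: number of lines still reported.
count_reported() {
    reported "$1" | grep -c . || true
}

for name in RULE_ORIG RULES_EXACT RULE_LOCAL; do
    eval "rules=\$$name"
    printf '%s still reports %s line(s)\n' "$name" "$(count_reported "$rules")"
done
```

With the exact-profile rule only the `auth=0/5` session is left in the report; with the prefix rule nothing is.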



Information forwarded to [email protected], Debian logcheck Team <[email protected]>:
Bug#816685; Package logcheck-database. (Sun, 04 Mar 2018 19:51:03 GMT)


Acknowledgement sent to CJ Fearnley <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian logcheck Team <[email protected]>. (Sun, 04 Mar 2018 19:51:03 GMT)


Message #19 received at [email protected]:

From: CJ Fearnley <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: logcheck-database: Patch to fix postfix logcheck
Date: Sun, 04 Mar 2018 14:42:47 -0500
Package: logcheck-database
Version: 1.3.18
Followup-For: Bug #816685

Dear Maintainer,

Logcheck was sending postfix disconnects which should not be flagged
as issues. Investigation shows (as previous reporters have confirmed)
that the log output has changed.

This patch for /etc/logcheck/ignore.d.server/postfix appears to fix
the problem. Though I cannot be sure that I missed one of the obscure
SMTP commands that postfix supports. Perhaps someone can look into the
postfix code to determine if more commands need to be added to this
improved regex.

--- postfix	2018-03-04 13:50:44.877543168 -0500
+++ /etc/logcheck/ignore.d.server/postfix	2018-03-04 14:35:24.378710297 -0500
@@ -97,7 +97,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: (NOQUEUE|[[:xdigit:]]+): reject: (HE|EH)LO from [^[:space:]]+\[[[:digit:].]{7,15}\]: [45][[:digit:]]{2}( [45](\.[[:digit:]]){2})? <[^[:space:]]*>: Helo command rejected: .+; proto=E?SMTP helo=<[^[:space:]]+>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: (NOQUEUE|[[:xdigit:]]+): reject: [[:upper:]]+ from [^[:space:]]+: 550( 5\.1\.[01])? <[^[:space:]]*>: (Sender|Recipient) address rejected: User unknown in ((local|relay) recipient|virtual alias) table;( from=<[^[:space:]]*> to=<[^[:space:]]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: (NOQUEUE|[[:xdigit:]]+): reject: [[:upper:]]+ from [^[:space:]]+: 450( 4\.1\.8)? <[^>]*>: Sender address rejected: Domain not found;( from=<[^>]*> to=<[^[:space:]]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: (dis)?connect from [^[:space:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: (dis)?connect from [^[:space:]]+(|( ((eh|he)lo|mail|rcpt|data|rset|noop|etrn|auth|starttls|unknown|quit)=[0-9]+(/[0-9]+)?)* commands=[0-9]+(/[0-9]+)?)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: NOQUEUE: discard: RCPT from [^[:space:]]+: <[^[:space:]]*>: .+; from=[^[:space:]]+ to=[^[:space:]]+ proto=E?SMTP helo=<[^[:space:]]+>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: NOQUEUE: milter-reject: MAIL from [-._[:alnum:]]+\[[.[:digit:]]+\]: 451 4\.(7\.1 Service unavailable|3\.2 AV system temporarily overloaded) - (please )?try (again )?later; proto=E?SMTP helo=<[^[:space:]]+>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: NOQUEUE: milter-reject: MAIL from [^[:space:]]+: .+; from=[^[:space:]]+ proto=E?SMTP helo=<[^[:space:]]+>$
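
Review bot: In the `+` line the alternation includes `auth` and `unknown`, and every counter accepts the optional `(/[0-9]+)?` suffix, so a disconnect summary carrying `auth=0/5` is ignored exactly like one carrying `quit=1`. Postfix writes the `n/m` form when not every command of that type succeeded, so consider not accepting the `/m` suffix for `auth` (or leaving `auth` and `unknown` out of the list) so that sessions with failed or unrecognised commands stay in the report. The command list is also hard-coded, so any name not enumerated falls through and is reported again; if that is not wanted, a generic `[a-z]+=` would cover it at the cost of the point above. For consistency with the neighbouring rules, `[0-9]` could be `[[:digit:]]`, and the empty alternative `(|...)` could be written as `(...)?`.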

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-5-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Changed Bug title to 'postfix rules - multiple' from 'postfix: logcheck (maybe something else)'. Request was from Richard Lewis <[email protected]> to [email protected]. (Tue, 28 May 2024 23:06:12 GMT)



Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 09:13:09 2025; Machine Name: buxtehude
