LinuxQuestions.org
Old 04-11-2006, 03:12 PM   #1
vrillusions
logcheck not filtering out postfix/policy-spf lines


I'm really stumped on this. I've set up plenty of other custom rules for logcheck and they are all working fine, but for some reason it will not filter out 'postfix/policy-spf' lines, even if I add ^.*$ to match everything. Here are some sample lines (I X'd out some of the info):
Code:
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: : SPF neutral: smtp_comment=Please see http://spf.pobox.com/why.html?sender=XXXXXXXX%40ktpmail.every1.net&ip=67.98.183.15&receiver=rikku.vrillusions.com, header_comment=rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXX@ktpmail.every1.net
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: handler sender_permitted_from: PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXXXX@ktpmail.every1.net)
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: handler sender_permitted_from: PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXX@ktpmail.every1.net) is decisive.
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: decided action=PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXX@ktpmail.every1.net)
Apr 11 13:16:44 rikku postfix/policy-spf[19106]: : SPF neutral: smtp_comment=Please see http://spf.pobox.com/why.html?sender=XXXXXX%40ktpmail.every1.net&ip=67.98.183.15&receiver=rikku.vrillusions.com, header_comment=rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXX@ktpmail.every1.net
Apr 11 13:16:44 rikku postfix/policy-spf[19106]: handler sender_permitted_from: PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXX@ktpmail.every1.net)
Apr 11 13:16:44 rikku postfix/policy-spf[19106]: handler sender_permitted_from: PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXX@ktpmail.every1.net) is decisive.
Apr 11 13:16:44 rikku postfix/policy-spf[19106]: decided action=PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXXXXXX@ktpmail.every1.net)
And the rules I currently have setup:
Code:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: handler sender_permitted_from:.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: handler sender_permitted_from: PREPEND Received-SPF: (none|pass|neutral) \(.*\)( is decisive\.|)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: decided action=PREPEND Received-SPF: (none|pass|neutral) \(.*\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: handler testing: DUNNO$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: : SPF (pass|neutral):.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: : testing: stripped sender=.*, stripped rcpt=.*$
I have all my custom rules in /etc/logcheck/ignore.d.server/local and all the other filters work fine. I ran logcheck in debugging mode and didn't see any errors. This is on Debian 3.1 stable. Logcheck is v1.2.39.

I did some searching on Google and there was a bug report on it (keep going to the next in thread to see it) that the person solved by reinstalling logcheck. I tried that, doing both a regular remove and remove --purge, and that didn't fix it. I've even tried simply ^.*postfix/policy-spf.*$, which works if I use egrep, but logcheck doesn't filter them out. Does anyone know how to display all characters in a file (carriage returns, spaces, line breaks, etc.)? Maybe there's some weird line ending or something that logcheck doesn't understand.
 
Old 04-12-2006, 11:33 AM   #2
vrillusions
D'oh, figured it out. Those were showing up in logcheck as security events. So a quick look at the man page revealed that there is a violations.d/ directory. If something matches that list (view the logcheck file and you'll notice it's rather vague) it will show up unless it's filtered in the violations.ignore.d/ directory somewhere. One of the lines in violations.d/logcheck is 'permitted'. Notice how those lines have sender_permitted_from? So logcheck saw the "permitted" and flagged it as a security log message. So I just copied the rules over to a file called /etc/logcheck/violations.ignore.d/local and it works fine now.
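A model of the rule layering the poster discovered, added here as an example; it is not code from the thread or from logcheck itself. It assumes logcheck's documented layering (violations.d patterns select the security-events section, which only violations.ignore.d can suppress, while ignore.d.* only affects the remaining lines), uses a constructed stand-in for the violations.d/logcheck keyword list, and rewrites the poster's egrep rules in Python syntax because Python's re module has no POSIX [:alnum:] class. Running it shows the four policy-spf lines still reported as security events while the rules sit only in ignore.d.server, and gone once the same rules are also present in violations.ignore.d.

```python
import re
from collections import namedtuple

# Constructed sample log, modelled on the lines quoted in post #1 (addresses replaced
# with documentation values). Every policy-spf line contains the word "permitted".
SAMPLE_LOG = [
    "Apr 11 13:16:42 rikku postfix/policy-spf[19106]: : SPF neutral: smtp_comment=Please see "
    "http://spf.pobox.com/why.html?sender=user%40example.net&ip=192.0.2.15&receiver=rikku.vrillusions.com, "
    "header_comment=rikku.vrillusions.com: 192.0.2.15 is neither permitted nor denied by domain of user@example.net",
    "Apr 11 13:16:42 rikku postfix/policy-spf[19106]: handler sender_permitted_from: PREPEND Received-SPF: "
    "neutral (rikku.vrillusions.com: 192.0.2.15 is neither permitted nor denied by domain of user@example.net)",
    "Apr 11 13:16:42 rikku postfix/policy-spf[19106]: handler sender_permitted_from: PREPEND Received-SPF: "
    "neutral (rikku.vrillusions.com: 192.0.2.15 is neither permitted nor denied by domain of user@example.net) is decisive.",
    "Apr 11 13:16:42 rikku postfix/policy-spf[19106]: decided action=PREPEND Received-SPF: "
    "neutral (rikku.vrillusions.com: 192.0.2.15 is neither permitted nor denied by domain of user@example.net)",
    # One unrelated line (constructed) that no rule covers: it must stay in the report.
    "Apr 11 13:16:45 rikku postfix/smtpd[19100]: connect from unknown[192.0.2.10]",
]

# The thread's rules are egrep syntax; Python's re lacks POSIX [:alnum:], so the
# hostname class [._[:alnum:]-]+ is written as [\w.-]+ here. Matching is otherwise the same.
PREFIX = r"^\w{3} [ :0-9]{11} [\w.-]+ postfix/policy-spf\[[0-9]+\]: "
POLICY_SPF_RULES = [
    PREFIX + r"handler sender_permitted_from:.*$",
    PREFIX + r"decided action=PREPEND Received-SPF: (none|pass|neutral) \(.*\)$",
    PREFIX + r": SPF (pass|neutral):.*$",
]

# Constructed stand-in for Debian's violations.d/logcheck keyword list (the real file is
# longer). "permitted" is the keyword the thread found responsible.
VIOLATION_KEYWORDS = ["permitted", "denied", "refused", "ILLEGAL"]

Report = namedtuple("Report", ["security_events", "system_events"])


def _matches_any(line, patterns):
    """True if any pattern matches the line (egrep -f semantics: unanchored search)."""
    return any(re.search(p, line) for p in patterns)


def claiming_pattern(line, violations):
    """Return the first violations.d pattern that claims the line, or None.

    This is the diagnostic the poster did by hand: find which vague keyword
    turned an ordinary line into a 'security event'.
    """
    for p in violations:
        if re.search(p, line):
            return p
    return None


def logcheck_report(lines, violations, violations_ignore, ignore):
    """Simplified model of logcheck's layering (assumed from logcheck(8), not its code).

    - violations.d patterns select the 'Security Events' section; only a
      violations.ignore.d pattern can suppress a line from it.
    - ignore.d.* patterns suppress lines from the 'System Events' section only.
    The two sections are computed independently and not deduplicated.
    """
    security = [l for l in lines
                if _matches_any(l, violations) and not _matches_any(l, violations_ignore)]
    system = [l for l in lines if not _matches_any(l, ignore)]
    return Report(security, system)


def before_and_after():
    """The poster's situation (rules only in ignore.d.server) versus the fix
    (the same rules also present in violations.ignore.d)."""
    before = logcheck_report(SAMPLE_LOG, VIOLATION_KEYWORDS,
                             violations_ignore=[], ignore=POLICY_SPF_RULES)
    after = logcheck_report(SAMPLE_LOG, VIOLATION_KEYWORDS,
                            violations_ignore=POLICY_SPF_RULES, ignore=POLICY_SPF_RULES)
    return before, after


if __name__ == "__main__":
    before, after = before_and_after()
    print("rules only in ignore.d.server:     %d security events, %d system events"
          % (len(before.security_events), len(before.system_events)))
    print("rules also in violations.ignore.d: %d security events, %d system events"
          % (len(after.security_events), len(after.system_events)))
    print("keyword that claimed line 2:", claiming_pattern(SAMPLE_LOG[1], VIOLATION_KEYWORDS))
```

claiming_pattern() is the check worth running before adding a rule: it tells you which violations.d entry is catching the line, and therefore whether the ignore rule belongs in ignore.d.server or in violations.ignore.d. For the other question in post #1, GNU `cat -A` (the same as `cat -vET`) prints every byte visibly, marking line ends with `$` and tabs with `^I`, which is the quick way to rule out odd line endings.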