logcheck ignore and violation rules are not matching on alternate policy banks

Bug #862416 reported by Simon Déziel on 2011-09-29
This bug affects 1 person
Affects: amavisd-new (Ubuntu)
Importance: Low
Assigned to: Unassigned

Bug Description

The logcheck ignore and violation rules work well when using only the default policy bank, but they fail to match alternate policy banks' log messages. Here is an example of one log that should have matched (but didn't):

Sep 29 00:02:10 www amavis[25415]: (25415-05) Passed CLEAN, DKIM LOCAL [172.16.22.1] [172.16.22.1] <email address hidden> -> <email address hidden>, Message-ID: <email address hidden>, mail_id: izycyafCDlfx, Hits: -8.404, size: 1648, queued_as: 8C34C5EDC, 3942 ms

Here the problematic fields are the "DKIM" and the "LOCAL" that indicate the message was handled by the "DKIM" policy bank and originated from a local network.

This at least affects Lucid's and Natty's amavisd-new packages.

Simon Déziel (sdeziel) wrote :

What I would suggest is to replace this ignore rule (and all other similar ones):

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed CLEAN,( \[[.:[:xdigit:]]+\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*, Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: (-[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$

with :

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed CLEAN,( [-[:alnum:]]+)?( LOCAL)?( \[[.:[:xdigit:]]+\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*, Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: (-[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$

Dave Walker (davewalker) wrote :

@Simon, thanks for the bug report. Please could you expand on the impact of this bug, what issues it causes?

Thanks.

Changed in amavisd-new (Ubuntu):
status: New → Incomplete
importance: Undecided → Low
Simon Déziel (sdeziel) wrote :

@Dave

I just noticed that my diff in comment #1 does not match all cases as it does not catch IPv6 addresses.

There are more problems than simply the policy bank name appearing in the logs. Here are all the cases that make logcheck report noise (fail to silence the log messages as they no longer match the ignore rules) :

* properly configured trusted/internal networks in spamassassin: this is responsible for the "LOCAL" string in the logs
* alternate policy banks in amavis: this is responsible for the "DKIM" in my example, but that can be any string
* IPv6 delivery: adds the "IPv6:" prefix in front of the addresses

I agree with you that the importance is low as this simply implies more noise in logcheck reports. I'd like to see this fixed though so I've attached 2 diffs that should take care of all the above.
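
The two rules from comment #1, checked against the log line from the bug description and two constructed lines (a default-bank line and an IPv6 line using the documentation address 2001:db8::1). This is an added example, not part of the bug report or its attached diffs; it assumes GNU grep -E, and `ignored`, `verdict` and `report` are hypothetical helper names.

```shell
#!/bin/sh
# Rules copied from comment #1, split at the only place where they differ.
HEAD='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed CLEAN,'
TAIL='( \[[.:[:xdigit:]]+\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*, Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: (-[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$'
OLD_RULE="${HEAD}${TAIL}"
NEW_RULE="${HEAD}( [-[:alnum:]]+)?( LOCAL)?${TAIL}"   # optional bank name, optional LOCAL

# Sample lines share everything except the fields after "Passed CLEAN,".
PRE='Sep 29 00:02:10 www amavis[25415]: (25415-05) Passed CLEAN,'
POST=' <email address hidden> -> <email address hidden>, Message-ID: <email address hidden>, mail_id: izycyafCDlfx, Hits: -8.404, size: 1648, queued_as: 8C34C5EDC, 3942 ms'
LINE_BANK="${PRE} DKIM LOCAL [172.16.22.1] [172.16.22.1]${POST}"            # line from the report
LINE_DEFAULT="${PRE} [172.16.22.1] [172.16.22.1]${POST}"                    # constructed: default bank
LINE_IPV6="${PRE} DKIM LOCAL [IPv6:2001:db8::1] [IPv6:2001:db8::1]${POST}"  # constructed: IPv6 prefix

# ignored RULE LINE: succeeds when the ignore rule matches, i.e. the line
# would be filtered out of the logcheck report.
ignored() {
    printf '%s\n' "$2" | LC_ALL=C grep -Eq -e "$1"
}

# verdict RULE LINE: prints "ignored" or "REPORTED" (the line shows up as noise).
verdict() {
    if ignored "$1" "$2"; then echo ignored; else echo REPORTED; fi
}

# report: one row per sample line, old rule next to the proposed rule.
report() {
    for name in BANK DEFAULT IPV6; do
        eval "line=\$LINE_$name"
        printf '%-8s old=%-9s new=%s\n' "$name" \
            "$(verdict "$OLD_RULE" "$line")" "$(verdict "$NEW_RULE" "$line")"
    done
}

report
```

The IPV6 row stays REPORTED under both rules because the bracketed address class `[.:[:xdigit:]]+` has no room for the "IPv6:" prefix, which is the gap comment #3 points out in the rule from comment #1.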

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "logcheck ignore.d.server diff" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch, you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of ubuntu-sponsors, please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

[Expired for amavisd-new (Ubuntu) because there has been no activity for 60 days.]

Changed in amavisd-new (Ubuntu):
status: Incomplete → Expired
Simon Déziel (sdeziel) wrote :

Setting back to "New" as I think that my comment #3 addresses the request of Dave in comment #2.

Changed in amavisd-new (Ubuntu):
status: Expired → New