[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-dev] Re: Postfix rules

To: ossec-dev@xxxxxxxxxxxxxxxx, "Trey Valenta" <t@xxxxxxxx>
Subject: [ossec-dev] Re: Postfix rules
From: "Daniel Cid" <dcid@xxxxxxxxx>
Date: Sun, 16 Sep 2007 23:57:28 -0300
Authentication-results: mx.google.com; spf=pass (google.com: domain of dcid@xxxxxxxxx designates 64.233.182.188 as permitted sender) smtp.mail=dcid@xxxxxxxxx

Hi Trey,

I was looking for logs on how postfix handles internal lack of space
and it seems that
the following samples apply:

Sep  4 01:14:35 vector postfix/smtpd[15337]: NOQUEUE: reject: MAIL
from 89.pool85-60-78.dynamic.orange.es[85.60.78.89]: 452 4.3.1
Insufficient system storage; proto=ESMTP
helo=<89.pool85-60-78.dynamic.orange.es>
Sep  4 02:24:39 vector postfix/smtpd[16863]: NOQUEUE: reject: MAIL
from 217-133-56-239.b2b.tiscali.it[217.133.56.239]: 452 4.3.1
Insufficient system storage; proto=ESMTP
helo=<217-133-56-239.b2b.tiscali.it>
Jun 29 17:28:38 linuxserver postfix/smtpd[27712]: NOQUEUE: reject:
MAIL from localhost[127.0.0.1]: 452 Insufficient system storage;
proto=ESMTP helo=<localhost>

Maybe changing the rule to:

  <rule id="3331" level="10" ignore="120">
    <if_sid>3300</if_sid>
    <id>^452</id>
    <description>Postfix insufficient disk space error.</description>
    <group>service_availability,</group>
  </rule>

And the decoder to:

<decoder name="postfix-reject">
  <use_own_name>true</use_own_name>
  <parent>postfix</parent>
  <prematch>^NOQUEUE: reject: \w\w\w\w from </prematch>
  <regex offset="after_prematch">[(\d+.\d+.\d+.\d+)]: (\d+) </regex>
  <order>srcip,id</order>
</decoder>


Should fix it. I will run some more tests later to verify...


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


On 9/14/07, Trey Valenta <t@xxxxxxxx> wrote:
>
> I'm running ossec with postfix_rules.xml,v 1.15
> 2007/07/19 23:49:56 dcid Exp $. Rule 3331 (insufficient system storage)
> triggers when the destination relay reports a deferred error. I'd like
> modify this rule and alert only if my server is out of space. Can anyone
> suggest how to make this change? Does anyone have a sample error message
> from a managed mail server with insufficient space?
>
> Thanks,
> Trey Valenta
>
>
> Received From: smtp1.foo.com->/var/log/mail.info
> Rule: 3331 fired (level 10) -> "Postfix disk space error."
> Portion of the log(s):
>
> Sep 14 00:47:41 smtp1.foo.com postfix/smtp[83540]: 885B927AS2:
> to=<user@xxxxxxxx>, relay=smtp.foo.jp[123.123.123.123],
> delay=10674, status=deferred (host smtp.foo.jp[123.123.123.123]
> said: 452 insufficient system storage)
>
>
>
> --
> <t(Trey)@(Valenta)trey.net> Seattle, Wash.
> Are you pondering what I'm pondering?
> Well, I think so Brain, but what if we stick to the seat covers?
>

References:
- [ossec-dev] Postfix rules
  - From: Trey Valenta

Prev by Date: [ossec-dev] Ossec as a prelude analyzer patch
Next by Date: [ossec-dev] [Bug 74] New: Deal with help option
Previous by thread: [ossec-dev] Postfix rules
Next by thread: [ossec-dev] Ossec as a prelude analyzer patch
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.