[AusNOG] Data Retention - are you kidding me??

David Beveridge dave at bevhost.com
Mon Nov 28 14:16:37 EST 2016


I recommend that instead of using the optional header "Subject", you
use a header that will always exist.
e.g.

/^Received:/ WARN

On Tue, Nov 22, 2016 at 1:31 PM, <russell at central-data.net> wrote:

> Another option, in my case with Postfix: you can modify the config so you get one
> nice line in the logs, which makes it very easy to search and pull out
> reports.
>
> In postfix.conf add
> header_checks = regexp:/etc/postfix/header_checks
>
> in header_checks add
> /^Subject:/      WARN
>
> This will put a single line in your logs like the following
>
> warning: header Subject: "Subject line"[src ip addr]; from=<
> src at address.com> to=<dst at address.com> proto=ESMTP helo=<src server>
>
> Kind Regards,
>
> Russell Brooks
>
>
> Central Data Systems Pty Ltd
> 88 Havelock Street, West Perth, WA 6005
> Phone: 08 9481 4010
>
> www.central-data.net
>
> ----- Original Message -----
> From: "Ross Wheeler" <ausnog at rossw.net>
> To: "Mike O'Connor" <mike at pineview.net>
> Cc: "<ausnog at lists.ausnog.net>" <ausnog at lists.ausnog.net>
> Sent: Tuesday, November 22, 2016 10:46:41 AM
> Subject: Re: [AusNOG] Data Retention - are you kidding me??
>
> On Tue, 22 Nov 2016, Mike O'Connor wrote:
>
> > On 17/11/2016 10:28 AM, Ross Wheeler wrote:
>
> > My problem is I have no idea how I would filter the results to just one
> > customer say in the case of mail logs. I was looking at the output of our
> > mail server and the details are split over a number of lines and in most
> > cases the information is not there.
>
> Certainly in the case of sendmail (and I suspect most MTAs), it would
> require a small amount of scripting - but still easy enough to achieve.
>
> An example:
>
> # grep mike at pineview.net /var/log/maillog
>
> Nov 22 12:55:45 ali-syd-1 sm-mta[76593]: uAM1tibu076593:
>     from=<mike at pineview.net>, size=1534, class=0, nrcpts=1,
>     msgid=<dccb7790-48e1-fccd-0b44-776623461f1e at pineview.net>,
>     bodytype=8BITMIME, proto=ESMTP, daemon=IPv4, relay=mail.pineview.net
>     [203.33.246.11]
>
> The "uAM1tibu076593" identifier is unique for this transaction.
> A second pass will find all the lines for this transaction, including
> lines that didn't contain the original search term (mike@)
>
>
> # grep uAM1tibu076593 /var/log/maillog
>
> Nov 22 12:55:45 ali-syd-1 milter-greylist: uAM1tibu076593: skipping
>     greylist because recipient <ausnog at rossw.net> is whitelisted,
>     (from=<mike at pineview.net>, rcpt=<ausnog at rossw.net>,
>     addr=mail.pineview.net[203.33.246.11])
>
> Nov 22 12:55:45 ali-syd-1 sm-mta[76593]: uAM1tibu076593:
>     from=<mike at pineview.net>, size=1534, class=0, nrcpts=1,
>     msgid=<dccb7790-48e1-fccd-0b44-776623461f1e at pineview.net>,
>     bodytype=8BITMIME, proto=ESMTP, daemon=IPv4, relay=mail.pineview.net
>     [203.33.246.11]
>
> Nov 22 12:55:45 ali-syd-1 sm-mta[76593]: uAM1tibu076593: Milter add:
>     header: X-Greylist: Recipient e-mail whitelisted, not delayed by
>     milter-greylist-3.0 (mail.albury.net.au [202.3.36.15]); Tue, 22 Nov
>     2016 12:55:45 +1100 (EST)
>
> Nov 22 12:55:45 ali-syd-1 sm-mta[76724]: uAM1tibu076593:
>     to=*******,*******, delay=00:00:00, xdelay=00:00:00, mailer=local,
>     pri=61930, relay=local, dsn=2.0.0, stat=Sent
>
> The process of finding all the unique IDs for mail to or from a given user
> is quite straightforward using CLI tools available on every system I know
> of that you're likely to be running a mail server on :)
>
> Eg, a totally brute-force and ugly version:
>
> for id in `grep "whoever at example.com" /var/log/maillog|awk '{print $6}'|sort|uniq`; do grep $id /var/log/maillog; done
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
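A worked version of the two-pass lookup Ross describes above, added here as an example (it is not code from any of the posts). The sample log lines are constructed in the quoted sendmail format with placeholder hosts, addresses and 192.0.2.x IPs; the script strips the trailing colon that field 6 carries and matches each bare `ID:` as a fixed string in the second pass, so greylist and delivery-status lines that never mention the address are still collected.

```shell
#!/bin/sh
# Added example: two-pass lookup of every maillog line belonging to any
# sendmail transaction that touched a given address. The sample lines are
# constructed (not real traffic) in the format quoted in the thread.
MAILLOG=$(mktemp)
cat > "$MAILLOG" <<'EOF'
Nov 22 12:55:45 mx1 sm-mta[76593]: uAM1tibu076593: from=<alice@example.net>, size=1534, class=0, nrcpts=1, proto=ESMTP, relay=mail.example.net [192.0.2.10]
Nov 22 12:55:45 mx1 milter-greylist: uAM1tibu076593: skipping greylist because recipient <ops@example.org> is whitelisted
Nov 22 12:55:45 mx1 sm-mta[76724]: uAM1tibu076593: to=<ops@example.org>, delay=00:00:00, mailer=local, dsn=2.0.0, stat=Sent
Nov 22 13:01:02 mx1 sm-mta[76800]: uAM21Bcd076800: from=<bob@example.com>, size=900, class=0, nrcpts=1, proto=ESMTP, relay=mx.example.com [192.0.2.20]
Nov 22 13:01:02 mx1 sm-mta[76801]: uAM21Bcd076800: to=<alice@example.net>, delay=00:00:01, mailer=esmtp, dsn=2.0.0, stat=Sent
Nov 22 13:05:00 mx1 sm-mta[76900]: uAM25Xyz076900: from=<carol@example.org>, size=100, class=0, nrcpts=1, proto=ESMTP, relay=mx.example.org [192.0.2.30]
EOF

# Pass 1: unique transaction IDs on lines that mention the address.
# In this format the ID is field 6 and carries a trailing colon, which is
# stripped so callers get the bare ID. grep -F takes the address literally,
# so the dots in it are not treated as regex wildcards.
mail_ids() {   # usage: mail_ids ADDRESS LOGFILE
    grep -F -- "$1" "$2" | awk '{ sub(/:$/, "", $6); print $6 }' | sort -u
}

# Pass 2: every line of those transactions, in log order, including lines
# that never mention the address (greylist, delivery status). Matching on
# "ID:" as a fixed string avoids partial matches and regex surprises.
# Returns 1 when the address appears nowhere in the log.
mail_transactions() {   # usage: mail_transactions ADDRESS LOGFILE
    ids=$(mail_ids "$1" "$2")
    [ -n "$ids" ] || return 1
    printf '%s:\n' $ids | grep -F -f - -- "$2"
}

# Demo: all lines for every transaction involving the address given as $1.
mail_transactions "${1:-alice@example.net}" "$MAILLOG"
```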