Bug 812883 - dovecot spam (as mail-proxy)
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: logwatch
16
Unspecified Unspecified
unspecified Severity unspecified
Assigned To: Jan Synacek
Fedora Extras Quality Assurance
Reported: 2012-04-16 09:28 EDT by Harald Reindl
Modified: 2012-06-20 04:46 EDT (History)
Fixed In Version: logwatch-7.4.0-12.20120229svn100.fc16
Doc Type: Bug Fix
Last Closed: 2012-05-19 02:58:48 EDT
Type: Bug
Attachments
improved patch (2.88 KB, patch)
2012-05-18 20:41 EDT, Harald Reindl

Description Harald Reindl 2012-04-16 09:28:13 EDT
since years now we get thousands of such messages each day for "imap-login" and "pop3-login" - the problem is that logwatch creates its own line for each client-ip and user, and if your clients are using mobile devices they are changing their ip multiple times each hour

in other words: logwatch is useless for dovecot

_____________________

 **Unmatched Entries**

    dovecot: imap-login: proxy(h.reindl@thelounge.net): started proxying to 127.0.0.1:143: user=<h.reindl@thelounge.net>, method=CRAM-MD5, rip=10.0.0.241, lip=10.0.0.15, TLS: 30 Time(s)
    dovecot: imap-login: proxy(h.reindl@thelounge.net): started proxying to 127.0.0.1:143: user=<h.reindl@thelounge.net>, method=PLAIN, rip=10.0.0.241, lip=10.0.0.15, TLS: 177 Time(s)
Comment 1 Fedora Update System 2012-05-04 04:03:51 EDT
logwatch-7.4.0-11.20120229svn100.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/logwatch-7.4.0-11.20120229svn100.fc17
Comment 2 Harald Reindl 2012-05-04 07:30:52 EDT
wonderful - this looks so much better
i rolled out "logwatch-7.4.0-12.20120229svn100.fc16.20120504.rh.noarch"

"attempts in X secs" should possibly be a summary counter

the one unmatched could be interesting - usually it is a sign that the backend server had a problem and there is no need to see in logwatch for what user, this can be better done with grep on the maillog after getting the warning in logwatch

it made me crazy since 2009 (my first mailserver) to get practically the whole dovecot log per mail, which is not really a summary and not helpful :-)

--------------------- Dovecot Begin ------------------------ 

 Dovecot disconnects:
    Inactivity (internal failure, 1 succesful auths): 1 Time(s)
    Inactivity (no auth attempts in 180 secs): 2 Time(s)
    Inactivity during authentication (client didn't finish SASL auth, waited 178 secs): 1 Time(s)
    Too many invalid commands (no auth attempts in 0 secs): 1 Time(s)
    auth failed, 1 attempts in 2 secs: 16 Time(s)
    auth failed, 1 attempts in 3 secs: 1 Time(s)
    auth failed, 1 attempts in 5 secs: 1 Time(s)
    auth failed, 1 attempts in 9 secs: 1 Time(s)
    client didn't finish SASL auth, waited 0 secs: 3 Time(s)
    client didn't finish SASL auth, waited 1 secs: 5 Time(s)
    no auth attempts in 0 secs: 20 Time(s)
    no auth attempts in 1 secs: 3 Time(s)
    no auth attempts in 28 secs: 1 Time(s)
    no auth attempts in 29 secs: 1 Time(s)
    no auth attempts in 40 secs: 8 Time(s)
    no auth attempts in 41 secs: 2 Time(s)
    no auth attempts in 44 secs: 1 Time(s)
    no auth attempts in 46 secs: 4 Time(s)
    no auth attempts in 5 secs: 3 Time(s)
    no auth attempts in 59 secs: 2 Time(s)
    no auth attempts in 6 secs: 1 Time(s)
    no auth attempts in 60 secs: 1 Time(s)
    no auth attempts in 61 secs: 2 Time(s)
    no auth attempts in 78 secs: 1 Time(s)
    no auth attempts in 9 secs: 1 Time(s)
 
 **Unmatched Entries**
    dovecot: imap-login: Error: proxy(*****@thelounge.net): connect(127.0.0.1, 143) failed: Connection refused (after 0 secs): 1 Time(s)
 
 ---------------------- Dovecot End -------------------------
Comment 3 Fedora Update System 2012-05-09 04:26:21 EDT
logwatch-7.4.0-12.20120229svn100.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/logwatch-7.4.0-12.20120229svn100.fc16
Comment 4 Fedora Update System 2012-05-10 10:16:20 EDT
Package logwatch-7.4.0-12.20120229svn100.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing logwatch-7.4.0-12.20120229svn100.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-7541/logwatch-7.4.0-12.20120229svn100.fc16
then log in and leave karma (feedback).
Comment 5 Harald Reindl 2012-05-18 20:41:40 EDT
Created attachment 585518
improved patch

can you please replace with the attached patch

removed "lip" because even without it is "unique enough" and
in dovecot 2.1.6 a new column "session" was added resulting
even on 23" screens in a line break while "tail -f"

so i configured "login_log_format_elements = user=<%u> method=%m rip=%r %c" to get also rid of the local-ip which will never change and spam came back
Comment 6 Fedora Update System 2012-05-19 02:58:48 EDT
logwatch-7.4.0-12.20120229svn100.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2012-05-26 03:03:14 EDT
logwatch-7.4.0-11.20120229svn100.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Harald Reindl 2012-06-20 04:46:01 EDT
oh no, svn110 removes the dovecot-proxy patch and does not 
fix the wrong behavior in my comment 5 
_____________


logwatch-7.4.0-13.20120619svn110.fc17.noarch

dovecot: imap-login: proxy(rhsoft@test.rh): started proxying to 127.0.0.1:20143: user=<rhsoft@test.rh>, method=CRAM-MD5, rip=192.168.2.2, TLS: 8 Time(s)

this means nearly the complete logfile on production servers with mobile-clients
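
The aggregation requested in this report, as an added example that is not part of the bug thread and is not the logwatch patch attached to it: proxy logins are collapsed to service, user, method and TLS, while `rip` only feeds a per-key set, so changing client addresses no longer multiply report lines but the number of distinct addresses per account stays visible. The sample lines, the function name `summarize` and the output wording are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the formats quoted in this report (with and without lip=).
SAMPLE = [
    "dovecot: imap-login: proxy(h.reindl@thelounge.net): started proxying to 127.0.0.1:143: "
    "user=<h.reindl@thelounge.net>, method=CRAM-MD5, rip=10.0.0.241, lip=10.0.0.15, TLS",
    "dovecot: imap-login: proxy(h.reindl@thelounge.net): started proxying to 127.0.0.1:143: "
    "user=<h.reindl@thelounge.net>, method=CRAM-MD5, rip=10.0.0.242, lip=10.0.0.15, TLS",
    "dovecot: imap-login: proxy(h.reindl@thelounge.net): started proxying to 127.0.0.1:143: "
    "user=<h.reindl@thelounge.net>, method=PLAIN, rip=10.0.0.241, lip=10.0.0.15, TLS",
    "dovecot: imap-login: proxy(rhsoft@test.rh): started proxying to 127.0.0.1:20143: "
    "user=<rhsoft@test.rh>, method=CRAM-MD5, rip=192.168.2.2, TLS",
    "dovecot: imap-login: Error: proxy(rhsoft@test.rh): connect(127.0.0.1, 143) failed: "
    "Connection refused (after 0 secs)",
    "dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.0.0.99",
]

PROXY_RE = re.compile(r"dovecot: (?P<svc>\S+): proxy\((?P<user>[^)]*)\): "
                      r"started proxying to (?P<backend>\S+): (?P<fields>.*)$")
FAIL_RE = re.compile(r"dovecot: \S+: Error: proxy\([^)]*\): connect\((?P<host>[^,]+), "
                     r"(?P<port>\d+)\) failed: (?P<why>.+?)(?: \(after \d+ secs\))?$")
FIELD_RE = re.compile(r"(\w+)=<?([^>,\s]+)>?")  # key=value or key=<value>

def summarize(lines):
    """Collapse proxy logins to (service, user, method, tls); rip only feeds a set."""
    logins = defaultdict(lambda: {"count": 0, "rips": set()})
    failures = defaultdict(int)   # backend failures, counted without the user name
    unmatched = []                # anything else stays visible as unmatched
    for line in lines:
        m = PROXY_RE.search(line)
        if m:
            fields = dict(FIELD_RE.findall(m["fields"]))
            tls = re.search(r"\bTLS\b", m["fields"]) is not None
            entry = logins[(m["svc"], m["user"], fields.get("method", "?"), tls)]
            entry["count"] += 1
            entry["rips"].add(fields.get("rip", "?"))
            continue
        m = FAIL_RE.search(line)
        if m:
            failures[(f'{m["host"]}:{m["port"]}', m["why"])] += 1
            continue
        unmatched.append(line)
    return dict(logins), dict(failures), unmatched

if __name__ == "__main__":
    for key, e in sorted(summarize(SAMPLE)[0].items()):
        print(key, e["count"], "Time(s) from", len(e["rips"]), "address(es)")
```
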
