Re: [Exim] Exim 4.3x, FreeBSD 4.9, daily mails & rejectlogs

Pàgina inicial
Delete this message
Reply to this message
Autor: Jez Hancock
Data:  
A: exim-users
Assumpte: Re: [Exim] Exim 4.3x, FreeBSD 4.9, daily mails & rejectlogs
Hi Sander,

On Fri, Apr 09, 2004 at 10:09:27AM +0200, Sander Smeenk wrote:
>
> Each day, FreeBSD mails me the daily checkup mails, which unfortunately
> contains the complete Exim reject-log. And there's my problem. I'd like
> to filter out the tons of rejects on that specific domain. But I can't
> find the place to do just that.


Not precisely what you're after, but I run this script on a daily basis to
have rejection details mailed daily. It's a _very_ rough hack but it
suffices for me.

I seem to remember though that the now exim FreeBSD port maintainer
Oliver Eikemeier produced a daily periodic script for exim - exactly
what it did or where you can find it I don't remember now, perhaps he
will contribute to the thread. This search turns a few results up:

http://marc.theaimsgroup.com/?l=exim-users&w=2&r=1&s=freebsd+periodic&q=b

Anyway my script is below, as I say it's very personalized and very
rough, just food for thought really. I've added some comments as
well... If you come up with anything else I'd be interested to know
about it.

-snip-
#!/bin/sh

LOG_DIR=/var/log/exim
DATE=`date "+%Y%m%d"`

paniclog="$LOG_DIR/panic.$DATE.log"
mainlog="$LOG_DIR/main.$DATE.log"
rejectlog="$LOG_DIR/reject.$DATE.log"

tmpfile=/tmp/$$.mailreport

# I don't use this any more, this was a very dodgy hack!
virus_senders=/usr/local/etc/exim/virus_senders.$DATE

# I don't use this any more, this was a very dodgy hack!
searchlist="
sender verify
rbl
rejected after DATA
rejected HELO
This message contains an unwanted file extension
Bad EHLO/HELO detected
"

# Gives a list of rejected hosts and num times the host was rejected,
# woefully slow and inefficient!
uniq_rejects(){
    echo "Rejected messages by host:"
    grep "rejected after" $rejectlog | sed -e 's,.*H=\([^ ]*\).*,\1,' | sort | uniq -c | sort -n
}


# just to check if anything hit the panic log for the day in question:
check_paniclog(){
    # check if a paniclog exists:
    if [ -f $paniclog ]; then
        echo "Found panic log $paniclog:"
        cat $paniclog
        echo ""
    fi
}


# I don't use this any more, this was a very dodgy hack!
check_searchlist(){
    old_ifs=$IFS
    IFS="
    "


    for search in $searchlist
    do
        grep "$search" $mainlog > $tmpfile


        if [ -s "$tmpfile" ]; then
            echo "$search:"
            cat $tmpfile
            echo
        fi
    done


    rm $tmpfile
}


# I don't use this any more, this was a very dodgy hack!
check_viriisenders(){
    if [ -f $virus_senders ]; then
        echo "Virus senders:"
        cat $virus_senders
    fi
}


# this is the mainstay of the script now, gives a quick overview of what
# number of messages were rejected on what basis - modify the /patterns/
# to suit your ACL rejection messages:
eximstats(){
    /usr/local/sbin/eximstats \
        -ne -nr -nt -nvr -tnl -t0 -h0 -q0  \
        -pattern Malware /malware/ \
        -pattern Unrouteable /:.*Unrouteable.*address/ \
        -pattern HELO /HELO.*MISMATCH.*Forged.*HELO.*for/ \
        -pattern RBL /rbl:/  \
        -pattern Spamassassin /Spam.*score/ \
        -pattern BadAttachment \
            /This.*message.*contains.*an.*unwanted.*file.*extension/ \
        $mainlog
}


# this gives a short summary of what kind of malware we're rejecting:
virus_sort(){
    echo "Malware:"
    grep malware $mainlog | awk '{print $NF}' | sort | uniq -c
}


check_paniclog
check_viriisenders
uniq_rejects
eximstats
virus_sort
-snip-

--
Jez Hancock
- System Administrator / PHP Developer

http://munk.nu/
http://jez.hancock-family.com/  - Another FreeBSD Diary
http://ipfwstats.sf.net/        - ipfw peruser traffic logging