-
Notifications
You must be signed in to change notification settings - Fork 9
/mail
Copy path80 lines (68 loc) · 6.24 KB
/mail
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
# Milter
HELO (?:\[%{IP:helo}\]|%{HOST:helo}|%{DATA:helo})
MILTERCONNECT %{QUEUEID:qid}: milter-reject: CONNECT from %{CLIENT:client}: %{GREEDYDATA:milter_reason}; proto=%{WORD:proto}
MILTERUNKNOWN %{QUEUEID:qid}: milter-reject: UNKNOWN from %{CLIENT:client}: %{GREEDYDATA:milter_reason}; proto=%{WORD:proto}
MILTEREHLO %{QUEUEID:qid}: milter-reject: EHLO from %{CLIENT:client}: %{GREEDYDATA:milter_reason}; proto=%{WORD:proto} helo=<%{HELO}>
MILTERMAIL %{QUEUEID:qid}: milter-reject: MAIL from %{CLIENT:client}: %{GREEDYDATA:milter_reason}; from=<%{EMAILADDRESS:from}> proto=%{WORD:proto} helo=<%{HELO}>
MILTERHELO %{QUEUEID:qid}: milter-reject: HELO from %{CLIENT:client}: %{GREEDYDATA:milter_reason}; proto=%{WORD:proto} helo=<%{HELO}>
MILTERRCPT %{QUEUEID:qid}: milter-reject: RCPT from %{CLIENT:client}: %{GREEDYDATA:milter_reason}; from=<%{EMAILADDRESS:from}> to=<%{EMAILADDRESS:to}> proto=%{WORD:proto} helo=<%{HELO}>
MILTERENDOFMESSAGE %{QUEUEID:qid}: milter-reject: END-OF-MESSAGE from %{CLIENT:client}: %{GREEDYDATA:milter_reason}; from=<%{EMAILADDRESS:from}> to=<%{EMAILADDRESS:to}> proto=%{WORD:proto} helo=<%{HELO}>
# Postfix stuff
QUEUEID (?:[A-F0-9]+|NOQUEUE)
EMAILADDRESSPART [a-zA-Z0-9_.+-=:]+
EMAILADDRESS %{EMAILADDRESSPART:local}@%{EMAILADDRESSPART:domain}
SASLUSERNAME (%{EMAILADDRESSPART:username}@%{EMAILADDRESSPART:domain}|%{GREEDYDATA:username})
RELAY (?:%{HOSTNAME:relayhost}(?:\[%{IP:relayip}\](?::[0-9]+(.[0-9]+)?)?)?)
CLIENT (?:%{HOSTNAME:clienthost}(?:\[%{IP:clientip}\](?::[0-9]+(.[0-9]+)?)?)?)
POSREAL (%{BASE16FLOAT}|%{BASE16NUM})
DELAYS %{POSREAL:a}/%{POSREAL:b}/%{POSREAL:c}/%{POSREAL:d}
DELAY %{POSREAL}
DSN %{NONNEGINT}.%{NONNEGINT}.%{NONNEGINT}
STATUS sent|deferred|bounced|expired
PERMERROR 5[0-9]{2}
MESSAGELEVEL reject|warning|error|fatal|panic
SYSLOGNOPROG (?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource}
THROTTLE %{WORD}\(%{WORD}\)
POSTFIXSMTPMESSAGE %{MESSAGELEVEL}: %{GREEDYDATA:reason}
POSTFIXACTION discard|dunno|filter|hold|ignore|info|prepend|redirect|replace|reject|warn
# postfix/smtp and postfix/lmtp, postfix/local and postfix/error
POSTFIXSMTP %{SYSLOGNOPROG} postfix/smtp\[%{POSINT:pid}\]: %{POSTFIXSMTPCONNECT}|%{POSTFIXSMTP5XX}|%{POSTFIXSMTPREFUSAL}|%{POSTFIXSMTPLOSTCONNECTION}|%{POSTFIXSMTPTIMEOUT}
POSTFIXSMTPCONNECT connect to %{RELAY}: %{GREEDYDATA:reason}
POSTFIXSMTP5XX %{QUEUEID:qid}: to=<%{EMAILADDRESS:to}>,(?:\sorig_to=<%{EMAILADDRESS:orig_to}>,)? relay=%{RELAY}, (%{WORD}=%{DATA},)+ dsn=%{DSN:dsn}, status=%{STATUS:status} \(host %{HOSTNAME}\[%{IP}\] said: %{PERMERROR:responsecode} %{DATA:smtp_response} \(in reply to %{DATA:command} command\)\)
POSTFIXSMTPREFUSAL %{QUEUEID:qid}: host %{RELAY} refused to talk to me: %{GREEDYDATA:reason}
POSTFIXSMTPLOSTCONNECTION %{QUEUEID:qid}: lost connection with %{RELAY} while %{GREEDYDATA:reason}
POSTFIXSMTPTIMEOUT %{QUEUEID:qid}: conversation with %{RELAY} timed out while %{GREEDYDATA:reason}
# postfix/smtpd
POSTFIXSMTPD %{SYSLOGNOPROG} postfix/smtpd\[%{POSINT:pid}\]: %{POSTFIXSMTPDCONNECTS}|%{POSTFIXSMTPDMILTER}|%{POSTFIXSMTPDACTIONS}|%{POSTFIXSMTPDTIMEOUTS}|%{POSTFIXSMTPDLOGIN}|%{POSTFIXSMTPDCLIENT}|%{POSTFIXSMTPDNOQUEUE}|%{POSTFIXSMTPDWARNING}|%{POSTFIXSMTPDLOSTCONNECTION}
POSTFIXSMTPDCONNECTS (?:dis)?connect from %{CLIENT}
POSTFIXSMTPDMILTER %{MILTERCONNECT}|%{MILTERUNKNOWN}|%{MILTEREHLO}|%{MILTERMAIL}|%{MILTERHELO}|%{MILTERRCPT}
POSTFIXSMTPDACTIONS %{QUEUEID:qid}: %{POSTFIXACTION:postfix_action}: %{DATA:command} from %{CLIENT}: %{PERMERROR:responsecode} %{DSN:dsn} %{DATA}: %{DATA:reason}; from=<%{EMAILADDRESS:from}> to=<%{EMAILADDRESS:to}> proto=%{DATA:proto} helo=<%{HELO}>
#POSTFIXSMTPDACTIONS %{QUEUEID:qid}: %{POSTFIXACTION:postfix_action}: %{DATA:command} from %{CLIENT}: %{DATA:smtp_response}: %{DATA:reason}; from=<%{EMAILADDRESS:from}> to=<%{EMAILADDRESS:to}> proto=%{DATA:proto} helo=<%{HELO}>
POSTFIXSMTPDTIMEOUTS timeout after %{DATA:command} from %{CLIENT}
POSTFIXSMTPDLOGIN %{QUEUEID:qid}: client=%{CLIENT}, sasl_method=%{DATA:saslmethod}, sasl_username=%{SASLUSERNAME}
POSTFIXSMTPDCLIENT %{QUEUEID:qid}: client=%{CLIENT}
POSTFIXSMTPDNOQUEUE NOQUEUE: %{POSTFIXACTION:postfix_action}: %{DATA:command} from %{CLIENT}: %{GREEDYDATA:reason}
POSTFIXSMTPDWARNING warning: %{IP:clientip}: %{GREEDYDATA:reason}
POSTFIXSMTPDLOSTCONNECTION lost connection after %{DATA:smtp_response} from %{CLIENT}
# postfix/cleanup
POSTFIXCLEANUP %{SYSLOGNOPROG} postfix/cleanup\[%{POSINT:pid}\]: %{POSTFIXCLEANUPMESSAGE}|%{POSTFIXCLEANUPMILTER}
POSTFIXCLEANUPMESSAGE %{QUEUEID:qid}: (resent-)?message-id=<%{GREEDYDATA:messageid}>
POSTFIXCLEANUPMILTER %{MILTERENDOFMESSAGE}
# postfix/bounce
POSTFIXBOUNCE %{SYSLOGNOPROG} postfix/bounce\[%{POSINT:pid}\]: %{QUEUEID:qid}: sender non-delivery notification: %{QUEUEID:bouncequeueid}
# postfix/qmgr and postfix/pickup
POSTFIXQMGR %{SYSLOGNOPROG} postfix/qmgr\[%{POSINT:pid}\]: %{QUEUEID:qid}: (?:removed|from=<(?:%{EMAILADDRESS:from})?>(?:, size=%{POSINT:size}, nrcpt=%{POSINT:nrcpt} \(%{GREEDYDATA:queuestatus}\))?)
# postfix/anvil
POSTFIXANVIL %{SYSLOGNOPROG} postfix/anvil\[%{POSINT:pid}\]: statistics: %{DATA:anvilstatistic} for (%{DATA:remotehost}) at %{SYSLOGTIMESTAMP:timestamp}
# postfix/relay:
POSTFIXRELAY %{SYSLOGBASE2} %{QUEUEID:qid}: to=<%{EMAILADDRESS:to}>,(?:\sorig_to=<%{EMAILADDRESS:orig_to}>,)? relay=%{RELAY},(?: conn_use=%{POSREAL:conn_use},)? delay=%{DELAY:delay}, delays=%{DELAYS:delays}, dsn=%{DSN:dsn}, status=%{STATUS:status} %{GREEDYDATA:reason}
# postfix-policyd
POSTFIXPOLICY %{SYSLOGBASE2} rcpt=%{POSINT:rcpt}, (throttle|throttle_rcpt)=%{THROTTLE:throttle}, host=%{IP:clientip}, from=%{EMAILADDRESS:from}, to=%{EMAILADDRESS:to}%{GREEDYDATA:reason}
# dovecot
DOVECOT %{SYSLOGBASE2} %{DOVECOTAUTH}|%{DOVECOTLOGIN}|%{DOVECOTPROTO}
DOVECOTPROTOCOL %{WORD}-%{WORD}
DOVECOTAUTH auth-worker\(%{DATA:worker}\): %{DATA:backend}\(%{EMAILADDRESS:user},%{IP:clientip}\): %{GREEDYDATA:reason}
DOVECOTLOGIN %{DOVECOTPROTOCOL:protocol}: %{DOVECOTLOGINLOGIN}|%{DOVECOTLOGINDISCONNECT}
DOVECOTLOGINLOGIN Login: user=<%{EMAILADDRESS:user}>, method=%{DATA:method}, rip=%{IP:clientip}, lip=%{IP:localip}(?:\s, %{GREEDYDATA:reason})?
DOVECOTLOGINDISCONNECT Disconnected \(%{DATA:authattempts}\): rip=%{IP:clientip}, lip=%{IP:localip}(?:\s, %{GREEDYDATA:reason})?
DOVECOTPROTO %{WORD:protocol}\(%{EMAILADDRESS:user}\): %{GREEDYDATA:reason}