LF_DISTSMTP support for postfix
Posted: 21 Feb 2016, 19:57
Here is an updated "processdistsmtpline" function in RegexMain.pm that adds Distributed SMTP Login (LF_DISTSMTP) support for Postfix:
Successful Postfix SMTP_AUTH log file example
Regex Text
https://regex101.com/r/hnNGkC/1
RegexMain.pm function processdistsmtpline on line 795
Successful Postfix SMTP_AUTH log file example
Code: Select all
Sep 23 11:45:31 el7p17 postfix/smtpd[39220]: CB957400A36E: client=unknown[192.168.1.122], sasl_method=PLAIN, sasl_username=test@example.com
https://regex101.com/r/hnNGkC/1
RegexMain.pm function processdistsmtpline on line 795
Code: Select all
sub processdistsmtpline {
my $line = shift;
my $tline = $line;
$tline =~ s/".*"/""/g;
my @bits =split(/\s+/,$tline);
my $ip;
# postfix
if ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ postfix\/(submission\/)?smtpd(?:\[\d+\])?: \w+: client=\S+\[(\S+)\], sasl_method=(?:(?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5), sasl_username=(\S+)$/) {
$ip = $3; my $account = $4; $ip =~ s/^::ffff://;
if (checkip(\$ip) and $ip ne "127.0.0.1" and $ip ne "::1") {
return ($ip,$account)
} else {
return;
}
}
if ($tline !~ /^\S+\s+\S+\s+(\[\d+\]\s)?\S+ <=/) {return}
if ($tline =~ / U=(\S+) P=local /) {return}
if ($tline =~ / H=[^=]*\[(\S+)\]/) {
$ip = $1;
unless (checkip(\$ip) or $ip eq "127.0.0.1" or $ip eq "::1") {return}
} else {
return;
}
if (($tline =~ / A=(courier_plain|courier_login|dovecot_plain|dovecot_login|fixed_login|fixed_plain|login|plain):(\S+)/)){
my $account = $2;
if (($tline =~ / P=(esmtpa|esmtpsa) /)) {return ($ip, $account)}
}
}