[Mimedefang] logwatch support for mimedefang: first cut
gary at intrepid.com
Wed Sep 10 02:07:58 EDT 2008
Recently, I made a first cut at a logwatch script
that processes the sendmail log file, /var/log/maillog,
summarizing information logged by our mimedefang filter,
which is a hodge-podge of various suggestions and
contributions of filter code made to this list, and elsewhere.
The logwatch code is here:
(The URL will be good for a month, until 2008-10-08.)
Here's the documentation:
This logwatch script processes lines in a logfile that
are in "maillog" format, as written by the "sendmail"
program, and by "mimedefang". These log lines must
include, at a minimum, "MDLOG" lines that are typically
processed by the "graphdefang" tool.
This script also collects statistics on MDLOG
lines written by greylisting extensions, derived
from code developed by John Kirkland (see
Further, a few additional lines in the logfile receive
"RELAY: RELAY_IP RELAY_HOSTNAME"
Extensions to "filter_relay" write the hostname
and host IP address into the log file, along with
the pid of the mimedefang process that is running the
"filter_relay said ACCEPT_AND_NO_MORE_FILTERING"
The pid on this line must match the pid of a
previously written "RELAY" line. It is assumed
that if this line appears in the logfile,
"filter_relay" has accepted delivery of the
message based only on the relay's IP address.
This relay will be tabulated as a "trusted host".
"filter_recipient said ACCEPT_AND_NO_MORE_FILTERING"
It is assumed that this line appears in the log when
"filter_recipient" has determined that the sender
was authenticated; the authenticated sender count
Virus-related statistics are also tabulated for
"MDLOG" lines written when a virus is detected.
Special handling is implemented for "CLAMAV" virus names
identified by the SANE Security email virus scanning
extensions (see <http://www.sanesecurity.co.uk/>).
To try it out, install the three files listed in the
pastebin text, and then try something like:
$ logwatch --print --service mimedefang --range today
An example report follows:
host1.local [10.10.1.2] 38
localhost.localdomain [127.0.0.1] 2
host2.local [10.10.1.7] 1
Authenticated senders: 40
Relays  (top 20)
example.org [192.168.2.1] 958
sourceware.org [126.96.36.199] 341
test1.hosting.lsoft.com [188.8.131.52] 98
Spam Relays  (top 20)
example.org [192.168.2.1] 59
mail.example.com [192.168.2.3] 12
Feedback/suggestions appreciated. Additional code can
be posted to the pastebin thread, also.
PS: Statistics gathering would be much more reliable
and general if _all_ relevant events were logged with
MDLOG entries. We plan to implement that change.
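As an added illustration of the pid correlation described in the post (my own Python sketch, not the logwatch script from the pastebin), this matches each "filter_relay said ACCEPT_AND_NO_MORE_FILTERING" line to the most recent RELAY line written by the same pid, counts those relays as trusted hosts, and counts "filter_recipient" accepts as authenticated senders. The sample log lines and the syslog prefix format are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample maillog lines (not from the original post); the syslog
# prefix "<date> <host> mimedefang[<pid>]: " is an assumption on my part.
SAMPLE_LOG = """\
Sep 10 02:01:01 mx mimedefang[4101]: RELAY: 10.10.1.2 host1.local
Sep 10 02:01:01 mx mimedefang[4101]: filter_relay said ACCEPT_AND_NO_MORE_FILTERING
Sep 10 02:01:05 mx mimedefang[4102]: RELAY: 192.168.2.1 example.org
Sep 10 02:01:09 mx mimedefang[4101]: RELAY: 127.0.0.1 localhost.localdomain
Sep 10 02:01:09 mx mimedefang[4101]: filter_relay said ACCEPT_AND_NO_MORE_FILTERING
Sep 10 02:01:12 mx mimedefang[4103]: filter_recipient said ACCEPT_AND_NO_MORE_FILTERING
Sep 10 02:01:15 mx mimedefang[4104]: filter_relay said ACCEPT_AND_NO_MORE_FILTERING
Sep 10 02:01:20 mx sendmail[4200]: m8A61xyz: to=<b@example.net>, stat=Sent
"""

PID_RE = re.compile(r"mimedefang\[(\d+)\]: (.*)$")
RELAY_RE = re.compile(r"^RELAY: (\S+) (\S+)$")   # RELAY: RELAY_IP RELAY_HOSTNAME
RELAY_ACCEPT = "filter_relay said ACCEPT_AND_NO_MORE_FILTERING"
RCPT_ACCEPT = "filter_recipient said ACCEPT_AND_NO_MORE_FILTERING"

def summarize(lines):
    """Return (trusted_hosts Counter, authenticated_sender_count, unmatched_accepts)."""
    last_relay = {}    # pid -> (ip, hostname) from that pid's most recent RELAY line
    trusted, authenticated, unmatched = Counter(), 0, 0
    for line in lines:
        m = PID_RE.search(line)
        if not m:
            continue   # plain sendmail lines carry no mimedefang payload
        pid, payload = m.group(1), m.group(2).strip()
        r = RELAY_RE.match(payload)
        if r:
            last_relay[pid] = (r.group(1), r.group(2))
        elif payload == RELAY_ACCEPT:
            # Consume the entry so a stale RELAY line cannot be counted twice by this pid.
            relay = last_relay.pop(pid, None)
            if relay is None:
                unmatched += 1          # accept with no prior RELAY line for this pid
            else:
                trusted[f"{relay[1]} [{relay[0]}]"] += 1
        elif payload == RCPT_ACCEPT:
            authenticated += 1
    return trusted, authenticated, unmatched

def format_report(trusted, authenticated, top=20):
    out = [f"Trusted hosts  (top {top})"]
    out += [f"{name} {n}" for name, n in trusted.most_common(top)]
    out.append(f"Authenticated senders: {authenticated}")
    return "\n".join(out)
```

The unmatched count is worth reporting: an accept line whose pid has no preceding RELAY line means the log is incomplete or the two extensions are out of step, and the trusted-host tally for that message is silently lost.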