authorGuilhem Moulin <guilhem@fripost.org>2014-06-30 03:34:50 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:09 +0200
commitee4345cfc93747587608f0a87497123a6cacb946 (patch)
tree1b8cf7efb15e66f695adf4ae8bc79dbe00683eba
parente1cc46486b686df85cf30073878c1ee69e320d1b (diff)
Log SASL usernames for longer, but don't include mail.log in syslog.
-rw-r--r--roles/common/files/etc/logrotate.d/fripost-mail17
-rw-r--r--roles/common/files/etc/rsyslog.conf130
-rw-r--r--roles/common/handlers/main.yml3
-rw-r--r--roles/common/tasks/logging.yml31
-rw-r--r--roles/common/templates/etc/rsyslog.d/postfix.conf.j217
5 files changed, 193 insertions, 5 deletions
diff --git a/roles/common/files/etc/logrotate.d/fripost-mail b/roles/common/files/etc/logrotate.d/fripost-mail
index 9ed2617..4fc1a85 100644
--- a/roles/common/files/etc/logrotate.d/fripost-mail
+++ b/roles/common/files/etc/logrotate.d/fripost-mail
@@ -15,3 +15,20 @@
invoke-rc.d rsyslog rotate > /dev/null
endscript
}
+
+# Keep a mapping Postfix's message ID -> SASL username for a month, to
+# find authors of potential abuse emails (if we are shown the header of
+# such emails.)
+/var/log/mail.sasl
+{
+ rotate 4
+ weekly
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ invoke-rc.d rsyslog rotate > /dev/null
+ endscript
+}
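Review bot: The rotated /var/log/mail.sasl files hold a message-ID → SASL username mapping, yet the new stanza sets no `create` directive, so the mode of the live file depends entirely on the global `$FileOwner`/`$FileGroup`/`$FileCreateMode` defaults staying in rsyslog.conf. Adding `create 0640 root adm` here pins the permissions where the file is declared and survives a later change of those defaults. The header comment says the mapping is kept "for a month" while `rotate 4` with `weekly` keeps four rotated weeks; `# Kept for four weeks (weekly, rotate 4), to` would make the stated retention match the directives.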
diff --git a/roles/common/files/etc/rsyslog.conf b/roles/common/files/etc/rsyslog.conf
new file mode 100644
index 0000000..4f07d9b
--- /dev/null
+++ b/roles/common/files/etc/rsyslog.conf
@@ -0,0 +1,130 @@
+# /etc/rsyslog.conf Configuration file for rsyslog.
+#
+# For more information see
+# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad imklog # provides kernel logging support
+#$ModLoad immark # provides --MARK-- message capability
+
+# provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+
+# provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# Logging for the mail system. Split it up so that
+# it is easy to write scripts to parse these files.
+#
+
+mail.* -/var/log/mail.log
+mail.info -/var/log/mail.info
+mail.warn -/var/log/mail.warn
+mail.err /var/log/mail.err
+
+# To preserve the privacy of our users, we stop processing relevant log
+# entries (eg, we don't put them into /var/log/syslog) that are of
+# severity info and lower. Those lines are put into mail.log and
+# mail.info for troubleshooting, but those files are rotated frequently.
+# XXX: we should improve that: we shouldn't log envelopes and IPs unless
+# the mail is bounced, for instance.
+if ($programname startswith 'postfix-' or $programname == 'dovecot') and $syslogfacility-text == 'mail' and $syslogseverity >= 6 then ~
+
+#
+# Some standard log files. Log by facility.
+#
+auth,authpriv.* /var/log/auth.log
+*.*;auth,authpriv.none -/var/log/syslog
+#cron.* /var/log/cron.log
+daemon.* -/var/log/daemon.log
+kern.* -/var/log/kern.log
+lpr.* -/var/log/lpr.log
+user.* -/var/log/user.log
+
+#
+# Logging for INN news system.
+#
+news.crit /var/log/news/news.crit
+news.err /var/log/news/news.err
+news.notice -/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+*.=debug;\
+ auth,authpriv.none;\
+ news.none;mail.none -/var/log/debug
+*.=info;*.=notice;*.=warn;\
+ auth,authpriv.none;\
+ cron,daemon.none;\
+ mail,news.none -/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg :omusrmsg:*
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+# news.=crit;news.=err;news.=notice;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn /dev/tty8
+
+# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
+# you must invoke `xconsole' with the `-file' option:
+#
+# $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+# busy site..
+#
+#daemon.*;mail.*;\
+# news.err;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn |/dev/xconsole
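Review bot: The privacy discard rule (`... $syslogseverity >= 6 then ~`) only works together with the rsyslog.d rules because `$IncludeConfig /etc/rsyslog.d/*.conf` appears earlier in the file, so the mail.sasl rule from postfix.conf.j2 sees the info-level lines before they are dropped; nothing in the file says this ordering is load-bearing. A comment next to the discard such as `# /etc/rsyslog.d/*.conf is included above and therefore runs before this discard; rules there (e.g. mail.sasl) depend on that order.` would protect against someone moving the include. Separately, `$programname startswith 'postfix-'` appears to cover only the named instances; if the default instance (whose chroot socket the template also adds) logs with a tag like `postfix/smtpd`, its info-level lines would presumably not be discarded here and would still reach /var/log/syslog — worth confirming against a live host.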
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 89e4b6b..1e0a21e 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -26,6 +26,9 @@
# pattern=init as a dummy assumption.
service: name=networking pattern=init state=reloaded
+- name: Restart rsyslog
+ service: name=rsyslog state=restarted
+
- name: Restart ntp
service: name=ntp state=restarted
diff --git a/roles/common/tasks/logging.yml b/roles/common/tasks/logging.yml
index 3215ebe..9430d0b 100644
--- a/roles/common/tasks/logging.yml
+++ b/roles/common/tasks/logging.yml
@@ -7,11 +7,36 @@
- logcheck-database
- logrotate
+- name: Configure rsyslog
+ copy: src=etc/rsyslog.conf
+ dest=/etc/rsyslog.conf
+ owner=root group=root
+ mode=0644
+ register: r1
+ notify:
+ - Restart rsyslog
+ tags:
+ - syslog
+
+- name: Configure postfix's custom rsyslog rules
+ template: src=etc/rsyslog.d/postfix.conf.j2
+ dest=/etc/rsyslog.d/postfix.conf
+ owner=root group=root
+ mode=0644
+ register: r2
+ notify:
+ - Restart rsyslog
+ tags:
+ - syslog
+
- name: Start rsyslog
service: name=rsyslog state=started
+ when: not (r1.changed or r2.changed)
tags:
- syslog
+- meta: flush_handlers
+
- name: Configure logcheck
copy: src=etc/logcheck/{{ item }}
dest=/etc/logcheck/{{ item }}
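Review bot: The `when: not (r1.changed or r2.changed)` on "Start rsyslog" reads as if the service is deliberately left alone after a config change, while in fact it is then started by the "Restart rsyslog" handler (`state=restarted`) via the `meta: flush_handlers` that follows; that intent is not written down. A comment above the task, `# Handlers (flushed below) restart rsyslog when its config changed, which also starts it if it was stopped.`, would make the coupling explicit. The registered names `r1`/`r2` carry no meaning; `rsyslog_conf`/`rsyslog_postfix_conf` would read better in the `when:` expression.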
@@ -30,7 +55,7 @@
- name: Minimal logging policy (1)
lineinfile: dest=/etc/logrotate.d/rsyslog
- regexp="^/var/log/mail.(log|info)$"
+ regexp="^/var/log/mail\\.(log|info|sasl)$"
state=absent
- name: Minimal logging policy (2)
@@ -40,7 +65,3 @@
mode=0644
tags:
- logrotate
-
-# TODO: We also have specialized per-role logcheck rulesets, per-role
-# logrotate configuration (/etc/logrotate.d), and per-role rsyslog
-# configuration (/etc/rsyslog.d).
diff --git a/roles/common/templates/etc/rsyslog.d/postfix.conf.j2 b/roles/common/templates/etc/rsyslog.d/postfix.conf.j2
new file mode 100644
index 0000000..5acb56d
--- /dev/null
+++ b/roles/common/templates/etc/rsyslog.d/postfix.conf.j2
@@ -0,0 +1,17 @@
+# Create an additional socket in postfix's chroot in order not to break
+# mail logging when rsyslog is restarted. If the directory is missing,
+# rsyslog will silently skip creating the socket.
+$AddUnixListenSocket /var/spool/postfix/dev/log
+{% for g in postfix_instance.keys() | sort %}
+{% if g in group_names %}
+$AddUnixListenSocket /var/spool/postfix-{{ postfix_instance[g].name }}/dev/log
+{% endif %}
+{% endfor %}
+
+{% if 'MSA' in group_names %}
+# User of our Authenticated SMTP server can choose the envelope from and From:
+# header of their choice. As the SASL username is not logged in the mail
+# header, we keep a mapping Postfix's message ID -> SASL username in a separate
+# log file that is only rotated monthly.
+if $programname == 'postfix-msa' and $syslogfacility-text == 'mail' and $msg contains 'sasl_username=' then /var/log/mail.sasl
+{% endif %}
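Review bot: The comment says the mail.sasl file "is only rotated monthly", but the logrotate stanza added in this commit rotates it weekly and keeps four generations, so the retention claim is inaccurate; `# log file that is rotated weekly and kept for four weeks (see logrotate.d/fripost-mail).` states what is actually configured. The rule writes the whole matching `$msg`, not just the message ID and username; if, as is presumably the case, the matching smtpd line also carries the client host and IP, the file retains that data for the same period even though rsyslog.conf says IPs should not be logged unless needed — a template emitting only the needed fields would reduce what is kept. Also `# User of our Authenticated SMTP server` should read `# Users of our Authenticated SMTP server`.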