summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2014-06-30 03:34:50 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:09 +0200
commitee4345cfc93747587608f0a87497123a6cacb946 (patch)
tree1b8cf7efb15e66f695adf4ae8bc79dbe00683eba /roles
parente1cc46486b686df85cf30073878c1ee69e320d1b (diff)
Log SASL usernames for longer, but don't include mail.log into syslog.
Diffstat (limited to 'roles')
-rw-r--r--roles/common/files/etc/logrotate.d/fripost-mail17
-rw-r--r--roles/common/files/etc/rsyslog.conf130
-rw-r--r--roles/common/handlers/main.yml3
-rw-r--r--roles/common/tasks/logging.yml31
-rw-r--r--roles/common/templates/etc/rsyslog.d/postfix.conf.j217
5 files changed, 193 insertions, 5 deletions
diff --git a/roles/common/files/etc/logrotate.d/fripost-mail b/roles/common/files/etc/logrotate.d/fripost-mail
index 9ed2617..4fc1a85 100644
--- a/roles/common/files/etc/logrotate.d/fripost-mail
+++ b/roles/common/files/etc/logrotate.d/fripost-mail
@@ -15,3 +15,20 @@
invoke-rc.d rsyslog rotate > /dev/null
endscript
}
+
+# Keep a mapping Postfix's message ID -> SASL username for a month, to
+# find authors of potential abuse emails (if we are shown the header of
+# such emails.)
+/var/log/mail.sasl
+{
+ rotate 4
+ weekly
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ invoke-rc.d rsyslog rotate > /dev/null
+ endscript
+}
diff --git a/roles/common/files/etc/rsyslog.conf b/roles/common/files/etc/rsyslog.conf
new file mode 100644
index 0000000..4f07d9b
--- /dev/null
+++ b/roles/common/files/etc/rsyslog.conf
@@ -0,0 +1,130 @@
+# /etc/rsyslog.conf Configuration file for rsyslog.
+#
+# For more information see
+# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad imklog # provides kernel logging support
+#$ModLoad immark # provides --MARK-- message capability
+
+# provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+
+# provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# Logging for the mail system. Split it up so that
+# it is easy to write scripts to parse these files.
+#
+
+mail.* -/var/log/mail.log
+mail.info -/var/log/mail.info
+mail.warn -/var/log/mail.warn
+mail.err /var/log/mail.err
+
+# To preserve the privacy of our users, we stop processing relevant log
+# entries (eg, we don't put them into /var/log/syslog) that are of
+# severity info and lower. Those lines are put into mail.log and
+# mail.info for troubleshooting, but those files are rotated frequently.
+# XXX: we should improve that: we shouldn't log envelopes and IPs unless
+# the mail is bounced, for instance.
+if ($programname startswith 'postfix-' or $programname == 'dovecot') and $syslogfacility-text == 'mail' and $syslogseverity >= 6 then ~
+
+#
+# Some standard log files. Log by facility.
+#
+auth,authpriv.* /var/log/auth.log
+*.*;auth,authpriv.none -/var/log/syslog
+#cron.* /var/log/cron.log
+daemon.* -/var/log/daemon.log
+kern.* -/var/log/kern.log
+lpr.* -/var/log/lpr.log
+user.* -/var/log/user.log
+
+#
+# Logging for INN news system.
+#
+news.crit /var/log/news/news.crit
+news.err /var/log/news/news.err
+news.notice -/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+*.=debug;\
+ auth,authpriv.none;\
+ news.none;mail.none -/var/log/debug
+*.=info;*.=notice;*.=warn;\
+ auth,authpriv.none;\
+ cron,daemon.none;\
+ mail,news.none -/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg :omusrmsg:*
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+# news.=crit;news.=err;news.=notice;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn /dev/tty8
+
+# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
+# you must invoke `xconsole' with the `-file' option:
+#
+# $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+# busy site..
+#
+#daemon.*;mail.*;\
+# news.err;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn |/dev/xconsole
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 89e4b6b..1e0a21e 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -26,6 +26,9 @@
# pattern=init as a dummy assumption.
service: name=networking pattern=init state=reloaded
+- name: Restart rsyslog
+ service: name=rsyslog state=restarted
+
- name: Restart ntp
service: name=ntp state=restarted
diff --git a/roles/common/tasks/logging.yml b/roles/common/tasks/logging.yml
index 3215ebe..9430d0b 100644
--- a/roles/common/tasks/logging.yml
+++ b/roles/common/tasks/logging.yml
@@ -7,11 +7,36 @@
- logcheck-database
- logrotate
+- name: Configure rsyslog
+ copy: src=etc/rsyslog.conf
+ dest=/etc/rsyslog.conf
+ owner=root group=root
+ mode=0644
+ register: r1
+ notify:
+ - Restart rsyslog
+ tags:
+ - syslog
+
+- name: Configure postfix's custom rsyslog rules
+ template: src=etc/rsyslog.d/postfix.conf.j2
+ dest=/etc/rsyslog.d/postfix.conf
+ owner=root group=root
+ mode=0644
+ register: r2
+ notify:
+ - Restart rsyslog
+ tags:
+ - syslog
+
- name: Start rsyslog
service: name=rsyslog state=started
+ when: not (r1.changed or r2.changed)
tags:
- syslog
+- meta: flush_handlers
+
- name: Configure logcheck
copy: src=etc/logcheck/{{ item }}
dest=/etc/logcheck/{{ item }}
@@ -30,7 +55,7 @@
- name: Minimal logging policy (1)
lineinfile: dest=/etc/logrotate.d/rsyslog
- regexp="^/var/log/mail.(log|info)$"
+ regexp="^/var/log/mail\\.(log|info|sasl)$"
state=absent
- name: Minimal logging policy (2)
@@ -40,7 +65,3 @@
mode=0644
tags:
- logrotate
-
-# TODO: We also have specialized per-role logcheck rulesets, per-role
-# logrotate configuration (/etc/logrotate.d), and per-role rsyslog
-# configuration (/etc/rsyslog.d).
diff --git a/roles/common/templates/etc/rsyslog.d/postfix.conf.j2 b/roles/common/templates/etc/rsyslog.d/postfix.conf.j2
new file mode 100644
index 0000000..5acb56d
--- /dev/null
+++ b/roles/common/templates/etc/rsyslog.d/postfix.conf.j2
@@ -0,0 +1,17 @@
+# Create an additional socket in postfix's chroot in order not to break
+# mail logging when rsyslog is restarted. If the directory is missing,
+# rsyslog will silently skip creating the socket.
+$AddUnixListenSocket /var/spool/postfix/dev/log
+{% for g in postfix_instance.keys() | sort %}
+{% if g in group_names %}
+$AddUnixListenSocket /var/spool/postfix-{{ postfix_instance[g].name }}/dev/log
+{% endif %}
+{% endfor %}
+
+{% if 'MSA' in group_names %}
+# User of our Authenticated SMTP server can choose the envelope from and From:
+# header of their choice. As the SASL username is not logged in the mail
+# header, we keep a mapping Postfix's message ID -> SASL username in a separate
+# log file that is only rotated monthly.
+if $programname == 'postfix-msa' and $syslogfacility-text == 'mail' and $msg contains 'sasl_username=' then /var/log/mail.sasl
+{% endif %}