Added on Jul 18th, 2012 and marked as log security server

Below are some common error messages that show up in the reports generated by logwatch.

SSH

If you see the following error in /var/log/auth.log:

error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

you can fix this by generating a new host key file:

ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''

Dovecot

Unmatched entries in the dovecot section:

hostname imap-login: Login: user=<username>, method=PLAIN, rip=<REMOTE_IP>, lip=<LOCAL_IP>, mpid=123, TLS

Open the dovecot script in an editor:

nano /usr/share/logwatch/scripts/services/dovecot

and add a regular expression to the list of patterns that are ignored:

if ( ($ThisLine =~ /(?:ssl-build-param|ssl-params): SSL parameters regeneration completed/) or
     ($ThisLine =~ /ssl-params: Generating SSL parameters/) or
     ($ThisLine =~ /auth-worker/) or
     ($ThisLine =~ /auth:.*: Connected to/) or
     ($ThisLine =~ /Connection closed/) or
     ($ThisLine =~ /IMAP.*: Connection closed bytes/) or
     ($ThisLine =~ /IMAP.* failed with mbox file/) or
     ($ThisLine =~ /discarded duplicate forward to/) or
     ($ThisLine =~ /discarding vacation response/)
     )
    {

In this case, add a pattern for imap-login at the end of the list:

if ( ($ThisLine =~ /(?:ssl-build-param|ssl-params): SSL parameters regeneration completed/) or
     ($ThisLine =~ /ssl-params: Generating SSL parameters/) or
     ($ThisLine =~ /auth-worker/) or
     ($ThisLine =~ /auth:.*: Connected to/) or
     ($ThisLine =~ /Connection closed/) or
     ($ThisLine =~ /IMAP.*: Connection closed bytes/) or
     ($ThisLine =~ /IMAP.* failed with mbox file/) or
     ($ThisLine =~ /discarded duplicate forward to/) or
     ($ThisLine =~ /discarding vacation response/) or
     ($ThisLine =~ /imap-login/)
     )
    {

The same can be done for pop3-login.

Update: Instead of ignoring the log entry, it is better to fix a bug in the dovecot script.

Add an extra line to the following if-statement:

} elsif ( ( ($User, $Host) = ( $ThisLine =~ /^imap-login: Login: (.*?) \[(.*)\]/ ) ) or
          ( ($User, $Host) = ( $ThisLine =~ /^imap-login: Info: Login: user=<(.*?)>.*rip=(.*), lip=/ ) ) ) {

With the following extra line (the second pattern below) the script will detect the imap-login entry:

} elsif ( ( ($User, $Host) = ( $ThisLine =~ /^imap-login: Login: (.*?) \[(.*)\]/ ) ) or
          ( ($User, $Host) = ( $ThisLine =~ /imap-login: Login: user=<(.*?)>.*rip=(.*), lip=/ ) ) or
          ( ($User, $Host) = ( $ThisLine =~ /^imap-login: Info: Login: user=<(.*?)>.*rip=(.*), lip=/ ) ) ) {

Repeat this for pop3-login.
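
To compare the two approaches above before editing the script, here is an added example (not part of the logwatch dovecot script). The patterns are copied from this page; the sample lines, including the aborted-login line, are constructed, and the function names ignored and parse_login are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines (documentation IP ranges, made-up users).
# The first follows the unmatched entry shown on this page; the last is a
# constructed failed-authentication line from the same imap-login process.
my @lines = (
    'mail01 imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=123, TLS',
    'imap-login: Info: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=192.0.2.1',
    'imap-login: Login: carol [192.0.2.12]',
    'mail01 imap-login: Aborted login (auth failed, 3 attempts): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1',
);

# First approach: the blanket pattern added to the ignore list.
sub ignored { return $_[0] =~ /imap-login/ ? 1 : 0 }

# Second approach: the three login patterns of the patched elsif.
# Returns (user, host) for a successful login line, or an empty list.
sub parse_login {
    my ($line) = @_;
    my ($user, $host);
    if ( ( ($user, $host) = ( $line =~ /^imap-login: Login: (.*?) \[(.*)\]/ ) ) or
         ( ($user, $host) = ( $line =~ /imap-login: Login: user=<(.*?)>.*rip=(.*), lip=/ ) ) or
         ( ($user, $host) = ( $line =~ /^imap-login: Info: Login: user=<(.*?)>.*rip=(.*), lip=/ ) ) ) {
        return ($user, $host);
    }
    return;
}

for my $line (@lines) {
    my ($user, $host) = parse_login($line);
    my $parsed = defined $user
        ? "login user=$user host=$host"
        : 'not a login, left for other rules';
    printf "ignore rule hides it: %-3s | patched rule: %s\n",
        ignored($line) ? 'yes' : 'no', $parsed;
}
```

The ignore pattern matches all four lines, including the failed-authentication one, while the patched patterns pick up only the three successful logins and extract user and remote address from each.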

Amavis

Mailing-list messages (newsletters, login information, etc.) often have bad headers. This is recorded in the log files like this:

Jan  1 12:00:00 es01 amavis[12345]: (12345-01) Passed BAD-HEADER, [1.2.3.4] [1.2.3.4] <[email protected]> -> <[email protected]>, quarantine: Z/badh-Zabc123, ...

The log line suggests that the message was quarantined, and it was, but it was also delivered to the user’s account. So there is no real need to put these messages in quarantine (most often they are not spam, just badly formatted mail).

Let’s edit the config to skip putting these messages in quarantine:

nano /etc/amavis/conf.d/50-user

and add the following line:

$bad_header_quarantine_to = undef;

Messages will still be tagged by amavis, but won’t be put in quarantine.

Background information