# THUNDER PRM LIBRARY
# Copyright 2004 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# postfix library
#
# DESCRIPTION:
# This library is used to process logs from a system running the
# postfix email server daemon. Logs should be sent via SYSLOG
# directly to the Thunder server, or a Thunder client should be
# installed on this server and configured to monitor this daemon's
# log files. 
#
# LAST UPDATE: $Date$

###########################
# NORMAL EMAIL SIGNATURES #
###########################

# 9900: baseline SMTP connection. dstport/proto are fixed values written
# by the rule, not read from the log line; only the client address is
# captured. The match= lines presumably act as literal substring
# pre-filters that must all hit before regex= is tried -- confirm.
# NOTE(review): `.*\[` is greedy, so $1 is the LAST bracketed dotted quad
# on the line; the leading space in " connect from" is what keeps this
# rule from also firing on "disconnect from" lines (see 9901).
id=9900
name=The Postfix email server received an SMTP connection.
match=fix/
match=tp
match=fix/smtpd[
match=rom
match=connect from
match=onnect
match=ect
regex=postfix/smtpd\[.+ connect from.*\[([0-9]+(\.[0-9]+){3})\]
log=event:Postfix-SMTP_Connection srcip:$1 dstport:25 proto:6 type:connection

NEXT

# 9901: normal SMTP disconnection; companion of 9900. Same capture shape:
# the last bracketed dotted quad after "disconnect from" becomes srcip.
# dstport:25/proto:6 are constants, not taken from the line.
id=9901
name=The Postfix email server had a normal SMTP disconnection.
match=fix/
match=tp
match=fix/smtpd[
match=rom
match=disconnect from
match=onnect
match=ect
regex=postfix/smtpd\[.+disconnect from.*\[([0-9]+(\.[0-9]+){3})\]
log=event:Postfix-SMTP_Disconnection srcip:$1 dstport:25 proto:6 type:connection

########
# SPAM #
########

NEXT 

# 9903: SMTP AUTH failure taken from the server-reply echo line
# ("smtpd[pid]: > host[ip]: 535 ...").
# NOTE(review): the "]: > " form presumably only appears when smtpd runs
# with verbose/debug logging; on a default configuration this rule may
# never fire and 9924 (the "warning: ... SASL ... authentication failed"
# form) is the one that carries the login-failure signal -- confirm.
id=9903
name=The Postfix email server had a user authentication failure.
match=fix/
match=tp
match=fix/smtpd[
match=ent
match=ail
match=rr
match=ion
match=le
match=ed
match=]: 535 Error: authentication failed
regex=postfix/smtpd\[[0-9]{1,5}\]: > .*\[([0-9]+(\.[0-9]+){3})\]:
log=event:Postfix-User_Authentication_Failure srcip:$1 dstport:25 proto:6 type:login-failure

NEXT

# 9904: malformed address in a MAIL/RCPT command.
# NOTE(review): the rejected address itself is client-supplied and follows
# the client "name[ip]" on the same line; because `.*\[` is greedy, an
# address literal such as user@[a.b.c.d] in that text would be captured
# as srcip instead of the real client address. Anchoring on
# "from .*\[ip\] in" would make the attribution robust -- verify against
# a real log line first.
id=9904
name=The Postfix email server encountered an illegal address syntax in an email message.
match=fix/
match=tp
match=fix/smtpd[
match=ar
match=arn
match=rom
match=ing
match=le
match=ss
match=]: warning: Illegal address syntax from 
regex=warning: Illegal address syntax from .*\[([0-9]+(\.[0-9]+){3})\]
log=event:Postfix-Illegal_Address_Syntax srcip:$1 dstport:25 proto:6 type:error

NEXT

# 9905: open-relay attempt refused ("Relay access denied").
# The trailing "\]:" in the regex ties the capture to the "name[ip]:"
# token that precedes the reply code; keep it -- bracketed values that
# may appear later in the line (e.g. in helo=<...>) are not followed by
# a colon, so the greedy `.*` cannot pick them up.
id=9905
name=The Postfix email server denied a relay request.
match=fix/
match=tp
match=fix/smtpd[
match=ce
match=ed
match=ss
match=: Relay access denied
match=acc
match=rom
match=: reject: RCPT from 
match=reject
match=ect
regex=RCPT .*\[([0-9]+(\.[0-9]+){3})\]:
log=event:Postfix-Illegal_Relay_Attempt srcip:$1 dstport:25 proto:6 type:access-denied

NEXT

# 9906: message rejected by a cleanup header check on X-Spam-Flag.
# No regex= line, so no srcip is extracted: cleanup lines identify the
# queue id rather than the client. Correlate with 9900 on queue id /
# time if a source is needed.
id=9906
name=The Postfix email server rejected an email due to a Spam Assassin score.
match=fix/
match=le
match=fix/cleanup
match=an
match=reject
match=ect
match=X-Spam-Flag
log=event:Postfix-Spam_Mail_Rejected type:spam dstport:25 proto:6

#####################
# ATTACK AND PROBES #
#####################

NEXT

# 9902: sender rejected because its domain did not resolve
# ("Sender address rejected: Domain not found"). Same "\]:"-anchored
# capture as 9905. The name= text is generic; the match= lines are what
# restrict it to this one reject reason.
id=9902
name=The Postfix email server denied an email.
match=fix/
match=tp
match=fix/smtpd[
match=reject
match=ect
match=ed
match=ss
match=: Sender address rejected: Domain not found;
match=Do
regex=reject: RCPT from .*\[([0-9]+(\.[0-9]+){3})\]:
log=event:Postfix-Email_Rejected srcip:$1 dstport:25 proto:6 type:access-denied

NEXT

# 9908: RCPT refused, recipient unknown in the local recipient table.
# NOTE(review): logged as type:error while the sibling reject rules
# (9902, 9905) use type:access-denied; a burst of these from one srcip
# is the usual recipient-enumeration pattern, so a consistent type makes
# it easier to threshold on.
id=9908
name=The Postfix email server rejected an email because it did not recognize the recipient.
match=fix/
match=tp
match=fix/smtpd[
match=ent
match=ser
match=now
match=lo
match=le
match=ed
match=ss
match=: Recipient address rejected: User unknown in local recipient table;
match=ect
match=cal
match=reject
regex=reject: RCPT from .*\[([0-9]+(\.[0-9]+){3})\]:
log=event:Postfix-Unknown_Recipient srcip:$1 dstport:25 proto:6 type:error

NEXT

# 9907: reject issued by an SPF policy check (pobox.com explanation URL).
# NOTE(review): "&ip=(.*)&receiver=" is not restricted to a dotted quad,
# so srcip receives whatever sits between those two parameters; the
# other rules only ever capture [0-9.] for srcip. Unlike its siblings
# this log= line carries no dstport/proto.
id=9907
name=The Postfix email server has rejected an email because of its SPF score.
match=reject
match=ect
match=fix/
match=tp
match=fix/smtpd[
match=pf
match=le
match=: Please see http://spf.pobox.com/why.html?
regex=.*http://spf\.pobox\.com/why.html\?sender=.*&ip=(.*)&receiver=.*
log=event:Postfix-SPF_Mail_Rejected srcip:$1 type:spam

NEXT

# 9910: client blocked by a DNSBL lookup. The match= line names
# sbl.spamhaus.org only; other lists configured in
# reject_rbl_client (e.g. a different zone name) would not fire this
# rule. The regex itself is list-agnostic ("Client host [ip] blocked").
id=9910
name=The Postfix email server has blocked an email due to a Spamhaus lookup.
match=reject
match=ect
match=fix/
match=tp
match=fix/smtpd[
match=lo
match=ing
match=ed
match= blocked using sbl.spamhaus.org;
regex=.*Client host \[([0-9]+(\.[0-9]+){3})\] blocked
log=event:Postfix-Client_Blacklisted srcip:$1 type:spam

NEXT

# 9911: "client=unknown[ip]" -- the connecting host had no reverse DNS.
# This fires for every session from such a client, accepted or not, so
# it is informational on its own; its value is as a correlation input
# for the reject rules above.
id=9911
name=The Postfix email server has reported that it was unable to perform a DNS lookup on the IP address of an email client. This normally means that the DNS infrastructure was unavailable, but could also mean that the remote host is sending spam, and not being part of a managed DNS enabled network. 
match=fix/
match=tp
match=fix/smtpd[
match=ent
match=client
regex=.*client=unknown\[([0-9]+(\.[0-9]+){3})\]
log=event:Postfix-Client_DNS_Unresolvable srcip:$1 type:error

NEXT

# 9912: outbound smtp client (note "fix/smtp[", not smtpd) discarded a
# message instead of bouncing it. No regex, so no address is extracted.
# NOTE(review): the match string ends in a double "))"; it presumably
# targets a nested form such as "(... DISCARD(bounce.suppressed))" --
# confirm against a real line, a single-paren form would not hit.
id=9912
name=The Postfix email server has reported an email message that would have caused email bouncing, but instead suppressed re-sending it.
match=fix/
match=tp
match=fix/smtp[
match=ce
match=ed
match=ss
match=DISCARD(bounce.suppressed))
match=pp
log=event:Postfix-SMTP_Discard_Bounce_Suppressed type:error

NEXT

# 9913: STARTTLS negotiation begun by a client with no reverse DNS.
# NOTE(review): dstport:587 is a constant in the log= line; nothing in
# the matched text identifies the listening port, so TLS sessions on
# port 25 (or 465) are attributed to 587 as well.
id=9913
name=The Postfix email server has reported a TLS connection from an IP address with a non-resolvable DNS name.
match=fix/
match=tp
match=fix/smtpd[
match=now
match=rom
match=ion
match=ing
match= setting up TLS connection from unknown
match=ect
match=onnect
match=onnection
regex=.*unknown\[([0-9]+(\.[0-9]+){3})\]
log=event:Postfix-SMTP_TLS_Connection_From_Unknown_DNS srcip:$1 dstport:587 type:connection

NEXT

# 9914: TLS handshake completed with a client that has no reverse DNS.
# dstport:587 is a constant; the line carries no port (same caveat as
# 9913). Every line this rule matches also satisfies 9923, whose match
# set is a subset of this one -- which event wins presumably depends on
# engine precedence, confirm.
id=9914
name=The Postfix email server has reported a TLS connection from an IP address with a non-resolvable DNS name has been established.
match=fix/
match=tp
match=fix/smtpd[
match=sta
match=est
match=now
match=rom
match=ion
match=ed
match=TLS connection established from unknown
match=ect
match=onnect
match=onnection
regex=.*unknown\[([0-9]+(\.[0-9]+){3})\]
log=event:Postfix-SMTP_TLS_Established_From_Unknown_DNS srcip:$1 dstport:587 type:connection

NEXT

# 9915: reverse-DNS verification failed, glibc resolver wording
# ("Name or service not known"). 9921 is the same rule for the BSD
# resolver wording; both capture the first unbracketed dotted quad after
# "warning: ".
id=9915
name=The Postfix email server has reported that a hostname verification has failed. This can be the result of DNS not being able to resolve an IP address to a domain name.
match=fix/
match=tp
match=fix/smtpd[
match=hostname
match=ser
match=ail
match=now
match=ion
match=ce
match=le
match=ed
match=verification failed: Name or service not known
match=service
regex=.*warning: ([0-9]+(\.[0-9]+){3})
log=event:Postfix-SMTP_Hostname_Verification_Failed srcip:$1 type:error

NEXT

# 9916: cleanup recorded a message-id. One event per message accepted
# into the queue; high volume, no address captured.
id=9916
name=The Postfix email server has issued a cleanup message.
match=fix/
match=le
match=postfix/cleanup
match=an
match=ss
match=: message-id=
log=event:Postfix-Cleanup_Message type:application

NEXT

# 9917: qmgr removed a message from the queue (delivery finished).
# Informational; no regex, no address captured.
id=9917
name=The Postfix email server has removed a message.
match=fix/
match=postfix/qmgr
match=ed
match=: removed
log=event:Postfix-Removed_Message type:application

NEXT

# 9918: qmgr moved a message into the active queue. Informational;
# no regex, no address captured.
id=9918
name=The Postfix email server has a message in the active queue.
match=fix/
match=postfix/qmgr
match=(queue active)
log=event:Postfix-Message_In_Active_Queue type:application

NEXT

# 9919: delivery attempt with a relay= value. "!discarded," presumably
# means the line must NOT contain "discarded," (9925 handles that case)
# -- confirm the negation syntax.
# NOTE(review): the regex requires a bare dotted quad right after
# "relay="; a relay logged as "name[ip]:port" will not satisfy it.
# Whether the event still fires with an empty srcip or is dropped when
# regex= fails is not visible here.
id=9919
name=The Postfix email server has a message to be relayed.
match=fix/
match=tp
match=fix/smtp
match=, relay=
match=!discarded,
regex=.* relay=([0-9]+(\.[0-9]+){3})
log=event:Postfix-SMTP_Message_Relayed srcip:$1 type:application

NEXT

# 9920: message handed to the "spamcyr" pipe transport. The transport
# name is site-specific (it comes from the local master.cf), so this rule
# only fires on deployments that use it.
id=9920
name=The Postfix email server has a message delivered via spamcyr service.
match=fix/
match=postfix/pipe
match=ser
match=ce
match=ed
match=(delivered via spamcyr service)
match=service
match=, relay=spamcyr,
log=event:Postfix-Delivered_Via_Spamcyr_Service type:application

NEXT

# 9921: reverse-DNS verification failed, BSD resolver wording
# ("hostname nor servname provided, or not known"). Twin of 9915 with an
# identical regex; only the resolver message differs.
id=9921
name=The Postfix email server has issued a warning due to verification failure. Systems that deliver email should have their IP addresses available through DNS. If they can't be resolved, this may indicate SPAM activity, or it may indicate that DNS services are unavailable. 
match=fix/
match=tp
match=fix/smtpd[
match=ar
match=arn
match=ing
match= warning:
match=ser
match=ail
match=now
match=ion
match=le
match=ed
match= verification failed: hostname nor servname provided, or not known
regex=.* warning: ([0-9]+(\.[0-9]+){3})
log=event:Postfix-Verification_Failed srcip:$1 type:error

NEXT

# 9922: outbound delivery ended with status=bounced.
# NOTE(review): the captured address comes from the "(host name[ip] ...)"
# clause, i.e. the REMOTE server that refused our message, so srcip here
# is really the destination of our own connection. Also, status=bounced
# covers any permanent failure, not only relay denial as the name= text
# suggests.
id=9922
name=The Postfix email server attempted to send an email, but was denied because it was a relay attempt and was not allowed by the remote email server. 
match=fix/
match=tp
match=fix/smtp[
match=, relay=
match=sta
match=ce
match=ed
match=, status=bounced
match=status
regex=.*\(host .*\[([0-9]+(\.[0-9]+){3})\]
log=event:Postfix-Bounced_Email srcip:$1 type:error

NEXT

# 9923: TLS handshake completed with any client (named or unknown).
# dstport:587 is a constant; the line carries no port, so sessions on
# 25/465 are reported as 587 too. Lines from "unknown[ip]" clients also
# satisfy 9914.
id=9923
name=The postfix daemon received an email connection which invoked TLS encryption.
match=fix/
match=tp
match=fix/smtpd[
match=sta
match=est
match=rom
match=ion
match=ed
match=TLS connection established from 
match=onnection
match=onnect
match=ect
regex=.* established from .*\[([0-9]+(\.[0-9]+){3})\]
log=event:Postfix-TLS_Connection srcip:$1 dstport:587 type:connection

NEXT

# 9924: SASL authentication failure ("warning: name[ip]: SASL ...
# authentication failed"). This is the rule a login-failure threshold
# should be built on; it does not need verbose logging, unlike 9903.
# NOTE(review): dstport:587 is a constant -- AUTH failures on port 25 or
# 465 are attributed to 587 as well.
id=9924
name=The postfix daemon encountered a SASL login attempt which failed.
match=fix/
match=tp
match=fix/smtpd[
match=ent
match=ail
match=ion
match=le
match=ed
match=SASL 
match= authentication failed
match=ailed
regex=.* warning: .*\[([0-9]+(\.[0-9]+){3})\]
log=event:Postfix-SASL_Login_Failure srcip:$1 dstport:587 type:login-failure

NEXT

id=9925
name=The Postfix email server has discarded a message, most likely due to spam classification.
match=fix/
match=tp
match=fix/smtp
match=, relay=
match=ar
match=ed
match=discarded,
regex=.* relay=([0-9]+(\.[0-9]+){3})
log=event:Postfix-SMTP_Spam_Message_Dropped srcip:$1 type:spam
# 9925 (above): "discarded," counterpart of 9919, same relay= capture.
# NOTE(review): the regex only accepts a bare dotted quad after
# "relay="; a "name[ip]:port" relay value will not match it.

NEXT

# 9926: message delivered (status=sent).
# NOTE(review): the regex captures the domain part of the last
# "<user@domain>," on the line, and the log= line writes that DOMAIN NAME
# into srcip -- every other rule in this file only ever puts a dotted
# quad there. Downstream consumers that expect an IP in srcip will get a
# hostname; either capture the relay address instead or use a field that
# takes a name.
id=9926
name=The Postfix email server has sent a message.
match=fix/
match=, relay=
match=ent
match=sta
match=status=sent
match=status
match=to
regex=.*\@([a-zA-Z0-9.-]+)\>,
log=event:Postfix-Message_Sent srcip:$1 type:application proto:6 dstport:25 

NEXT

# 9927: STARTTLS negotiation begun ("setting up TLS connection from").
# NOTE(review): the event name Postfix-SMTP_Message_Sent and
# type:application do not describe what is matched -- this is a TLS
# connection setup, not a delivery; compare 9913, which matches the
# "from unknown" subset of the same lines. "fix/smtp" also matches
# "smtpd[", so 9913 hits are 9927 hits too.
id=9927
name=The Postfix email server encountered a secure TLS connection.
match=fix/
match=tp
match=fix/smtp
match=rom
match=ion
match=ing
match=setting up TLS connection from
match=onnection
match=onnect
match=ect
regex=.*\[([0-9]+(\.[0-9]+){3})\]
log=event:Postfix-SMTP_Message_Sent srcip:$1 type:application proto:6 dstport:587

NEXT

# 9928: successful SASL login ("client=name[ip], sasl_method=...,
# sasl_username=...").
# Group numbering: $1 is the dotted quad, $2 is the inner "(\.[0-9]+)"
# octet group, so the username is $3 -- that is why log= uses user:$3.
# NOTE(review): "{2,35}" drops one-character user names and truncates
# longer ones; presumably acceptable for local accounts, verify.
id=9928
name=The postfix daemon encountered a SASL login.
match=fix/
match=tp
match=fix/smtpd[
match=ent
match=client=
match=sasl_method=
regex=.* client=.*\[([0-9]+(\.[0-9]+){3})\],.* sasl_username=([^\ ]{2,35})
log=event:Postfix-SASL_Login srcip:$1 user:$3 type:login

NEXT

# 9929: local submission picked up from the maildrop ("pickup[pid]: ...
# uid=... from="). The match= lines are loose; the regex is what pins
# the rule to postfix/pickup. No address captured (local origin).
id=9929
name=The Postfix email server has had mail picked up.
match=fix/
match=rom
match=up
match=from
match= from=
regex=postfix\/pickup\[.* uid=.* from=
log=event:Postfix-Message_Pickup type:application proto:6 

NEXT

# 9930: pickup warning that a message has sat in the maildrop for days.
# Usually a stuck local queue (pickup not running / permissions); worth
# alerting on for availability. No regex, no address captured.
id=9930
name=The Postfix email server has mail waiting to be picked up.
match=fix/
match=post
match=up
match=pick
match=warning
match=days
match=message has been queued for
log=event:Postfix-Message_Queued_For_Days type:application proto:6

NEXT

# 9931: cleanup could not write a queue file -- the queue filesystem is
# full. Mail is being refused at this point, so treat as an availability
# incident, not just an error line. No regex, no address captured.
id=9931
name=The Postfix cleanup warning: write queue file: No space left on device.
match=fix/
match=le
match=fix/cleanup
match=No space left on device
match=No
match=spa
match=dev
log=event:Postfix-No_Space_Left_On_Device type:error  proto:6