Page 1 of 1

Logwatch "unmatched" postfix messages

Posted: 21 May 2019 12:51
by warlord
Hi,
Running 4.x on CentOS 7.6, and in my daily logwatch it's seeing a lot of "unmatched" postfix entries:

--------------------- Postfix Begin ------------------------

1 Miscellaneous warnings

4 Connections
2 Connections lost (inbound)
4 Disconnections



**Unmatched Entries**
1 May 19 03:11:45 efa postfix/cleanup[29299]: 456CrK5pZyz4DmV: message-id=<456CrK5pZyz4DmV@efa.DOM.AIN>
1 May 19 03:11:45 efa postfix/pickup[20748]: 456CrK5pZyz4DmV: uid=0 from=<root>
1 May 19 03:11:55 efa postfix/qmgr[4362]: 456CrK5pZyz4DmV: removed
1 May 19 03:11:45 efa postfix/qmgr[4362]: 456CrK5pZyz4DmV: from=<root@DOM.AIN>, size=5374, nrcpt=1 (queue active)
1 May 19 03:11:55 efa postfix/smtp[29313]: 456CrK5pZyz4DmV: to=<ME@DOM.AIN>, orig_to=<root>, relay=mail2.DOM.AIN[XXX.XXX.XXX.XXX]:25, delay=52, delays=43/0.02/0.13/9.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8FB04E2049)

---------------------- Postfix End -------------------------

This is on days when I literally have only one message coming through the system (it's not in production yet). I get 3x this when I have 3 messages through the system (e.g. a cron message too). I can't imagine what will happen once I get 500/day (or more). This seems like a postfix log format vs logwatch script expectation mismatch, possibly due to changes made by the EFA postfix package?

Re: Logwatch "unmatched" postfix messages

Posted: 08 Jul 2019 09:49
by shawniverson
So I installed logwatch and am seeing the same behavior. I'll research this. It seems that logwatch is not aware of the way mail is flowing through postfix via mailscanner.

Re: Logwatch "unmatched" postfix messages

Posted: 02 Jan 2020 15:40
by warlord
Hi.
FYI, this is still an issue in 4.0.1-8
(do I need to manually switch over from 4-testing to -stable?)

Re: Logwatch "unmatched" postfix messages

Posted: 03 Jan 2020 01:55
by shawniverson
This is not an an eFa problem but rather a Logwatch problem.

Logwatch does not understand the requeueing pipeline of eFa that results from the use of a milter (the queue id changes as the result of two independent queues in use). Logwatch would have to somehow take this into account and have code specially crafted to match the entries.

See

http://logreporters.sourceforge.net/faq.html#unmatched

Re: Logwatch "unmatched" postfix messages

Posted: 20 Feb 2020 18:12
by warlord
Thanks for the link (and sorry for the long delay in responding). I have emailed them a sample. Hopefully they will respond quickly.
Considering I expect to get hundreds of emails per day, thousands of unmatched entries in logwatch in untenable.
I will respond again if/when I hear anything.

Re: Logwatch "unmatched" postfix messages

Posted: 20 Feb 2020 23:51
by warlord
Got a response. The fix is to add this configuration to turn on long-queue-id processing:

Code: Select all

cat > /etc/logwatch/conf/services/postfix.conf <<EOF
$postfix_Enable_Long_Queue_Ids = Yes
EOF

Re: Logwatch "unmatched" postfix messages

Posted: 24 Feb 2020 00:41
by shawniverson
That was all? Cool :)