NAME
postgreyreport - Fatal report for Postfix Greylisting Policy Server
SYNOPSIS
postgreyreport [options...]
-h, --help display this help and exit
--version display version and exit
--user=USER run as USER (default: postgrey)
--dbdir=PATH find db files in PATH (default: /var/lib/postgrey)
--delay=N report triplets that did not try again after N seconds (default: 300)
--greylist-text=TXT text to match on for greylist maillog lines
--skip_pool Skip report for 'subscriber pools' ( last 2 octets of IP found in PTR name )
--skip_dnsbl=RBL RBL server to query and skip reporting for any listed hosts (SLOW!!)
--skip_clients=FILE PTR or IP or REGEXP of clients to skip in report
--match_clients=FILE *ONLY* report if fatal *AND* PTR/IP of client matches
--show_tries display the number of attempts failed triplets made in first column
--nosingle_line display sender/recipients grouped by ptr - ip
--separate_by_subnet=TXT display TXT for every new /24 (ex: "=================\n" )
--separate_by_ip=TXT display TXT for every new IP (ex: "\n")
--check_sender=LIST one or more of: mx,mx/24,a,a/24
does DNS/A lookups for sender @domain and compares sending IP
if match displays "MX" "A" or "MX/24" or "A/24" depending on LIST
Note that --(skip|match)_clients can be specified multiple times and there are no default files.
Same rules apply as postgrey's --whitelist-clients, see postgrey doc for more info.
--skip_dnsbl can also be specified multiple times to query multiple DNSBL servers.
DESCRIPTION
postgreyreport opens postgrey.db as read-only; reads a maillog via
STDIN, extracts the triplets for any Greylisted lines and looks them up
in postgrey.db. if the difference in first and last time seen is less
than --delay=N then the triplet is considered fatal and displayed to
STDOUT
The report sorts by client IP address
Note:
unless you are using --lookup_by_subnet or excluding all known MTA
pools you will likely have false fatal reports for "BigISPs". A message
that was tried from every IP in SMTP pool before making it through will
show up in the report for all of the attempted source IPs
USAGE
It is best to run postgreyreport against a maillog that is at least
several hours old (yesterdays?) ( you be the judge on how old is
acceptable ). if you run the report against a live maillog you are not
giving legit MTA’s enough time to try again and you will have lots of
inaccurate information.
· Ex usage:
zcat /var/log/maillog.0.gz | ./postgreyreport [options] > postgreyreport.log
or
zcat /var/log/maillog.0.gz | \
./postgreyreport --nosingle_line --check_sender=mx,a \
--separate_by_subnet=":==================\n"
# 94 "=" total, some were omitted for clarity
· Ex Output: ( POD wrapping will mess this up, view source )
:============================================================================================
unknown 4.29.43.31
marissa_mcclendonuu@abit.com.tw user1@recipient1.com
jake_meyerdt@ali.com.tw user2@recipient1.com
jenny_banks_sh@translate.ru user1@recipient2.com
rvazquezpo@ali.com.tw user3@recipient1.com
aep@notimexico.com user2@recipient1.com
brittneystanley_ei@cetra.org.tw user2@recipient1.com
brendasheehan_cw@lib.ru user2@recipient1.com
:============================================================================================
lsanca1-ar5-127-189.biz.dsl.gtei.net 4.33.127.189
A fokkensr@lsanca1-ar5-127-189.biz.dsl.gtei.net user2@recipient1.com
cyxlfrfwciercu@publicist.com user3@recipient4.com
:============================================================================================
smtpout.mac.com 17.250.248.83
do_not_reply@apple.com user4@recipient5.com
smtpout.mac.com 17.250.248.88
MX legituser@mac.com user6@recipient7.com
:============================================================================================
HISTORY
1.14.2 20040715
BUGFIX: (automatic) lookup-by-subnet support was broken, fixed.
BUGFIX: corrected a few spelling errors
new Option: --skip_pool Skip report for 'subscriber pools'
1.14.1 20040712
Changed --return-string to --greylist-text to match postgrey
new Option: --skip_clients=FILE
new Option: --match_clients=FILE
new Option: --skip_dnsbl=RBL.DNS.NAME
All 3 of the new options can be specified multiple times.
Updated do_*_subsititions again to match postgrey
1.11.1 20040701
missing keys from DB are considered fatal triplets and included in report
Changed --delay testing from "greater than" to "greater than or equal to"
Fixed --help and --man switches
Removed setuid Notice
1.6.4 20040618
Initial Public Version (postgrey/contrib)
AUTHOR
Tom Baker <tbaker@bakerfl.org>