So far the rblsmtpd-protected qmail-smtpd service is still set up with the usual multilog "run" script, that is:
#!/bin/sh # qmail-smtpd/log/run # daemontools multilogger for qmail-smtpd # === exec setuidgid multilog multilog t /var/multilog/qmail-smtpd \ ### that's all, folks!
This directs all logging output to the directory /var/multilog/qmail-smtpd. Pretty soon, though, as spammers are blocked by the rblsmtpd utility, the logs will start showing lines like these:
$ cd /var/multilog/qmail-smtpd $ tail current | tai64nlocal 2004-09-24 10:20:53.411980500 tcpserver: status: 1/49 2004-09-24 10:20:53.414696500 tcpserver: pid 19288 from 220.127.116.11 2004-09-24 10:20:53.424020500 tcpserver: ok 19288 nimba.guinix.com:192.168.0.11:25 :18.104.22.168::46105 2004-09-24 10:20:54.071190500 rblsmtpd: 22.214.171.124 pid 19288: 451 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL16876 2004-09-24 10:20:57.846226500 tcpserver: end 19288 status 0 2004-09-24 10:20:57.846482500 tcpserver: status: 0/49
The fourth line in the sample output above shows a message from rblsmtpd as it blocks mail from the connection.
To get at just the rblsmtpd entries in the logs, the log files may simply be grep'ed periodically:
$ cat current |tai64nlocal |grep rblsmtpd 2004-09-24 10:20:54.071190500 rblsmtpd: 126.96.36.199 pid 19288: 451 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL16876 ...etc...
On the other hand, if you are interested in keeping a regular eye on rblsmtpd activity, this service makes a good case for using more of the capabilities of multilog.
First, make a copy of the original "run" script and open it in your editor:
# cd /service/qmail-smtpd/log # cp run run.new # vim run.new
Modify the file "run.new" to look like this:
#!/bin/sh # qmail-smtpd/log/run # daemontools multilogger for qmail-smtpd # + separate log for rblsmtpd # === exec setuidgid multilog multilog t \ /var/multilog/qmail-smtpd \ '-*' '+* rblsmtpd: *' /var/multilog/rblsmtpd ### that's all, folks!
The addition to this file includes the following new actions in the multilog "script":
|'-*'||first, deselect all lines|
|'+* rblsmtpd: *'||then, select just the lines which include the string "rblsmtpd:"|
|/var/multilog/rblsmtpd||now, maintain logs of these lines in the specified directory|
Set up the new log directory to capture just the rblsmtpd output:
# mkdir /var/multilog/rblsmtpd # chown multilog /var/multilog/rblsmtpd
Ready to go? Move the new multilogger into position and restart the qmail-smtpd service:
# cd /service/qmail-smtpd/log # mv run.new run # cd .. # svc -d . ./log; svc -u ./log .
All the lines recorded by the qmail-smtpd service will continue to appear in /var/multilog/qmail-smtpd as before. But now you will also have just the rblsmtpd messages, maintained in their own separate multilog directory, /var/multilog/rblsmtpd.
Copyright © 2003, 2004, Wayne Marshall.
All rights reserved.
Last edit 2004.09.30, wcm.