Add support for BDAT and NOOP SMTP stages and command counters

Author: whyscream

50-filter-postfix.conf

@@ -237,6 +237,8 @@ filter {
             "postfix_client_port", "integer",
             "postfix_cmd_auth", "integer",
             "postfix_cmd_auth_accepted", "integer",
+            "postfix_cmd_bdat", "integer",
+            "postfix_cmd_bdat_accepted", "integer",
             "postfix_cmd_count", "integer",
             "postfix_cmd_count_accepted", "integer",
             "postfix_cmd_data", "integer",
@@ -247,6 +249,8 @@ filter {
             "postfix_cmd_helo_accepted", "integer",
             "postfix_cmd_mail", "integer",
             "postfix_cmd_mail_accepted", "integer",
+            "postfix_cmd_noop", "integer",
+            "postfix_cmd_noop_accepted", "integer",
             "postfix_cmd_quit", "integer",
             "postfix_cmd_quit_accepted", "integer",
             "postfix_cmd_rcpt", "integer",

postfix.grok

@@ -12,7 +12,7 @@ POSTFIX_QUEUEID ([0-9A-F]{6,}|[0-9a-zA-Z]{12,}|NOQUEUE)
 
 POSTFIX_CLIENT_INFO %{HOSTNAME:postfix_client_hostname}?\[(%{IP_UNKNOWN:postfix_client_ip_unknown}|%{IP:postfix_client_ip})\](:%{INT:postfix_client_port})?
 POSTFIX_RELAY_INFO %{HOSTNAME:postfix_relay_hostname}?\[(%{IP:postfix_relay_ip}|%{DATA:postfix_relay_service})\](:%{INT:postfix_relay_port})?|%{WORD:postfix_relay_service}
-POSTFIX_SMTP_STAGE (CONNECT|HELO|EHLO|STARTTLS|AUTH|MAIL( FROM)?|RCPT( TO)?|(end of )?DATA|RSET|UNKNOWN|END-OF-MESSAGE|VRFY|\.)
+POSTFIX_SMTP_STAGE (CONNECT|HELO|EHLO|STARTTLS|AUTH|MAIL( FROM)?|RCPT( TO)?|(end of )?DATA|BDAT|RSET|UNKNOWN|END-OF-MESSAGE|VRFY|\.)
 POSTFIX_ACTION (accept|defer|discard|filter|header-redirect|reject|reject_warning)
 POSTFIX_STATUS_CODE \d{3}
 POSTFIX_STATUS_CODE_ENHANCED \d\.\d+\.\d+
@@ -31,7 +31,7 @@ POSTFIX_DELAYS %{NUMBER:postfix_delay_before_qmgr}/%{NUMBER:postfix_delay_in_qmg
 POSTFIX_LOSTCONN (Connection timed out|No route to host|Connection refused|Network is unreachable|lost connection|timeout|SSL_accept error|-1)
 POSTFIX_LOSTCONN_REASONS (receiving the initial server greeting|sending message body|sending end of data -- message may be sent more than once)
 POSTFIX_PROXY_MESSAGE (%{POSTFIX_STATUS_CODE:postfix_proxy_status_code} )?(%{POSTFIX_STATUS_CODE_ENHANCED:postfix_proxy_status_code_enhanced})?.*
-POSTFIX_COMMAND_COUNTER_DATA (helo=(%{INT:postfix_cmd_helo_accepted}/)?%{INT:postfix_cmd_helo} )?(ehlo=(%{INT:postfix_cmd_ehlo_accepted}/)?%{INT:postfix_cmd_ehlo} )?(starttls=(%{INT:postfix_cmd_starttls_accepted}/)?%{INT:postfix_cmd_starttls} )?(auth=(%{INT:postfix_cmd_auth_accepted}/)?%{INT:postfix_cmd_auth} )?(mail=(%{INT:postfix_cmd_mail_accepted}/)?%{INT:postfix_cmd_mail} )?(rcpt=(%{INT:postfix_cmd_rcpt_accepted}/)?%{INT:postfix_cmd_rcpt} )?(data=(%{INT:postfix_cmd_data_accepted}/)?%{INT:postfix_cmd_data} )?(rset=(%{INT:postfix_cmd_rset_accepted}/)?%{INT:postfix_cmd_rset} )?(quit=(%{INT:postfix_cmd_quit_accepted}/)?%{INT:postfix_cmd_quit} )?(unknown=(%{INT:postfix_cmd_unknown_accepted}/)?%{INT:postfix_cmd_unknown} )?commands=(%{INT:postfix_cmd_count_accepted}/)?%{INT:postfix_cmd_count}
+POSTFIX_COMMAND_COUNTER_DATA (helo=(%{INT:postfix_cmd_helo_accepted}/)?%{INT:postfix_cmd_helo} )?(ehlo=(%{INT:postfix_cmd_ehlo_accepted}/)?%{INT:postfix_cmd_ehlo} )?(starttls=(%{INT:postfix_cmd_starttls_accepted}/)?%{INT:postfix_cmd_starttls} )?(auth=(%{INT:postfix_cmd_auth_accepted}/)?%{INT:postfix_cmd_auth} )?(mail=(%{INT:postfix_cmd_mail_accepted}/)?%{INT:postfix_cmd_mail} )?(rcpt=(%{INT:postfix_cmd_rcpt_accepted}/)?%{INT:postfix_cmd_rcpt} )?(bdat=(%{INT:postfix_cmd_bdat_accepted}/)?%{INT:postfix_cmd_bdat} )?(data=(%{INT:postfix_cmd_data_accepted}/)?%{INT:postfix_cmd_data} )?(rset=(%{INT:postfix_cmd_rset_accepted}/)?%{INT:postfix_cmd_rset} )?(noop=(%{INT:postfix_cmd_noop_accepted}/)?%{INT:postfix_cmd_noop} )?(quit=(%{INT:postfix_cmd_quit_accepted}/)?%{INT:postfix_cmd_quit} )?(unknown=(%{INT:postfix_cmd_unknown_accepted}/)?%{INT:postfix_cmd_unknown} )?commands=(%{INT:postfix_cmd_count_accepted}/)?%{INT:postfix_cmd_count}
 
 
 # warning patterns

test/smtpd_0028.yaml

@@ -4,4 +4,3 @@ results:
     postfix_client_hostname: unknown
     postfix_client_ip: 72.10.165.66
     postfix_command_counter_data: ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7
-

test/smtpd_0033.yaml

@@ -0,0 +1,7 @@
+pattern: ^%{POSTFIX_SMTPD}$
+data: "lost connection after BDAT from example.net[158.247.23.50]"
+results:
+    postfix_smtpd_lostconn_data: lost connection
+    postfix_smtp_stage: BDAT
+    postfix_client_hostname: example.net
+    postfix_client_ip: 158.247.23.50

test/smtpd_0034.yaml

@@ -0,0 +1,6 @@
+pattern: ^%{POSTFIX_SMTPD}$
+data: "disconnect from example.net[158.247.23.50] ehlo=2 starttls=1 mail=1 rcpt=0/1 bdat=0/1 commands=4/6"
+results:
+    postfix_client_hostname: example.net
+    postfix_client_ip: 158.247.23.50
+    postfix_command_counter_data: ehlo=2 starttls=1 mail=1 rcpt=0/1 bdat=0/1 commands=4/6

test/smtpd_0035.yaml

@@ -0,0 +1,6 @@
+pattern: ^%{POSTFIX_SMTPD}$
+data: "disconnect from unknown[93.188.162.137] ehlo=2 starttls=1 mail=1 rcpt=0/1 rset=1 noop=1 quit=1 commands=7/8"
+results:
+    postfix_client_hostname: unknown
+    postfix_client_ip: 93.188.162.137
+    postfix_command_counter_data: ehlo=2 starttls=1 mail=1 rcpt=0/1 rset=1 noop=1 quit=1 commands=7/8