0

I have Debian 10 (Buster) installed with dovecot, sieve and logwatch.

In my sieve file I have rules with discard. As a consequence I get plenty of the following lines in my syslog file.

Nov  2 19:46:17 xxxxx dovecot: lda(xxxxx)<12473><IOa9OvlToF+5MAAAwswyaQ>: sieve: msgid=<[email protected]>: marked message to be discarded if not explicitly delivered (discard action)

In the logwatch report I see this

**Unmatched Entries**
    dovecot: lda(xxxxx)<1003><RUjQJX2GoV/rAwAAwswyaQ>: sieve: msgid=<[email protected]>: marked message to be discarded if not explicitly delivered (discard action): 1 Time(s)
...

I checked the dovecot filter code of logwatch in /usr/share/logwatch/scripts/services/dovecot and a rule to ignore these messages is present, but is apparently not working.

This is what I find in the script file:

   } elsif ( $ThisLine =~ /^$dovecottag (?:lda|deliver|lmtp)\(.*\): .*sieve: msgid=.* marked message to be discarded if not explicitly delivered/ ) {
   # dovecot: lda(joe): sieve: msgid=<m$01$@com>: marked message to be discarded if not explicitly delivered (discard action)
   # IGNORE
   }

My dovecot version is 2.3.4.1. My logwatch version is 7.4.3.

Improve this question

2 Answers 2

Reset to default
0

By testing "in vitro" I found out that the script rule fails due to the presence of <1003><RUjQJX2GoV/rAwAAwswyaQ>. The rule match if I remove it.

The problem was fixed by inserting .*. Here is the fixed rule

   } elsif ( $ThisLine =~ /^$dovecottag (?:lda|deliver|lmtp)\(.*\).*: .*sieve: msgid=.* marked message to be discarded if not explicitly delivered/ ) {
   # dovecot: lda(joe): sieve: msgid=<m$01$@com>: marked message to be discarded if not explicitly delivered (discard action)
   # IGNORE
   }

I’m using Debian 10 with Dovecot 2.3.4.1 and Logwatch 7.4.3. It’s not the latest version of Logwatch, but the one installed by apt-get by default on Debian.

Improve this answer
0

I also ran into this after upgrading to Debian 10.

The log prefix for dovecot 2.3.4.1 was changed to include pid and session by default. Buster's version of Logwatch (7.4.3) doesn't take this into account which causes a lot of Unmatched Entries and errors not being grouped together. ( You can look at the rules for dovecot at /usr/share/logwatch/scripts/services/dovecot ) Even the latest version of Logwatch, 7.5.5 as of this writing, doesn't seem to have a corrected rule for every possibility.

What worked best for me was to remove the pid and session from dovecot's log prefix.

Change the mail_log_prefix option in /etc/dovecot/conf.d/10-logging.conf to

# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
# possible variables you can use.
#mail_log_prefix = "%s(%u)<%{pid}><%{session}>: "
#  remove pid and session for compatability with logwatch
mail_log_prefix = "%s(%u): "

restart dovecot for the change to take effect

systemctl restart dovecot
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.