WIP Parse the contents of the postfix_tls field into specifics

whyscream · whyscream · commit 64fb31e7b1c6 · 2025-11-18T01:17:18.000+01:00
diff --git a/50-filter-postfix.conf b/50-filter-postfix.conf
@@ -222,6 +222,14 @@ filter {
                 remove_field   => [ "postfix_delays" ]
             }
         }
+        if [postfix_tls] {
+            grok {
+                patterns_dir   => "/etc/logstash/patterns.d"
+                match          => ["postfix_tls", "^%{POSTFIX_TLS_FEATURES}$"]
+                tag_on_failure => [ "_grok_kv_postfix_tls_nomatch" ]
+                remove_field   => [ "postfix_tls" ]
+            }
+        }
     }
 
     # process command counter data if it exists
@@ -289,6 +297,9 @@ filter {
             "postfix_delay_transmission", "float",
             "postfix_postscreen_violation_time", "float"
         ]
-    }
+        gsub => [
+            # rewrite some extracted values
+            "postfix_tls_policy_undecided", "\?", "true"
+        ]
+   }
 }
-
diff --git a/postfix.grok b/postfix.grok
@@ -121,6 +121,10 @@ POSTFIX_VERIFY_CACHE cache %{DATA} (?<postfix_verify_cleanup_type>(full|partial)
 # local patterns
 POSTFIX_LOCAL_DELIVERY %{POSTFIX_KEYVALUE} status=%{STATUS_WORD:postfix_status}( \(%{GREEDYDATA:postfix_local_response}\))?
 
+# TLS features
+POSTFIX_TLS_POLICY_UNDECIDED \?
+POSTFIX_TLS_FEATURES %{STATUS_WORD:postfix_tls_security_level}(:%{STATUS_WORD:postfix_tls_downgrade_level})?(%{POSTFIX_TLS_POLICY_UNDECIDED:postfix_tls_policy_undecided})?
+
 # aggregate all patterns
 POSTFIX_SMTPD %{POSTFIX_SMTPD_CONNECT}|%{POSTFIX_SMTPD_DISCONNECT}|%{POSTFIX_SMTPD_LOSTCONN}|%{POSTFIX_SMTPD_NOQUEUE}|%{POSTFIX_SMTPD_PIPELINING}|%{POSTFIX_TLSCONN}|%{POSTFIX_WARNING}|%{POSTFIX_SMTPD_PROXY}|%{POSTFIX_KEYVALUE}
 POSTFIX_CLEANUP %{POSTFIX_CLEANUP_MESSAGEID}|%{POSTFIX_CLEANUP_MILTER}|%{POSTFIX_CLEANUP_PREPEND}|%{POSTFIX_WARNING}|%{POSTFIX_KEYVALUE}
diff --git a/test/tls_features_0007.yaml b/test/tls_features_0007.yaml
@@ -0,0 +1,4 @@
+pattern: "^%{POSTFIX_TLS_FEATURES}$"
+data: "dane"
+results:
+    postfix_tls_security_level: dane
diff --git a/test/tls_features_0008.yaml b/test/tls_features_0008.yaml
@@ -0,0 +1,5 @@
+pattern: "^%{POSTFIX_TLS_FEATURES}$"
+data: "dane:none"
+results:
+    postfix_tls_security_level: dane
+    postfix_tls_downgrade_level: none
diff --git a/test_pipeline.sh b/test_pipeline.sh
@@ -63,6 +63,8 @@ CONTAINER_ID=$(docker run --rm --detach \
 
 printf "Waiting for output from logstash "
 until test -s "$OUTPUT"; do
+  # For debugging a crashing container (probably invalid configuration)
+  # docker inspect "$CONTAINER_ID" | jq '.[0].State'
   printf "."
   sleep 2
 done

Original file line number	Diff line number	Diff line change
`@@ -222,6 +222,14 @@ filter {`
`222`	`222`	`remove_field => [ "postfix_delays" ]`
`223`	`223`	`}`
`224`	`224`	`}`
	`225`	`+ if [postfix_tls] {`
	`226`	`+ grok {`
	`227`	`+ patterns_dir => "/etc/logstash/patterns.d"`
	`228`	`+ match => ["postfix_tls", "^%{POSTFIX_TLS_FEATURES}$"]`
	`229`	`+ tag_on_failure => [ "_grok_kv_postfix_tls_nomatch" ]`
	`230`	`+ remove_field => [ "postfix_tls" ]`
	`231`	`+ }`
	`232`	`+ }`
`225`	`233`	`}`
`226`	`234`
`227`	`235`	`# process command counter data if it exists`
`@@ -289,6 +297,9 @@ filter {`
`289`	`297`	`"postfix_delay_transmission", "float",`
`290`	`298`	`"postfix_postscreen_violation_time", "float"`
`291`	`299`	`]`
`292`		`- }`
	`300`	`+ gsub => [`
	`301`	`+ # rewrite some extracted values`
	`302`	`+ "postfix_tls_policy_undecided", "\?", "true"`
	`303`	`+ ]`
	`304`	`+ }`
`293`	`305`	`}`
`294`		`-`