[syslog-ng] [PATCH]: Experimental SMTP destination

Gergely Nagy algernon at balabit.hu
Sun Feb 13 00:45:32 CET 2011


On Sat, 2011-02-12 at 22:56 +0000, Alexander Clouter wrote: 
> Gergely Nagy <algernon at balabit.hu> wrote:
> >
> > [snipped sendmail approach]
> > 
> > Yes, that's a possibility, indeed, but that assumes one has a sendmail
> > command installed.
> > 
> For those crazy enough to run syslog-ng on a non-sendmail environment, 
> there are alternatives:
> 
> http://glob.com.au/sendmail/

Sadly, that does not run on my router.

> > * Tighter integration with syslog-ng allows for easier troubleshooting:
> > 	one only has to look at one place
> >
> It does not answer "where did my email alert go?"  Did syslog eat it?  
> Did the smarthost toast it?  Was it lost further upstream?

Of course it does not make me able to troubleshoot issues beyond the box
itself, but it does make it easier to see whether the message left the
system at all, as I only have to look at syslog-ng's debug output, and
don't have to hunt down wherever sendmail logged to.

> > * Safer: If $MSG happens to be multi-line, and one manages to craft a
> > message with an embedded "\r\n.\r\n", we're in trouble. Similar things
> > could be done to the headers aswell. Of course, that can be guarded
> > against, but then the program destination becomes considerably
> > different, and one would need a wrapper program. Or escaping template
> > functions (which would be useful, if we don't have any yet..)
> > 
> No need to guard against it, add support into syslog-ng to send EOF at 
> the end of each message and you use that as your magic marker instead.

Well, consider a log message sent by a malicious client:

"blahblah\r\n.\r\nmail from:<>\r\nrcpt to:<somewhere at example.com>\r\ndata\r\nblahblah\r\n.\r\n"

As far as I remember, the syslog protocol (the new one) allows embedded
newlines, so such messages should be accounted for, one way or the
other.

> > That, and having the option to do it without an external program was one
> > of the driving forces behind the code (I really, really don't like
> > calling external programs, if I can avoid it).
> > 
> Probably time to stop using UNIX :P

I only use unix to boot into emacs. I guess it shows. ;)

-- 
|8]
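The "\r\n.\r\n" problem above is the classic SMTP DATA-phase injection: the receiving server ends the message at the first line that is exactly ".", so anything a client places after that in $MSG is parsed as new SMTP commands. The fix is the transparency rule of RFC 5321 section 4.5.2 (dot-stuffing) plus CRLF normalization of the body and header values. The following is an added example of that encoding, not code from the syslog-ng thread or project; the function names, the header values and the crafted sample message are constructed for illustration.

```python
"""Encode a log message for the SMTP DATA phase so an embedded
"\\r\\n.\\r\\n" cannot terminate DATA early (added example, hypothetical
names, not syslog-ng code)."""

import re

# Any of CRLF, bare CR or bare LF counts as a line break on the wire.
_LINE_BREAK_RE = re.compile(r"\r\n|\r|\n")

# Constructed sample mirroring the crafted message discussed in the thread.
CRAFTED_MESSAGE = (
    "blahblah\r\n.\r\nmail from:<>\r\nrcpt to:<victim@example.invalid>\r\n"
    "data\r\nblahblah\r\n.\r\n"
)


def sanitize_header_value(value: str) -> str:
    """Fold any line break in a header value into a single space, so a
    template such as $HOST or $MSG cannot add extra headers or end the
    header block early."""
    return _LINE_BREAK_RE.sub(" ", value)


def encode_data_body(message: str) -> str:
    """Encode a possibly multi-line message for DATA.

    1. Normalize every line break to CRLF, the only one SMTP recognizes.
    2. Dot-stuff: prefix each line that starts with "." with another ".",
       which the receiver strips, so it never sees a lone "." line.
    3. End with CRLF so the final ".\\r\\n" terminator gets its own line.
    """
    lines = _LINE_BREAK_RE.split(message)
    if lines and lines[-1] == "":
        lines.pop()  # message already ended with a line break
    stuffed = [("." + line) if line.startswith(".") else line for line in lines]
    return "\r\n".join(stuffed) + "\r\n"


def build_data_payload(headers: dict, message: str) -> str:
    """Full text sent after the DATA command, terminator included."""
    header_block = "".join(
        f"{name}: {sanitize_header_value(value)}\r\n" for name, value in headers.items()
    )
    return header_block + "\r\n" + encode_data_body(message) + ".\r\n"


def naive_data_payload(message: str) -> str:
    """The unsafe variant: body pasted verbatim, then the terminator."""
    return message + "\r\n.\r\n"


def data_phase_is_intact(payload: str) -> bool:
    """Receiver's view: DATA ends at the first line that is exactly ".".
    True only if that line is the last one of the payload, i.e. nothing
    after the intended terminator would be parsed as SMTP commands."""
    lines = payload.split("\r\n")  # payload ends with CRLF, so last item is ""
    terminators = [i for i, line in enumerate(lines) if line == "."]
    return terminators == [len(lines) - 2]


if __name__ == "__main__":
    headers = {"From": "syslog-ng@router.invalid", "Subject": "alert\r\nBcc: x@y.invalid"}
    print("naive payload intact:", data_phase_is_intact(naive_data_payload(CRAFTED_MESSAGE)))
    print("encoded payload intact:",
          data_phase_is_intact(build_data_payload(headers, CRAFTED_MESSAGE)))
```

Run stand-alone it reports False for the naive payload and True for the encoded one. The same check is worth keeping in a destination's own tests: feed it a body containing "\r\n.\r\n" and assert that the receiver-side parser finds exactly one terminator, at the end.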