Merge pull request #155 from whyscream/azhinu-master

Mark NOQUEUE as QUEUEID

postfix.grok

@@ -1,5 +1,5 @@
 # common postfix patterns
-POSTFIX_QUEUEID ([0-9A-F]{6,}|[0-9a-zA-Z]{12,})
+POSTFIX_QUEUEID ([0-9A-F]{6,}|[0-9a-zA-Z]{12,}|NOQUEUE)
 POSTFIX_CLIENT_INFO %{HOSTNAME:postfix_client_hostname}?\[%{IP:postfix_client_ip}\](:%{INT:postfix_client_port})?
 POSTFIX_RELAY_INFO %{HOSTNAME:postfix_relay_hostname}?\[(%{IP:postfix_relay_ip}|%{DATA:postfix_relay_service})\](:%{INT:postfix_relay_port})?|%{WORD:postfix_relay_service}
 POSTFIX_SMTP_STAGE (CONNECT|HELO|EHLO|STARTTLS|AUTH|MAIL( FROM)?|RCPT( TO)?|(end of )?DATA|RSET|UNKNOWN|END-OF-MESSAGE|VRFY|\.)
@@ -38,7 +38,7 @@ POSTFIX_WARNING %{POSTFIX_WARNING_WITH_KV}|%{POSTFIX_WARNING_WITHOUT_KV}
 POSTFIX_SMTPD_CONNECT connect from %{POSTFIX_CLIENT_INFO}
 POSTFIX_SMTPD_DISCONNECT disconnect from %{POSTFIX_CLIENT_INFO}( %{GREEDYDATA:postfix_command_counter_data})?
 POSTFIX_SMTPD_LOSTCONN %{POSTFIX_LOSTCONN:postfix_smtpd_lostconn_data}( after %{POSTFIX_SMTP_STAGE:postfix_smtp_stage}( \(%{INT} bytes\))?)? from %{POSTFIX_CLIENT_INFO}(: %{GREEDYDATA:postfix_smtpd_lostconn_reason})?
-POSTFIX_SMTPD_NOQUEUE NOQUEUE: %{POSTFIX_ACTION:postfix_action}: %{POSTFIX_SMTP_STAGE:postfix_smtp_stage} from %{POSTFIX_CLIENT_INFO}:( %{POSTFIX_STATUS_CODE:postfix_status_code} %{POSTFIX_STATUS_CODE_ENHANCED:postfix_status_code_enhanced})?( <%{DATA:postfix_status_data}>:)? (%{POSTFIX_DNSBL_MESSAGE}|%{GREEDYDATA:postfix_status_message};) %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}
+POSTFIX_SMTPD_NOQUEUE %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_ACTION:postfix_action}: %{POSTFIX_SMTP_STAGE:postfix_smtp_stage} from %{POSTFIX_CLIENT_INFO}:( %{POSTFIX_STATUS_CODE:postfix_status_code} %{POSTFIX_STATUS_CODE_ENHANCED:postfix_status_code_enhanced})?( <%{DATA:postfix_status_data}>:)? (%{POSTFIX_DNSBL_MESSAGE}|%{GREEDYDATA:postfix_status_message};) %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}
 POSTFIX_SMTPD_PIPELINING improper command pipelining after %{POSTFIX_SMTP_STAGE:postfix_smtp_stage} from %{POSTFIX_CLIENT_INFO}: %{GREEDYDATA:postfix_improper_pipelining_data}
 POSTFIX_SMTPD_PROXY proxy-%{POSTFIX_ACTION:postfix_proxy_result}: (%{POSTFIX_SMTP_STAGE:postfix_proxy_smtp_stage}): %{POSTFIX_PROXY_MESSAGE:postfix_proxy_message}; %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}
 

test/postscreen_0027.yaml

@@ -1,6 +1,7 @@
 pattern: ^%{POSTFIX_POSTSCREEN}$
 data: "NOQUEUE: reject: RCPT from [182.98.255.184]:2413: 550 5.5.1 Protocol error; from=<[email protected]>, to=<[email protected]>, proto=SMTP, helo=<mx32.usaindiamunish.net>"
 results:
+    postfix_queueid: NOQUEUE
     postfix_action: reject
     postfix_smtp_stage: RCPT
     postfix_client_ip: 182.98.255.184

test/postscreen_0028.yaml

@@ -1,6 +1,7 @@
 pattern: ^%{POSTFIX_POSTSCREEN}$
 data: "NOQUEUE: reject: RCPT from [27.157.200.233]:4984: 550 5.7.1 Service unavailable; client [27.157.200.233] blocked using zen.spamhaus.org; from=<[email protected]>, to=<[email protected]>, proto=ESMTP, helo=<qhhn.com>"
 results:
+    postfix_queueid: NOQUEUE
     postfix_action: reject
     postfix_smtp_stage: RCPT
     postfix_client_ip: 27.157.200.233

test/smtpd_0004.yaml

@@ -1,6 +1,7 @@
 pattern: ^%{POSTFIX_SMTPD}$
 data: "NOQUEUE: reject: RCPT from 061238241086.static.ctinets.com[61.238.241.86]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual mailbox table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<ecsolved.com>"
 results:
+    postfix_queueid: NOQUEUE
     postfix_action: reject
     postfix_smtp_stage: RCPT
     postfix_client_hostname: 061238241086.static.ctinets.com

test/smtpd_0008.yaml

@@ -1,6 +1,7 @@
 pattern: ^%{POSTFIX_SMTPD}$
 data: "NOQUEUE: reject: RCPT from unknown[2001:980:cfb1:1:82f:f74e:a45c:3033]: 504 5.5.2 <aap@henk>: Sender address rejected: need fully-qualified address; from=<aap@henk> to=<[email protected]> proto=SMTP helo=<test>"
 results:
+    postfix_queueid: NOQUEUE
     postfix_action: reject
     postfix_smtp_stage: RCPT
     postfix_client_hostname: unknown

test/smtpd_0009.yaml

@@ -1,6 +1,7 @@
 pattern: ^%{POSTFIX_SMTPD}$
 data: "NOQUEUE: reject: RCPT from news.zihan-promo.com[192.36.205.58]: 554 5.7.1 Service unavailable; Helo command [news.zihan-promo.com] blocked using dbl.spamhaus.org; http://www.spamhaus.org/query/dbl?domain=zihan-promo.com; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<news.zihan-promo.com>"
 results:
+    postfix_queueid: NOQUEUE
     postfix_action: reject
     postfix_smtp_stage: RCPT
     postfix_client_hostname: news.zihan-promo.com

test/smtpd_0017.yaml

@@ -3,6 +3,7 @@
 pattern: ^%{POSTFIX_SMTPD}$
 data: "NOQUEUE: reject: VRFY from unknown[2001:968:9999:20:88b:9b7d:2a54:2bd2]: 454 4.7.1 <[email protected]>: Relay access denied; to=<[email protected]> proto=SMTP helo=<me>"
 results:
+    postfix_queueid: NOQUEUE
     postfix_action: reject
     postfix_smtp_stage: VRFY
     postfix_client_hostname: unknown

test/smtpd_0018.yaml

@@ -3,6 +3,7 @@
 pattern: ^%{POSTFIX_SMTPD}$
 data: "NOQUEUE: reject: VRFY from unknown[2001:968:9999:20:88b:9b7d:2a54:2bd2]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual mailbox table; to=<[email protected]> proto=SMTP helo=<me>"
 results:
+    postfix_queueid: NOQUEUE
     postfix_action: reject
     postfix_smtp_stage: VRFY
     postfix_client_hostname: unknown

test/smtpd_0026.yaml

@@ -1,6 +1,7 @@
 pattern: ^%{POSTFIX_SMTPD}$
 data: "NOQUEUE: discard: MAIL from ccm231.constantcontact.com[208.75.123.231]: <[email protected]>: Sender address SPAM; from=<[email protected]> proto=ESMTP helo=<ccm231.constantcontact.com>"
 results:
+    postfix_queueid: NOQUEUE
     postfix_action: discard
     postfix_smtp_stage: MAIL
     postfix_client_hostname: ccm231.constantcontact.com

test/smtpd_0027.yaml

@@ -1,6 +1,7 @@
 pattern: ^%{POSTFIX_SMTPD}$
 data: "NOQUEUE: filter: RCPT from unknown[85.25.255.255]: <[email protected]>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<plutoapp.biz>"
 results:
+    postfix_queueid: NOQUEUE
     postfix_action: filter
     postfix_smtp_stage: RCPT
     postfix_client_hostname: unknown