jfqd/Postfix config for logstash

## Postfix config for logstash
#####################################
# Postfix
#
if [type] == "redis-input" and "postfix" in [@tags] {
  grok {
    match   => [ "@message", "%{PF}" ]
    add_tag => [ "postfix", "grokked" ]
    patterns_dir => [ "/opt/logstash/patterns-extensions/" ]
  }

  if [relayip] {
    geoip {
      source => "relayip"
      target => "geoip"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
      add_tag   => [ 'geoip' ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }

  if [from] {
    mutate {
      lowercase => [ "from" ]
    }
  }

  if [to] {
    mutate {
      lowercase => [ "to" ]
    }
  }

}

## Postfix grok file for logstash
# Syslog stuff
COMPONENT ([\w._\/%-]+)
COMPID postfix\/%{COMPONENT:component}(?:\[%{POSINT:pid}\])?
POSTFIXBASE %{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{DATA:program}(?:\[%{POSINT:pid}\])?: (\[ID\ %{DATA:id}\ %{DATA:facility}\.%{DATA:level}\])

# Milter
HELO (?:\[%{IP:helo}\]|%{HOST:helo}|%{DATA:helo})

MILTERCONNECT %{QUEUEID:qid}: milter-reject: CONNECT from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; proto=%{WORD:proto}
MILTERUNKNOWN %{QUEUEID:qid}: milter-reject: UNKNOWN from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; proto=%{WORD:proto}
MILTEREHLO %{QUEUEID:qid}: milter-reject: EHLO from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; proto=%{WORD:proto} helo=<%{HELO}>
MILTERMAIL %{QUEUEID:qid}: milter-reject: MAIL from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; from=<%{EMAILADDRESS:from}> proto=%{WORD:proto} helo=<%{HELO}>
MILTERHELO %{QUEUEID:qid}: milter-reject: HELO from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; proto=%{WORD:proto} helo=<%{HELO}>
MILTERRCPT %{QUEUEID:qid}: milter-reject: RCPT from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; from=<%{EMAILADDRESS:from}> to=<%{EMAILADDRESS:to}> proto=%{WORD:proto} helo=<%{HELO}>
MILTERENDOFMESSAGE %{QUEUEID:qid}: milter-reject: END-OF-MESSAGE from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; from=<%{EMAILADDRESS:from}> to=<%{EMAILADDRESS:to}> proto=%{WORD:proto} helo=<%{HELO}>

# Postfix stuff
QUEUEID (?:[A-F0-9]+|NOQUEUE)
EMAILADDRESSPART [a-zA-Z0-9_.+-=:]+
EMAILADDRESS %{EMAILADDRESSPART:local}@%{EMAILADDRESSPART:remote}
RELAY (?:%{HOSTNAME:relayhost}(?:\[%{IP:relayip}\](?::[0-9]+(.[0-9]+)?)?)?)
#RELAY (?:%{HOSTNAME:relayhost}(?:\[%{IP:relayip}\](?:%{POSREAL:relayport})))
POSREAL [0-9]+(.[0-9]+)?
#DELAYS %{POSREAL:a}/%{POSREAL:b}/%{POSREAL:c}/%{POSREAL:d}
#DELAYS (%{POSREAL}[/]*)+
DSN %{NONNEGINT}.%{NONNEGINT}.%{NONNEGINT}
STATUS sent|deferred|bounced|expired
PERMERROR 5[0-9]{2}
MESSAGELEVEL reject|warning|error|fatal|panic

POSTFIXSMTPMESSAGE %{MESSAGELEVEL}: %{GREEDYDATA:reason}
POSTFIXACTION discard|dunno|filter|hold|ignore|info|prepend|redirect|replace|reject|warn

# postfix/smtp and postfix/lmtp, postfix/local and postfix/error
POSTFIXSMTP %{POSTFIXBASE} (%{POSTFIXSMTPRELAY}|%{POSTFIXSMTPCONNECT}|%{POSTFIXTLSCONNECT}|%{POSTFIXSMTP5XX}|%{POSTFIXSMTPREFUSAL}|%{POSTFIXSMTPLOSTCONNECTION}|%{POSTFIXSMTPTIMEOUT})
POSTFIXSMTPRELAY %{QUEUEID:qid}: to=<%{EMAILADDRESS:to}>,(?:\sorig_to=<%{EMAILADDRESS:orig_to}>,)? relay=%{RELAY},(?: conn_use=%{POSREAL:conn_use},)? (%{WORD}=%{DATA},)+ dsn=%{DSN:dsn}, status=%{STATUS:result} %{GREEDYDATA:reason}
POSTFIXSMTPCONNECT connect to %{RELAY}: %{GREEDYDATA:reason}
POSTFIXSMTP5XX %{QUEUEID:qid}: to=<%{EMAILADDRESS:to}>,(?:\sorig_to=<%{EMAILADDRESS:orig_to}>,)? relay=%{RELAY}, (%{WORD}=%{DATA},)+ dsn=%{DSN:dsn}, status=%{STATUS:result} \(host %{HOSTNAME}\[%{IP}\] said: %{PERMERROR:responsecode} %{DATA:smtp_response} \(in reply to %{DATA:command} command\)\)
POSTFIXSMTPREFUSAL %{QUEUEID:qid}: host %{RELAY} refused to talk to me: %{GREEDYDATA:reason}
POSTFIXSMTPLOSTCONNECTION %{QUEUEID:qid}: lost connection with %{RELAY} while %{GREEDYDATA:reason}
POSTFIXSMTPTIMEOUT %{QUEUEID:qid}: conversation with %{RELAY} timed out while %{GREEDYDATA:reason}
POSTFIXTLSCONNECT %{DATA:connection_type} connection established %{WORD:direction} %{RELAY}: %{GREEDYDATA:protocol}

# postfix/smtpd
POSTFIXSMTPD %{POSTFIXBASE} (%{POSTFIXSMTPDCONNECTS}|%{POSTFIXSMTPDMILTER}|%{POSTFIXSMTPDACTIONS}|%{POSTFIXSMTPDTIMEOUTS}|%{POSTFIXSMTPDLOGIN}|%{POSTFIXSMTPDCLIENT}|%{POSTFIXSMTPDNOQUEUE}|%{POSTFIXSMTPDWARNING}|%{POSTFIXSMTPDWARNINGFALLBACK}|%{POSTFIXSMTPDLOSTCONNECTION})
POSTFIXSMTPDCONNECTS (?:dis)?connect from %{RELAY}
POSTFIXSMTPDMILTER %{MILTERCONNECT}|%{MILTERUNKNOWN}|%{MILTEREHLO}|%{MILTERMAIL}|%{MILTERHELO}|%{MILTERRCPT}
POSTFIXSMTPDACTIONS %{QUEUEID:qid}: %{POSTFIXACTION:postfix_action}: %{DATA:command} from %{RELAY}: %{PERMERROR:responsecode} %{DSN:dsn} %{DATA}: %{DATA:reason}; from=<%{EMAILADDRESS:from}> to=<%{EMAILADDRESS:to}> proto=%{DATA:proto} helo=<%{HELO}>
#POSTFIXSMTPDACTIONS %{QUEUEID:qid}: %{POSTFIXACTION:postfix_action}: %{DATA:command} from %{RELAY}: %{DATA:smtp_response}: %{DATA:reason}; from=<%{EMAILADDRESS:from}> to=<%{EMAILADDRESS:to}> proto=%{DATA:proto} helo=<%{HELO}>
POSTFIXSMTPDTIMEOUTS timeout after %{DATA:command} from %{RELAY}
POSTFIXSMTPDLOGIN %{QUEUEID:qid}: client=%{DATA:client}, sasl_method=%{DATA:saslmethod}, sasl_username=%{GREEDYDATA:saslusername}
POSTFIXSMTPDCLIENT %{QUEUEID:qid}: client=%{GREEDYDATA:client}
POSTFIXSMTPDNOQUEUE NOQUEUE: %{POSTFIXACTION:postfix_action}: %{DATA:command} from %{RELAY}: %{GREEDYDATA:reason}
POSTFIXSMTPDWARNING warning: %{IP}: %{GREEDYDATA:reason}
POSTFIXSMTPDWARNINGFALLBACK warning: %{GREEDYDATA:reason}
POSTFIXSMTPDLOSTCONNECTION lost connection after %{DATA:smtp_response} from %{RELAY}

# postfix login
POSTFIXSASL %{POSTFIXBASE} %{MESSAGELEVEL}: %{RELAY}: SASL LOGIN %{GREEDYDATA:reason}

# postfix/cleanup
POSTFIXCLEANUP %{POSTFIXBASE} %{POSTFIXCLEANUPMESSAGE}|%{POSTFIXCLEANUPMILTER}
POSTFIXCLEANUPMESSAGE %{QUEUEID:qid}: (resent-)?message-id=<%{GREEDYDATA:messageid}>
POSTFIXCLEANUPMILTER %{MILTERENDOFMESSAGE}

# postfix/bounce
POSTFIXBOUNCE %{QUEUEID:qid}: sender non-delivery notification: %{QUEUEID:bouncequeueid}

# postfix/qmgr and postfix/pickup
POSTFIXQMGR %{POSTFIXBASE} %{QUEUEID:qid}: (?:removed|from=<(?:%{EMAILADDRESS:from})?>(?:, size=%{POSINT:size}, nrcpt=%{POSINT:nrcpt} \(%{GREEDYDATA:queuestatus}\))?)

# postfix/anvil
POSTFIXANVIL %{POSTFIXBASE} statistics: %{GREEDYDATA:anvilstatistic}

# greylog

GREYLOG1 %{POSTFIXBASE} action=%{DATA:reason}, reason=%{DATA}, client_name=%{DATA}, client_address=%{IP:relayip}, recipient=%{EMAILADDRESS:to}
GREYLOG2 %{POSTFIXBASE} action=%{DATA:reason}, reason=%{DATA}, client_name=%{DATA}, client_address=%{IP:relayip}, sender=%{EMAILADDRESS:from}, recipient=%{EMAILADDRESS:to}

# AMAVISD
USER_AGENT User-Agent|X-Mailer
RECIPIENTS <%{EMAILADDRESS:recipient}>(,<%{GREEDYDATA:recipientlist}>)?
AMAVIS %{POSTFIXBASE} \(%{DATA}\) %{DATA:reason} (\{RelayedOpenRelay\})?, \[%{IP:relay}\](:%{DATA:relay_port})? \[%{IP:originip}\] <(%{EMAILADDRESS:from})> -> <(%{EMAILADDRESS:to})>, Message-ID: <(%{DATA:messageid})>, mail_id: %{DATA:mail_id}, Hits: %{NUMBER:score}, size: %{DATA:mail_size}(, queued_as: %{DATA:queued_id})?, %{DATA:duration} ms
AMAVIS0 %{POSTFIXBASE} \(%{DATA}\) %{DATA:reason} (\{RelayedOpenRelay\})?, \[%{IP:relay}\](:%{DATA:relay_port})? \[%{IP:originip}\] <(%{EMAILADDRESS:from})> -> <(%{EMAILADDRESS:to})>, Message-ID: <(%{DATA:messageid})>, mail_id: %{DATA:mail_id}, Hits: %{NUMBER:score}, size: %{DATA:mail_size}, queued_as: %{DATA:queued_id}, dkim_id=%{DATA:dkim_id}(,<%{DATA:dkim_id_second}>)?, %{DATA:duration} ms
AMAVIS1 %{POSTFIXBASE} \(%{DATA}\) %{DATA:reason} (\{RelayedOpenRelay\})?, \[%{IP:relay}\](:%{DATA:relay_port})? \[%{IP:originip}\] <(%{EMAILADDRESS:from})> -> <(%{EMAILADDRESS:to})>, Message-ID: <(%{DATA:messageid})>, %{GREEDYDATA:rest_of_message}
AMAVIS2 %{POSTFIXBASE} \(%{DATA}\) %{DATA:reason} (\{RelayedOpenRelay\})?, \[%{IP:relay}\](:%{DATA:relay_port})? \[%{IP:originip}\] <(%{EMAILADDRESS:from})> -> <(%{EMAILADDRESS:to})>, %{DATA}, Message-ID: <(%{DATA:messageid})>, %{GREEDYDATA:rest_of_message}
AMAVIS3 %{POSTFIXBASE} \(%{DATA}\) spam_scan: score=%{NUMBER:score} autolearn=%{DATA:autolearn} autolearn_force=%{DATA:autolearn_force} tests=\[%{DATA:tests}\]
AMAVIS4 %{POSTFIXBASE} \(%{DATA}\) %{DATA:reason} (\{RelayedOpenRelay\})?, <%{EMAILADDRESS:from}> -> <(%{EMAILADDRESS:to})>, %{DATA:spam_flag}, score=%{NUMBER:score} tag=%{DATA:tag} tag2=%{DATA:tag2} kill=%{DATA:kill} tests=\[%{DATA:tests}\] autolearn=%{DATA:autolearn} autolearn_force=%{DATA:autolearn_force}
AMAVIS5 %{POSTFIXBASE} \(%{DATA}\) %{DATA:reason} (\{RelayedOpenRelay\})?, <%{EMAILADDRESS:from}> -> <(%{EMAILADDRESS:to})>, %{DATA:spam_flag}, score=%{NUMBER:score} tagged_above=%{DATA:tag} required=%{DATA:tag2} tests=\[%{DATA:tests}\] autolearn=%{DATA:autolearn} autolearn_force=%{DATA:autolearn_force}
AMAVIS6 %{POSTFIXBASE} \(%{DATA}\) TIMING-%{DATA:reason} total %{INT:time} ms - %{GREEDYDATA:time_report_details}
AMAVIS7 %{POSTFIXBASE} \(%{DATA}\) size: %{DATA}, TIMING \[total %{INT:time} ms\] - %{DATA:reason} greeting: %{GREEDYDATA:time_report_details}

PF (%{POSTFIXSASL}|%{POSTFIXSMTP}|%{POSTFIXANVIL}|%{POSTFIXQMGR}|%{POSTFIXCLEANUP}|%{POSTFIXSMTPD}|%{AMAVIS3}|%{AMAVIS}|%{AMAVIS0}|%{AMAVIS1}|%{AMAVIS2}|%{AMAVIS4}|%{AMAVIS5}|%{AMAVIS6}|%{AMAVIS7}|%{GREYLOG1}|%{GREYLOG2})
	#####################################
	# Postfix
	#
	if [type] == "redis-input" and "postfix" in [@tags] {
	grok {
	match => [ "@message", "%{PF}" ]
	add_tag => [ "postfix", "grokked" ]
	patterns_dir => [ "/opt/logstash/patterns-extensions/" ]
	}

	if [relayip] {
	geoip {
	source => "relayip"
	target => "geoip"
	add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
	add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
	add_tag => [ 'geoip' ]
	}
	mutate {
	convert => [ "[geoip][coordinates]", "float" ]
	}
	}

	if [from] {
	mutate {
	lowercase => [ "from" ]
	}
	}

	if [to] {
	mutate {
	lowercase => [ "to" ]
	}
	}

	}
	# Syslog stuff
	COMPONENT ([\w._\/%-]+)
	COMPID postfix\/%{COMPONENT:component}(?:\[%{POSINT:pid}\])?
	POSTFIXBASE %{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{DATA:program}(?:\[%{POSINT:pid}\])?: (\[ID\ %{DATA:id}\ %{DATA:facility}\.%{DATA:level}\])

	# Milter
	HELO (?:\[%{IP:helo}\]\|%{HOST:helo}\|%{DATA:helo})

	MILTERCONNECT %{QUEUEID:qid}: milter-reject: CONNECT from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; proto=%{WORD:proto}
	MILTERUNKNOWN %{QUEUEID:qid}: milter-reject: UNKNOWN from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; proto=%{WORD:proto}
	MILTEREHLO %{QUEUEID:qid}: milter-reject: EHLO from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; proto=%{WORD:proto} helo=<%{HELO}>
	MILTERMAIL %{QUEUEID:qid}: milter-reject: MAIL from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; from=<%{EMAILADDRESS:from}> proto=%{WORD:proto} helo=<%{HELO}>
	MILTERHELO %{QUEUEID:qid}: milter-reject: HELO from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; proto=%{WORD:proto} helo=<%{HELO}>
	MILTERRCPT %{QUEUEID:qid}: milter-reject: RCPT from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; from=<%{EMAILADDRESS:from}> to=<%{EMAILADDRESS:to}> proto=%{WORD:proto} helo=<%{HELO}>
	MILTERENDOFMESSAGE %{QUEUEID:qid}: milter-reject: END-OF-MESSAGE from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; from=<%{EMAILADDRESS:from}> to=<%{EMAILADDRESS:to}> proto=%{WORD:proto} helo=<%{HELO}>

	# Postfix stuff
	QUEUEID (?:[A-F0-9]+\|NOQUEUE)
	EMAILADDRESSPART [a-zA-Z0-9_.+-=:]+
	EMAILADDRESS %{EMAILADDRESSPART:local}@%{EMAILADDRESSPART:remote}
	RELAY (?:%{HOSTNAME:relayhost}(?:\[%{IP:relayip}\](?::[0-9]+(.[0-9]+)?)?)?)
	#RELAY (?:%{HOSTNAME:relayhost}(?:\[%{IP:relayip}\](?:%{POSREAL:relayport})))
	POSREAL [0-9]+(.[0-9]+)?
	#DELAYS %{POSREAL:a}/%{POSREAL:b}/%{POSREAL:c}/%{POSREAL:d}
	#DELAYS (%{POSREAL}[/]*)+
	DSN %{NONNEGINT}.%{NONNEGINT}.%{NONNEGINT}
	STATUS sent\|deferred\|bounced\|expired
	PERMERROR 5[0-9]{2}
	MESSAGELEVEL reject\|warning\|error\|fatal\|panic

	POSTFIXSMTPMESSAGE %{MESSAGELEVEL}: %{GREEDYDATA:reason}
	POSTFIXACTION discard\|dunno\|filter\|hold\|ignore\|info\|prepend\|redirect\|replace\|reject\|warn

	# postfix/smtp and postfix/lmtp, postfix/local and postfix/error
	POSTFIXSMTP %{POSTFIXBASE} (%{POSTFIXSMTPRELAY}\|%{POSTFIXSMTPCONNECT}\|%{POSTFIXTLSCONNECT}\|%{POSTFIXSMTP5XX}\|%{POSTFIXSMTPREFUSAL}\|%{POSTFIXSMTPLOSTCONNECTION}\|%{POSTFIXSMTPTIMEOUT})
	POSTFIXSMTPRELAY %{QUEUEID:qid}: to=<%{EMAILADDRESS:to}>,(?:\sorig_to=<%{EMAILADDRESS:orig_to}>,)? relay=%{RELAY},(?: conn_use=%{POSREAL:conn_use},)? (%{WORD}=%{DATA},)+ dsn=%{DSN:dsn}, status=%{STATUS:result} %{GREEDYDATA:reason}
	POSTFIXSMTPCONNECT connect to %{RELAY}: %{GREEDYDATA:reason}
	POSTFIXSMTP5XX %{QUEUEID:qid}: to=<%{EMAILADDRESS:to}>,(?:\sorig_to=<%{EMAILADDRESS:orig_to}>,)? relay=%{RELAY}, (%{WORD}=%{DATA},)+ dsn=%{DSN:dsn}, status=%{STATUS:result} \(host %{HOSTNAME}\[%{IP}\] said: %{PERMERROR:responsecode} %{DATA:smtp_response} \(in reply to %{DATA:command} command\)\)
	POSTFIXSMTPREFUSAL %{QUEUEID:qid}: host %{RELAY} refused to talk to me: %{GREEDYDATA:reason}
	POSTFIXSMTPLOSTCONNECTION %{QUEUEID:qid}: lost connection with %{RELAY} while %{GREEDYDATA:reason}
	POSTFIXSMTPTIMEOUT %{QUEUEID:qid}: conversation with %{RELAY} timed out while %{GREEDYDATA:reason}
	POSTFIXTLSCONNECT %{DATA:connection_type} connection established %{WORD:direction} %{RELAY}: %{GREEDYDATA:protocol}

	# postfix/smtpd
	POSTFIXSMTPD %{POSTFIXBASE} (%{POSTFIXSMTPDCONNECTS}\|%{POSTFIXSMTPDMILTER}\|%{POSTFIXSMTPDACTIONS}\|%{POSTFIXSMTPDTIMEOUTS}\|%{POSTFIXSMTPDLOGIN}\|%{POSTFIXSMTPDCLIENT}\|%{POSTFIXSMTPDNOQUEUE}\|%{POSTFIXSMTPDWARNING}\|%{POSTFIXSMTPDWARNINGFALLBACK}\|%{POSTFIXSMTPDLOSTCONNECTION})
	POSTFIXSMTPDCONNECTS (?:dis)?connect from %{RELAY}
	POSTFIXSMTPDMILTER %{MILTERCONNECT}\|%{MILTERUNKNOWN}\|%{MILTEREHLO}\|%{MILTERMAIL}\|%{MILTERHELO}\|%{MILTERRCPT}
	POSTFIXSMTPDACTIONS %{QUEUEID:qid}: %{POSTFIXACTION:postfix_action}: %{DATA:command} from %{RELAY}: %{PERMERROR:responsecode} %{DSN:dsn} %{DATA}: %{DATA:reason}; from=<%{EMAILADDRESS:from}> to=<%{EMAILADDRESS:to}> proto=%{DATA:proto} helo=<%{HELO}>
	#POSTFIXSMTPDACTIONS %{QUEUEID:qid}: %{POSTFIXACTION:postfix_action}: %{DATA:command} from %{RELAY}: %{DATA:smtp_response}: %{DATA:reason}; from=<%{EMAILADDRESS:from}> to=<%{EMAILADDRESS:to}> proto=%{DATA:proto} helo=<%{HELO}>
	POSTFIXSMTPDTIMEOUTS timeout after %{DATA:command} from %{RELAY}
	POSTFIXSMTPDLOGIN %{QUEUEID:qid}: client=%{DATA:client}, sasl_method=%{DATA:saslmethod}, sasl_username=%{GREEDYDATA:saslusername}
	POSTFIXSMTPDCLIENT %{QUEUEID:qid}: client=%{GREEDYDATA:client}
	POSTFIXSMTPDNOQUEUE NOQUEUE: %{POSTFIXACTION:postfix_action}: %{DATA:command} from %{RELAY}: %{GREEDYDATA:reason}
	POSTFIXSMTPDWARNING warning: %{IP}: %{GREEDYDATA:reason}
	POSTFIXSMTPDWARNINGFALLBACK warning: %{GREEDYDATA:reason}
	POSTFIXSMTPDLOSTCONNECTION lost connection after %{DATA:smtp_response} from %{RELAY}

	# postfix login
	POSTFIXSASL %{POSTFIXBASE} %{MESSAGELEVEL}: %{RELAY}: SASL LOGIN %{GREEDYDATA:reason}

	# postfix/cleanup
	POSTFIXCLEANUP %{POSTFIXBASE} %{POSTFIXCLEANUPMESSAGE}\|%{POSTFIXCLEANUPMILTER}
	POSTFIXCLEANUPMESSAGE %{QUEUEID:qid}: (resent-)?message-id=<%{GREEDYDATA:messageid}>
	POSTFIXCLEANUPMILTER %{MILTERENDOFMESSAGE}

	# postfix/bounce
	POSTFIXBOUNCE %{QUEUEID:qid}: sender non-delivery notification: %{QUEUEID:bouncequeueid}

	# postfix/qmgr and postfix/pickup
	POSTFIXQMGR %{POSTFIXBASE} %{QUEUEID:qid}: (?:removed\|from=<(?:%{EMAILADDRESS:from})?>(?:, size=%{POSINT:size}, nrcpt=%{POSINT:nrcpt} \(%{GREEDYDATA:queuestatus}\))?)

	# postfix/anvil
	POSTFIXANVIL %{POSTFIXBASE} statistics: %{GREEDYDATA:anvilstatistic}

	# greylog

	GREYLOG1 %{POSTFIXBASE} action=%{DATA:reason}, reason=%{DATA}, client_name=%{DATA}, client_address=%{IP:relayip}, recipient=%{EMAILADDRESS:to}
	GREYLOG2 %{POSTFIXBASE} action=%{DATA:reason}, reason=%{DATA}, client_name=%{DATA}, client_address=%{IP:relayip}, sender=%{EMAILADDRESS:from}, recipient=%{EMAILADDRESS:to}

	# AMAVISD
	USER_AGENT User-Agent\|X-Mailer
	RECIPIENTS <%{EMAILADDRESS:recipient}>(,<%{GREEDYDATA:recipientlist}>)?
	AMAVIS %{POSTFIXBASE} \(%{DATA}\) %{DATA:reason} (\{RelayedOpenRelay\})?, \[%{IP:relay}\](:%{DATA:relay_port})? \[%{IP:originip}\] <(%{EMAILADDRESS:from})> -> <(%{EMAILADDRESS:to})>, Message-ID: <(%{DATA:messageid})>, mail_id: %{DATA:mail_id}, Hits: %{NUMBER:score}, size: %{DATA:mail_size}(, queued_as: %{DATA:queued_id})?, %{DATA:duration} ms
	AMAVIS0 %{POSTFIXBASE} \(%{DATA}\) %{DATA:reason} (\{RelayedOpenRelay\})?, \[%{IP:relay}\](:%{DATA:relay_port})? \[%{IP:originip}\] <(%{EMAILADDRESS:from})> -> <(%{EMAILADDRESS:to})>, Message-ID: <(%{DATA:messageid})>, mail_id: %{DATA:mail_id}, Hits: %{NUMBER:score}, size: %{DATA:mail_size}, queued_as: %{DATA:queued_id}, dkim_id=%{DATA:dkim_id}(,<%{DATA:dkim_id_second}>)?, %{DATA:duration} ms
	AMAVIS1 %{POSTFIXBASE} \(%{DATA}\) %{DATA:reason} (\{RelayedOpenRelay\})?, \[%{IP:relay}\](:%{DATA:relay_port})? \[%{IP:originip}\] <(%{EMAILADDRESS:from})> -> <(%{EMAILADDRESS:to})>, Message-ID: <(%{DATA:messageid})>, %{GREEDYDATA:rest_of_message}
	AMAVIS2 %{POSTFIXBASE} \(%{DATA}\) %{DATA:reason} (\{RelayedOpenRelay\})?, \[%{IP:relay}\](:%{DATA:relay_port})? \[%{IP:originip}\] <(%{EMAILADDRESS:from})> -> <(%{EMAILADDRESS:to})>, %{DATA}, Message-ID: <(%{DATA:messageid})>, %{GREEDYDATA:rest_of_message}
	AMAVIS3 %{POSTFIXBASE} \(%{DATA}\) spam_scan: score=%{NUMBER:score} autolearn=%{DATA:autolearn} autolearn_force=%{DATA:autolearn_force} tests=\[%{DATA:tests}\]
	AMAVIS4 %{POSTFIXBASE} \(%{DATA}\) %{DATA:reason} (\{RelayedOpenRelay\})?, <%{EMAILADDRESS:from}> -> <(%{EMAILADDRESS:to})>, %{DATA:spam_flag}, score=%{NUMBER:score} tag=%{DATA:tag} tag2=%{DATA:tag2} kill=%{DATA:kill} tests=\[%{DATA:tests}\] autolearn=%{DATA:autolearn} autolearn_force=%{DATA:autolearn_force}
	AMAVIS5 %{POSTFIXBASE} \(%{DATA}\) %{DATA:reason} (\{RelayedOpenRelay\})?, <%{EMAILADDRESS:from}> -> <(%{EMAILADDRESS:to})>, %{DATA:spam_flag}, score=%{NUMBER:score} tagged_above=%{DATA:tag} required=%{DATA:tag2} tests=\[%{DATA:tests}\] autolearn=%{DATA:autolearn} autolearn_force=%{DATA:autolearn_force}
	AMAVIS6 %{POSTFIXBASE} \(%{DATA}\) TIMING-%{DATA:reason} total %{INT:time} ms - %{GREEDYDATA:time_report_details}
	AMAVIS7 %{POSTFIXBASE} \(%{DATA}\) size: %{DATA}, TIMING \[total %{INT:time} ms\] - %{DATA:reason} greeting: %{GREEDYDATA:time_report_details}

	PF (%{POSTFIXSASL}\|%{POSTFIXSMTP}\|%{POSTFIXANVIL}\|%{POSTFIXQMGR}\|%{POSTFIXCLEANUP}\|%{POSTFIXSMTPD}\|%{AMAVIS3}\|%{AMAVIS}\|%{AMAVIS0}\|%{AMAVIS1}\|%{AMAVIS2}\|%{AMAVIS4}\|%{AMAVIS5}\|%{AMAVIS6}\|%{AMAVIS7}\|%{GREYLOG1}\|%{GREYLOG2})