
We have a postfix server that requires authentication to SMTP relay through it. We use virtual mailboxes in MySQL database.

A message was relayed through our system, and we need to determine which one of our user accounts was used to send it.

The message headers contain:

```
Received: from User (c-76-109-241-139.hsd1.fl.comcast.net [xx.109.xxx.139])
    by ourserver.com (Postfix) with ESMTPA id 7BA184B4AD4;
    Tue,  3 Jul 2012 05:42:59 -0400 (EDT)
```

We don't have a user called "User", and the IP address is not one that we would be sending mail from. I'd like to find out which of our user accounts the sender authenticated as when sending the message.

Is there a way to track this?

Nick
  • In the above, `User` is the hostname of your mail server. Did you see something like this `Authenticated sender:`? – quanta Jul 05 '12 at 03:36

1 Answer

17

If you grep for the message ID (7BA184B4AD4 in your case) in /var/log/mail.log you should find a log line indicating the sasl_username. For example:

```
% zgrep 07A1753F /var/log/mail.log*
Jul  4 19:47:58 mammon postfix/smtpd[4936]: 07A1753F: client=c-69-181-123-456.hsd1.ca.comcast.net[69.181.123.456], sasl_method=PLAIN, sasl_username=mgorven
```

Edit: If you set the smtpd_sasl_authenticated_header option in /etc/postfix/main.cf, Postfix will add the SASL username to the Received header in mails. Note that this header can be tampered with, so the above is the only reliable way to determine which user submitted the message.

```
smtpd_sasl_authenticated_header = yes
```
mgorven
  • I don't see this in my logs, all these entries have is client=xxx and no sasl info, whether or not sasl is used. I guess this is because I use Dovecot for sasl authentication, not Cyrus SASL. I can get Dovecot to log its own records of authentications but these are hard to match up reliably against postfix's log messages. – gogoud Dec 09 '16 at 10:33
  • WHM/cPanel users: `/var/log/maillog` – rinogo May 08 '19 at 14:34
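The lookup the answer describes, as an added example that is not part of the original post or of Postfix itself: pull the queue ID out of the Received header our own server wrote, find the matching `postfix/smtpd` `client=` record in the log (the only line that carries `sasl_method`/`sasl_username`), and separately read the optional `(Authenticated sender: ...)` comment that `smtpd_sasl_authenticated_header = yes` adds. The log lines and header below are constructed samples; the usernames, PIDs and the second queue ID are made up.

```python
import re
from typing import Optional

# Constructed sample input: the Received header from the question and a few
# Postfix log lines in the same format as the answer's zgrep output.
SAMPLE_RECEIVED = """Received: from User (c-76-109-241-139.hsd1.fl.comcast.net [76.109.241.139])
    by ourserver.com (Postfix) with ESMTPA id 7BA184B4AD4;
    Tue,  3 Jul 2012 05:42:59 -0400 (EDT)"""
SAMPLE_LOG = """\
Jul  3 05:42:59 ourserver postfix/smtpd[2214]: 7BA184B4AD4: client=c-76-109-241-139.hsd1.fl.comcast.net[76.109.241.139], sasl_method=LOGIN, sasl_username=alice@example.com
Jul  3 05:42:59 ourserver postfix/cleanup[2218]: 7BA184B4AD4: message-id=<20120703094259.abc@example.com>
Jul  3 05:43:00 ourserver postfix/qmgr[1200]: 7BA184B4AD4: from=<alice@example.com>, size=1536, nrcpt=1 (queue active)
Jul  3 05:43:00 ourserver postfix/smtpd[2215]: 9C1C04B4AD5: client=mx.example.net[198.51.100.7]
"""

# "with ESMTPA id <queue-id>;" as written by Postfix; long-format queue IDs are alphanumeric.
RECEIVED_ID_RE = re.compile(r"\bwith\s+\S*SMTP\S*\s+id\s+([0-9A-Za-z]+)")
# The smtpd "client=" record is the only log line that carries sasl_method/sasl_username.
SMTPD_CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=([^,]+)(?:,\s*(.*))?$")
AUTH_SENDER_RE = re.compile(r"\(Authenticated sender:\s*([^)]+)\)")

def queue_id_from_received(header: str) -> Optional[str]:
    """Extract the Postfix queue ID from a (possibly folded) Received: header added by our server."""
    m = RECEIVED_ID_RE.search(" ".join(header.split()))
    return m.group(1) if m else None

def find_sasl_auth(log_text: str, queue_id: str) -> Optional[dict]:
    """Return the parsed smtpd client= record for queue_id, or None if no such record exists."""
    for line in log_text.splitlines():
        m = SMTPD_CLIENT_RE.search(line)
        if not m or m.group(1) != queue_id:
            continue
        info = {"client": m.group(2)}
        for kv in (m.group(3) or "").split(","):
            key, _, value = kv.strip().partition("=")
            if key:
                info[key] = value
        return info  # no sasl_username key means the session was not SASL-authenticated
    return None

def authenticated_sender_from_header(header: str) -> Optional[str]:
    """Read the '(Authenticated sender: ...)' comment that smtpd_sasl_authenticated_header adds.
    Received headers can be forged by whoever hands the message in, so treat this as a hint only."""
    m = AUTH_SENDER_RE.search(" ".join(header.split()))
    return m.group(1).strip() if m else None
```

On a real system, read the log text from /var/log/mail.log (or the rotated copies, as the answer's zgrep does) and pass the queue ID taken from the header; a missing `sasl_username` in the returned record means the message was accepted without SASL authentication rather than that the log was incomplete.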