I have a mailserver running on iRedMail.

Recently we have had some issues with people reporting that they received phishing emails from us, which haven't been sent by the users they are saying they are coming from.

Is there a tool (offline is fine too) to parse the maillog files to retrieve all entries related to a given email address?

Like for example: bob@builderbob.com

and it will output me all log entries related to mails from and to this email address?

Thanks.

  • You could simply use grep to achieve this. Or you don't want to? – Vinícius Ferrão Jun 19 '14 at 17:29
  • I would need more than only the lines containing this email address. I would like to have all lines related to this (based on the message ID for example, like the connect to the mailserver with auth info a.s.o.) – Andreas Hinderberger Jun 19 '14 at 17:33
  • Sometimes I have to recursively grep for this. Extract all lines with the desired to/from pairs, extract the message IDs, then grep again. Pretty easy to script up using grep/awk/sed/while loops. – jeffatrackaid Jun 19 '14 at 19:40

3 Answers

Just parse your logfile with the grep command. It's clean and simple.

grep -i --color email@example.com /var/log/maillog

Since you're using iRedMail you can even use AWStats, which is built into the package. Take a look and check if this is sufficient for your needs: http://awstats.sourceforge.net; and there's a screenshot too: http://awstats.sourceforge.net/awstats.mail.html

Vinícius Ferrão

Using grep will get you some of the data for a domain, but in order to retrieve all of it you would need to get the actual message ID for each message, then grep for all of those message IDs. Try this instead though: http://sareport.darold.net/

ThatGuy
  • The message-id present in postfix logs is not unique in the long term, it's unique only in a short time span. Don't rely on it to identify an email uniquely during later processing. See here - http://postfix.1071664.n5.nabble.com/message-id-is-a-unique-number-td19314.html – Tutul Jun 20 '14 at 16:32
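The recursive grep that jeffatrackaid's comment and this answer describe, written out as an added example that is not from the thread: it takes the lines mentioning the address, pulls the Postfix queue ID from each, and then prints every log line carrying one of those IDs, so you can see whether the connection actually authenticated (sasl_username) before a message left. The log lines are constructed sample data and mail_trail is a made-up function name; as Tutul notes, queue IDs are reused over time, so run it over one log file at a time rather than a year of archives.

```shell
#!/bin/sh
# Added example (not from the thread): follow one address through a Postfix
# maillog by queue ID, i.e. the "recursive grep" described in the comments.
# The log below is constructed sample data; mail_trail is a made-up name.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Jun 19 17:29:01 mail postfix/smtpd[12345]: connect from unknown[203.0.113.5]
Jun 19 17:29:02 mail postfix/smtpd[12345]: 3A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=bob@builderbob.com
Jun 19 17:29:02 mail postfix/cleanup[12346]: 3A1B2C3D4E: message-id=<20140619172902.abc@builderbob.com>
Jun 19 17:29:02 mail postfix/qmgr[1000]: 3A1B2C3D4E: from=<bob@builderbob.com>, size=1234, nrcpt=1 (queue active)
Jun 19 17:29:03 mail postfix/smtp[12347]: 3A1B2C3D4E: to=<alice@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1.2, dsn=2.0.0, status=sent (250 OK)
Jun 19 17:29:03 mail postfix/qmgr[1000]: 3A1B2C3D4E: removed
Jun 19 17:30:00 mail postfix/qmgr[1000]: 5F6E7D8C9B: from=<carol@example.org>, size=99, nrcpt=1 (queue active)
Jun 19 17:30:01 mail postfix/smtp[12348]: 5F6E7D8C9B: to=<dave@example.com>, relay=mx.example.com[192.0.2.9]:25, delay=0.8, dsn=2.0.0, status=sent (250 OK)
Jun 19 17:31:00 mail postfix/smtpd[12349]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <bob@builderbob.com>: Relay access denied
EOF

# mail_trail LOGFILE ADDRESS
#  1. take the lines that mention ADDRESS (fixed string, case-insensitive)
#  2. pull the queue ID that follows "postfix/<daemon>[pid]: " on each of them
#  3. print, in log order, every line that mentions the address or carries
#     one of those queue IDs (so the NOQUEUE reject above is kept as well)
# Queue IDs are only unique for a while (Postfix reuses them), so run this
# against a single log file / day rather than a concatenation of archives.
mail_trail() {
    logfile=$1
    addr=$2
    patfile=$(mktemp)
    printf '%s\n' "$addr" > "$patfile"                # direct mentions
    grep -iF -- "$addr" "$logfile" \
        | sed -n 's/^.*postfix\/[a-z0-9_-]*\[[0-9]*\]: \([0-9A-Za-z]*\):.*$/\1/p' \
        | grep -Ev '^(NOQUEUE|warning|error|fatal|panic)$' \
        | sort -u \
        | sed 's/.*/]: &:/' >> "$patfile"             # one "]: QUEUEID:" each
    rc=0
    grep -iF -f "$patfile" "$logfile" || rc=1         # rc=1: nothing found
    rm -f "$patfile"
    return $rc
}

mail_trail "$LOG" bob@builderbob.com
```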

I had to explain to a customer that the UK Government's Tax and Revenue service does not send e-mails from a metal working company in Canada. The customer did not believe me and they were convinced that the mails were genuine. Eventually the penny dropped....

The headers need to be obtained from the person who received the e-mail.

1) Analyse the mail headers

http://mxtoolbox.com/EmailHeaders.aspx

2) Check the location of IP address that sent the e-mail

http://whois.domaintools.com/198.20.69.74

John Auld
  • I am nearly 99% sure that the email was not from our mailserver, but just wanted a tool to make it possible to directly check it in the mailserver logs, before "nerving" the recipient to send us back the original message headers. – Andreas Hinderberger Jun 19 '14 at 19:21