On 4/6/2010 6:09 PM, Klaus Engelmann wrote:
> Hello Everybody.
> I am running a Postfix postfix-2.3.3-2.1.el5_2 on a CentOS 5.4 box at
> a Federal University in Brazil.
> Our users (students and professors) suffered several social
> engineering attacks and spammers got some valid users and passwords.
> I know that the spammers are using a fake email (i...@freelotto.com)
> to send SPAM through our MX. But they are using some unidentified
> usernames.
> I need some help or thoughts about:
> - which parameter at master.cf or main.cf can I turn on in order to
> see the IP used by a specific user (authentication against SASL DOVECOT)
> or
> to see the IP address used by the sender i...@freelotto.com.
The logs already show all this information.
When someone authenticates with sasl, there will be a line
including client=name[IP], sasl_method=FOO, and
sasl_username=tito. Searching the log for
"sasl_username=tito" will show each time user tito
authenticated, and from which IP.
To find the IP a sender address comes from, search the log for
the sender you're interested in, then search again for the
QUEUEID associated with that sender.
Truncated Example:
# grep 'njo...@example.com' /var/log/maillog
postfix/qmgr[95868]: 39B95797897: from=<njo...@example.com>,
size=2619, nrcpt=1 (queue active)
# grep 39B95797897 /var/log/maillog
postfix/smtpd[16982]: 39B95797897:
client=client-192.1.0.34.example.net[192.1.0.34]
(and other lines associated with this QUEUEID)
You can also record this information in the Received: header
of the mail.
http://www.postfix.org/postconf.5.html#smtpd_sasl_authenticated_header
-- Noel Jones
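The two log searches from the reply above (SASL username to client IP, and sender address to queue ID to client IP), scripted as shell functions. This is an added example, not from the thread or the Postfix project; the maillog excerpt, queue IDs, hostnames and addresses are constructed for the example.

```shell
#!/bin/sh
# Constructed maillog excerpt: queue IDs, hosts and addresses are invented.
MAILLOG="$(mktemp)"
trap 'rm -f "$MAILLOG"' EXIT
cat > "$MAILLOG" <<'EOF'
Apr  6 18:01:02 mx postfix/smtpd[16982]: 39B95797897: client=client-192.1.0.34.example.net[192.1.0.34], sasl_method=PLAIN, sasl_username=tito
Apr  6 18:01:03 mx postfix/qmgr[95868]: 39B95797897: from=<njones@example.com>, size=2619, nrcpt=1 (queue active)
Apr  6 18:05:10 mx postfix/smtpd[16990]: 7A1C2797912: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=tito
Apr  6 18:05:11 mx postfix/qmgr[95868]: 7A1C2797912: from=<sender@example.net>, size=1800, nrcpt=50 (queue active)
Apr  6 18:07:00 mx postfix/smtpd[16991]: 8B2D3797920: client=host.example.org[198.51.100.5]
Apr  6 18:07:01 mx postfix/qmgr[95868]: 8B2D3797920: from=<alice@example.org>, size=900, nrcpt=1 (queue active)
EOF

# Extract the IP inside client=name[IP] from each matching smtpd line.
client_ip() {
    sed -n 's/.*client=[^[]*\[\([^]]*\)\].*/\1/p'
}

# Every client IP that authenticated as the given SASL username.
#   $1 = log file, $2 = sasl_username
ips_for_sasl_user() {
    grep -E "sasl_username=$2"'(,|$)' "$1" | client_ip
}

# Sender address -> queue ID(s) -> client IP, as in the two grep steps above.
#   $1 = log file, $2 = envelope sender address
ips_for_sender() {
    grep -F "from=<$2>" "$1" | sed -n 's/.*: \([0-9A-F]*\): from=.*/\1/p' | sort -u |
    while read -r qid; do
        grep "$qid: client=" "$1" | client_ip
    done
}

# Stand-alone usage: both lookups against the constructed log.
ips_for_sasl_user "$MAILLOG" tito
ips_for_sender "$MAILLOG" sender@example.net
```

Run it against the real /var/log/maillog by pointing the first argument at that file instead of the constructed excerpt.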