Thanks Noel for all your help. Glad to know you.

-- 
Klaus Engelmann
CCNA CCDA - CSCO10971632
LPIC-1 - LPI000138061
On Wed, Apr 7, 2010 at 10:04 AM, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 4/6/2010 6:09 PM, Klaus Engelmann wrote:
>>
>> Hello Everybody.
>>
>> I am running a Postfix postfix-2.3.3-2.1.el5_2 on a CentOS 5.4 box at
>> a Federal University in Brazil.
>> Our users (students and professors) suffered several social
>> engineering attacks and spammers got some valid users and passwords.
>>
>> I know that the spammers are using a fake email (i...@freelotto.com)
>> to send SPAM through our MX. But they are using some unidentified
>> usernames.
>>
>> I need some help or thoughts about:
>>
>> - which parameter at master.cf or main.cf can I turn on in order to
>> see the IP used by a specific user (authentication against SASL DOVECOT)
>> or to see the IP address used by the sender i...@freelotto.com.
>
> The logs already show all this information.
>
> When someone authenticates with sasl, there will be a line including
> client=name[IP], sasl_method=FOO, and sasl_username=tito. Searching the log
> for "sasl_username=tito" will show each time user tito authenticated, and
> from which IP.
>
> To find the IP a sender address comes from, search the log for the sender
> you're interested in, then search again for the QUEUEID associated with that
> sender.
>
> Truncated Example:
> # grep 'njo...@example.com' /var/log/maillog
> postfix/qmgr[95868]: 39B95797897: from=<njo...@example.com>, size=2619,
> nrcpt=1 (queue active)
>
>
> # grep 39B95797897 /var/log/maillog
> postfix/smtpd[16982]: 39B95797897:
> client=client-192.1.0.34.example.net[192.1.0.34]
> (and other lines associated with this QUEUEID)
>
> You can also record this information in the Received: header of the mail.
> http://www.postfix.org/postconf.5.html#smtpd_sasl_authenticated_header
>
> -- Noel Jones
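The two-step grep Noel describes (find the queue ID for a sender, then find the smtpd client= line for that queue ID, plus searching for sasl_username= to see where an account logs in from) can be done in one pass over the log. The Python below is an added example, not code from the thread or from Postfix; the maillog lines it parses are constructed sample data (hostnames, IPs, queue IDs, account names and the sender address are all made up), and the line layout assumes the usual syslog-prefixed Postfix format shown in Noel's excerpt.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/maillog lines, modelled on the ones Noel
# quotes. Every host, IP, queue ID, user and address here is made up.
SAMPLE_MAILLOG = """\
Apr  7 09:58:01 mx postfix/smtpd[16982]: 39B95797897: client=client-192.1.0.34.example.net[192.1.0.34], sasl_method=PLAIN, sasl_username=tito
Apr  7 09:58:02 mx postfix/qmgr[95868]: 39B95797897: from=<sender@spam.example>, size=2619, nrcpt=1 (queue active)
Apr  7 10:01:15 mx postfix/smtpd[16982]: 4A1C2797898: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=tito
Apr  7 10:01:16 mx postfix/qmgr[95868]: 4A1C2797898: from=<sender@spam.example>, size=3001, nrcpt=40 (queue active)
Apr  7 10:05:40 mx postfix/smtpd[16985]: 5B2D3797899: client=lab.example.net[192.1.0.50], sasl_method=PLAIN, sasl_username=ana
Apr  7 10:05:41 mx postfix/qmgr[95868]: 5B2D3797899: from=<ana@example.net>, size=1200, nrcpt=1 (queue active)
Apr  7 10:06:00 mx postfix/smtpd[16985]: 6C3E4797900: client=relay.example.org[198.51.100.7]
Apr  7 10:06:01 mx postfix/qmgr[95868]: 6C3E4797900: from=<bob@example.org>, size=900, nrcpt=1 (queue active)
"""

# smtpd "client=" line; the SASL fields are only present for authenticated sessions.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>[^,\s]+))?"
)
# qmgr "from=<...>" line that carries the envelope sender for the same queue ID.
FROM_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def parse_maillog(text):
    """Return (client_by_qid, sender_by_qid) built from raw maillog text."""
    client_by_qid = {}
    sender_by_qid = {}
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            client_by_qid[m["qid"]] = {"ip": m["ip"], "host": m["host"], "user": m["user"]}
            continue
        m = FROM_RE.search(line)
        if m:
            sender_by_qid[m["qid"]] = {"sender": m["sender"], "nrcpt": int(m["nrcpt"])}
    return client_by_qid, sender_by_qid


def ips_for_sender(text, sender):
    """Noel's grep-for-sender, then grep-for-QUEUEID, collapsed into one lookup:
    every client IP that submitted a message with the given envelope sender."""
    client_by_qid, sender_by_qid = parse_maillog(text)
    return sorted({client_by_qid[q]["ip"] for q, s in sender_by_qid.items()
                   if s["sender"] == sender and q in client_by_qid})


def ips_by_sasl_user(text):
    """Map each sasl_username to the sorted list of client IPs it logged in from
    (the same information as grepping for "sasl_username=<user>")."""
    client_by_qid, _ = parse_maillog(text)
    result = defaultdict(set)
    for c in client_by_qid.values():
        if c["user"]:
            result[c["user"]].add(c["ip"])
    return {user: sorted(ips) for user, ips in result.items()}


def suspicious_accounts(text, max_ips=1):
    """Accounts seen authenticating from more distinct IPs than expected. With
    phished passwords the real owner and the spammer typically both log in, so
    this is a quick triage list; roaming users will also appear on it."""
    return sorted(user for user, ips in ips_by_sasl_user(text).items() if len(ips) > max_ips)


if __name__ == "__main__":
    print("sender -> IPs:", ips_for_sender(SAMPLE_MAILLOG, "sender@spam.example"))
    print("user -> IPs:", ips_by_sasl_user(SAMPLE_MAILLOG))
    print("accounts to review:", suspicious_accounts(SAMPLE_MAILLOG))
```

On a real box, read `/var/log/maillog` (and its rotated copies, since the smtpd and qmgr lines for one queue ID can straddle a rotation) into `text` instead of the constructed sample. The `nrcpt` count kept in `sender_by_qid` is worth sorting on as well: a stolen student account sending to forty recipients per message stands out from its normal traffic even before the sender address is known.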