Try this:

grep "postfix/smtp\[" LOGFILE | grep -io "\]: [0-9A-F]\+:" | grep -io "[0-9A-F]\+" | grep -F -f - LOGFILE | grep "postfix/qmgr\[" | grep "from="
-----Original message-----
From: Christian Rößner [mailto:c...@roessner-network-solutions.com]
Sent: 16 January 2017 15:17
To: Sebastian Nielsen <sebast...@sebbe.eu>
Cc: Postfix users <postfix-users@postfix.org>
Subject: Re: [Feature-request for 3.2] log from= in postfix/smtp - or looking for unknown option [invalid signature!] [invalid signature!]

Hi,

not smtpd ;-) smtp client

> On 16.01.2017 at 15:08, Sebastian Nielsen <sebast...@sebbe.eu> wrote:
>
> It does log from=.
> Default config from debian:
>
> root@linuxlite-desktop:/var/log# grep NOQUEUE syslog.1
> Jan 15 11:12:37 linuxlite-desktop postfix/smtpd[31407]: NOQUEUE: reject: RCPT from unknown[202.12.83.69]: 554 5.7.1 <sebast...@sebbe.eu>: Sender address rejected: Access denied; from=<sebast...@sebbe.eu> to=<sebast...@sebbe.eu> proto=ESMTP helo=<202-12-83-69-dynamic.mangalore.cscnet.in>
> Jan 15 11:12:42 linuxlite-desktop postfix/smtpd[31409]: NOQUEUE: reject: RCPT from unknown[202.12.83.69]: 554 5.7.1 <sebast...@sebbe.eu>: Sender address rejected: Access denied; from=<sebast...@sebbe.eu> to=<sebast...@sebbe.eu> proto=ESMTP helo=<202-12-83-69-dynamic.mangalore.cscnet.in>
> Jan 15 12:57:05 linuxlite-desktop postfix/smtpd[32440]: NOQUEUE: reject: RCPT from 1-160-42-66.dynamic.hinet.net[1.160.42.66]: 554 5.7.1 <g...@linwayedm.com.tw>: Relay access denied; from=<d...@email.cta.cq.cnt> to=<g...@linwayedm.com.tw> proto=SMTP helo=<46.227.69.210>
> Jan 15 14:28:40 linuxlite-desktop postfix/smtpd[956]: NOQUEUE: reject: RCPT from unknown[114.130.4.61]: 554 5.7.1 <eax...@yahoo.com>: Relay access denied; from=<x...@ore.net> to=<eax...@yahoo.com> proto=ESMTP helo=<192.168.0.137>
> Jan 15 16:15:46 linuxlite-desktop postfix/smtpd[2263]: NOQUEUE: reject: RCPT from 111-251-109-66.dynamic.hinet.net[111.251.109.66]: 554 5.7.1 <g...@linwayedm.com.tw>: Relay access denied; from=<d...@email.cta.cq.cnt> to=<g...@linwayedm.com.tw> proto=SMTP helo=<46.227.69.210>
> Jan 15 19:52:43 linuxlite-desktop postfix/smtpd[4638]: NOQUEUE: reject: RCPT from 1-160-42-242.dynamic.hinet.net[1.160.42.242]: 554 5.7.1 <g...@linwayedm.com.tw>: Relay access denied; from=<d...@email.cta.cq.cnt> to=<g...@linwayedm.com.tw> proto=SMTP helo=<46.227.69.210>
> Jan 16 00:16:50 linuxlite-desktop postfix/smtpd[7278]: NOQUEUE: reject: RCPT from 1-162-232-106.dynamic.hinet.net[1.162.232.106]: 554 5.7.1 <g...@linwayedm.com.tw>: Relay access denied; from=<d...@email.cta.cq.cnt> to=<g...@linwayedm.com.tw> proto=SMTP helo=<46.227.69.210>
> Jan 16 00:32:10 linuxlite-desktop postfix/smtpd[7443]: NOQUEUE: reject: RCPT from 24-54-48-245.sh.cgocable.ca[24.54.48.245]: 554 5.7.1 <eax...@yahoo.com>: Relay access denied; from=<x...@ore.net> to=<eax...@yahoo.com> proto=ESMTP helo=<192.168.0.247>
> Jan 16 05:50:33 linuxlite-desktop postfix/smtpd[11103]: NOQUEUE: reject: RCPT from 111-251-103-173.dynamic.hinet.net[111.251.103.173]: 554 5.7.1 <g...@linwayedm.com.tw>: Relay access denied; from=<d...@email.cta.cq.cnt> to=<g...@linwayedm.com.tw> proto=SMTP helo=<46.227.69.210>
> root@linuxlite-desktop:/var/log#
>
> -----Original message-----
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On behalf of Christian Rößner
> Sent: 16 January 2017 14:59
> To: Postfix users <postfix-users@postfix.org>
> Subject: [Feature-request for 3.2] log from= in postfix/smtp - or looking for unknown option [invalid signature!]
>
> Hi,
>
> I have looked at man 5 postconf to see if there exists an option to add the envelope sender to the postfix smtp client, but I didn't find one.
>
> If an account gets stolen and this account starts sending lots of mails, it often leads to RBLs. If you try to find the account that was compromised, a first command would be something like:
>
> grep "postfix/smtp\[" mail.log | grep -i reject
>
> which will only give you thousands of queue-IDs. But this makes it harder to dive deeper in searching for the compromised account, as you can not simply enhance bash commands and sort for the from= field (because it does not exist).
>
> Therefore I ask if it is possible to add this little feature to 3.2 (if the code is not already frozen).
>
> Thanks in advance
>
> Christian Rößner
> --
> Erlenwiese 14, 36304 Alsfeld
> T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345

Christian Rößner
--
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
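The queue-ID join that the grep pipeline above performs, as an added example in Python (not code from this thread or from Postfix): it maps each queue ID from the postfix/qmgr "from=<...>" line and then counts failed postfix/smtp client deliveries (bounced or deferred) per envelope sender, which is the view you want when hunting a compromised account. The log lines, hosts, queue IDs and addresses are constructed for the example; the only assumption is the standard qmgr "QUEUEID: from=<...>" and smtp client "QUEUEID: to=<...>, ... status=..." line shapes.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread); queue IDs, hosts and
# addresses are made up. smtpd NOQUEUE lines carry no queue ID and are
# deliberately ignored: the point is the smtp *client* side.
SAMPLE_LOG = """\
Jan 16 10:00:01 mx postfix/qmgr[1201]: 3A1B2C0F9E: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Jan 16 10:00:02 mx postfix/smtp[1240]: 3A1B2C0F9E: to=<bob@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.4, delays=0.1/0/0.1/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 16 10:01:10 mx postfix/qmgr[1201]: 4C2D3E1A0B: from=<stolen@example.com>, size=5120, nrcpt=1 (queue active)
Jan 16 10:01:11 mx postfix/smtp[1241]: 4C2D3E1A0B: to=<v1@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=0.6, delays=0.1/0/0.2/0.3, dsn=5.7.1, status=bounced (host mx.example.org[192.0.2.20] said: 554 5.7.1 Service unavailable; client host blocked (in reply to RCPT TO command))
Jan 16 10:01:30 mx postfix/qmgr[1201]: 5D3E4F2B1C: from=<stolen@example.com>, size=5120, nrcpt=1 (queue active)
Jan 16 10:01:31 mx postfix/smtp[1242]: 5D3E4F2B1C: to=<v2@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=4.7.1, status=deferred (host mx.example.org[192.0.2.20] said: 451 4.7.1 Try again later (in reply to RCPT TO command))
Jan 16 10:02:00 mx postfix/smtpd[1300]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <x@example.com>: Relay access denied; from=<x@example.com> to=<y@example.net> proto=ESMTP helo=<foo>
"""

# "postfix/smtp\[" does not match "postfix/smtpd[", same as in the grep.
QMGR_FROM = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-Z]+): from=<([^>]*)>")
SMTP_STATUS = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-Z]+): .*status=(\w+)")


def senders_by_failed_delivery(log_text, statuses=("bounced", "deferred")):
    """Return Counter: envelope sender -> number of smtp client deliveries
    whose status is in `statuses`, joined to the sender via the queue ID."""
    lines = log_text.splitlines()
    # Pass 1: queue ID -> envelope sender (the from= that smtp lines lack).
    sender_of = {}
    for line in lines:
        m = QMGR_FROM.search(line)
        if m:
            sender_of[m.group(1)] = m.group(2) or "<>"  # "<>" = null sender
    # Pass 2: attribute each failed client delivery to its sender. A queue
    # ID whose qmgr line is in another log file is kept, not dropped.
    failures = Counter()
    for line in lines:
        m = SMTP_STATUS.search(line)
        if m and m.group(2) in statuses:
            failures[sender_of.get(m.group(1), "unknown:" + m.group(1))] += 1
    return failures


if __name__ == "__main__":
    for sender, n in senders_by_failed_delivery(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {sender}")
```

On a real mail.log the top of that list is the account to look at first; passing statuses=("bounced",) narrows it to hard rejects only.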