Extract sender activity from postfix logs for auditing user

Tags: email, postfix

We have a mail user on our postfix server that was using the company mail to send compromising information to our competitors.

I've been asked to make a report of that user's actions over the recent period.

There are tools like pflogsumm and others that can extract statistical data, but so far I haven't found anything useful to get all the info for a single user, because the data for one message is spread over multiple lines.

I'd like to get something like this:

For the sent mail

11/11/11 00:00:00 infractor@example.com -> user@anothercompany.com
11/11/11 00:00:01 infractor@example.com -> user2@anothercompany2.com

For the received mail

10/10/11 00:00:00 user@anothercompany.com -> infractor@example.com
10/10/11 00:00:01 user2@anothercompany2.com -> infractor@example.com

I know I could write a script myself, but matching the postfix queue ID for every mail is not something that can be done with a simple grep, and I have a lot of mail history to recheck, distributed among different files and so on.

The source log is in the standard postfix format, for example this one:

Sep 13 16:15:57 server postfix/qmgr[18142]: B35CB5ED3D: from=<infractor@example.com>, size=10755, nrcpt=1 (queue active)
Sep 13 16:15:57 server postfix/smtpd[32099]: disconnect from localhost[127.0.0.1]
Sep 13 16:15:57 server postfix/smtp[32420]: 58C3E5EC9C: to=<user@anothercompany.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.4, delays=0.01/0/0/1.4, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=32697-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B35CB5ED3D)
Sep 13 16:15:57 server postfix/qmgr[18142]: 58C3E5EC9C: removed
Sep 13 16:15:57 server postfix/smtp[32379]: B35CB5ED3D: to=<user@anothercompany.com>, relay=mail.anothercompany.com[123.123.123.163]:25, delay=0.06, delays=0.03/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 77D0EB6C025)
Sep 13 16:15:57 server postfix/qmgr[18142]: B35CB5ED3D: removed
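The correlation the question describes, as an added example (not code from the question or from any of the tools it mentions): the sender comes from the qmgr "from=" line and each recipient from a later "to=" line, joined only by the queue ID, so the script remembers senders per queue ID until the "removed" line. The sample log is constructed from the lines above plus a hypothetical from= record for the content-filter hop and one hypothetical inbound delivery; the loopback relay on port 10024 (amavis-style content filter) is skipped, because that message is re-injected under a new queue ID and would otherwise be reported twice. Syslog lines carry no year, so the year is passed in.

```python
import re
from datetime import datetime

# Constructed sample: the question's lines plus a from= line for the filter hop and one inbound delivery.
SAMPLE_LOG = """\
Sep 13 16:15:56 server postfix/qmgr[18142]: 58C3E5EC9C: from=<infractor@example.com>, size=10310, nrcpt=1 (queue active)
Sep 13 16:15:57 server postfix/qmgr[18142]: B35CB5ED3D: from=<infractor@example.com>, size=10755, nrcpt=1 (queue active)
Sep 13 16:15:57 server postfix/smtpd[32099]: disconnect from localhost[127.0.0.1]
Sep 13 16:15:57 server postfix/smtp[32420]: 58C3E5EC9C: to=<user@anothercompany.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.4, delays=0.01/0/0/1.4, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=32697-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B35CB5ED3D)
Sep 13 16:15:57 server postfix/qmgr[18142]: 58C3E5EC9C: removed
Sep 13 16:15:57 server postfix/smtp[32379]: B35CB5ED3D: to=<user@anothercompany.com>, relay=mail.anothercompany.com[123.123.123.163]:25, delay=0.06, delays=0.03/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 77D0EB6C025)
Sep 13 16:15:57 server postfix/qmgr[18142]: B35CB5ED3D: removed
Sep 14 09:01:02 server postfix/qmgr[18142]: 7A1F05ED40: from=<user2@anothercompany2.com>, size=2048, nrcpt=1 (queue active)
Sep 14 09:01:03 server postfix/virtual[4001]: 7A1F05ED40: to=<infractor@example.com>, relay=virtual, delay=0.5, delays=0.1/0/0/0.4, dsn=2.0.0, status=sent (delivered to maildir)
"""

# Syslog prefix, postfix daemon name and the queue ID that every per-message line carries.
LINE_RE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ postfix/[\w-]+\[\d+\]: "
                     r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>,.*?relay=(?P<relay>[^,]+),.*?status=(?P<status>\w+)")

def parse_deliveries(lines, year, filter_hosts=("127.0.0.1",)):
    """Yield (when, sender, recipient, status) per recipient of each message.
    Sender (qmgr from=) and recipients (to=) share only the queue ID, so senders are
    held per ID until 'removed'. Loopback content-filter hops are skipped: the
    filter re-injects the mail under a new ID, which would double count it."""
    senders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # connect/disconnect and other lines without a queue ID
        qid, rest = m.group("qid"), m.group("rest")
        if fm := FROM_RE.search(rest):
            senders[qid] = fm.group("addr")
        elif rest == "removed":
            senders.pop(qid, None)  # queue file is gone, no more lines for this ID
        elif (tm := TO_RE.search(rest)) and qid in senders:
            if tm.group("relay").split("[")[0] in filter_hosts:
                continue
            when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")  # syslog has no year
            yield (when.strftime("%Y-%m-%d %H:%M:%S"), senders[qid],
                   tm.group("addr"), tm.group("status"))

def user_report(deliveries, user):
    """Split completed deliveries into what `user` sent and what `user` received."""
    done = [d for d in deliveries if d[3] == "sent"]  # drop deferred/bounced attempts
    sent = [f"{w} {s} -> {r}" for w, s, r, _ in done if s == user]
    received = [f"{w} {s} -> {r}" for w, s, r, _ in done if r == user]
    return sent, received
```

Feed it the concatenated, chronologically ordered mail logs (rotated files included) so that the from= line of a message is seen before its to= lines.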

Best Answer

Download the Perl script maillogconvert.pl and run it as:

perl maillogconvert.pl standard < /var/log/mail.log > result.log

Usage:

perl maillogconvert.pl [standard|vadmin] [year] < logfile > output

The first parameter specifies the format of the mail logfile:

standard - logfile is in standard postfix, sendmail, qmail or mdaemon log format
vadmin - logfile is in qmail log format with vadmin multi-host support

The second parameter specifies the year to timestamp the logfile with, if the current year is not the correct one (i.e. 2002). Always use 4 digits. If not specified, the current year is used.

If no output is specified, it goes to the console (stdout).
