We have a mail user on our postfix server that was using the company mail to send compromising information to our competitors.
I've been asked to make a report of that user's recent actions.
There are tools like pflogsumm and others that can extract statistical data, but I haven't so far found anything useful for getting all the info for a user, because the data is spread across multiple lines.
I'd like to get something like this:
For the sent mail
11/11/11 00:00:00 infractor@example.com -> user@anothercompany.com
11/11/11 00:00:01 infractor@example.com -> user2@anothercompany2.com
For the received mail
10/10/11 00:00:00 user@anothercompany.com -> infractor@example.com
10/10/11 00:00:01 user2@anothercompany2.com -> infractor@example.com
I know I could write a script myself, but matching the postfix ID for every mail is not something that can be done with a simple grep, and I have a lot of mail history to recheck, distributed among different files and so on.
The source log is the standard postfix format, for example this one…
Sep 13 16:15:57 server postfix/qmgr[18142]: B35CB5ED3D: from=<infractor@example.com, size=10755, nrcpt=1 (queue active)
Sep 13 16:15:57 server postfix/smtpd[32099]: disconnect from localhost[127.0.0.1]
Sep 13 16:15:57 server postfix/smtp[32420]: 58C3E5EC9C: to=<user@anothercompany.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.4, delays=0.01/0/0/1.4, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=32697-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B35CB5ED3D)
Sep 13 16:15:57 server postfix/qmgr[18142]: 58C3E5EC9C: removed
Sep 13 16:15:57 server postfix/smtp[32379]: B35CB5ED3D: to=<user@anothercompany.com>, relay=mail.anothercompany.com[123.123.123.163]:25, delay=0.06, delays=0.03/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 77D0EB6C025)
Sep 13 16:15:57 server postfix/qmgr[18142]: B35CB5ED3D: removed
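One way to do the queue-ID correlation the question describes, as an added example that is not part of the original post or answer. It is a stand-alone Python script that groups standard postfix syslog lines by queue ID, attaches the `from=` address seen on the qmgr line to every `to=` delivery under the same ID, and prints the sent/received report in the requested form. It assumes the short hexadecimal queue IDs shown in the question's log; the inbound delivery lines for 7A1B2C3D4E are constructed to show the received-mail side; and treating a `relay=127.0.0.1…` delivery as a content-filter hop (the amavis hand-off on port 10024 in the question's log, which re-queues the message under a second ID) is a heuristic for this setup, so that the same message is not counted twice.

```python
import fileinput
import re
import sys
from collections import OrderedDict

# Regexes for the standard postfix syslog format. Queue IDs are the short
# hexadecimal form from the question (enable_long_queue_ids = no); widen the
# qid pattern if your server uses long queue IDs.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+'
    r'postfix/(?P<prog>[\w-]+)\[\d+\]:\s+(?P<qid>[0-9A-F]{6,}):\s+(?P<rest>.*)$')
FROM_RE = re.compile(r'from=<(?P<addr>[^>,]*)>?')   # tolerates the missing '>' in the question's log
TO_RE = re.compile(r'to=<(?P<addr>[^>]*)>')
RELAY_RE = re.compile(r'relay=(?P<relay>[^,\s]+)')
STATUS_RE = re.compile(r'status=(?P<status>\w+)')

# Constructed sample: the question's excerpt plus an invented inbound delivery.
SAMPLE_LOG = """\
Sep 13 16:15:57 server postfix/qmgr[18142]: B35CB5ED3D: from=<infractor@example.com, size=10755, nrcpt=1 (queue active)
Sep 13 16:15:57 server postfix/smtpd[32099]: disconnect from localhost[127.0.0.1]
Sep 13 16:15:57 server postfix/smtp[32420]: 58C3E5EC9C: to=<user@anothercompany.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.4, delays=0.01/0/0/1.4, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=32697-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B35CB5ED3D)
Sep 13 16:15:57 server postfix/qmgr[18142]: 58C3E5EC9C: removed
Sep 13 16:15:57 server postfix/smtp[32379]: B35CB5ED3D: to=<user@anothercompany.com>, relay=mail.anothercompany.com[123.123.123.163]:25, delay=0.06, delays=0.03/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 77D0EB6C025)
Sep 13 16:15:57 server postfix/qmgr[18142]: B35CB5ED3D: removed
Sep 14 09:01:02 server postfix/smtpd[4001]: 7A1B2C3D4E: client=mail.anothercompany2.com[123.123.123.164]
Sep 14 09:01:02 server postfix/qmgr[18142]: 7A1B2C3D4E: from=<user2@anothercompany2.com>, size=2048, nrcpt=1 (queue active)
Sep 14 09:01:03 server postfix/local[4002]: 7A1B2C3D4E: to=<infractor@example.com>, relay=local, delay=0.5, delays=0.1/0/0/0.4, dsn=2.0.0, status=sent (delivered to mailbox)
Sep 14 09:01:03 server postfix/qmgr[18142]: 7A1B2C3D4E: removed
"""


def parse_postfix_log(lines):
    """Correlate log lines by queue ID.

    Returns an ordered dict qid -> {"time", "from", "to": [(rcpt, relay, status), ...]},
    keyed in order of first appearance so the report stays in log order across files.
    """
    messages = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # connect/disconnect and other lines without a queue ID
        qid, rest = m.group("qid"), m.group("rest")
        msg = messages.setdefault(qid, {"time": m.group("ts"), "from": None, "to": []})
        fm = FROM_RE.search(rest)
        if fm:
            msg["from"] = fm.group("addr").lower()
        tm = TO_RE.search(rest)
        if tm:
            rm = RELAY_RE.search(rest)
            sm = STATUS_RE.search(rest)
            msg["to"].append((tm.group("addr").lower(),
                              rm.group("relay") if rm else "",
                              sm.group("status") if sm else "unknown"))
    return messages


def is_filter_hop(relay):
    """Heuristic: a loopback relay is the hand-off to a content filter; the
    message is re-queued under a new ID and delivered (and logged) again."""
    return relay.startswith(("127.0.0.1", "[127.0.0.1]", "localhost"))


def report_for_user(lines, user):
    """Return (sent, received) lists of (time, sender, recipient, status, qid)."""
    user = user.lower()
    sent, received = [], []
    for qid, msg in parse_postfix_log(lines).items():
        for rcpt, relay, status in msg["to"]:
            if is_filter_hop(relay):
                continue
            entry = (msg["time"], msg["from"], rcpt, status, qid)
            if msg["from"] == user:
                sent.append(entry)
            if rcpt == user:
                received.append(entry)
    return sent, received


def format_report(sent, received):
    out = ["For the sent mail"]
    out += ["%s %s -> %s (%s, %s)" % e for e in sent]
    out.append("For the received mail")
    out += ["%s %s -> %s (%s, %s)" % e for e in received]
    return "\n".join(out)


if __name__ == "__main__":
    if len(sys.argv) > 2:
        # usage: mailreport.py infractor@example.com /var/log/mail.log /var/log/mail.log.1 ...
        s, r = report_for_user(fileinput.input(sys.argv[2:]), sys.argv[1])
    else:
        s, r = report_for_user(SAMPLE_LOG.splitlines(), "infractor@example.com")
    print(format_report(s, r))
```

Pass the rotated log files in chronological order (oldest first), since the syslog timestamp carries no year and the script keeps log order rather than sorting. The 58C3E5EC9C entry shows why the filter-hop check matters: it has a `to=` but no `from=` in the excerpt and its delivery goes to the content filter, so counting it would either double the outbound mail or attribute it to nobody.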
Best Answer
Download the perl script maillogconvert.pl and execute it as:
Usage:
The first parameter specifies what format the mail logfile is:
standard - logfile is standard postfix, sendmail, qmail or mdaemon log format
vadmin - logfile is qmail log format with vadmin multi-host support
The second parameter specifies what year to timestamp the logfile with, if the current year is not the correct one (i.e. 2002). Always use 4 digits. If not specified, the current year is used.
If no output is specified, it goes to the console (stdout).