SV: [Feature-request for 3.2] log from= in postfix/smtp - or looking for unknown option [invalid signature!]

2017-01-16 Thread Sebastian Nielsen
It does log from=.
Default config from debian:

root@linuxlite-desktop:/var/log# grep NOQUEUE syslog.1
Jan 15 11:12:37 linuxlite-desktop postfix/smtpd[31407]: NOQUEUE: reject: RCPT 
from unknown[202.12.83.69]: 554 5.7.1 : Sender address 
rejected: Access denied; from= to= 
proto=ESMTP helo=<202-12-83-69-dynamic.mangalore.cscnet.in>
Jan 15 11:12:42 linuxlite-desktop postfix/smtpd[31409]: NOQUEUE: reject: RCPT 
from unknown[202.12.83.69]: 554 5.7.1 : Sender address 
rejected: Access denied; from= to= 
proto=ESMTP helo=<202-12-83-69-dynamic.mangalore.cscnet.in>
Jan 15 12:57:05 linuxlite-desktop postfix/smtpd[32440]: NOQUEUE: reject: RCPT 
from 1-160-42-66.dynamic.hinet.net[1.160.42.66]: 554 5.7.1 
: Relay access denied; from= 
to= proto=SMTP helo=<46.227.69.210>
Jan 15 14:28:40 linuxlite-desktop postfix/smtpd[956]: NOQUEUE: reject: RCPT 
from unknown[114.130.4.61]: 554 5.7.1 : Relay access denied; 
from= to= proto=ESMTP helo=<192.168.0.137>
Jan 15 16:15:46 linuxlite-desktop postfix/smtpd[2263]: NOQUEUE: reject: RCPT 
from 111-251-109-66.dynamic.hinet.net[111.251.109.66]: 554 5.7.1 
: Relay access denied; from= 
to= proto=SMTP helo=<46.227.69.210>
Jan 15 19:52:43 linuxlite-desktop postfix/smtpd[4638]: NOQUEUE: reject: RCPT 
from 1-160-42-242.dynamic.hinet.net[1.160.42.242]: 554 5.7.1 
: Relay access denied; from= 
to= proto=SMTP helo=<46.227.69.210>
Jan 16 00:16:50 linuxlite-desktop postfix/smtpd[7278]: NOQUEUE: reject: RCPT 
from 1-162-232-106.dynamic.hinet.net[1.162.232.106]: 554 5.7.1 
: Relay access denied; from= 
to= proto=SMTP helo=<46.227.69.210>
Jan 16 00:32:10 linuxlite-desktop postfix/smtpd[7443]: NOQUEUE: reject: RCPT 
from 24-54-48-245.sh.cgocable.ca[24.54.48.245]: 554 5.7.1 : 
Relay access denied; from= to= proto=ESMTP 
helo=<192.168.0.247>
Jan 16 05:50:33 linuxlite-desktop postfix/smtpd[11103]: NOQUEUE: reject: RCPT 
from 111-251-103-173.dynamic.hinet.net[111.251.103.173]: 554 5.7.1 
: Relay access denied; from= 
to= proto=SMTP helo=<46.227.69.210>
root@linuxlite-desktop:/var/log#

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Christian Rößner
Sent: 16 January 2017 14:59
To: Postfix users 
Subject: [Feature-request for 3.2] log from= in postfix/smtp - or looking for 
unknown option [invalid signature!]

Hi,

I have looked at man 5 postconf, if there exists an option to add the envelope 
sender to the postfix smtp client, but I didn't find one.

If an account gets stolen and this account starts sending lots of mails, it 
often leads to RBLs. If you try to find the account that was compromised, a 
first command would be something like:

grep "postfix/smtp\[" mail.log | grep -i reject

which will only give you thousands of queue-IDs. But this makes it harder to 
dive deeper in searching for the compromised account, as you can not simply 
enhance bash commands and sort for the from= field (because it does not exist).

Therefore I ask, if it is possible to add this little feature to 3.2 (if not 
already frozen code).

Thanks in advance

‌Christian Rößner‌
-- 
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345






SV: [Feature-request for 3.2] log from= in postfix/smtp - or looking for unknown option [invalid signature!] [invalid signature!]

2017-01-16 Thread Sebastian Nielsen
Try this:

grep "postfix/smtp\[" LOGFILE | grep -io "\]\:\s[0123456789ABCDEF]*\:" |
  grep -io "[0123456789ABCDEF]*" | grep -f - LOGFILE |
  grep "postfix/qmgr\[" | grep "from="

-Original Message-
From: Christian Rößner [mailto:c...@roessner-network-solutions.com] 
Sent: 16 January 2017 15:17
To: Sebastian Nielsen 
Cc: Postfix users 
Subject: Re: [Feature-request for 3.2] log from= in postfix/smtp - or looking for 
unknown option [invalid signature!] [invalid signature!]

Hi,

not smtpd ;-) smtp client


‌Christian Rößner‌
--
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345






SV: [Feature-request for 3.2] log from= in postfix/smtp - or looking for unknown option [invalid signature!] [invalid signature!]

2017-01-16 Thread Sebastian Nielsen
Oops wrong, forgot about reject... (I tested on my system and I currently have 
no outgoing rejects)

grep "postfix/smtp\[" LOGFILE | grep -i "reject" |
  grep -io "\]\:\s[0123456789ABCDEF]*\:" | grep -io "[0123456789ABCDEF]*" |
  grep -f - LOGFILE | grep "postfix/qmgr\[" | grep "from="


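The lookup discussed in this thread (queue IDs taken from rejected postfix/smtp lines, then matched to the from= that postfix/qmgr logs for the same ID), as an added example that is not part of any poster's message: it counts each queue ID once and ranks the envelope senders. The log lines, addresses, queue IDs and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): rank envelope senders by how many of
# their messages the postfix/smtp client logged with a "reject" response.

# Constructed sample log; hosts, addresses and queue IDs are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 16 10:00:01 mx postfix/qmgr[900]: 4F2A91C0E3: from=<bob@example.com>, size=2100, nrcpt=1 (queue active)
Jan 16 10:00:02 mx postfix/smtp[1201]: 4F2A91C0E3: to=<u1@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, dsn=5.7.1, status=bounced (host mx.example.net[192.0.2.10] said: 550 5.7.1 Message rejected as spam (in reply to end of DATA command))
Jan 16 10:00:03 mx postfix/qmgr[900]: 7C11D03B9A: from=<alice@example.com>, size=900, nrcpt=1 (queue active)
Jan 16 10:00:04 mx postfix/smtp[1202]: 7C11D03B9A: to=<u2@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 12345)
Jan 16 10:00:05 mx postfix/qmgr[900]: 9D0E4412F7: from=<bob@example.com>, size=2050, nrcpt=1 (queue active)
Jan 16 10:00:06 mx postfix/smtp[1201]: 9D0E4412F7: to=<u3@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=2.0, dsn=4.7.1, status=deferred (host mx.example.org[198.51.100.7] said: 451 4.7.1 Rejected, try again later (in reply to RCPT TO command))
Jan 16 10:05:05 mx postfix/qmgr[900]: 9D0E4412F7: from=<bob@example.com>, size=2050, nrcpt=1 (queue active)
Jan 16 10:05:07 mx postfix/qmgr[900]: B3A7725C01: from=<carol@example.com>, size=700, nrcpt=1 (queue active)
Jan 16 10:05:08 mx postfix/smtp[1203]: B3A7725C01: to=<u4@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.9, dsn=5.1.1, status=bounced (host mx.example.net[192.0.2.10] said: 550 5.1.1 Recipient address rejected: User unknown (in reply to RCPT TO command))
EOF
}

# senders_of_rejected LOGFILE -> lines "COUNT SENDER", highest count first.
# Pass 1 collects queue IDs from postfix/smtp lines that mention "reject";
# pass 2 reads from= on the postfix/qmgr lines of exactly those queue IDs.
senders_of_rejected() {
    awk '
        # Token after the "postfix/<svc>[pid]:" tag, without its colon.
        function qid(svc,   i, re) {
            re = "^postfix/" svc "\\[[0-9]+\\]:$"
            for (i = 1; i < NF; i++)
                if ($i ~ re && $(i + 1) ~ /^[0-9A-Za-z]+:$/)
                    return substr($(i + 1), 1, length($(i + 1)) - 1)
            return ""
        }
        NR == FNR {
            if (tolower($0) ~ /reject/ && (id = qid("smtp")) != "") bad[id] = 1
            next
        }
        (id = qid("qmgr")) != "" && (id in bad) && !(id in seen) &&
            match($0, /from=<[^>]*>/) {
            seen[id] = 1            # a retried message logs from= again
            count[substr($0, RSTART + 5, RLENGTH - 5)]++
        }
        END { for (s in count) print count[s], s }
    ' "$1" "$1" | sort -k1,1nr -k2,2
}

# With a log path as argument analyse it; otherwise use the constructed sample.
if [ $# -gt 0 ]; then senders_of_rejected "$1"
else t=$(mktemp) && write_sample_log "$t" && senders_of_rejected "$t"; rm -f "$t"; fi
```

Taking the token after the process tag, rather than matching a hex pattern, also covers the alphanumeric queue IDs written when enable_long_queue_ids is set, and the exact-ID lookup avoids substring matches elsewhere in the log.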