Get more info from mail logs
Written by Evren Yurtesen   
Friday, 29 June 2007

I am sure most of you have had the problem where thousands of mails are going through your server but you can't pinpoint which IP address they are coming from, or which of your authenticated SMTP users is the naughty one. This is because this information is not shown clearly in H-Sphere's mail logs. In this article you can find a tiny plugin for the qmail-spp system which you can use to pinpoint this information.

Make sure that you have the qmail-spp system activated on your mail server; check here for more info:
http://www.psoft.net/HSdocumentation/sysadmin/qmail_configuration.html#qmailspp

Copy the simple C program below and save it as moreinfo.c

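#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

/* qmail-spp passes the SMTP session details in the environment. A variable
   that is not set comes back as NULL, so substitute a printable marker. */
static const char *val(const char *name) {
    const char *v = getenv(name);
    return v != NULL ? v : "(unset)";
}

int main(int argc, char **argv) {
    const char *user = getenv("SMTPAUTHUSER");   /* NULL if the client did not authenticate */
    const char *ip = val("TCPREMOTEIP");
    const char *mailfrom = val("SMTPMAILFROM");
    const char *rcptto = val("SMTPRCPTTO");
    const char *tempcount = getenv("SMTPRCPTCOUNTALL");
    /* atoi(NULL) would crash the plugin, so fall back to 0 when unset */
    int rcptcount = tempcount != NULL ? atoi(tempcount) : 0;
    int ppid = (int)getppid();   /* parent pid, lets you group lines of one connection */

    (void)argc; (void)argv;

    /* Log the authenticated user only when the first recipient is seen */
    if (user != NULL && strlen(user) > 0 && rcptcount < 2) {
        fprintf(stderr, "auth: pid: %d ip: %s user: %s\n", ppid, ip, user);
    }
    /* Log every recipient; stderr output ends up in the smtpd log */
    fprintf(stderr, "info: pid: %d ip: %s from: %s to: %s count: %d\n", ppid, ip, mailfrom, rcptto, rcptcount);

    return 0;
}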

Then compile it using the following command:

gcc moreinfo.c -o /var/qmail/control/plugins/moreinfo

Then add the following line to the /var/qmail/control/smtpplugins file, under the [rcpt] section:

/var/qmail/control/plugins/moreinfo

Restart qmail and you will see output similar to the following in /var/log/maillog:

# tail -F /var/log/maillog | grep -e smtpd | grep -e info -e auth
Jun 29 02:13:13 mail smtpd: 1183072393.562254 auth: pid: 29986 ip: X.Y.U.Z user: [e-mail address]
Jun 29 02:13:13 mail smtpd: 1183072393.562344 info: pid: 29986 ip: X.Y.U.Z from: [e-mail address] to: [e-mail address] count: 1
Jun 29 02:13:13 mail smtpd: 1183072393.902115 info: pid: 29986 ip: X.Y.U.Z from: [e-mail address] to: [e-mail address] count: 2

Here the auth line gives the SMTP auth information. If this line is missing, then the mail is probably going from server to server, or your users might be using POP-before-SMTP. The count number is the recipient number: if a message was sent to 3 people, count will go from 1 to 3.
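
The following Python script is an added example, not part of the original article. It reads the auth and info lines written by the plugin, ties each info line to the auth user logged for the same pid, and counts recipients per user and IP, so the busiest sender is at the top. The function name, the '-' marker for unauthenticated mail and the sample log lines are assumptions made for the example.

```python
import re
from collections import Counter

# Anchored to the smtpd prefix and end of line, so text inside a
# client-supplied address cannot be parsed as a record of its own.
AUTH_RE = re.compile(r"smtpd: [\d.]+ auth: pid: (\d+) ip: (\S+) user: (\S+)$")
INFO_RE = re.compile(
    r"smtpd: [\d.]+ info: pid: (\d+) ip: (\S+) from: (\S*) to: (\S*) count: (\d+)$")

def recipients_per_sender(lines):
    """Count logged recipients per (auth user or '-', client IP)."""
    user_of = {}   # pid -> user from the most recent auth line
    fresh = set()  # pids whose auth line still awaits its count-1 info line
    totals = Counter()
    for line in lines:
        line = line.rstrip()
        m = AUTH_RE.search(line)
        if m:
            pid, _ip, user = m.groups()
            user_of[pid] = user
            fresh.add(pid)
            continue
        m = INFO_RE.search(line)
        if not m:
            continue
        pid, ip, _mailfrom, _rcptto, count = m.groups()
        if int(count) == 1:
            if pid in fresh:
                fresh.discard(pid)      # auth line belongs to this message
            else:
                user_of.pop(pid, None)  # reused pid: drop the stale user
        totals[(user_of.get(pid, "-"), ip)] += 1
    return totals

# Constructed sample in the plugin's log format (documentation addresses).
SAMPLE_LOG = """\
Jun 29 02:13:13 mail smtpd: 1183072393.562254 auth: pid: 29986 ip: 192.0.2.10 user: alice@example.com
Jun 29 02:13:13 mail smtpd: 1183072393.562344 info: pid: 29986 ip: 192.0.2.10 from: alice@example.com to: r1@example.net count: 1
Jun 29 02:13:13 mail smtpd: 1183072393.902115 info: pid: 29986 ip: 192.0.2.10 from: alice@example.com to: r2@example.net count: 2
Jun 29 02:13:14 mail smtpd: 1183072394.102115 info: pid: 29986 ip: 192.0.2.10 from: alice@example.com to: r3@example.net count: 3
Jun 29 02:14:01 mail smtpd: 1183072441.100000 info: pid: 30011 ip: 198.51.100.7 from: mx@example.org to: bob@example.com count: 1
Jun 29 02:20:40 mail smtpd: 1183072840.200000 info: pid: 29986 ip: 203.0.113.5 from: x@example.org to: bob@example.com count: 1
""".splitlines()

if __name__ == "__main__":
    for (user, ip), n in recipients_per_sender(SAMPLE_LOG).most_common():
        print(f"{n:5d}  user={user}  ip={ip}")
```

On a live server, pass the lines of /var/log/maillog to recipients_per_sender() instead of SAMPLE_LOG.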

Last Updated ( Friday, 12 October 2007 )
 