How to use Message Filter to log postfix authenticated sender header

nmarangella
Level 1

I'm trying to log the username from the postfix authenticated sender header information.

Here is an example of the header:

Received: from [123.123.123.123] (client.domain.edu [234.234.234.234])
(using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client
 certificate requested) (Authenticated sender: username@ad.domain.edu) by
 postfix.domain.edu (Postfix) with ESMTPSA id DE8A3E9429 for
 <username@domain.edu>; Thu, 12 Jun 2014 12:16:56 -0700 (PDT)
 
And here is the message filter I'm working on:

if (recv-int == "OutboundIP") {
    if (header('Received') == '\\(Authenticated sender: .+@ad\\.domain\\.edu\\)') {
        log-entry("Authenticated Sender: '$MatchedContent'");
    }
}
 
Everything is working except for the $MatchedContent variable. It is creating the custom log entry, but it only shows as "Authenticated Sender: "
 
Does anyone have any ideas on how to get the $MatchedContent variable to work or another way to log that username?
 
2 Replies

Robert Sherwin
Cisco Employee

Try taking out the ' from around your '$MatchedContent'...

My example:

dictionary_match:
if (dictionary-match('not_allowed_words')) {
    edit-header-text("Subject", "^", "Notice Content Matched on: $MatchedContent");
    log-entry("#---# This email had: $MatchedContent #---#");
    notify('robsherw@cisco.com');
}

Sent an email with a known "secret" in the email body... and "secret" is in my "not_allowed_words" dictionary... so it'll trip my "dictionary_match" message filter...

Mail logs --->

Thu Jun 12 23:10:46 2014 Info: New SMTP ICID 181 interface Management (172.16.6.165) address 172.16.6.1 reverse dns host unknown verified no
Thu Jun 12 23:10:46 2014 Info: ICID 181 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
Thu Jun 12 23:10:46 2014 Info: Start MID 105 ICID 181
Thu Jun 12 23:10:46 2014 Info: MID 105 ICID 181 From: <robsherw.cisco@gmail.com>
Thu Jun 12 23:10:46 2014 Info: MID 105 ICID 181 RID 0 To: <robsherw_cisco@yahoo.com>
Thu Jun 12 23:10:46 2014 Info: MID 105 Message-ID '<4DFE4A57-854D-4490-8C36-7ED27DD91F55@gmail.com>'
Thu Jun 12 23:10:46 2014 Info: MID 105 Subject 'This email has an issue'
Thu Jun 12 23:10:46 2014 Info: MID 105 ready 561 bytes from <robsherw.cisco@gmail.com>
Thu Jun 12 23:10:46 2014 Info: MID 105 Custom Log Entry: #---# This email had: secret #---#
Thu Jun 12 23:10:46 2014 Info: Start MID 106 ICID 0
Thu Jun 12 23:10:46 2014 Info: MID 106 was generated based on MID 105 by notify filter 'dictionary_match'
Thu Jun 12 23:10:46 2014 Info: MID 106 ICID 0 From: <MAILER-DAEMON@myesa.local>
Thu Jun 12 23:10:46 2014 Info: MID 106 ICID 0 RID 0 To: <robsherw@cisco.com>
Thu Jun 12 23:10:46 2014 Info: MID 106 DomainKeys: cannot sign - no profile matches MAILER-DAEMON@myesa.local
Thu Jun 12 23:10:46 2014 Info: MID 106 DKIM: cannot sign - no profile matches MAILER-DAEMON@myesa.local
Thu Jun 12 23:10:46 2014 Info: MID 106 ready 970 bytes from <MAILER-DAEMON@myesa.local>
Thu Jun 12 23:10:46 2014 Info: MID 106 queued for delivery
Thu Jun 12 23:10:46 2014 Info: MID 105 matched all recipients for per-recipient policy mygmail_inbound in the inbound table
Thu Jun 12 23:10:46 2014 Info: MID 105 queued for delivery
Thu Jun 12 23:10:46 2014 Info: New SMTP DCID 53 interface 172.16.6.165 address 173.36.13.143 port 25
Thu Jun 12 23:10:46 2014 Info: New SMTP DCID 54 interface 172.16.6.165 address 173.36.13.143 port 25
Thu Jun 12 23:10:46 2014 Info: Delivery start DCID 54 MID 105 to RID [0]
Thu Jun 12 23:10:47 2014 Info: DCID 53 TLS success protocol TLSv1 cipher RC4-SHA 
Thu Jun 12 23:10:47 2014 Info: Delivery start DCID 53 MID 106 to RID [0]
Thu Jun 12 23:10:47 2014 Info: Message done DCID 54 MID 105 to RID [0] 
Thu Jun 12 23:10:47 2014 Info: MID 105 RID [0] Response '2.0.0 s5D3Aobe022251 Message accepted for delivery'
Thu Jun 12 23:10:47 2014 Info: Message finished MID 105 done
Thu Jun 12 23:10:47 2014 Info: Message done DCID 53 MID 106 to RID [0] 
Thu Jun 12 23:10:47 2014 Info: MID 106 RID [0] Response '2.0.0 s5D3AoFH012632 Message accepted for delivery'
Thu Jun 12 23:10:47 2014 Info: Message finished MID 106 done
Thu Jun 12 23:10:52 2014 Info: DCID 54 close
Thu Jun 12 23:10:52 2014 Info: DCID 53 close

 

I hope this helps!

-Robert

 

(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

Same result after removing the single quotes. Is it possible that the header() function doesn't use the $MatchedContent variable? I am successfully using $MatchedContent in other filters, but they aren't using header().
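The header parsing this thread is about, as an added example that is not from the thread and not written in Cisco's filter language: a Python script that unfolds the Received: header quoted in the question, applies the same pattern with a capture group around the address, and renders the custom log line the filter was meant to emit. It is useful for checking the regex itself outside the appliance. The hostname postfix.domain.edu used to pick the hop is taken from the quoted header; the relay hop in front of it, the second message with a sender on another domain, and the stamped_by parameter are constructed for the example.

```python
import email
import re

# The pattern from the question, in Python regex syntax, with a capture
# group around the address so the matched text can be pulled out.
AUTH_SENDER_RE = re.compile(
    r"\(Authenticated sender: ([^\s@)]+@ad\.domain\.edu)\)"
)

# Constructed sample: the folded Received: header quoted in the question
# (continuation lines start with a space, as RFC 5322 requires), preceded
# by a hop from an outside relay that carries no authentication comment.
SAMPLE_MESSAGE = b"""Received: from relay.example.net (relay.example.net [192.0.2.10])
 by mx.domain.edu (Postfix) with ESMTPS id 0123456789 for
 <someone@domain.edu>; Thu, 12 Jun 2014 12:17:01 -0700 (PDT)
Received: from [123.123.123.123] (client.domain.edu [234.234.234.234])
 (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client
 certificate requested) (Authenticated sender: username@ad.domain.edu) by
 postfix.domain.edu (Postfix) with ESMTPSA id DE8A3E9429 for
 <username@domain.edu>; Thu, 12 Jun 2014 12:16:56 -0700 (PDT)
From: username@domain.edu
To: someone@domain.edu
Subject: constructed test message

body
"""

# Constructed sample where the authenticated sender is on another domain,
# so the domain-anchored pattern must not match.
OTHER_DOMAIN_MESSAGE = b"""Received: from [198.51.100.7] (host.example.org [198.51.100.7])
 (Authenticated sender: visitor@example.org) by
 postfix.domain.edu (Postfix) with ESMTPSA id 0000000000 for
 <username@domain.edu>; Thu, 12 Jun 2014 13:00:00 -0700 (PDT)
From: visitor@example.org
To: username@domain.edu
Subject: constructed test message

body
"""


def unfold(header_value: str) -> str:
    """Join a folded header value into one line with single spaces."""
    return " ".join(header_value.split())


def authenticated_senders(raw: bytes, stamped_by: str = "postfix.domain.edu") -> list:
    """Return the 'Authenticated sender' addresses found in Received: headers.

    Only hops whose 'by <host>' clause names our own MTA (stamped_by, an
    assumed hostname taken from the question) are considered: every earlier
    Received: line was written by someone else's server and could carry a
    forged comment. This is a cheap filter, not proof of origin; the trace
    headers your own MTA prepends are the ones to rely on.
    """
    msg = email.message_from_bytes(raw)
    by_clause = re.compile(r"\bby\s+" + re.escape(stamped_by) + r"\b")
    found = []
    for value in msg.get_all("Received", []):
        line = unfold(value)
        if not by_clause.search(line):
            continue
        match = AUTH_SENDER_RE.search(line)
        if match:
            found.append(match.group(1))
    return found


def log_entries(raw: bytes) -> list:
    """Render the custom log line the filter in the question intended to emit."""
    return [f"Authenticated Sender: {addr}" for addr in authenticated_senders(raw)]


if __name__ == "__main__":
    for entry in log_entries(SAMPLE_MESSAGE):
        print(entry)
```

Unfolding matters: the address in the quoted header sits on a continuation line, so a pattern run over a single raw line would miss it. Restricting to the hop stamped by your own MTA is the same idea as the recv-int check in the original filter, done on the header text instead of the listener.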