Skip to content

Postfix

Overview

Postfix is a free and open-source mail transfer agent that routes and delivers electronic mail.

  • Vendor: Postfix
  • Supported environment: On Premise
  • Version compatibility:
  • Detection based on: Telemetry
  • Supported application or feature: Email gateway, Mail server

Configure

As of now, the main solution to collect Postfix logs leverages the Rsyslog recipe. Please share your experiences with other recipes by editing this documentation.

Rsyslog

Please refer to the documentation of Postfix to forward events to your rsyslog server. The reader can consult the Rsyslog Transport documentation to forward these logs to Sekoia.io.

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.

statistics: max connection count 10 for (smtp:1.2.3.4) at Sep 11 10:47:30
2298F5F619: to=<admin@corp.com>, relay=none, delay=89758, delays=89758/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.corp.com[1.1.1.1]:25: Connection timed out) 215
11FDF5F62A: to=<USER@sub.corp.com>, relay=local, delay=80181, delays=80181/0.02/0/0, dsn=4.0.0, status=deferred (user lookup error)
3D770111AF50: to=<username@corp.com>, relay=none, delay=1.2, delays=1.1/0/0.03/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=corp.com type=AAAA: Host not found)
77EFFC0015: warning: header Content-Disposition: inline; filename="image003.jpg"; size=26055;??creation-date="Thu, 12 Sep 2019 12:39:01 GMT";??modification-date="Thu, 12 Sep 2019 12:40:01 GMT" from mail.outbound.protection.outlook.com[1.1.1.1]; from=<> to=<john.doe@exemple.com> proto=ESMTP helo=<NAM03.outbound.protection.outlook.com>
3D770111AF50: warning: header Subject: Manquants LASTNAME GB Nouvelle version from unknown[10.1.1.1]; from=<foo@corp.com> to=<first.last@corp.com> proto=ESMTP helo=<SUBDOMAIN.CORP.COM>
2CE6C111AF50: warning: header Subject: =?ISO-8859-1?Q?Pb_FTP_=3A_999_Aucune_action_effectu=E9e?= from unknown[10.1.1.1]; from=<email@corp.com> to=<email@corp.com> proto=ESMTP helo=<SUBDOMAIN.CORP.COM> 279
B4B613F8B7: warning: header Content-Disposition: inline; filename="image001.png"; size=8879;??creation-date="Thu, 14 Mar 2024 10:19:00 GMT";??modification-date="Thu, 14 Mar 2024 10:19:00 GMT" from subdomain.key.corp.com[1.1.1.1]; from=<ndr.journaling@corp.com> to=<corp@office365.eu.vadesecure.com> proto=ESMTP helo=<subdomain.key.corp.com>
707A12000A: warning: header Content-Disposition: attachment;??filename="?iso-8859-2?q?representative_on_migration.pdf?="; size=259210;?? from local; from=<photo@mordor.com> to=<Pipin.touque@lacomte.net>
486D13F8B7: client=COMPUTER.sub.corp.com[1.1.1.1]
8116C5F683: action=pass, reason=client whitelist, client_name=mail-corp123.outbound.protection.outlook.com, client_address=1.1.1.1/32, sender=firstname.lastname@corp.fr, recipient=firstname.lastname@corp2.fr
disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
53C2C140E40: host smtp.office365.com[1.1.1.1] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)
53C2C140E40: host smtp.office365.com[52.97.201.210] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=1111111111111.US0394.PROD.OUTLOOK.COM] (in reply to end of DATA command)
disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7 93
disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=2 data=1 quit=1 commands=6 137
EF0B15F675: to=<firstname.lastname@corp.com>, relay=spamfilter, delay=4.2, delays=1.6/0/0/2.6, dsn=2.0.0, status=sent (delivered via spamfilter service) 148
dns: new_dns_packet: domain is utf8 flagged: ns1.example.org
175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)
7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)
B84078B26C7: to=<foreman-proxy@example.com>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
B84078B26C7: to=proxy@example.localdomain, orig_to=sample.orig.to, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
04B953035FC2: to=john.doe@example.org, orig_to=jane.doe@example.com, relay=127.0.0.1:2525, delay=0.44, delays=0.13/0/0.02/0.29, dsn=2.0.0, status=sent (250 Ok)
476295F5AD: message-id=<aaaaaaaaaa=@pm.me>
123456789: message-id=<foo@corp.com>
NOQUEUE: filter: RCPT from foo.key.corp.com[192.168.1.1]: <foo.key.corp.com[192.168.1.1]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<foo.bar@subdomain.corp.com> to=<firstname.lastname@othercorp.com> proto=ESMTP helo=<foo.key.corp.com> 294
NOQUEUE: filter: RCPT from HOSTNAME.key.corp.com[192.168.1.1]: <HOSTNAME.key.corp.com[192.168.1.1]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<firstname.firstname@subdomain.corp.com> to=<firstname.lastname@corp2.com> proto=ESMTP helo=<HOSTNAME.key.corp.com> 299
Anonymous TLS connection established to example.org[1.2.3.4]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
action=pass, reason=triplet found, delay=2400, client_name=mordor.com, client_address=1.1.1.1, sender=mechant@mordor.com, recipient=Pipin.touque@lacomte.net
action=pass, reason=client AAA, client_name=example.com, client_address=1.2.3.4, sender=Coyotte@acme.com, recipient=BIPBIP.NEWMAN@acme.com
E43D43F838: uid=117 from=<no-reply@example.org>
175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)
7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)
Action: prepend: Text: Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=ops@corp.com; receiver=<UNKNOWN>  Reject action: 550 5.7.23 210
Action: prepend: Text: Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=<>; receiver=<UNKNOWN>  Reject action: 550 5.7.23
Action: prepend: Text: Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.com; receiver=<UNKNOWN>  Reject action: 550 5.7.23
Neutral; identity=mailfrom; client-ip=1.2.3.4; helo=example.mail.protection.outlook.com; envelope-from=john.doem@example.org; receiver=<UNKNOWN>
None; identity=helo; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
Pass; identity=helo; client-ip=1.2.3.4; helo=mail.example.org; envelope-from=<>; receiver=<UNKNOWN>
Pass; identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
Permerror; identity=helo; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=no-reply@example.org; receiver=<UNKNOWN>
Softfail; identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.org; receiver=<UNKNOWN>
Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=mx.example.com; envelope-from=prvs=30447fe13=no-reply@example.com; receiver=<UNKNOWN>  Reject action: 550 5.7.23
prepend Received-SPF: Fail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: Neutral (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: None (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: None (no SPF record) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: Softfail (domain owner discourages use of this host) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
Action: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=11.22.33.44; helo=mta-11-22-33-44.example.or; envelope-from=doe@newsletter.example.org; receiver=<UNKNOWN>
Pass; identity=mailfrom; client-ip=1.1.1.1; helo=mail.corp.com; envelope-from=username@corp.com; receiver=<UNKNOWN> 131
None; identity=helo; client-ip=1.1.1.1; helo=sub.corp.com; envelope-from=noreply@corp.com; receiver=<UNKNOWN> 128
Softfail; identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=username@corp.com; receiver=<UNKNOWN> 120
Action: prepend: Text: Received-SPF: None (mailfrom) identity=mailfrom; client-ip=2.3.4.5; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>  Reject action: 550 5.7.23
Action: prepend: Text: Received-SPF: None (no SPF record) identity=helo; client-ip=2.3.4.5; helo=posta.example.org; envelope-from=<>; receiver=<UNKNOWN>  Reject action: 550 5.7.23
Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver=<UNKNOWN>  Reject action: 550 5.7.23
7B082110A6E0: host smtp.office365.com[40.101.136.242] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=EXAMPLE.PROD.OUTLOOK.COM] (in reply to end of DATA command)
01B3A96050: Used TLS for 10.19.65.1[10.19.65.1]:587
023069605C: Used TLS for smtp.example.org[163.172.55.8]:25
NOQUEUE: client=unknown[10.100.0.3]
warning: read TCP map reply from 127.0.0.1:10030: unexpected EOF (Operation now in progress)
0A90996059: to=<sms@mail2sms.smsbox.net>, relay=localhost[127.0.0.1]:10025, conn_use=3, delay=5.2, delays=0/0/0/5.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0BF0C9605C)
proxy-accept: END-OF-MESSAGE: 250 2.0.0 Ok: queued as 7949396087; from=<jdoe@example.org> to=<jane.doe@example.org> proto=ESMTP helo=<mx.example.org>
D2D459605C: Used TLS for smtp-in.example.com[5.6.7.8]:25
581B85F5B3: warning: header Content-Disposition: inline; filename=""image018.png""; size=162328;??creation-date=""Thu, 11 Apr 2024 07:53:08 GMT"";??modification-date=""Thu, 11 Apr 2024 07:53:08 GMT"" from local; from=<jdoe@example.org> to=<jane.doe@example.com>
59B835F5AD: warning: header Content-Disposition: attachment;??filename=""=?utf-8?B?111111111111111111111111111111111111111111111111111111111111?=? =?utf-8?B?222222222222222222222222222222222222222222222222222222222222?=? =?utf-8? from local; from=<jdoe@example.org> to=<jane.doe@example.com>
EBA403F815: message-id=<74c99d8a-eb8b-4045-ae8e-6d3f6d51b41d@example.org>
000FA5FD8F: prepend: header From: John Doe <jdoe@example.org> from localhost[127.0.0.1]; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: TRUE
008BB5FD76: prepend: header From: =?UTF-8?q?Cellier_du_P=C3=A9rigord?=??<newsletter@wine.com> from localhost[127.0.0.1]; from=<newsletter@wine.com> to=<jdoe@example.org> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: FALSE
action=greylist, reason=early-retry (10s missing), client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=greylist, reason=new, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=greylist, reason=new, client_name=unknown, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=pass, reason=client AWL, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=pass, reason=client whitelist, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=pass, reason=triplet found, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
whitelisted: mx.example.org[1.2.3.4/32]
whitelisted: unknown[1.2.3.4/32]
89BE920002: from=<test1@acme.com>, size=152518, nrcpt=1 (queue active)
074955F67C: from=<bounce+41deb4.277afa-Heather.STEWART=corp.com@hrd.corp.com>, size=4303, nrcpt=1 (queue active)
CA9311112C08: to=<f.lastname@corp.com>, relay=srv.corp.com[1.1.1.1]:25, delay=8.4, delays=7.6/0/0.31/0.47, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4TwNdH5zwCz7fxV) 257
56E28C0007: to=<rob@exemple.com>, relay=1.1.1.1[1.1.1.1]:10025, delay=0.63, delays=0.57/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DF82A21108)
95BCC140E40: replace: header From: EXAMPLE <[hola@example.org](mailto:hola@example.org)>: From: [noreply@example.org](mailto:noreply@example.org)
95BCC140E40: replace: header From: Example Mailbox <[test@example.org](mailto:test@example.org)>: From: [noreply@example.org](mailto:noreply@example.org)
2F46A140256: replace: header From: "Example Help" <help@example.org: From: [help@example.org](mailto:help@example.org)
warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure
175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)
7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)
05BC43F81E: host mx.example.org[5.6.7.8] said: 421 4.3.0 Upstream error, please check https://example.com/email-routing/postmaster for possible reasons why. yrtPbwx4hZz2 (in reply to end of DATA command)
30D713F81F: host mx.example.org[5.6.7.8] said: 450 4.1.1 <abuse@example.com>: Recipient address rejected: unverified address: Mailbox might be disabled, full, or may not exist on the server. Reason: JFE030050 (in reply to RCPT TO command)
connect to mx.example.org[5.6.7.8]:25: No route to host
connect to mail.corp.com[1.1.1.1]:25: Connection timed out 125
96887C0006: to=<rob@exemple.com>, relay=exemple.com[1.1.1.1]:25, delay=354776, delays=354775/0/0.9/0.16, dsn=4.3.1, status=deferred (host exemple.com[1.1.1.1] said: 452 4.3.1 Insufficient system storage (in reply to MAIL FROM command))
021C03F820: filter: RCPT from mx.example.org[192.168.100.124]: <mx.example.org[192.168.100.124]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<mx.example.com>
lost connection after BDAT from mx.example.org[192.168.100.124]
warning: hostname mx.example.org does not resolve to address 5.6.7.8: Name or service not known
warning: mx.example.org[192.168.100.132]: SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@exmaple.org
lost connection after AUTH from unknown[1.1.1.1]
connect from unknown[10.1.1.1] 88
Trusted TLS connection established from mail.outbound.protection.outlook.com[1.1.1.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Trusted TLS connection established to mx.corp.com[1.1.1.1]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Trusted TLS connection established to 127.0.0.1[127.0.0.1]:10025: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 201
spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID scantime=3.4,size=120289,user=debian-spamd,uid=119,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=44944,mid=<11111111111111@uexample.org>,autolearn=disabled
spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_HOTMAIL_RCVD2,FREEMAIL_FROM,HTML_IMAGE_RATIO_04,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.7,size=102578,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45880,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,SPF_PASS,T_FREEMAIL_DOC_PDF scantime=4.7,size=2252595,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=49594,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DMARC_PASS,MIME_HEADER_CTYPE_ONLY,MISSING_DATE,MISSING_MID,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=4260,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=46436,mid=(unknown),autolearn=disabled
spamd: result: . -1 - FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=8094,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=39504,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=61589,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=37172,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_08,HTML_MESSAGE,LOTS_OF_MONEY,MIME_HTML_MOSTLY,MPART_ALT_DIFF,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=164381,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=56082,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,HTML_OBFUSCATE_05_10,MIME_HTML_ONLY,SPF_HELO_PASS,SPF_PASS scantime=2.5,size=1572,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=51336,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -6 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=7882,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33278,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: connection from test.com [127.0.0.1]:33620 to port 783, fd 5
spamd: connection from mx.example.org [127.0.0.1]:33620 to port 783, fd 5
spamd: connection from example.org [127.0.0.1]:53684 to port 783, fd 5
spamd: processing message <!&!AAAAAAAAAAAYAAAAAAAAA111111111111111111111111111111111/22222222222222/u47tEBAAAAAA==@example.org> for debian-spamd:118
spamd: processing message <!&!AAAAAAAAAAAuAAAAAAAAAOC333333333333333333333333333333333333333q555555555555555555555555555555555555555555555555=@yahoo.fr> for debian-spamd:117
spamd: processing message <0113018ecc14540b-4a312890-d3e4-4332-887c-1d5be7521aa1-000000@eu-west-3.amazonses.com> for debian-spamd:118
spamd: processing message <55555555555555555555555555555555555-8nmAAKsF_9_U+fg@mail.gmail.com> for debian-spamd:118
spamd: processing message <66666666666666666666666666666666666666@EXAMPLE.PROD.OUTLOOK.COM> for debian-spamd:117
spamd: result: . -1 - AC_DIV_BONANZA,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,URI_NOVOWEL scantime=3.2,size=209868,user=debian-spamd,uid=117,required_score=5.0,rhost=test.host.test,raddr=127.0.0.1,rport=44702,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - ANY_BOUNCE_MESSAGE,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,OOOBOUNCE_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.7,size=14228,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=36236,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - APOSTROPHE_FROM,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=4.9,size=575869,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=41352,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DEAR_SOMETHING,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,PDS_BTC_ID,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_NONE scantime=5.3,size=468649,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=42678,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DEAR_SOMETHING,DMARC_PASS,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=3254,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45060,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.3,size=10467,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45920,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DKIM_INVALID,DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,T_REMOTE_IMAGE scantime=2.9,size=65264,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33254,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
statistics: max connection count 10 for (smtp:1.2.3.4) at Sep 11 10:47:30
2298F5F619: to=<admin@corp.com>, relay=none, delay=89758, delays=89758/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.corp.com[1.1.1.1]:25: Connection timed out) 215
11FDF5F62A: to=<USER@sub.corp.com>, relay=local, delay=80181, delays=80181/0.02/0/0, dsn=4.0.0, status=deferred (user lookup error)
3D770111AF50: to=<username@corp.com>, relay=none, delay=1.2, delays=1.1/0/0.03/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=corp.com type=AAAA: Host not found)
77EFFC0015: warning: header Content-Disposition: inline; filename="image003.jpg"; size=26055;??creation-date="Thu, 12 Sep 2019 12:39:01 GMT";??modification-date="Thu, 12 Sep 2019 12:40:01 GMT" from mail.outbound.protection.outlook.com[1.1.1.1]; from=<> to=<john.doe@exemple.com> proto=ESMTP helo=<NAM03.outbound.protection.outlook.com>
3D770111AF50: warning: header Subject: Manquants LASTNAME GB Nouvelle version from unknown[10.1.1.1]; from=<foo@corp.com> to=<first.last@corp.com> proto=ESMTP helo=<SUBDOMAIN.CORP.COM>
2CE6C111AF50: warning: header Subject: =?ISO-8859-1?Q?Pb_FTP_=3A_999_Aucune_action_effectu=E9e?= from unknown[10.1.1.1]; from=<email@corp.com> to=<email@corp.com> proto=ESMTP helo=<SUBDOMAIN.CORP.COM> 279
B4B613F8B7: warning: header Content-Disposition: inline; filename="image001.png"; size=8879;??creation-date="Thu, 14 Mar 2024 10:19:00 GMT";??modification-date="Thu, 14 Mar 2024 10:19:00 GMT" from subdomain.key.corp.com[1.1.1.1]; from=<ndr.journaling@corp.com> to=<corp@office365.eu.vadesecure.com> proto=ESMTP helo=<subdomain.key.corp.com>
707A12000A: warning: header Content-Disposition: attachment;??filename="?iso-8859-2?q?representative_on_migration.pdf?="; size=259210;?? from local; from=<photo@mordor.com> to=<Pipin.touque@lacomte.net>
486D13F8B7: client=COMPUTER.sub.corp.com[1.1.1.1]
8116C5F683: action=pass, reason=client whitelist, client_name=mail-corp123.outbound.protection.outlook.com, client_address=1.1.1.1/32, sender=firstname.lastname@corp.fr, recipient=firstname.lastname@corp2.fr
disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
53C2C140E40: host smtp.office365.com[1.1.1.1] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)
53C2C140E40: host smtp.office365.com[52.97.201.210] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=1111111111111.US0394.PROD.OUTLOOK.COM] (in reply to end of DATA command)
disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7 93
disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=2 data=1 quit=1 commands=6 137
EF0B15F675: to=<firstname.lastname@corp.com>, relay=spamfilter, delay=4.2, delays=1.6/0/0/2.6, dsn=2.0.0, status=sent (delivered via spamfilter service) 148
dns: new_dns_packet: domain is utf8 flagged: ns1.example.org
175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)
7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)
B84078B26C7: to=<foreman-proxy@example.com>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
B84078B26C7: to=proxy@example.localdomain, orig_to=sample.orig.to, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
04B953035FC2: to=john.doe@example.org, orig_to=jane.doe@example.com, relay=127.0.0.1:2525, delay=0.44, delays=0.13/0/0.02/0.29, dsn=2.0.0, status=sent (250 Ok)
476295F5AD: message-id=<aaaaaaaaaa=@pm.me>
123456789: message-id=<foo@corp.com>
NOQUEUE: filter: RCPT from foo.key.corp.com[192.168.1.1]: <foo.key.corp.com[192.168.1.1]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<foo.bar@subdomain.corp.com> to=<firstname.lastname@othercorp.com> proto=ESMTP helo=<foo.key.corp.com> 294
NOQUEUE: filter: RCPT from HOSTNAME.key.corp.com[192.168.1.1]: <HOSTNAME.key.corp.com[192.168.1.1]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<firstname.firstname@subdomain.corp.com> to=<firstname.lastname@corp2.com> proto=ESMTP helo=<HOSTNAME.key.corp.com> 299
Anonymous TLS connection established to example.org[1.2.3.4]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
action=pass, reason=triplet found, delay=2400, client_name=mordor.com, client_address=1.1.1.1, sender=mechant@mordor.com, recipient=Pipin.touque@lacomte.net
action=pass, reason=client AAA, client_name=example.com, client_address=1.2.3.4, sender=Coyotte@acme.com, recipient=BIPBIP.NEWMAN@acme.com
E43D43F838: uid=117 from=<no-reply@example.org>
175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)
7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)
Action: prepend: Text: Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=ops@corp.com; receiver=<UNKNOWN>  Reject action: 550 5.7.23 210
Action: prepend: Text: Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=<>; receiver=<UNKNOWN>  Reject action: 550 5.7.23
Action: prepend: Text: Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.com; receiver=<UNKNOWN>  Reject action: 550 5.7.23
Neutral; identity=mailfrom; client-ip=1.2.3.4; helo=example.mail.protection.outlook.com; envelope-from=john.doem@example.org; receiver=<UNKNOWN>
None; identity=helo; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
Pass; identity=helo; client-ip=1.2.3.4; helo=mail.example.org; envelope-from=<>; receiver=<UNKNOWN>
Pass; identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
Permerror; identity=helo; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=no-reply@example.org; receiver=<UNKNOWN>
Softfail; identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.org; receiver=<UNKNOWN>
Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=mx.example.com; envelope-from=prvs=30447fe13=no-reply@example.com; receiver=<UNKNOWN>  Reject action: 550 5.7.23
prepend Received-SPF: Fail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: Neutral (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: None (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: None (no SPF record) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: Softfail (domain owner discourages use of this host) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
Action: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=11.22.33.44; helo=mta-11-22-33-44.example.or; envelope-from=doe@newsletter.example.org; receiver=<UNKNOWN>
Pass; identity=mailfrom; client-ip=1.1.1.1; helo=mail.corp.com; envelope-from=username@corp.com; receiver=<UNKNOWN> 131
None; identity=helo; client-ip=1.1.1.1; helo=sub.corp.com; envelope-from=noreply@corp.com; receiver=<UNKNOWN> 128
Softfail; identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=username@corp.com; receiver=<UNKNOWN> 120
Action: prepend: Text: Received-SPF: None (mailfrom) identity=mailfrom; client-ip=2.3.4.5; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>  Reject action: 550 5.7.23
Action: prepend: Text: Received-SPF: None (no SPF record) identity=helo; client-ip=2.3.4.5; helo=posta.example.org; envelope-from=<>; receiver=<UNKNOWN>  Reject action: 550 5.7.23
Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver=<UNKNOWN>  Reject action: 550 5.7.23
7B082110A6E0: host smtp.office365.com[40.101.136.242] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=EXAMPLE.PROD.OUTLOOK.COM] (in reply to end of DATA command)
01B3A96050: Used TLS for 10.19.65.1[10.19.65.1]:587
023069605C: Used TLS for smtp.example.org[163.172.55.8]:25
NOQUEUE: client=unknown[10.100.0.3]
warning: read TCP map reply from 127.0.0.1:10030: unexpected EOF (Operation now in progress)
0A90996059: to=<sms@mail2sms.smsbox.net>, relay=localhost[127.0.0.1]:10025, conn_use=3, delay=5.2, delays=0/0/0/5.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0BF0C9605C)
proxy-accept: END-OF-MESSAGE: 250 2.0.0 Ok: queued as 7949396087; from=<jdoe@example.org> to=<jane.doe@example.org> proto=ESMTP helo=<mx.example.org>
D2D459605C: Used TLS for smtp-in.example.com[5.6.7.8]:25
581B85F5B3: warning: header Content-Disposition: inline; filename=""image018.png""; size=162328;??creation-date=""Thu, 11 Apr 2024 07:53:08 GMT"";??modification-date=""Thu, 11 Apr 2024 07:53:08 GMT"" from local; from=<jdoe@example.org> to=<jane.doe@example.com>
59B835F5AD: warning: header Content-Disposition: attachment;??filename=""=?utf-8?B?111111111111111111111111111111111111111111111111111111111111?=? =?utf-8?B?222222222222222222222222222222222222222222222222222222222222?=? =?utf-8? from local; from=<jdoe@example.org> to=<jane.doe@example.com>
EBA403F815: message-id=<74c99d8a-eb8b-4045-ae8e-6d3f6d51b41d@example.org>
000FA5FD8F: prepend: header From: John Doe <jdoe@example.org> from localhost[127.0.0.1]; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: TRUE
008BB5FD76: prepend: header From: =?UTF-8?q?Cellier_du_P=C3=A9rigord?=??<newsletter@wine.com> from localhost[127.0.0.1]; from=<newsletter@wine.com> to=<jdoe@example.org> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: FALSE
action=greylist, reason=early-retry (10s missing), client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=greylist, reason=new, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=greylist, reason=new, client_name=unknown, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=pass, reason=client AWL, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=pass, reason=client whitelist, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=pass, reason=triplet found, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
whitelisted: mx.example.org[1.2.3.4/32]
whitelisted: unknown[1.2.3.4/32]
89BE920002: from=<test1@acme.com>, size=152518, nrcpt=1 (queue active)
074955F67C: from=<bounce+41deb4.277afa-Heather.STEWART=corp.com@hrd.corp.com>, size=4303, nrcpt=1 (queue active)
CA9311112C08: to=<f.lastname@corp.com>, relay=srv.corp.com[1.1.1.1]:25, delay=8.4, delays=7.6/0/0.31/0.47, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4TwNdH5zwCz7fxV) 257
56E28C0007: to=<rob@exemple.com>, relay=1.1.1.1[1.1.1.1]:10025, delay=0.63, delays=0.57/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DF82A21108)
95BCC140E40: replace: header From: EXAMPLE <[hola@example.org](mailto:hola@example.org)>: From: [noreply@example.org](mailto:noreply@example.org)
95BCC140E40: replace: header From: Example Mailbox <[test@example.org](mailto:test@example.org)>: From: [noreply@example.org](mailto:noreply@example.org)
2F46A140256: replace: header From: "Example Help" <help@example.org: From: [help@example.org](mailto:help@example.org)
warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure
175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)
7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)
05BC43F81E: host mx.example.org[5.6.7.8] said: 421 4.3.0 Upstream error, please check https://example.com/email-routing/postmaster for possible reasons why. yrtPbwx4hZz2 (in reply to end of DATA command)
30D713F81F: host mx.example.org[5.6.7.8] said: 450 4.1.1 <abuse@example.com>: Recipient address rejected: unverified address: Mailbox might be disabled, full, or may not exist on the server. Reason: JFE030050 (in reply to RCPT TO command)
connect to mx.example.org[5.6.7.8]:25: No route to host
connect to mail.corp.com[1.1.1.1]:25: Connection timed out 125
96887C0006: to=<rob@exemple.com>, relay=exemple.com[1.1.1.1]:25, delay=354776, delays=354775/0/0.9/0.16, dsn=4.3.1, status=deferred (host exemple.com[1.1.1.1] said: 452 4.3.1 Insufficient system storage (in reply to MAIL FROM command))
021C03F820: filter: RCPT from mx.example.org[192.168.100.124]: <mx.example.org[192.168.100.124]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<mx.example.com>
lost connection after BDAT from mx.example.org[192.168.100.124]
warning: hostname mx.example.org does not resolve to address 5.6.7.8: Name or service not known
warning: mx.example.org[192.168.100.132]: SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@exmaple.org
lost connection after AUTH from unknown[1.1.1.1]
connect from unknown[10.1.1.1] 88
Trusted TLS connection established from mail.outbound.protection.outlook.com[1.1.1.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Trusted TLS connection established to mx.corp.com[1.1.1.1]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Trusted TLS connection established to 127.0.0.1[127.0.0.1]:10025: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 201
spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID scantime=3.4,size=120289,user=debian-spamd,uid=119,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=44944,mid=<11111111111111@uexample.org>,autolearn=disabled
spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_HOTMAIL_RCVD2,FREEMAIL_FROM,HTML_IMAGE_RATIO_04,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.7,size=102578,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45880,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,SPF_PASS,T_FREEMAIL_DOC_PDF scantime=4.7,size=2252595,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=49594,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DMARC_PASS,MIME_HEADER_CTYPE_ONLY,MISSING_DATE,MISSING_MID,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=4260,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=46436,mid=(unknown),autolearn=disabled
spamd: result: . -1 - FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=8094,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=39504,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=61589,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=37172,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_08,HTML_MESSAGE,LOTS_OF_MONEY,MIME_HTML_MOSTLY,MPART_ALT_DIFF,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=164381,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=56082,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,HTML_OBFUSCATE_05_10,MIME_HTML_ONLY,SPF_HELO_PASS,SPF_PASS scantime=2.5,size=1572,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=51336,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -6 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=7882,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33278,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: connection from test.com [127.0.0.1]:33620 to port 783, fd 5
spamd: connection from mx.example.org [127.0.0.1]:33620 to port 783, fd 5
spamd: connection from example.org [127.0.0.1]:53684 to port 783, fd 5
spamd: processing message <!&!AAAAAAAAAAAYAAAAAAAAA111111111111111111111111111111111/22222222222222/u47tEBAAAAAA==@example.org> for debian-spamd:118
spamd: processing message <!&!AAAAAAAAAAAuAAAAAAAAAOC333333333333333333333333333333333333333q555555555555555555555555555555555555555555555555=@yahoo.fr> for debian-spamd:117
spamd: processing message <0113018ecc14540b-4a312890-d3e4-4332-887c-1d5be7521aa1-000000@eu-west-3.amazonses.com> for debian-spamd:118
spamd: processing message <55555555555555555555555555555555555-8nmAAKsF_9_U+fg@mail.gmail.com> for debian-spamd:118
spamd: processing message <66666666666666666666666666666666666666@EXAMPLE.PROD.OUTLOOK.COM> for debian-spamd:117
spamd: result: . -1 - AC_DIV_BONANZA,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,URI_NOVOWEL scantime=3.2,size=209868,user=debian-spamd,uid=117,required_score=5.0,rhost=test.host.test,raddr=127.0.0.1,rport=44702,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - ANY_BOUNCE_MESSAGE,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,OOOBOUNCE_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.7,size=14228,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=36236,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - APOSTROPHE_FROM,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=4.9,size=575869,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=41352,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DEAR_SOMETHING,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,PDS_BTC_ID,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_NONE scantime=5.3,size=468649,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=42678,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DEAR_SOMETHING,DMARC_PASS,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=3254,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45060,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.3,size=10467,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45920,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DKIM_INVALID,DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,T_REMOTE_IMAGE scantime=2.9,size=65264,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33254,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled

Detection section

The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.

The following Sekoia.io built-in rules match the intake Postfix. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.

SEKOIA.IO x Postfix on ATT&CK Navigator

Advanced IP Scanner

Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.

  • Effort: master
Burp Suite Tool Detected

Burp Suite is a cybersecurity tool. When used as a proxy service, its purpose is to intercept packets and modify them to send them to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (vulnerabilities scanner).

  • Effort: intermediate
Certify Or Certipy

Detects the use of certify and certipy which are two different tools used to enumerate and abuse Active Directory Certificate Services.

  • Effort: advanced
Cobalt Strike Default Beacons Names

Detects the default names of Cobalt Strike beacons / payloads.

  • Effort: intermediate
Correlation Potential DNS Tunnel

Detects domain name which is longer than 95 characters. Long domain names are distinctive of DNS tunnels.

  • Effort: advanced
Credential Dump Tools Related Files

Detects processes or file names related to credential dumping tools and the dropped files they generate by default.

  • Effort: advanced
Cryptomining

Detection of domain names potentially related to cryptomining activities.

  • Effort: master
Dynamic DNS Contacted

Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.

  • Effort: master
EvilProxy Phishing Domain

Detects subdomains potentially generated by the EvilProxy adversary-in-the-middle phishing platform. Inspect the other subdomains of the domain to identify the landing page, and determine if the user submitted credentials. This rule has a small percentage of false positives on legitimate domains.

  • Effort: intermediate
Exfiltration Domain

Detects traffic toward a domain flagged as a possible exfiltration vector.

  • Effort: master
HackTools Suspicious Names

Quick-win rule to detect the default process names or file names of several HackTools.

  • Effort: elementary
Login Brute-Force Successful On SentinelOne EDR Management Console

A user has attempted to login several times (brute-force) on the SentinelOne EDR Management Console and succeeded to login.

  • Effort: master
PasswordDump SecurityXploded Tool

Detects the execution of the PasswordDump SecurityXploded Tool

  • Effort: elementary
Potential DNS Tunnel

Detects domain name which is longer than 95 characters. Long domain names are distinctive of DNS tunnels.

  • Effort: advanced
RSA SecurID Failed Authentification

Detects many failed attempts to authenticate followed by a successfull login for a super admin account.

  • Effort: advanced
RTLO Character

Detects RTLO (Right-To-Left character) in file and process names.

  • Effort: elementary
Remote Access Tool Domain

Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).

  • Effort: master
Remote Monitoring and Management Software - AnyDesk

Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool AnyDesk.

  • Effort: master
Remote Monitoring and Management Software - Atera

Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool Atera.

  • Effort: master
SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary
Sekoia.io EICAR Detection

Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.

  • Effort: master
Suspicious Email Attachment Received

Detects email containing an .exe|.dll|.ps1|.bat|.hta attachment. Most of the time files send by mail like this are malware.

  • Effort: elementary
Suspicious File Name

Detects suspicious file name possibly linked to malicious tool.

  • Effort: advanced
Suspicious PROCEXP152.sys File Created In Tmp

Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU. Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.

  • Effort: advanced
Suspicious TOR Gateway

Detects suspicious TOR gateways. Gateways are often used by the victim to pay and decrypt the encrypted files without installing TOR. Tor intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.

  • Effort: advanced
TOR Usage Generic Rule

Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.

  • Effort: master
Telegram Bot API Request

Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind

  • Effort: advanced
WCE wceaux.dll Creation

Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.

  • Effort: intermediate

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Email gateway Postfix logs many details on every handled message
Mail server Postfix logs many details on every handled message

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind ``
Category email
Type info

Transformed Events Samples after Ingestion

This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.

{
    "message": "statistics: max connection count 10 for (smtp:1.2.3.4) at Sep 11 10:47:30",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "log": {
        "syslog": {
            "appname": "postfix/anvil"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "2298F5F619: to=<admin@corp.com>, relay=none, delay=89758, delays=89758/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.corp.com[1.1.1.1]:25: Connection timed out) 215",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "deferred",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "corp.com",
        "domain": "corp.com",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    },
    "email": {
        "to": {
            "address": [
                "admin@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/error"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "corp.com"
        ]
    }
}
{
    "message": "11FDF5F62A: to=<USER@sub.corp.com>, relay=local, delay=80181, delays=80181/0.02/0/0, dsn=4.0.0, status=deferred (user lookup error)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "deferred",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "sub.corp.com",
        "domain": "sub.corp.com",
        "registered_domain": "corp.com",
        "subdomain": "sub",
        "top_level_domain": "com"
    },
    "email": {
        "to": {
            "address": [
                "USER@sub.corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/local"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "sub.corp.com"
        ]
    }
}
{
    "message": "3D770111AF50: to=<username@corp.com>, relay=none, delay=1.2, delays=1.1/0/0.03/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=corp.com type=AAAA: Host not found)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "bounced",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "corp.com",
        "domain": "corp.com",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    },
    "email": {
        "to": {
            "address": [
                "username@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "corp.com"
        ]
    }
}
{
    "message": "77EFFC0015: warning: header Content-Disposition: inline; filename=\"image003.jpg\"; size=26055;??creation-date=\"Thu, 12 Sep 2019 12:39:01 GMT\";??modification-date=\"Thu, 12 Sep 2019 12:40:01 GMT\" from mail.outbound.protection.outlook.com[1.1.1.1]; from=<> to=<john.doe@exemple.com> proto=ESMTP helo=<NAM03.outbound.protection.outlook.com>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "exemple.com",
        "domain": "exemple.com",
        "registered_domain": "exemple.com",
        "top_level_domain": "com"
    },
    "email": {
        "to": {
            "address": [
                "john.doe@exemple.com"
            ]
        }
    },
    "file": {
        "created": "2019-09-12T12:39:01Z",
        "ctime": "2019-09-12T12:40:01Z",
        "name": "image003.jpg",
        "size": 26055
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "exemple.com",
            "mail.outbound.protection.outlook.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "mail.outbound.protection.outlook.com",
        "domain": "mail.outbound.protection.outlook.com",
        "ip": "1.1.1.1",
        "registered_domain": "outlook.com",
        "subdomain": "mail.outbound.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "3D770111AF50: warning: header Subject: Manquants LASTNAME GB Nouvelle version from unknown[10.1.1.1]; from=<foo@corp.com> to=<first.last@corp.com> proto=ESMTP helo=<SUBDOMAIN.CORP.COM>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "corp.com",
        "domain": "corp.com",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "foo@corp.com"
            ]
        },
        "to": {
            "address": [
                "first.last@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "SUBDOMAIN.CORP.COM",
            "corp.com"
        ],
        "ip": [
            "10.1.1.1"
        ]
    },
    "source": {
        "address": "SUBDOMAIN.CORP.COM",
        "domain": "SUBDOMAIN.CORP.COM",
        "ip": "10.1.1.1",
        "registered_domain": "CORP.COM",
        "subdomain": "SUBDOMAIN",
        "top_level_domain": "COM"
    }
}
{
    "message": "2CE6C111AF50: warning: header Subject: =?ISO-8859-1?Q?Pb_FTP_=3A_999_Aucune_action_effectu=E9e?= from unknown[10.1.1.1]; from=<email@corp.com> to=<email@corp.com> proto=ESMTP helo=<SUBDOMAIN.CORP.COM> 279",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "corp.com",
        "domain": "corp.com",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "email@corp.com"
            ]
        },
        "to": {
            "address": [
                "email@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "SUBDOMAIN.CORP.COM",
            "corp.com"
        ],
        "ip": [
            "10.1.1.1"
        ]
    },
    "source": {
        "address": "SUBDOMAIN.CORP.COM",
        "domain": "SUBDOMAIN.CORP.COM",
        "ip": "10.1.1.1",
        "registered_domain": "CORP.COM",
        "subdomain": "SUBDOMAIN",
        "top_level_domain": "COM"
    }
}
{
    "message": "B4B613F8B7: warning: header Content-Disposition: inline; filename=\"image001.png\"; size=8879;??creation-date=\"Thu, 14 Mar 2024 10:19:00 GMT\";??modification-date=\"Thu, 14 Mar 2024 10:19:00 GMT\" from subdomain.key.corp.com[1.1.1.1]; from=<ndr.journaling@corp.com> to=<corp@office365.eu.vadesecure.com> proto=ESMTP helo=<subdomain.key.corp.com>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "office365.eu.vadesecure.com",
        "domain": "office365.eu.vadesecure.com",
        "registered_domain": "vadesecure.com",
        "subdomain": "office365.eu",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "ndr.journaling@corp.com"
            ]
        },
        "to": {
            "address": [
                "corp@office365.eu.vadesecure.com"
            ]
        }
    },
    "file": {
        "created": "2024-03-14T10:19:00Z",
        "ctime": "2024-03-14T10:19:00Z",
        "name": "image001.png",
        "size": 8879
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "office365.eu.vadesecure.com",
            "subdomain.key.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "subdomain.key.corp.com",
        "domain": "subdomain.key.corp.com",
        "ip": "1.1.1.1",
        "registered_domain": "corp.com",
        "subdomain": "subdomain.key",
        "top_level_domain": "com"
    }
}
{
    "message": "707A12000A: warning: header Content-Disposition: attachment;??filename=\"?iso-8859-2?q?representative_on_migration.pdf?=\"; size=259210;?? from local; from=<photo@mordor.com> to=<Pipin.touque@lacomte.net>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "lacomte.net",
        "domain": "lacomte.net",
        "registered_domain": "lacomte.net",
        "top_level_domain": "net"
    },
    "email": {
        "from": {
            "address": [
                "photo@mordor.com"
            ]
        },
        "to": {
            "address": [
                "Pipin.touque@lacomte.net"
            ]
        }
    },
    "file": {
        "name": "?iso-8859-2?q?representative_on_migration.pdf?=",
        "size": 259210
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "lacomte.net",
            "mordor.com"
        ]
    },
    "source": {
        "address": "mordor.com",
        "domain": "mordor.com",
        "registered_domain": "mordor.com",
        "top_level_domain": "com"
    }
}
{
    "message": "486D13F8B7: client=COMPUTER.sub.corp.com[1.1.1.1]",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "COMPUTER.sub.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "COMPUTER.sub.corp.com",
        "domain": "COMPUTER.sub.corp.com",
        "ip": "1.1.1.1",
        "registered_domain": "corp.com",
        "subdomain": "COMPUTER.sub",
        "top_level_domain": "com"
    }
}
{
    "message": "8116C5F683: action=pass, reason=client whitelist, client_name=mail-corp123.outbound.protection.outlook.com, client_address=1.1.1.1/32, sender=firstname.lastname@corp.fr, recipient=firstname.lastname@corp2.fr",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "client whitelist",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "client whitelist",
        "target": "network-traffic"
    },
    "destination": {
        "address": "corp2.fr",
        "domain": "corp2.fr",
        "registered_domain": "corp2.fr",
        "top_level_domain": "fr"
    },
    "email": {
        "from": {
            "address": [
                "firstname.lastname@corp.fr"
            ]
        },
        "to": {
            "address": [
                "firstname.lastname@corp2.fr"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "corp2.fr",
            "mail-corp123.outbound.protection.outlook.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "mail-corp123.outbound.protection.outlook.com",
        "domain": "mail-corp123.outbound.protection.outlook.com",
        "ip": "1.1.1.1",
        "registered_domain": "outlook.com",
        "subdomain": "mail-corp123.outbound.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "disconnect",
        "outcome": "success",
        "target": "network-traffic"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "1.1.1.1",
        "ip": "1.1.1.1"
    }
}
{
    "message": "53C2C140E40: host smtp.office365.com[1.1.1.1] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
        "type": [
            "info"
        ]
    },
    "action": {
        "outcome": "success",
        "outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped",
        "target": "network-traffic",
        "type": "end of DATA"
    },
    "destination": {
        "address": "1.1.1.1",
        "domain": "smtp.office365.com",
        "ip": "1.1.1.1"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "P212321.PROD.OUTLOOK.COM",
            "smtp.office365.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "P212321.PROD.OUTLOOK.COM",
        "domain": "P212321.PROD.OUTLOOK.COM",
        "registered_domain": "OUTLOOK.COM",
        "subdomain": "P212321.PROD",
        "top_level_domain": "COM"
    }
}
{
    "message": "53C2C140E40: host smtp.office365.com[52.97.201.210] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=1111111111111.US0394.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=1111111111111.US0394.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
        "type": [
            "info"
        ]
    },
    "action": {
        "outcome": "success",
        "outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped",
        "target": "network-traffic",
        "type": "end of DATA"
    },
    "destination": {
        "address": "52.97.201.210",
        "domain": "smtp.office365.com",
        "ip": "52.97.201.210"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1111111111111.US0394.PROD.OUTLOOK.COM",
            "smtp.office365.com"
        ],
        "ip": [
            "52.97.201.210"
        ]
    },
    "source": {
        "address": "1111111111111.US0394.PROD.OUTLOOK.COM",
        "domain": "1111111111111.US0394.PROD.OUTLOOK.COM",
        "registered_domain": "OUTLOOK.COM",
        "subdomain": "1111111111111.US0394.PROD",
        "top_level_domain": "COM"
    }
}
{
    "message": "disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "disconnect",
        "outcome": "success",
        "target": "network-traffic"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "localhost"
        ],
        "ip": [
            "127.0.0.1"
        ]
    },
    "source": {
        "address": "localhost",
        "domain": "localhost",
        "ip": "127.0.0.1"
    }
}
{
    "message": "disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7 93",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "disconnect",
        "outcome": "success",
        "target": "network-traffic"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "localhost"
        ],
        "ip": [
            "127.0.0.1"
        ]
    },
    "source": {
        "address": "localhost",
        "domain": "localhost",
        "ip": "127.0.0.1"
    }
}
{
    "message": "disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=2 data=1 quit=1 commands=6 137",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "disconnect",
        "outcome": "success",
        "target": "network-traffic"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "1.1.1.1",
        "ip": "1.1.1.1"
    }
}
{
    "message": "EF0B15F675: to=<firstname.lastname@corp.com>, relay=spamfilter, delay=4.2, delays=1.6/0/0/2.6, dsn=2.0.0, status=sent (delivered via spamfilter service) 148",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "corp.com",
        "domain": "corp.com",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    },
    "email": {
        "to": {
            "address": [
                "firstname.lastname@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/pipe"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "corp.com"
        ]
    }
}
{
    "message": "dns: new_dns_packet: domain is utf8 flagged: ns1.example.org",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "ns1.example.org",
        "domain": "ns1.example.org",
        "registered_domain": "example.org",
        "subdomain": "ns1",
        "top_level_domain": "org"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "ns1.example.org"
        ]
    }
}
{
    "message": "175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/local"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "foreman-proxy"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    }
}
{
    "message": "1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/local"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "dmarc@example.org"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    }
}
{
    "message": "7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "outcome_reason": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 10025
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/local"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "B84078B26C7: to=<foreman-proxy@example.com>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "to": {
            "address": [
                "foreman-proxy@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/local"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "foreman-proxy"
    },
    "related": {
        "hosts": [
            "example.com"
        ]
    }
}
{
    "message": "B84078B26C7: to=proxy@example.localdomain, orig_to=sample.orig.to, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.localdomain",
        "domain": "example.localdomain",
        "subdomain": "example"
    },
    "email": {
        "to": {
            "address": [
                "proxy@example.localdomain"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": ""
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "sample.orig.to"
    },
    "related": {
        "hosts": [
            "example.localdomain"
        ]
    }
}
{
    "message": "04B953035FC2: to=john.doe@example.org, orig_to=jane.doe@example.com, relay=127.0.0.1:2525, delay=0.44, delays=0.13/0/0.02/0.29, dsn=2.0.0, status=sent (250 Ok)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "ip": "127.0.0.1",
        "port": 2525,
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "john.doe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/local"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "jane.doe@example.com"
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "476295F5AD: message-id=<aaaaaaaaaa=@pm.me>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "aaaaaaaaaa=@pm.me"
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    }
}
{
    "message": "123456789: message-id=<foo@corp.com>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "foo@corp.com"
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    }
}
{
    "message": "NOQUEUE: filter: RCPT from foo.key.corp.com[192.168.1.1]: <foo.key.corp.com[192.168.1.1]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<foo.bar@subdomain.corp.com> to=<firstname.lastname@othercorp.com> proto=ESMTP helo=<foo.key.corp.com> 294",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "filter",
        "outcome": "success",
        "target": "network-traffic",
        "type": "RCPT"
    },
    "destination": {
        "address": "othercorp.com",
        "domain": "othercorp.com",
        "registered_domain": "othercorp.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "foo.bar@subdomain.corp.com"
            ]
        },
        "to": {
            "address": [
                "firstname.lastname@othercorp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "foo.key.corp.com",
            "othercorp.com"
        ],
        "ip": [
            "192.168.1.1"
        ]
    },
    "source": {
        "address": "foo.key.corp.com",
        "domain": "foo.key.corp.com",
        "ip": "192.168.1.1",
        "registered_domain": "corp.com",
        "subdomain": "foo.key",
        "top_level_domain": "com"
    }
}
{
    "message": "NOQUEUE: filter: RCPT from HOSTNAME.key.corp.com[192.168.1.1]: <HOSTNAME.key.corp.com[192.168.1.1]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<firstname.firstname@subdomain.corp.com> to=<firstname.lastname@corp2.com> proto=ESMTP helo=<HOSTNAME.key.corp.com> 299",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "filter",
        "outcome": "success",
        "target": "network-traffic",
        "type": "RCPT"
    },
    "destination": {
        "address": "corp2.com",
        "domain": "corp2.com",
        "registered_domain": "corp2.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "firstname.firstname@subdomain.corp.com"
            ]
        },
        "to": {
            "address": [
                "firstname.lastname@corp2.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "HOSTNAME.key.corp.com",
            "corp2.com"
        ],
        "ip": [
            "192.168.1.1"
        ]
    },
    "source": {
        "address": "HOSTNAME.key.corp.com",
        "domain": "HOSTNAME.key.corp.com",
        "ip": "192.168.1.1",
        "registered_domain": "corp.com",
        "subdomain": "HOSTNAME.key",
        "top_level_domain": "com"
    }
}
{
    "message": "Anonymous TLS connection established to example.org[1.2.3.4]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "1.2.3.4",
        "domain": "example.org",
        "ip": "1.2.3.4",
        "port": 25
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    }
}
{
    "message": "action=pass, reason=triplet found, delay=2400, client_name=mordor.com, client_address=1.1.1.1, sender=mechant@mordor.com, recipient=Pipin.touque@lacomte.net",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "triplet found",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "triplet found",
        "target": "network-traffic"
    },
    "destination": {
        "address": "lacomte.net",
        "domain": "lacomte.net",
        "registered_domain": "lacomte.net",
        "top_level_domain": "net"
    },
    "email": {
        "from": {
            "address": [
                "mechant@mordor.com"
            ]
        },
        "to": {
            "address": [
                "Pipin.touque@lacomte.net"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "lacomte.net",
            "mordor.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "mordor.com",
        "domain": "mordor.com",
        "ip": "1.1.1.1",
        "registered_domain": "mordor.com",
        "top_level_domain": "com"
    }
}
{
    "message": "action=pass, reason=client AAA, client_name=example.com, client_address=1.2.3.4, sender=Coyotte@acme.com, recipient=BIPBIP.NEWMAN@acme.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "client AAA",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "client AAA",
        "target": "network-traffic"
    },
    "destination": {
        "address": "acme.com",
        "domain": "acme.com",
        "registered_domain": "acme.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "Coyotte@acme.com"
            ]
        },
        "to": {
            "address": [
                "BIPBIP.NEWMAN@acme.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "acme.com",
            "example.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.com",
        "domain": "example.com",
        "ip": "1.2.3.4",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    }
}
{
    "message": "E43D43F838: uid=117 from=<no-reply@example.org>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "no-reply@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/pickup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/pipe"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "foreman-proxy"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    }
}
{
    "message": "1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/pipe"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "dmarc@example.org"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    }
}
{
    "message": "7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "outcome_reason": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 10025
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/pipe"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=ops@corp.com; receiver=<UNKNOWN>  Reject action: 550 5.7.23 210",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "ops@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "corp.com",
        "domain": "corp.com",
        "ip": "1.1.1.1",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=<>; receiver=<UNKNOWN>  Reject action: 550 5.7.23",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "target": "network-traffic"
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.outbound.protection.outlook.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.outbound.protection.outlook.com",
        "domain": "example.outbound.protection.outlook.com",
        "ip": "1.2.3.4",
        "registered_domain": "outlook.com",
        "subdomain": "example.outbound.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.com; receiver=<UNKNOWN>  Reject action: 550 5.7.23",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "outcome_reason": "SPF validation failed",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "noreply@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1.2.3.4"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "Neutral; identity=mailfrom; client-ip=1.2.3.4; helo=example.mail.protection.outlook.com; envelope-from=john.doem@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Neutral",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "john.doem@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.mail.protection.outlook.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.mail.protection.outlook.com",
        "domain": "example.mail.protection.outlook.com",
        "ip": "1.2.3.4",
        "registered_domain": "outlook.com",
        "subdomain": "example.mail.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "None; identity=helo; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1.2.3.4"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "Pass; identity=helo; client-ip=1.2.3.4; helo=mail.example.org; envelope-from=<>; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Pass",
        "outcome": "success",
        "target": "network-traffic"
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mail.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mail.example.org",
        "domain": "mail.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mail",
        "top_level_domain": "org"
    }
}
{
    "message": "Pass; identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Pass",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.outbound.protection.outlook.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.outbound.protection.outlook.com",
        "domain": "example.outbound.protection.outlook.com",
        "ip": "1.2.3.4",
        "registered_domain": "outlook.com",
        "subdomain": "example.outbound.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "Permerror; identity=helo; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Permerror",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Permerror",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=no-reply@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Permerror",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "no-reply@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "Softfail; identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Softfail",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "noreply@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1.2.3.4"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=mx.example.com; envelope-from=prvs=30447fe13=no-reply@example.com; receiver=<UNKNOWN>  Reject action: 550 5.7.23",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "outcome_reason": "SPF validation failed",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "prvs=30447fe13=no-reply@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.com",
        "domain": "mx.example.com",
        "ip": "1.2.3.4",
        "registered_domain": "example.com",
        "subdomain": "mx",
        "top_level_domain": "com"
    }
}
{
    "message": "prepend Received-SPF: Fail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: Neutral (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "prepend Received-SPF",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: None (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1.2.3.4"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "prepend Received-SPF: None (no SPF record) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "prepend Received-SPF",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "prepend Received-SPF",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: Softfail (domain owner discourages use of this host) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "prepend Received-SPF",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "Action: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=11.22.33.44; helo=mta-11-22-33-44.example.or; envelope-from=doe@newsletter.example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "doe@newsletter.example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mta-11-22-33-44.example.or"
        ],
        "ip": [
            "11.22.33.44"
        ]
    },
    "source": {
        "address": "mta-11-22-33-44.example.or",
        "domain": "mta-11-22-33-44.example.or",
        "ip": "11.22.33.44",
        "subdomain": "mta-11-22-33-44.example"
    }
}
{
    "message": "Pass; identity=mailfrom; client-ip=1.1.1.1; helo=mail.corp.com; envelope-from=username@corp.com; receiver=<UNKNOWN> 131",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Pass",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "username@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mail.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "mail.corp.com",
        "domain": "mail.corp.com",
        "ip": "1.1.1.1",
        "registered_domain": "corp.com",
        "subdomain": "mail",
        "top_level_domain": "com"
    }
}
{
    "message": "None; identity=helo; client-ip=1.1.1.1; helo=sub.corp.com; envelope-from=noreply@corp.com; receiver=<UNKNOWN> 128",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "noreply@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "sub.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "sub.corp.com",
        "domain": "sub.corp.com",
        "ip": "1.1.1.1",
        "registered_domain": "corp.com",
        "subdomain": "sub",
        "top_level_domain": "com"
    }
}
{
    "message": "Softfail; identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=username@corp.com; receiver=<UNKNOWN> 120",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Softfail",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "username@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "corp.com",
        "domain": "corp.com",
        "ip": "1.1.1.1",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: None (mailfrom) identity=mailfrom; client-ip=2.3.4.5; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>  Reject action: 550 5.7.23",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "outcome_reason": "SPF validation failed",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1.2.3.4"
        ],
        "ip": [
            "2.3.4.5"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "1.2.3.4",
        "ip": "2.3.4.5"
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: None (no SPF record) identity=helo; client-ip=2.3.4.5; helo=posta.example.org; envelope-from=<>; receiver=<UNKNOWN>  Reject action: 550 5.7.23",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "target": "network-traffic"
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "posta.example.org"
        ],
        "ip": [
            "2.3.4.5"
        ]
    },
    "source": {
        "address": "posta.example.org",
        "domain": "posta.example.org",
        "ip": "2.3.4.5",
        "registered_domain": "example.org",
        "subdomain": "posta",
        "top_level_domain": "org"
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver=<UNKNOWN>  Reject action: 550 5.7.23",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "outcome_reason": "SPF validation failed",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.outbound.protection.outlook.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.outbound.protection.outlook.com",
        "domain": "example.outbound.protection.outlook.com",
        "ip": "1.2.3.4",
        "registered_domain": "outlook.com",
        "subdomain": "example.outbound.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "7B082110A6E0: host smtp.office365.com[40.101.136.242] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=EXAMPLE.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=EXAMPLE.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
        "type": [
            "info"
        ]
    },
    "action": {
        "outcome": "success",
        "outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped",
        "target": "network-traffic",
        "type": "end of DATA"
    },
    "destination": {
        "address": "40.101.136.242",
        "domain": "smtp.office365.com",
        "ip": "40.101.136.242"
    },
    "log": {
        "syslog": {
            "appname": "postfix"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "EXAMPLE.PROD.OUTLOOK.COM",
            "smtp.office365.com"
        ],
        "ip": [
            "40.101.136.242"
        ]
    },
    "source": {
        "address": "EXAMPLE.PROD.OUTLOOK.COM",
        "domain": "EXAMPLE.PROD.OUTLOOK.COM",
        "registered_domain": "OUTLOOK.COM",
        "subdomain": "EXAMPLE.PROD",
        "top_level_domain": "COM"
    }
}
{
    "message": "01B3A96050: Used TLS for 10.19.65.1[10.19.65.1]:587",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "10.19.65.1",
        "domain": "10.19.65.1",
        "ip": "10.19.65.1",
        "port": 587
    },
    "log": {
        "syslog": {
            "appname": "postfix"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "10.19.65.1"
        ],
        "ip": [
            "10.19.65.1"
        ]
    }
}
{
    "message": "023069605C: Used TLS for smtp.example.org[163.172.55.8]:25",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "163.172.55.8",
        "domain": "smtp.example.org",
        "ip": "163.172.55.8",
        "port": 25
    },
    "log": {
        "syslog": {
            "appname": "postfix"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "163.172.55.8"
        ]
    }
}
{
    "message": "NOQUEUE: client=unknown[10.100.0.3]",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "10.100.0.3",
        "ip": "10.100.0.3"
    },
    "log": {
        "syslog": {
            "appname": "postfix"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "10.100.0.3"
        ]
    }
}
{
    "message": "warning: read TCP map reply from 127.0.0.1:10030: unexpected EOF (Operation now in progress)",
    "event": {
        "category": [
            "email"
        ],
        "reason": "unexpected EOF (Operation now in progress)",
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "port": 10030
    },
    "log": {
        "syslog": {
            "appname": "postfix"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "0A90996059: to=<sms@mail2sms.smsbox.net>, relay=localhost[127.0.0.1]:10025, conn_use=3, delay=5.2, delays=0/0/0/5.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0BF0C9605C)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "mail2sms.smsbox.net",
        "domain": "mail2sms.smsbox.net",
        "ip": "127.0.0.1",
        "port": 10025,
        "registered_domain": "smsbox.net",
        "subdomain": "mail2sms",
        "top_level_domain": "net"
    },
    "email": {
        "to": {
            "address": [
                "sms@mail2sms.smsbox.net"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mail2sms.smsbox.net"
        ],
        "ip": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "proxy-accept: END-OF-MESSAGE: 250 2.0.0 Ok: queued as 7949396087; from=<jdoe@example.org> to=<jane.doe@example.org> proto=ESMTP helo=<mx.example.org>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "accept",
        "outcome": "success",
        "target": "network-traffic",
        "type": "END-OF-MESSAGE"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org",
            "mx.example.org"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "D2D459605C: Used TLS for smtp-in.example.com[5.6.7.8]:25",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "5.6.7.8",
        "domain": "smtp-in.example.com",
        "ip": "5.6.7.8",
        "port": 25
    },
    "log": {
        "syslog": {
            "appname": "postfix"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp-in.example.com"
        ],
        "ip": [
            "5.6.7.8"
        ]
    }
}
{
    "message": "581B85F5B3: warning: header Content-Disposition: inline; filename=\"\"image018.png\"\"; size=162328;??creation-date=\"\"Thu, 11 Apr 2024 07:53:08 GMT\"\";??modification-date=\"\"Thu, 11 Apr 2024 07:53:08 GMT\"\" from local; from=<jdoe@example.org> to=<jane.doe@example.com>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "file": {
        "name": "image018.png",
        "size": 162328
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "example.org"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "59B835F5AD: warning: header Content-Disposition: attachment;??filename=\"\"=?utf-8?B?111111111111111111111111111111111111111111111111111111111111?=? =?utf-8?B?222222222222222222222222222222222222222222222222222222222222?=? =?utf-8? from local; from=<jdoe@example.org> to=<jane.doe@example.com>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "example.org"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "EBA403F815: message-id=<74c99d8a-eb8b-4045-ae8e-6d3f6d51b41d@example.org>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "74c99d8a-eb8b-4045-ae8e-6d3f6d51b41d@example.org"
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    }
}
{
    "message": "000FA5FD8F: prepend: header From: John Doe <jdoe@example.org> from localhost[127.0.0.1]; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: TRUE",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix-nospam/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "smtp.example.org"
        ],
        "ip": [
            "127.0.0.1"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "127.0.0.1",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "008BB5FD76: prepend: header From: =?UTF-8?q?Cellier_du_P=C3=A9rigord?=??<newsletter@wine.com> from localhost[127.0.0.1]; from=<newsletter@wine.com> to=<jdoe@example.org> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: FALSE",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "from": {
            "address": [
                "newsletter@wine.com"
            ]
        },
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix-nospam/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org",
            "smtp.example.org"
        ],
        "ip": [
            "127.0.0.1"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "127.0.0.1",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "action=greylist, reason=early-retry (10s missing), client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "early-retry (10s missing)",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "greylist",
        "outcome": "success",
        "outcome_reason": "early-retry (10s missing)",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "mx.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "action=greylist, reason=new, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "new",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "greylist",
        "outcome": "success",
        "outcome_reason": "new",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "mx.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "action=greylist, reason=new, client_name=unknown, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "new",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "greylist",
        "outcome": "success",
        "outcome_reason": "new",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "example.org",
        "ip": "1.2.3.4"
    }
}
{
    "message": "action=pass, reason=client AWL, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "client AWL",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "client AWL",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "mx.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "action=pass, reason=client whitelist, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "client whitelist",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "client whitelist",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "mx.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "action=pass, reason=triplet found, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "triplet found",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "triplet found",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "mx.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "whitelisted: mx.example.org[1.2.3.4/32]",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "whitelisted: unknown[1.2.3.4/32]",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "89BE920002: from=<test1@acme.com>, size=152518, nrcpt=1 (queue active)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "test1@acme.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/qmgr"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "acme.com"
        ]
    },
    "source": {
        "address": "acme.com",
        "domain": "acme.com",
        "registered_domain": "acme.com",
        "top_level_domain": "com"
    }
}
{
    "message": "074955F67C: from=<bounce+41deb4.277afa-Heather.STEWART=corp.com@hrd.corp.com>, size=4303, nrcpt=1 (queue active)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "bounce+41deb4.277afa-Heather.STEWART=corp.com@hrd.corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/qmgr"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "hrd.corp.com"
        ]
    },
    "source": {
        "address": "hrd.corp.com",
        "domain": "hrd.corp.com",
        "registered_domain": "corp.com",
        "subdomain": "hrd",
        "top_level_domain": "com"
    }
}
{
    "message": "CA9311112C08: to=<f.lastname@corp.com>, relay=srv.corp.com[1.1.1.1]:25, delay=8.4, delays=7.6/0/0.31/0.47, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4TwNdH5zwCz7fxV) 257",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "outcome_reason": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "1.1.1.1",
        "domain": "srv.corp.com",
        "ip": "1.1.1.1",
        "port": 25
    },
    "email": {
        "to": {
            "address": [
                "f.lastname@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "srv.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    }
}
{
    "message": "56E28C0007: to=<rob@exemple.com>, relay=1.1.1.1[1.1.1.1]:10025, delay=0.63, delays=0.57/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DF82A21108)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "outcome_reason": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "1.1.1.1",
        "domain": "1.1.1.1",
        "ip": "1.1.1.1",
        "port": 10025
    },
    "email": {
        "to": {
            "address": [
                "rob@exemple.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1.1.1.1"
        ],
        "ip": [
            "1.1.1.1"
        ]
    }
}
{
    "message": "95BCC140E40: replace: header From: EXAMPLE <[hola@example.org](mailto:hola@example.org)>: From: [noreply@example.org](mailto:noreply@example.org)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "hola@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "headers": {
            "from": [
                "EXAMPLE <[hola@example.org](mailto:hola@example.org)>",
                "[noreply@example.org](mailto:noreply@example.org)"
            ]
        }
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "95BCC140E40: replace: header From: Example Mailbox <[test@example.org](mailto:test@example.org)>: From: [noreply@example.org](mailto:noreply@example.org)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "test@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "headers": {
            "from": [
                "Example Mailbox <[test@example.org](mailto:test@example.org)>",
                "[noreply@example.org](mailto:noreply@example.org)"
            ]
        }
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "2F46A140256: replace: header From: \"Example Help\" <help@example.org: From: [help@example.org](mailto:help@example.org)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "<help@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "headers": {
            "from": [
                "\"Example Help\" <help@example.org",
                "[help@example.org](mailto:help@example.org)"
            ]
        }
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure",
    "event": {
        "category": [
            "email"
        ],
        "reason": "SASL LOGIN authentication failed: authentication failure",
        "type": [
            "info"
        ]
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "11.22.33.44"
        ]
    },
    "source": {
        "address": "11.22.33.44",
        "ip": "11.22.33.44"
    }
}
{
    "message": "175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "foreman-proxy"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    }
}
{
    "message": "1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "dmarc@example.org"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    }
}
{
    "message": "7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "outcome_reason": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 10025
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "-"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "05BC43F81E: host mx.example.org[5.6.7.8] said: 421 4.3.0 Upstream error, please check https://example.com/email-routing/postmaster for possible reasons why. yrtPbwx4hZz2 (in reply to end of DATA command)",
    "event": {
        "category": [
            "email"
        ],
        "reason": "Upstream error, please check https://example.com/email-routing/postmaster for possible reasons why. yrtPbwx4hZz2 (in reply to end of DATA command)",
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "5.6.7.8",
        "domain": "mx.example.org",
        "ip": "5.6.7.8"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "5.6.7.8"
        ]
    }
}
{
    "message": "30D713F81F: host mx.example.org[5.6.7.8] said: 450 4.1.1 <abuse@example.com>: Recipient address rejected: unverified address: Mailbox might be disabled, full, or may not exist on the server. Reason: JFE030050 (in reply to RCPT TO command)",
    "event": {
        "category": [
            "email"
        ],
        "reason": "<abuse@example.com>: Recipient address rejected: unverified address: Mailbox might be disabled, full, or may not exist on the server. Reason: JFE030050 (in reply to RCPT TO command)",
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "5.6.7.8",
        "domain": "mx.example.org",
        "ip": "5.6.7.8"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "5.6.7.8"
        ]
    }
}
{
    "message": "connect to mx.example.org[5.6.7.8]:25: No route to host",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "5.6.7.8",
        "domain": "mx.example.org",
        "ip": "5.6.7.8",
        "port": 25
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "5.6.7.8"
        ]
    }
}
{
    "message": "connect to mail.corp.com[1.1.1.1]:25: Connection timed out 125",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "1.1.1.1",
        "domain": "mail.corp.com",
        "ip": "1.1.1.1",
        "port": 25
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mail.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    }
}
{
    "message": "96887C0006: to=<rob@exemple.com>, relay=exemple.com[1.1.1.1]:25, delay=354776, delays=354775/0/0.9/0.16, dsn=4.3.1, status=deferred (host exemple.com[1.1.1.1] said: 452 4.3.1 Insufficient system storage (in reply to MAIL FROM command))",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "deferred",
        "outcome": "success",
        "outcome_reason": "The recipient`s mail server is experiencing a Disk Full condition",
        "target": "network-traffic"
    },
    "destination": {
        "address": "1.1.1.1",
        "domain": "exemple.com",
        "ip": "1.1.1.1",
        "port": 25
    },
    "email": {
        "to": {
            "address": [
                "rob@exemple.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "exemple.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    }
}
{
    "message": "021C03F820: filter: RCPT from mx.example.org[192.168.100.124]: <mx.example.org[192.168.100.124]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<mx.example.com>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "mx.example.com"
        ],
        "ip": [
            "192.168.100.124"
        ]
    },
    "source": {
        "address": "mx.example.com",
        "domain": "mx.example.com",
        "ip": "192.168.100.124",
        "registered_domain": "example.com",
        "subdomain": "mx",
        "top_level_domain": "com"
    }
}
{
    "message": "lost connection after BDAT from mx.example.org[192.168.100.124]",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "lost connection",
        "outcome": "success",
        "target": "network-traffic",
        "type": "BDAT"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "192.168.100.124"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "192.168.100.124",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "warning: hostname mx.example.org does not resolve to address 5.6.7.8: Name or service not known",
    "event": {
        "category": [
            "email"
        ],
        "reason": "Name or service not known",
        "type": [
            "info"
        ]
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "5.6.7.8"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "5.6.7.8",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "warning: mx.example.org[192.168.100.132]: SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@exmaple.org",
    "event": {
        "category": [
            "email"
        ],
        "reason": "SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@exmaple.org",
        "type": [
            "info"
        ]
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "192.168.100.132"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "192.168.100.132",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "lost connection after AUTH from unknown[1.1.1.1]",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "lost connection",
        "outcome": "success",
        "target": "network-traffic",
        "type": "AUTH"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "1.1.1.1",
        "ip": "1.1.1.1"
    }
}
{
    "message": "connect from unknown[10.1.1.1] 88",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "connect",
        "outcome": "success",
        "target": "network-traffic"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "10.1.1.1"
        ]
    },
    "source": {
        "address": "10.1.1.1",
        "ip": "10.1.1.1"
    }
}
{
    "message": "Trusted TLS connection established from mail.outbound.protection.outlook.com[1.1.1.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mail.outbound.protection.outlook.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "mail.outbound.protection.outlook.com",
        "domain": "mail.outbound.protection.outlook.com",
        "ip": "1.1.1.1",
        "registered_domain": "outlook.com",
        "subdomain": "mail.outbound.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "Trusted TLS connection established to mx.corp.com[1.1.1.1]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "1.1.1.1",
        "domain": "mx.corp.com",
        "ip": "1.1.1.1",
        "port": 25
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    }
}
{
    "message": "Trusted TLS connection established to 127.0.0.1[127.0.0.1]:10025: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 201",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 10025
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID scantime=3.4,size=120289,user=debian-spamd,uid=119,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=44944,mid=<11111111111111@uexample.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<11111111111111@uexample.org>"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 44944
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_HOTMAIL_RCVD2,FREEMAIL_FROM,HTML_IMAGE_RATIO_04,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.7,size=102578,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45880,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 45880
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,SPF_PASS,T_FREEMAIL_DOC_PDF scantime=4.7,size=2252595,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=49594,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 49594
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - DMARC_PASS,MIME_HEADER_CTYPE_ONLY,MISSING_DATE,MISSING_MID,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=4260,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=46436,mid=(unknown),autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "(unknown)"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 46436
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=8094,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=39504,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 39504
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=61589,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=37172,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 37172
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_08,HTML_MESSAGE,LOTS_OF_MONEY,MIME_HTML_MOSTLY,MPART_ALT_DIFF,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=164381,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=56082,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 56082
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,HTML_OBFUSCATE_05_10,MIME_HTML_ONLY,SPF_HELO_PASS,SPF_PASS scantime=2.5,size=1572,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=51336,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 51336
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -6 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=7882,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33278,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 33278
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: connection from test.com [127.0.0.1]:33620 to port 783, fd 5",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "port": 783
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "test.com"
        ],
        "ip": [
            "127.0.0.1"
        ]
    },
    "source": {
        "address": "test.com",
        "domain": "test.com",
        "ip": "127.0.0.1",
        "port": 33620,
        "registered_domain": "test.com",
        "top_level_domain": "com"
    }
}
{
    "message": "spamd: connection from mx.example.org [127.0.0.1]:33620 to port 783, fd 5",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "port": 783
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "127.0.0.1"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "127.0.0.1",
        "port": 33620,
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "spamd: connection from example.org [127.0.0.1]:53684 to port 783, fd 5",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "port": 783
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "127.0.0.1"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "ip": "127.0.0.1",
        "port": 53684,
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "spamd: processing message <!&!AAAAAAAAAAAYAAAAAAAAA111111111111111111111111111111111/22222222222222/u47tEBAAAAAA==@example.org> for debian-spamd:118",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "!&!AAAAAAAAAAAYAAAAAAAAA111111111111111111111111111111111/22222222222222/u47tEBAAAAAA==@example.org"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    }
}
{
    "message": "spamd: processing message <!&!AAAAAAAAAAAuAAAAAAAAAOC333333333333333333333333333333333333333q555555555555555555555555555555555555555555555555=@yahoo.fr> for debian-spamd:117",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "!&!AAAAAAAAAAAuAAAAAAAAAOC333333333333333333333333333333333333333q555555555555555555555555555555555555555555555555=@yahoo.fr"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    }
}
{
    "message": "spamd: processing message <0113018ecc14540b-4a312890-d3e4-4332-887c-1d5be7521aa1-000000@eu-west-3.amazonses.com> for debian-spamd:118",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "0113018ecc14540b-4a312890-d3e4-4332-887c-1d5be7521aa1-000000@eu-west-3.amazonses.com"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    }
}
{
    "message": "spamd: processing message <55555555555555555555555555555555555-8nmAAKsF_9_U+fg@mail.gmail.com> for debian-spamd:118",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "55555555555555555555555555555555555-8nmAAKsF_9_U+fg@mail.gmail.com"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    }
}
{
    "message": "spamd: processing message <66666666666666666666666666666666666666@EXAMPLE.PROD.OUTLOOK.COM> for debian-spamd:117",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "66666666666666666666666666666666666666@EXAMPLE.PROD.OUTLOOK.COM"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    }
}
{
    "message": "spamd: result: . -1 - AC_DIV_BONANZA,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,URI_NOVOWEL scantime=3.2,size=209868,user=debian-spamd,uid=117,required_score=5.0,rhost=test.host.test,raddr=127.0.0.1,rport=44702,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "test.host.test"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "test.host.test",
        "domain": "test.host.test",
        "ip": "127.0.0.1",
        "port": 44702,
        "subdomain": "test.host"
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - ANY_BOUNCE_MESSAGE,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,OOOBOUNCE_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.7,size=14228,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=36236,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 36236
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - APOSTROPHE_FROM,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=4.9,size=575869,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=41352,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 41352
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - DEAR_SOMETHING,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,PDS_BTC_ID,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_NONE scantime=5.3,size=468649,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=42678,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 42678
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - DEAR_SOMETHING,DMARC_PASS,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=3254,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45060,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 45060
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.3,size=10467,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45920,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 45920
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - DKIM_INVALID,DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,T_REMOTE_IMAGE scantime=2.9,size=65264,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33254,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 33254
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "statistics: max connection count 10 for (smtp:1.2.3.4) at Sep 11 10:47:30",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "2298F5F619: to=<admin@corp.com>, relay=none, delay=89758, delays=89758/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.corp.com[1.1.1.1]:25: Connection timed out) 215",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "deferred",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "corp.com",
        "domain": "corp.com",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    },
    "email": {
        "to": {
            "address": [
                "admin@corp.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "corp.com"
        ]
    }
}
{
    "message": "11FDF5F62A: to=<USER@sub.corp.com>, relay=local, delay=80181, delays=80181/0.02/0/0, dsn=4.0.0, status=deferred (user lookup error)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "deferred",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "sub.corp.com",
        "domain": "sub.corp.com",
        "registered_domain": "corp.com",
        "subdomain": "sub",
        "top_level_domain": "com"
    },
    "email": {
        "to": {
            "address": [
                "USER@sub.corp.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "sub.corp.com"
        ]
    }
}
{
    "message": "3D770111AF50: to=<username@corp.com>, relay=none, delay=1.2, delays=1.1/0/0.03/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=corp.com type=AAAA: Host not found)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "bounced",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "corp.com",
        "domain": "corp.com",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    },
    "email": {
        "to": {
            "address": [
                "username@corp.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "corp.com"
        ]
    }
}
{
    "message": "77EFFC0015: warning: header Content-Disposition: inline; filename=\"image003.jpg\"; size=26055;??creation-date=\"Thu, 12 Sep 2019 12:39:01 GMT\";??modification-date=\"Thu, 12 Sep 2019 12:40:01 GMT\" from mail.outbound.protection.outlook.com[1.1.1.1]; from=<> to=<john.doe@exemple.com> proto=ESMTP helo=<NAM03.outbound.protection.outlook.com>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "exemple.com",
        "domain": "exemple.com",
        "registered_domain": "exemple.com",
        "top_level_domain": "com"
    },
    "email": {
        "to": {
            "address": [
                "john.doe@exemple.com"
            ]
        }
    },
    "file": {
        "created": "2019-09-12T12:39:01Z",
        "ctime": "2019-09-12T12:40:01Z",
        "name": "image003.jpg",
        "size": 26055
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "exemple.com",
            "mail.outbound.protection.outlook.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "mail.outbound.protection.outlook.com",
        "domain": "mail.outbound.protection.outlook.com",
        "ip": "1.1.1.1",
        "registered_domain": "outlook.com",
        "subdomain": "mail.outbound.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "3D770111AF50: warning: header Subject: Manquants LASTNAME GB Nouvelle version from unknown[10.1.1.1]; from=<foo@corp.com> to=<first.last@corp.com> proto=ESMTP helo=<SUBDOMAIN.CORP.COM>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "corp.com",
        "domain": "corp.com",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "foo@corp.com"
            ]
        },
        "to": {
            "address": [
                "first.last@corp.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "SUBDOMAIN.CORP.COM",
            "corp.com"
        ],
        "ip": [
            "10.1.1.1"
        ]
    },
    "source": {
        "address": "SUBDOMAIN.CORP.COM",
        "domain": "SUBDOMAIN.CORP.COM",
        "ip": "10.1.1.1",
        "registered_domain": "CORP.COM",
        "subdomain": "SUBDOMAIN",
        "top_level_domain": "COM"
    }
}
{
    "message": "2CE6C111AF50: warning: header Subject: =?ISO-8859-1?Q?Pb_FTP_=3A_999_Aucune_action_effectu=E9e?= from unknown[10.1.1.1]; from=<email@corp.com> to=<email@corp.com> proto=ESMTP helo=<SUBDOMAIN.CORP.COM> 279",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "corp.com",
        "domain": "corp.com",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "email@corp.com"
            ]
        },
        "to": {
            "address": [
                "email@corp.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "SUBDOMAIN.CORP.COM",
            "corp.com"
        ],
        "ip": [
            "10.1.1.1"
        ]
    },
    "source": {
        "address": "SUBDOMAIN.CORP.COM",
        "domain": "SUBDOMAIN.CORP.COM",
        "ip": "10.1.1.1",
        "registered_domain": "CORP.COM",
        "subdomain": "SUBDOMAIN",
        "top_level_domain": "COM"
    }
}
{
    "message": "B4B613F8B7: warning: header Content-Disposition: inline; filename=\"image001.png\"; size=8879;??creation-date=\"Thu, 14 Mar 2024 10:19:00 GMT\";??modification-date=\"Thu, 14 Mar 2024 10:19:00 GMT\" from subdomain.key.corp.com[1.1.1.1]; from=<ndr.journaling@corp.com> to=<corp@office365.eu.vadesecure.com> proto=ESMTP helo=<subdomain.key.corp.com>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "office365.eu.vadesecure.com",
        "domain": "office365.eu.vadesecure.com",
        "registered_domain": "vadesecure.com",
        "subdomain": "office365.eu",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "ndr.journaling@corp.com"
            ]
        },
        "to": {
            "address": [
                "corp@office365.eu.vadesecure.com"
            ]
        }
    },
    "file": {
        "created": "2024-03-14T10:19:00Z",
        "ctime": "2024-03-14T10:19:00Z",
        "name": "image001.png",
        "size": 8879
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "office365.eu.vadesecure.com",
            "subdomain.key.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "subdomain.key.corp.com",
        "domain": "subdomain.key.corp.com",
        "ip": "1.1.1.1",
        "registered_domain": "corp.com",
        "subdomain": "subdomain.key",
        "top_level_domain": "com"
    }
}
{
    "message": "707A12000A: warning: header Content-Disposition: attachment;??filename=\"?iso-8859-2?q?representative_on_migration.pdf?=\"; size=259210;?? from local; from=<photo@mordor.com> to=<Pipin.touque@lacomte.net>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "lacomte.net",
        "domain": "lacomte.net",
        "registered_domain": "lacomte.net",
        "top_level_domain": "net"
    },
    "email": {
        "from": {
            "address": [
                "photo@mordor.com"
            ]
        },
        "to": {
            "address": [
                "Pipin.touque@lacomte.net"
            ]
        }
    },
    "file": {
        "name": "?iso-8859-2?q?representative_on_migration.pdf?=",
        "size": 259210
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "lacomte.net",
            "mordor.com"
        ]
    },
    "source": {
        "address": "mordor.com",
        "domain": "mordor.com",
        "registered_domain": "mordor.com",
        "top_level_domain": "com"
    }
}
{
    "message": "486D13F8B7: client=COMPUTER.sub.corp.com[1.1.1.1]",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "COMPUTER.sub.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "COMPUTER.sub.corp.com",
        "domain": "COMPUTER.sub.corp.com",
        "ip": "1.1.1.1",
        "registered_domain": "corp.com",
        "subdomain": "COMPUTER.sub",
        "top_level_domain": "com"
    }
}
{
    "message": "8116C5F683: action=pass, reason=client whitelist, client_name=mail-corp123.outbound.protection.outlook.com, client_address=1.1.1.1/32, sender=firstname.lastname@corp.fr, recipient=firstname.lastname@corp2.fr",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "client whitelist",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "client whitelist",
        "target": "network-traffic"
    },
    "destination": {
        "address": "corp2.fr",
        "domain": "corp2.fr",
        "registered_domain": "corp2.fr",
        "top_level_domain": "fr"
    },
    "email": {
        "from": {
            "address": [
                "firstname.lastname@corp.fr"
            ]
        },
        "to": {
            "address": [
                "firstname.lastname@corp2.fr"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "corp2.fr",
            "mail-corp123.outbound.protection.outlook.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "mail-corp123.outbound.protection.outlook.com",
        "domain": "mail-corp123.outbound.protection.outlook.com",
        "ip": "1.1.1.1",
        "registered_domain": "outlook.com",
        "subdomain": "mail-corp123.outbound.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "disconnect",
        "outcome": "success",
        "target": "network-traffic"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "1.1.1.1",
        "ip": "1.1.1.1"
    }
}
{
    "message": "53C2C140E40: host smtp.office365.com[1.1.1.1] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
        "type": [
            "info"
        ]
    },
    "action": {
        "outcome": "success",
        "outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped",
        "target": "network-traffic",
        "type": "end of DATA"
    },
    "destination": {
        "address": "1.1.1.1",
        "domain": "smtp.office365.com",
        "ip": "1.1.1.1"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "P212321.PROD.OUTLOOK.COM",
            "smtp.office365.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "P212321.PROD.OUTLOOK.COM",
        "domain": "P212321.PROD.OUTLOOK.COM",
        "registered_domain": "OUTLOOK.COM",
        "subdomain": "P212321.PROD",
        "top_level_domain": "COM"
    }
}
{
    "message": "53C2C140E40: host smtp.office365.com[52.97.201.210] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=1111111111111.US0394.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=1111111111111.US0394.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
        "type": [
            "info"
        ]
    },
    "action": {
        "outcome": "success",
        "outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped",
        "target": "network-traffic",
        "type": "end of DATA"
    },
    "destination": {
        "address": "52.97.201.210",
        "domain": "smtp.office365.com",
        "ip": "52.97.201.210"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1111111111111.US0394.PROD.OUTLOOK.COM",
            "smtp.office365.com"
        ],
        "ip": [
            "52.97.201.210"
        ]
    },
    "source": {
        "address": "1111111111111.US0394.PROD.OUTLOOK.COM",
        "domain": "1111111111111.US0394.PROD.OUTLOOK.COM",
        "registered_domain": "OUTLOOK.COM",
        "subdomain": "1111111111111.US0394.PROD",
        "top_level_domain": "COM"
    }
}
{
    "message": "disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "disconnect",
        "outcome": "success",
        "target": "network-traffic"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "localhost"
        ],
        "ip": [
            "127.0.0.1"
        ]
    },
    "source": {
        "address": "localhost",
        "domain": "localhost",
        "ip": "127.0.0.1"
    }
}
{
    "message": "disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7 93",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "disconnect",
        "outcome": "success",
        "target": "network-traffic"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "localhost"
        ],
        "ip": [
            "127.0.0.1"
        ]
    },
    "source": {
        "address": "localhost",
        "domain": "localhost",
        "ip": "127.0.0.1"
    }
}
{
    "message": "disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=2 data=1 quit=1 commands=6 137",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "disconnect",
        "outcome": "success",
        "target": "network-traffic"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "1.1.1.1",
        "ip": "1.1.1.1"
    }
}
{
    "message": "EF0B15F675: to=<firstname.lastname@corp.com>, relay=spamfilter, delay=4.2, delays=1.6/0/0/2.6, dsn=2.0.0, status=sent (delivered via spamfilter service) 148",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "corp.com",
        "domain": "corp.com",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    },
    "email": {
        "to": {
            "address": [
                "firstname.lastname@corp.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "corp.com"
        ]
    }
}
{
    "message": "dns: new_dns_packet: domain is utf8 flagged: ns1.example.org",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "ns1.example.org",
        "domain": "ns1.example.org",
        "registered_domain": "example.org",
        "subdomain": "ns1",
        "top_level_domain": "org"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "ns1.example.org"
        ]
    }
}
{
    "message": "175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "foreman-proxy"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    }
}
{
    "message": "1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "dmarc@example.org"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    }
}
{
    "message": "7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "outcome_reason": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 10025
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "B84078B26C7: to=<foreman-proxy@example.com>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "to": {
            "address": [
                "foreman-proxy@example.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "foreman-proxy"
    },
    "related": {
        "hosts": [
            "example.com"
        ]
    }
}
{
    "message": "B84078B26C7: to=proxy@example.localdomain, orig_to=sample.orig.to, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.localdomain",
        "domain": "example.localdomain",
        "subdomain": "example"
    },
    "email": {
        "to": {
            "address": [
                "proxy@example.localdomain"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "sample.orig.to"
    },
    "related": {
        "hosts": [
            "example.localdomain"
        ]
    }
}
{
    "message": "04B953035FC2: to=john.doe@example.org, orig_to=jane.doe@example.com, relay=127.0.0.1:2525, delay=0.44, delays=0.13/0/0.02/0.29, dsn=2.0.0, status=sent (250 Ok)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "ip": "127.0.0.1",
        "port": 2525,
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "john.doe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "jane.doe@example.com"
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "476295F5AD: message-id=<aaaaaaaaaa=@pm.me>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "aaaaaaaaaa=@pm.me"
    },
    "network": {
        "protocol": "smtp"
    }
}
{
    "message": "123456789: message-id=<foo@corp.com>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "foo@corp.com"
    },
    "network": {
        "protocol": "smtp"
    }
}
{
    "message": "NOQUEUE: filter: RCPT from foo.key.corp.com[192.168.1.1]: <foo.key.corp.com[192.168.1.1]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<foo.bar@subdomain.corp.com> to=<firstname.lastname@othercorp.com> proto=ESMTP helo=<foo.key.corp.com> 294",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "filter",
        "outcome": "success",
        "target": "network-traffic",
        "type": "RCPT"
    },
    "destination": {
        "address": "othercorp.com",
        "domain": "othercorp.com",
        "registered_domain": "othercorp.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "foo.bar@subdomain.corp.com"
            ]
        },
        "to": {
            "address": [
                "firstname.lastname@othercorp.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "foo.key.corp.com",
            "othercorp.com"
        ],
        "ip": [
            "192.168.1.1"
        ]
    },
    "source": {
        "address": "foo.key.corp.com",
        "domain": "foo.key.corp.com",
        "ip": "192.168.1.1",
        "registered_domain": "corp.com",
        "subdomain": "foo.key",
        "top_level_domain": "com"
    }
}
{
    "message": "NOQUEUE: filter: RCPT from HOSTNAME.key.corp.com[192.168.1.1]: <HOSTNAME.key.corp.com[192.168.1.1]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<firstname.firstname@subdomain.corp.com> to=<firstname.lastname@corp2.com> proto=ESMTP helo=<HOSTNAME.key.corp.com> 299",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "filter",
        "outcome": "success",
        "target": "network-traffic",
        "type": "RCPT"
    },
    "destination": {
        "address": "corp2.com",
        "domain": "corp2.com",
        "registered_domain": "corp2.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "firstname.firstname@subdomain.corp.com"
            ]
        },
        "to": {
            "address": [
                "firstname.lastname@corp2.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "HOSTNAME.key.corp.com",
            "corp2.com"
        ],
        "ip": [
            "192.168.1.1"
        ]
    },
    "source": {
        "address": "HOSTNAME.key.corp.com",
        "domain": "HOSTNAME.key.corp.com",
        "ip": "192.168.1.1",
        "registered_domain": "corp.com",
        "subdomain": "HOSTNAME.key",
        "top_level_domain": "com"
    }
}
{
    "message": "Anonymous TLS connection established to example.org[1.2.3.4]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "1.2.3.4",
        "domain": "example.org",
        "ip": "1.2.3.4",
        "port": 25
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    }
}
{
    "message": "action=pass, reason=triplet found, delay=2400, client_name=mordor.com, client_address=1.1.1.1, sender=mechant@mordor.com, recipient=Pipin.touque@lacomte.net",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "triplet found",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "triplet found",
        "target": "network-traffic"
    },
    "destination": {
        "address": "lacomte.net",
        "domain": "lacomte.net",
        "registered_domain": "lacomte.net",
        "top_level_domain": "net"
    },
    "email": {
        "from": {
            "address": [
                "mechant@mordor.com"
            ]
        },
        "to": {
            "address": [
                "Pipin.touque@lacomte.net"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "lacomte.net",
            "mordor.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "mordor.com",
        "domain": "mordor.com",
        "ip": "1.1.1.1",
        "registered_domain": "mordor.com",
        "top_level_domain": "com"
    }
}
{
    "message": "action=pass, reason=client AAA, client_name=example.com, client_address=1.2.3.4, sender=Coyotte@acme.com, recipient=BIPBIP.NEWMAN@acme.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "client AAA",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "client AAA",
        "target": "network-traffic"
    },
    "destination": {
        "address": "acme.com",
        "domain": "acme.com",
        "registered_domain": "acme.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "Coyotte@acme.com"
            ]
        },
        "to": {
            "address": [
                "BIPBIP.NEWMAN@acme.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "acme.com",
            "example.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.com",
        "domain": "example.com",
        "ip": "1.2.3.4",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    }
}
{
    "message": "E43D43F838: uid=117 from=<no-reply@example.org>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "no-reply@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "foreman-proxy"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    }
}
{
    "message": "1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "dmarc@example.org"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    }
}
{
    "message": "7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "outcome_reason": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 10025
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=ops@corp.com; receiver=<UNKNOWN>  Reject action: 550 5.7.23 210",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "ops@corp.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "corp.com",
        "domain": "corp.com",
        "ip": "1.1.1.1",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=<>; receiver=<UNKNOWN>  Reject action: 550 5.7.23",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "target": "network-traffic"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.outbound.protection.outlook.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.outbound.protection.outlook.com",
        "domain": "example.outbound.protection.outlook.com",
        "ip": "1.2.3.4",
        "registered_domain": "outlook.com",
        "subdomain": "example.outbound.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.com; receiver=<UNKNOWN>  Reject action: 550 5.7.23",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "outcome_reason": "SPF validation failed",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "noreply@example.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1.2.3.4"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "Neutral; identity=mailfrom; client-ip=1.2.3.4; helo=example.mail.protection.outlook.com; envelope-from=john.doem@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Neutral",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "john.doem@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.mail.protection.outlook.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.mail.protection.outlook.com",
        "domain": "example.mail.protection.outlook.com",
        "ip": "1.2.3.4",
        "registered_domain": "outlook.com",
        "subdomain": "example.mail.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "None; identity=helo; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1.2.3.4"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "Pass; identity=helo; client-ip=1.2.3.4; helo=mail.example.org; envelope-from=<>; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Pass",
        "outcome": "success",
        "target": "network-traffic"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mail.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mail.example.org",
        "domain": "mail.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mail",
        "top_level_domain": "org"
    }
}
{
    "message": "Pass; identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Pass",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.outbound.protection.outlook.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.outbound.protection.outlook.com",
        "domain": "example.outbound.protection.outlook.com",
        "ip": "1.2.3.4",
        "registered_domain": "outlook.com",
        "subdomain": "example.outbound.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "Permerror; identity=helo; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Permerror",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Permerror",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=no-reply@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Permerror",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "no-reply@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "Softfail; identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Softfail",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "noreply@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1.2.3.4"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=mx.example.com; envelope-from=prvs=30447fe13=no-reply@example.com; receiver=<UNKNOWN>  Reject action: 550 5.7.23",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "outcome_reason": "SPF validation failed",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "prvs=30447fe13=no-reply@example.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.com",
        "domain": "mx.example.com",
        "ip": "1.2.3.4",
        "registered_domain": "example.com",
        "subdomain": "mx",
        "top_level_domain": "com"
    }
}
{
    "message": "prepend Received-SPF: Fail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: Neutral (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "prepend Received-SPF",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: None (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1.2.3.4"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "prepend Received-SPF: None (no SPF record) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "prepend Received-SPF",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "prepend Received-SPF",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: Softfail (domain owner discourages use of this host) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "prepend Received-SPF",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "Action: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=11.22.33.44; helo=mta-11-22-33-44.example.or; envelope-from=doe@newsletter.example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "doe@newsletter.example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mta-11-22-33-44.example.or"
        ],
        "ip": [
            "11.22.33.44"
        ]
    },
    "source": {
        "address": "mta-11-22-33-44.example.or",
        "domain": "mta-11-22-33-44.example.or",
        "ip": "11.22.33.44",
        "subdomain": "mta-11-22-33-44.example"
    }
}
{
    "message": "Pass; identity=mailfrom; client-ip=1.1.1.1; helo=mail.corp.com; envelope-from=username@corp.com; receiver=<UNKNOWN> 131",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Pass",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "username@corp.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mail.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "mail.corp.com",
        "domain": "mail.corp.com",
        "ip": "1.1.1.1",
        "registered_domain": "corp.com",
        "subdomain": "mail",
        "top_level_domain": "com"
    }
}
{
    "message": "None; identity=helo; client-ip=1.1.1.1; helo=sub.corp.com; envelope-from=noreply@corp.com; receiver=<UNKNOWN> 128",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "noreply@corp.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "sub.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "sub.corp.com",
        "domain": "sub.corp.com",
        "ip": "1.1.1.1",
        "registered_domain": "corp.com",
        "subdomain": "sub",
        "top_level_domain": "com"
    }
}
{
    "message": "Softfail; identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=username@corp.com; receiver=<UNKNOWN> 120",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Softfail",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "username@corp.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "corp.com",
        "domain": "corp.com",
        "ip": "1.1.1.1",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: None (mailfrom) identity=mailfrom; client-ip=2.3.4.5; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>  Reject action: 550 5.7.23",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "outcome_reason": "SPF validation failed",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1.2.3.4"
        ],
        "ip": [
            "2.3.4.5"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "1.2.3.4",
        "ip": "2.3.4.5"
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: None (no SPF record) identity=helo; client-ip=2.3.4.5; helo=posta.example.org; envelope-from=<>; receiver=<UNKNOWN>  Reject action: 550 5.7.23",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "target": "network-traffic"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "posta.example.org"
        ],
        "ip": [
            "2.3.4.5"
        ]
    },
    "source": {
        "address": "posta.example.org",
        "domain": "posta.example.org",
        "ip": "2.3.4.5",
        "registered_domain": "example.org",
        "subdomain": "posta",
        "top_level_domain": "org"
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver=<UNKNOWN>  Reject action: 550 5.7.23",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "outcome_reason": "SPF validation failed",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.outbound.protection.outlook.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.outbound.protection.outlook.com",
        "domain": "example.outbound.protection.outlook.com",
        "ip": "1.2.3.4",
        "registered_domain": "outlook.com",
        "subdomain": "example.outbound.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "7B082110A6E0: host smtp.office365.com[40.101.136.242] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=EXAMPLE.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=EXAMPLE.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
        "type": [
            "info"
        ]
    },
    "action": {
        "outcome": "success",
        "outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped",
        "target": "network-traffic",
        "type": "end of DATA"
    },
    "destination": {
        "address": "40.101.136.242",
        "domain": "smtp.office365.com",
        "ip": "40.101.136.242"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "EXAMPLE.PROD.OUTLOOK.COM",
            "smtp.office365.com"
        ],
        "ip": [
            "40.101.136.242"
        ]
    },
    "source": {
        "address": "EXAMPLE.PROD.OUTLOOK.COM",
        "domain": "EXAMPLE.PROD.OUTLOOK.COM",
        "registered_domain": "OUTLOOK.COM",
        "subdomain": "EXAMPLE.PROD",
        "top_level_domain": "COM"
    }
}
{
    "message": "01B3A96050: Used TLS for 10.19.65.1[10.19.65.1]:587",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "10.19.65.1",
        "domain": "10.19.65.1",
        "ip": "10.19.65.1",
        "port": 587
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "10.19.65.1"
        ],
        "ip": [
            "10.19.65.1"
        ]
    }
}
{
    "message": "023069605C: Used TLS for smtp.example.org[163.172.55.8]:25",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "163.172.55.8",
        "domain": "smtp.example.org",
        "ip": "163.172.55.8",
        "port": 25
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "163.172.55.8"
        ]
    }
}
{
    "message": "NOQUEUE: client=unknown[10.100.0.3]",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "10.100.0.3",
        "ip": "10.100.0.3"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "10.100.0.3"
        ]
    }
}
{
    "message": "warning: read TCP map reply from 127.0.0.1:10030: unexpected EOF (Operation now in progress)",
    "event": {
        "category": [
            "email"
        ],
        "reason": "unexpected EOF (Operation now in progress)",
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "port": 10030
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "0A90996059: to=<sms@mail2sms.smsbox.net>, relay=localhost[127.0.0.1]:10025, conn_use=3, delay=5.2, delays=0/0/0/5.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0BF0C9605C)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "mail2sms.smsbox.net",
        "domain": "mail2sms.smsbox.net",
        "ip": "127.0.0.1",
        "port": 10025,
        "registered_domain": "smsbox.net",
        "subdomain": "mail2sms",
        "top_level_domain": "net"
    },
    "email": {
        "to": {
            "address": [
                "sms@mail2sms.smsbox.net"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mail2sms.smsbox.net"
        ],
        "ip": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "proxy-accept: END-OF-MESSAGE: 250 2.0.0 Ok: queued as 7949396087; from=<jdoe@example.org> to=<jane.doe@example.org> proto=ESMTP helo=<mx.example.org>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "accept",
        "outcome": "success",
        "target": "network-traffic",
        "type": "END-OF-MESSAGE"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org",
            "mx.example.org"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "D2D459605C: Used TLS for smtp-in.example.com[5.6.7.8]:25",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "5.6.7.8",
        "domain": "smtp-in.example.com",
        "ip": "5.6.7.8",
        "port": 25
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp-in.example.com"
        ],
        "ip": [
            "5.6.7.8"
        ]
    }
}
{
    "message": "581B85F5B3: warning: header Content-Disposition: inline; filename=\"\"image018.png\"\"; size=162328;??creation-date=\"\"Thu, 11 Apr 2024 07:53:08 GMT\"\";??modification-date=\"\"Thu, 11 Apr 2024 07:53:08 GMT\"\" from local; from=<jdoe@example.org> to=<jane.doe@example.com>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "file": {
        "name": "image018.png",
        "size": 162328
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "example.org"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "59B835F5AD: warning: header Content-Disposition: attachment;??filename=\"\"=?utf-8?B?111111111111111111111111111111111111111111111111111111111111?=? =?utf-8?B?222222222222222222222222222222222222222222222222222222222222?=? =?utf-8? from local; from=<jdoe@example.org> to=<jane.doe@example.com>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "example.org"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "EBA403F815: message-id=<74c99d8a-eb8b-4045-ae8e-6d3f6d51b41d@example.org>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "74c99d8a-eb8b-4045-ae8e-6d3f6d51b41d@example.org"
    },
    "network": {
        "protocol": "smtp"
    }
}
{
    "message": "000FA5FD8F: prepend: header From: John Doe <jdoe@example.org> from localhost[127.0.0.1]; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: TRUE",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "smtp.example.org"
        ],
        "ip": [
            "127.0.0.1"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "127.0.0.1",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "008BB5FD76: prepend: header From: =?UTF-8?q?Cellier_du_P=C3=A9rigord?=??<newsletter@wine.com> from localhost[127.0.0.1]; from=<newsletter@wine.com> to=<jdoe@example.org> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: FALSE",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "from": {
            "address": [
                "newsletter@wine.com"
            ]
        },
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org",
            "smtp.example.org"
        ],
        "ip": [
            "127.0.0.1"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "127.0.0.1",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "action=greylist, reason=early-retry (10s missing), client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "early-retry (10s missing)",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "greylist",
        "outcome": "success",
        "outcome_reason": "early-retry (10s missing)",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "mx.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "action=greylist, reason=new, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "new",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "greylist",
        "outcome": "success",
        "outcome_reason": "new",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "mx.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "action=greylist, reason=new, client_name=unknown, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "new",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "greylist",
        "outcome": "success",
        "outcome_reason": "new",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "example.org",
        "ip": "1.2.3.4"
    }
}
{
    "message": "action=pass, reason=client AWL, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "client AWL",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "client AWL",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "mx.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "action=pass, reason=client whitelist, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "client whitelist",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "client whitelist",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "mx.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "action=pass, reason=triplet found, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "triplet found",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "triplet found",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "mx.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "whitelisted: mx.example.org[1.2.3.4/32]",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "whitelisted: unknown[1.2.3.4/32]",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "89BE920002: from=<test1@acme.com>, size=152518, nrcpt=1 (queue active)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "test1@acme.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "acme.com"
        ]
    },
    "source": {
        "address": "acme.com",
        "domain": "acme.com",
        "registered_domain": "acme.com",
        "top_level_domain": "com"
    }
}
{
    "message": "074955F67C: from=<bounce+41deb4.277afa-Heather.STEWART=corp.com@hrd.corp.com>, size=4303, nrcpt=1 (queue active)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "bounce+41deb4.277afa-Heather.STEWART=corp.com@hrd.corp.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "hrd.corp.com"
        ]
    },
    "source": {
        "address": "hrd.corp.com",
        "domain": "hrd.corp.com",
        "registered_domain": "corp.com",
        "subdomain": "hrd",
        "top_level_domain": "com"
    }
}
{
    "message": "CA9311112C08: to=<f.lastname@corp.com>, relay=srv.corp.com[1.1.1.1]:25, delay=8.4, delays=7.6/0/0.31/0.47, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4TwNdH5zwCz7fxV) 257",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "outcome_reason": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "1.1.1.1",
        "domain": "srv.corp.com",
        "ip": "1.1.1.1",
        "port": 25
    },
    "email": {
        "to": {
            "address": [
                "f.lastname@corp.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "srv.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    }
}
{
    "message": "56E28C0007: to=<rob@exemple.com>, relay=1.1.1.1[1.1.1.1]:10025, delay=0.63, delays=0.57/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DF82A21108)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "outcome_reason": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "1.1.1.1",
        "domain": "1.1.1.1",
        "ip": "1.1.1.1",
        "port": 10025
    },
    "email": {
        "to": {
            "address": [
                "rob@exemple.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1.1.1.1"
        ],
        "ip": [
            "1.1.1.1"
        ]
    }
}
{
    "message": "95BCC140E40: replace: header From: EXAMPLE <[hola@example.org](mailto:hola@example.org)>: From: [noreply@example.org](mailto:noreply@example.org)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "hola@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "headers": {
            "from": [
                "EXAMPLE <[hola@example.org](mailto:hola@example.org)>",
                "[noreply@example.org](mailto:noreply@example.org)"
            ]
        }
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "95BCC140E40: replace: header From: Example Mailbox <[test@example.org](mailto:test@example.org)>: From: [noreply@example.org](mailto:noreply@example.org)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "test@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "headers": {
            "from": [
                "Example Mailbox <[test@example.org](mailto:test@example.org)>",
                "[noreply@example.org](mailto:noreply@example.org)"
            ]
        }
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "2F46A140256: replace: header From: \"Example Help\" <help@example.org: From: [help@example.org](mailto:help@example.org)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "<help@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "headers": {
            "from": [
                "\"Example Help\" <help@example.org",
                "[help@example.org](mailto:help@example.org)"
            ]
        }
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure",
    "event": {
        "category": [
            "email"
        ],
        "reason": "SASL LOGIN authentication failed: authentication failure",
        "type": [
            "info"
        ]
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "11.22.33.44"
        ]
    },
    "source": {
        "address": "11.22.33.44",
        "ip": "11.22.33.44"
    }
}
{
    "message": "175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "foreman-proxy"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    }
}
{
    "message": "1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "dmarc@example.org"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    }
}
{
    "message": "7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "outcome_reason": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 10025
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "05BC43F81E: host mx.example.org[5.6.7.8] said: 421 4.3.0 Upstream error, please check https://example.com/email-routing/postmaster for possible reasons why. yrtPbwx4hZz2 (in reply to end of DATA command)",
    "event": {
        "category": [
            "email"
        ],
        "reason": "Upstream error, please check https://example.com/email-routing/postmaster for possible reasons why. yrtPbwx4hZz2 (in reply to end of DATA command)",
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "5.6.7.8",
        "domain": "mx.example.org",
        "ip": "5.6.7.8"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "5.6.7.8"
        ]
    }
}
{
    "message": "30D713F81F: host mx.example.org[5.6.7.8] said: 450 4.1.1 <abuse@example.com>: Recipient address rejected: unverified address: Mailbox might be disabled, full, or may not exist on the server. Reason: JFE030050 (in reply to RCPT TO command)",
    "event": {
        "category": [
            "email"
        ],
        "reason": "<abuse@example.com>: Recipient address rejected: unverified address: Mailbox might be disabled, full, or may not exist on the server. Reason: JFE030050 (in reply to RCPT TO command)",
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "5.6.7.8",
        "domain": "mx.example.org",
        "ip": "5.6.7.8"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "5.6.7.8"
        ]
    }
}
{
    "message": "connect to mx.example.org[5.6.7.8]:25: No route to host",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "5.6.7.8",
        "domain": "mx.example.org",
        "ip": "5.6.7.8",
        "port": 25
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "5.6.7.8"
        ]
    }
}
{
    "message": "connect to mail.corp.com[1.1.1.1]:25: Connection timed out 125",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "1.1.1.1",
        "domain": "mail.corp.com",
        "ip": "1.1.1.1",
        "port": 25
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mail.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    }
}
{
    "message": "96887C0006: to=<rob@exemple.com>, relay=exemple.com[1.1.1.1]:25, delay=354776, delays=354775/0/0.9/0.16, dsn=4.3.1, status=deferred (host exemple.com[1.1.1.1] said: 452 4.3.1 Insufficient system storage (in reply to MAIL FROM command))",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "deferred",
        "outcome": "success",
        "outcome_reason": "The recipient`s mail server is experiencing a Disk Full condition",
        "target": "network-traffic"
    },
    "destination": {
        "address": "1.1.1.1",
        "domain": "exemple.com",
        "ip": "1.1.1.1",
        "port": 25
    },
    "email": {
        "to": {
            "address": [
                "rob@exemple.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "exemple.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    }
}
{
    "message": "021C03F820: filter: RCPT from mx.example.org[192.168.100.124]: <mx.example.org[192.168.100.124]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<mx.example.com>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "mx.example.com"
        ],
        "ip": [
            "192.168.100.124"
        ]
    },
    "source": {
        "address": "mx.example.com",
        "domain": "mx.example.com",
        "ip": "192.168.100.124",
        "registered_domain": "example.com",
        "subdomain": "mx",
        "top_level_domain": "com"
    }
}
{
    "message": "lost connection after BDAT from mx.example.org[192.168.100.124]",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "lost connection",
        "outcome": "success",
        "target": "network-traffic",
        "type": "BDAT"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "192.168.100.124"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "192.168.100.124",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "warning: hostname mx.example.org does not resolve to address 5.6.7.8: Name or service not known",
    "event": {
        "category": [
            "email"
        ],
        "reason": "Name or service not known",
        "type": [
            "info"
        ]
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "5.6.7.8"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "5.6.7.8",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "warning: mx.example.org[192.168.100.132]: SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@exmaple.org",
    "event": {
        "category": [
            "email"
        ],
        "reason": "SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@exmaple.org",
        "type": [
            "info"
        ]
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "192.168.100.132"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "192.168.100.132",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "lost connection after AUTH from unknown[1.1.1.1]",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "lost connection",
        "outcome": "success",
        "target": "network-traffic",
        "type": "AUTH"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "1.1.1.1",
        "ip": "1.1.1.1"
    }
}
{
    "message": "connect from unknown[10.1.1.1] 88",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "connect",
        "outcome": "success",
        "target": "network-traffic"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "10.1.1.1"
        ]
    },
    "source": {
        "address": "10.1.1.1",
        "ip": "10.1.1.1"
    }
}
{
    "message": "Trusted TLS connection established from mail.outbound.protection.outlook.com[1.1.1.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mail.outbound.protection.outlook.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "mail.outbound.protection.outlook.com",
        "domain": "mail.outbound.protection.outlook.com",
        "ip": "1.1.1.1",
        "registered_domain": "outlook.com",
        "subdomain": "mail.outbound.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "Trusted TLS connection established to mx.corp.com[1.1.1.1]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "1.1.1.1",
        "domain": "mx.corp.com",
        "ip": "1.1.1.1",
        "port": 25
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    }
}
{
    "message": "Trusted TLS connection established to 127.0.0.1[127.0.0.1]:10025: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 201",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 10025
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID scantime=3.4,size=120289,user=debian-spamd,uid=119,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=44944,mid=<11111111111111@uexample.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<11111111111111@uexample.org>"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 44944
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_HOTMAIL_RCVD2,FREEMAIL_FROM,HTML_IMAGE_RATIO_04,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.7,size=102578,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45880,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 45880
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,SPF_PASS,T_FREEMAIL_DOC_PDF scantime=4.7,size=2252595,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=49594,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 49594
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - DMARC_PASS,MIME_HEADER_CTYPE_ONLY,MISSING_DATE,MISSING_MID,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=4260,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=46436,mid=(unknown),autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "(unknown)"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 46436
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=8094,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=39504,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 39504
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=61589,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=37172,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 37172
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_08,HTML_MESSAGE,LOTS_OF_MONEY,MIME_HTML_MOSTLY,MPART_ALT_DIFF,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=164381,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=56082,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 56082
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,HTML_OBFUSCATE_05_10,MIME_HTML_ONLY,SPF_HELO_PASS,SPF_PASS scantime=2.5,size=1572,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=51336,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 51336
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -6 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=7882,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33278,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 33278
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: connection from test.com [127.0.0.1]:33620 to port 783, fd 5",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "port": 783
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "test.com"
        ],
        "ip": [
            "127.0.0.1"
        ]
    },
    "source": {
        "address": "test.com",
        "domain": "test.com",
        "ip": "127.0.0.1",
        "port": 33620,
        "registered_domain": "test.com",
        "top_level_domain": "com"
    }
}
{
    "message": "spamd: connection from mx.example.org [127.0.0.1]:33620 to port 783, fd 5",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "port": 783
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "127.0.0.1"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "127.0.0.1",
        "port": 33620,
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "spamd: connection from example.org [127.0.0.1]:53684 to port 783, fd 5",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "port": 783
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "127.0.0.1"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "ip": "127.0.0.1",
        "port": 53684,
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "spamd: processing message <!&!AAAAAAAAAAAYAAAAAAAAA111111111111111111111111111111111/22222222222222/u47tEBAAAAAA==@example.org> for debian-spamd:118",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "!&!AAAAAAAAAAAYAAAAAAAAA111111111111111111111111111111111/22222222222222/u47tEBAAAAAA==@example.org"
    },
    "network": {
        "protocol": "smtp"
    }
}
{
    "message": "spamd: processing message <!&!AAAAAAAAAAAuAAAAAAAAAOC333333333333333333333333333333333333333q555555555555555555555555555555555555555555555555=@yahoo.fr> for debian-spamd:117",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "!&!AAAAAAAAAAAuAAAAAAAAAOC333333333333333333333333333333333333333q555555555555555555555555555555555555555555555555=@yahoo.fr"
    },
    "network": {
        "protocol": "smtp"
    }
}
{
    "message": "spamd: processing message <0113018ecc14540b-4a312890-d3e4-4332-887c-1d5be7521aa1-000000@eu-west-3.amazonses.com> for debian-spamd:118",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "0113018ecc14540b-4a312890-d3e4-4332-887c-1d5be7521aa1-000000@eu-west-3.amazonses.com"
    },
    "network": {
        "protocol": "smtp"
    }
}
{
    "message": "spamd: processing message <55555555555555555555555555555555555-8nmAAKsF_9_U+fg@mail.gmail.com> for debian-spamd:118",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "55555555555555555555555555555555555-8nmAAKsF_9_U+fg@mail.gmail.com"
    },
    "network": {
        "protocol": "smtp"
    }
}
{
    "message": "spamd: processing message <66666666666666666666666666666666666666@EXAMPLE.PROD.OUTLOOK.COM> for debian-spamd:117",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "66666666666666666666666666666666666666@EXAMPLE.PROD.OUTLOOK.COM"
    },
    "network": {
        "protocol": "smtp"
    }
}
{
    "message": "spamd: result: . -1 - AC_DIV_BONANZA,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,URI_NOVOWEL scantime=3.2,size=209868,user=debian-spamd,uid=117,required_score=5.0,rhost=test.host.test,raddr=127.0.0.1,rport=44702,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "test.host.test"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "test.host.test",
        "domain": "test.host.test",
        "ip": "127.0.0.1",
        "port": 44702,
        "subdomain": "test.host"
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - ANY_BOUNCE_MESSAGE,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,OOOBOUNCE_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.7,size=14228,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=36236,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 36236
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - APOSTROPHE_FROM,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=4.9,size=575869,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=41352,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 41352
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - DEAR_SOMETHING,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,PDS_BTC_ID,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_NONE scantime=5.3,size=468649,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=42678,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 42678
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - DEAR_SOMETHING,DMARC_PASS,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=3254,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45060,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 45060
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.3,size=10467,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45920,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 45920
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: result: . -1 - DKIM_INVALID,DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,T_REMOTE_IMAGE scantime=2.9,size=65264,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33254,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<111111111111111111111111111111111111@mx.example.org>"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 33254
    },
    "user": {
        "name": "debian-spamd"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
action.target keyword
destination.address keyword Destination network address.
destination.domain keyword The domain name of the destination.
destination.ip ip IP address of the destination.
destination.port long Port of the destination.
email.from.address keyword The sender's email address.
email.message_id wildcard Value from the Message-ID header.
email.to.address keyword Email address of recipient
event.category keyword Event category. The second categorization field in the hierarchy.
event.reason keyword Reason why this event happened, according to the source
event.type keyword Event type. The third categorization field in the hierarchy.
file.created date File creation time.
file.ctime date Last time the file attributes or metadata changed.
file.name keyword Name of the file including the extension, without the directory.
file.size long File size in bytes.
network.protocol keyword Application protocol name.
postfix.headers.from array
postfix.orig_to keyword
source.address keyword Source network address.
source.domain keyword The domain name of the source.
source.ip ip IP address of the source.
source.port long Port of the source.
user.name keyword Short name or login of the user.

For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.