
Postfix

Overview

Postfix is a free and open-source mail transfer agent that routes and delivers electronic mail.

Event Categories

The following table lists the data sources offered by this integration.

Data Source     Description
Email gateway   Postfix logs many details on every handled message
Mail server     Postfix logs many details on every handled message

In detail, the following table lists the type of events produced by this integration.

Name       Values
Kind       event
Category   email
Type       info

Event Samples

Below are a few samples of events and how they are normalized by Sekoia.io.

{
    "message": "statistics: max connection count 10 for (smtp:1.2.3.4) at Sep 11 10:47:30",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "77EFFC0015: warning: header Content-Disposition: inline; filename=\"image003.jpg\"; size=26055;??creation-date=\"Thu, 12 Sep 2019 12:39:01 GMT\";??modification-date=\"Thu, 12 Sep 2019 12:40:01 GMT\" from mail.outbound.protection.outlook.com[52.100.135.105]; from=<> to=<john.doe@exemple.com> proto=ESMTP helo=<NAM03.outbound.protection.outlook.com>",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "email": {
        "to": {
            "address": [
                "john.doe@exemple.com"
            ]
        }
    },
    "file": {
        "created": "2019-09-12T12:39:01Z",
        "ctime": "2019-09-12T12:40:01Z",
        "name": "image003.jpg",
        "size": 26055
    },
    "network": {
        "protocol": "ESMTP"
    },
    "related": {
        "hosts": [
            "mail.outbound.protection.outlook.com"
        ]
    },
    "source": {
        "address": "52.100.135.105",
        "domain": "mail.outbound.protection.outlook.com"
    }
}
{
    "message": "disconnect from unknown[170.20.104.2] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "disconnect",
        "outcome": "success",
        "target": "network-traffic"
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "170.20.104.2"
        ]
    },
    "source": {
        "address": "170.20.104.2",
        "ip": "170.20.104.2"
    }
}
{
    "message": "53C2C140E40: host smtp.office365.com[52.97.201.210] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "outcome": "success",
        "reason": "Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information.",
        "type": [
            "info"
        ]
    },
    "action": {
        "outcome": "success",
        "outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped",
        "target": "network-traffic",
        "type": "end of DATA"
    },
    "destination": {
        "address": "52.97.201.210",
        "domain": "smtp.office365.com",
        "ip": "52.97.201.210"
    },
    "related": {
        "hosts": [
            "P212321.PROD.OUTLOOK.COM",
            "smtp.office365.com"
        ],
        "ip": [
            "52.97.201.210"
        ]
    },
    "source": {
        "address": "P212321.PROD.OUTLOOK.COM",
        "domain": "P212321.PROD.OUTLOOK.COM",
        "registered_domain": "OUTLOOK.COM",
        "subdomain": "P212321.PROD",
        "top_level_domain": "COM"
    }
}
{
    "message": "dns: new_dns_packet: domain is utf8 flagged: ns1.example.org",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "ns1.example.org",
        "domain": "ns1.example.org",
        "registered_domain": "example.org",
        "subdomain": "ns1",
        "top_level_domain": "org"
    },
    "related": {
        "hosts": [
            "ns1.example.org"
        ]
    }
}
{
    "message": "707A12000A: warning: header Content-Disposition: attachment;??filename=\"?iso-8859-2?q?representative_on_migration.pdf?=\"; size=259210;?? from local; from=<photo@mordor.com> to=<Pipin.touque@lacomte.net>",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "photo@mordor.com"
            ]
        },
        "to": {
            "address": [
                "Pipin.touque@lacomte.net"
            ]
        }
    },
    "file": {
        "name": "?iso-8859-2?q?representative_on_migration.pdf?=",
        "size": 259210
    }
}
{
    "message": "Anonymous TLS connection established to example.org[1.2.3.4]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "1.2.3.4",
        "domain": "example.org",
        "ip": "1.2.3.4",
        "port": 25
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    }
}
{
    "message": "action=pass, reason=triplet found, delay=2400, client_name=mordor.com, client_address=193.0.178.186, sender=mechant@mordor.com, recipient=Pipin.touque@lacomte.net",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "triplet found",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "mechant@mordor.com"
            ]
        },
        "to": {
            "address": [
                "Pipin.touque@lacomte.net"
            ]
        }
    },
    "related": {
        "hosts": [
            "mordor.com"
        ],
        "ip": [
            "193.0.178.186"
        ]
    },
    "source": {
        "address": "193.0.178.186",
        "domain": "mordor.com",
        "ip": "193.0.178.186"
    }
}
{
    "message": "action=pass, reason=client AAA, client_name=example.com, client_address=1.2.3.4, sender=Coyotte@acme.com, recipient=BIPBIP.NEWMAN@acme.com",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "client AAA",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "Coyotte@acme.com"
            ]
        },
        "to": {
            "address": [
                "BIPBIP.NEWMAN@acme.com"
            ]
        }
    },
    "related": {
        "hosts": [
            "example.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "example.com",
        "ip": "1.2.3.4"
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=mx.example.com; envelope-from=prvs=30447fe13=no-reply@example.com; receiver=<UNKNOWN>  Reject action: 550 5.7.23",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "outcome_reason": "SPF validation failed",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "prvs=30447fe13=no-reply@example.com"
            ]
        }
    },
    "related": {
        "hosts": [
            "mx.example.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "mx.example.com",
        "ip": "1.2.3.4"
    }
}
{
    "message": "prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=11.22.33.44; helo=mta-11-22-33-44.example.or; envelope-from=doe@newsletter.example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "doe@newsletter.example.org"
            ]
        }
    },
    "related": {
        "hosts": [
            "mta-11-22-33-44.example.or"
        ],
        "ip": [
            "11.22.33.44"
        ]
    },
    "source": {
        "address": "11.22.33.44",
        "domain": "mta-11-22-33-44.example.or",
        "ip": "11.22.33.44"
    }
}
{
    "message": "89BE920002: from=<test1@acme.com>, size=152518, nrcpt=1 (queue active)",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "test1@acme.com"
            ]
        }
    }
}
{
    "message": "56E28C0007: to=<rob@exemple.com>, relay=174.133.212.30[174.133.212.30]:10025, delay=0.63, delays=0.57/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DF82A21108)",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "outcome_reason": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "174.133.212.30",
        "domain": "174.133.212.30",
        "ip": "174.133.212.30",
        "port": 10025
    },
    "email": {
        "to": {
            "address": [
                "rob@exemple.com"
            ]
        }
    },
    "related": {
        "hosts": [
            "174.133.212.30"
        ],
        "ip": [
            "174.133.212.30"
        ]
    }
}
{
    "message": "95BCC140E40: replace: header From: EXAMPLE <[hola@example.org](mailto:hola@example.org)>: From: [noreply@example.org](mailto:noreply@example.org)",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "hola@example.org"
            ]
        }
    }
}
{
    "message": "warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "reason": "SASL LOGIN authentication failed: authentication failure",
        "type": [
            "info"
        ]
    },
    "related": {
        "ip": [
            "11.22.33.44"
        ]
    },
    "source": {
        "address": "11.22.33.44",
        "ip": "11.22.33.44"
    }
}
{
    "message": "lost connection after AUTH from unknown[185.234.219.5]",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "lost connection",
        "outcome": "success",
        "target": "network-traffic",
        "type": "AUTH"
    },
    "related": {
        "ip": [
            "185.234.219.5"
        ]
    },
    "source": {
        "address": "185.234.219.5",
        "ip": "185.234.219.5"
    }
}
{
    "message": "96887C0006: to=<rob@exemple.com>, relay=exemple.com[174.133.212.29]:25, delay=354776, delays=354775/0/0.9/0.16, dsn=4.3.1, status=deferred (host exemple.com[174.133.212.29] said: 452 4.3.1 Insufficient system storage (in reply to MAIL FROM command))",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "deferred",
        "outcome": "success",
        "outcome_reason": "The recipient`s mail server is experiencing a Disk Full condition",
        "target": "network-traffic"
    },
    "destination": {
        "address": "174.133.212.29",
        "domain": "exemple.com",
        "ip": "174.133.212.29",
        "port": 25
    },
    "email": {
        "to": {
            "address": [
                "rob@exemple.com"
            ]
        }
    },
    "related": {
        "hosts": [
            "exemple.com"
        ],
        "ip": [
            "174.133.212.29"
        ]
    }
}
{
    "message": "Trusted TLS connection established from mail.outbound.protection.outlook.com[40.107.6.96]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "related": {
        "hosts": [
            "mail.outbound.protection.outlook.com"
        ],
        "ip": [
            "40.107.6.96"
        ]
    },
    "source": {
        "address": "40.107.6.96",
        "domain": "mail.outbound.protection.outlook.com",
        "ip": "40.107.6.96"
    }
}
{
    "message": "spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID scantime=3.4,size=120289,user=debian-spamd,uid=119,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=44944,mid=<11111111111111@uexample.org>,autolearn=disabled",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "<11111111111111@uexample.org>"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "debian-spamd"
        ]
    },
    "source": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 44944
    },
    "user": {
        "name": "debian-spamd"
    }
}
{
    "message": "spamd: connection from example.org [127.0.0.1]:53684 to port 783, fd 5",
    "event": {
        "category": [
            "email"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "destination": {
        "port": 783
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "127.0.0.1"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "ip": "127.0.0.1",
        "port": 53684,
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.

Name                  Type      Description
action.target         keyword
destination.address   keyword   Destination network address.
destination.domain    keyword   The domain name of the destination.
destination.ip        ip        IP address of the destination.
destination.port      long      Port of the destination.
email.from.address    keyword   The sender's email address.
email.message_id      wildcard  Value from the Message-ID header.
email.to.address      keyword   Email address of the recipient.
event.category        keyword   Event category. The second categorization field in the hierarchy.
event.kind            keyword   The kind of the event. The highest categorization field in the hierarchy.
event.reason          keyword   Reason why this event happened, according to the source.
event.type            keyword   Event type. The third categorization field in the hierarchy.
file.created          date      File creation time.
file.ctime            date      Last time the file attributes or metadata changed.
file.name             keyword   Name of the file including the extension, without the directory.
file.size             long      File size in bytes.
network.protocol      keyword   Application protocol name.
source.address        keyword   Source network address.
source.domain         keyword   The domain name of the source.
source.ip             ip        IP address of the source.
source.port           long      Port of the source.
user.name             keyword   Short name or login of the user.
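As an added example (not Sekoia.io's parser and not part of Postfix), the following Python script shows how the Postfix message forms seen in the event samples above can be normalized into the ECS-style fields listed in the table: it handles the disconnect, SASL authentication failure, delivery status and queue-entry lines, and then runs a simple check over the normalized events to surface a source IP with repeated SASL failures, which is what a defender would typically build on top of these fields. The regular expressions, the event.outcome mapping for deliveries that are not "sent", the failure threshold and the extra SASL lines in BRUTE_FORCE_LINES are this example's own assumptions and constructed input; the syslog header is assumed to have been stripped by the collector already.

```python
"""Normalize Postfix log lines into ECS-style fields.

Added example, not Sekoia.io's parser. Assumes the syslog header (timestamp,
host, 'postfix/smtpd[pid]:') was stripped by the collector and that queue IDs
are Postfix short-format (uppercase hex). Field names follow the Extracted
Fields table of this page.
"""
import re
from collections import Counter

# Message texts copied from the event samples on this page.
SAMPLE_LINES = [
    "disconnect from unknown[170.20.104.2] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4",
    "warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure",
    "56E28C0007: to=<rob@exemple.com>, relay=174.133.212.30[174.133.212.30]:10025, "
    "delay=0.63, delays=0.57/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DF82A21108)",
    "89BE920002: from=<test1@acme.com>, size=152518, nrcpt=1 (queue active)",
]

# Constructed input (not from the page) for the repeated-SASL-failure check.
BRUTE_FORCE_LINES = [
    "warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure",
    "warning: unknown[11.22.33.44]: SASL PLAIN authentication failed: authentication failure",
    "warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure",
    "warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure",
    "disconnect from unknown[11.22.33.44] ehlo=1 auth=0/3 quit=1 commands=2/5",
]

RE_QUEUE_ID = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
# "host[ip]" or "host[ip]:port", the way Postfix prints clients and relays
RE_CLIENT = re.compile(r"(?P<host>[^\s\[\]:]+)\[(?P<ip>[^\]]+)\](?::(?P<port>\d+))?")
RE_DISCONNECT = re.compile(r"^disconnect from (?P<client>\S+\[[^\]]+\])")
RE_SASL = re.compile(r"^warning: (?P<client>\S+\[[^\]]+\]): SASL (?P<mech>\S+) "
                     r"authentication failed: (?P<reason>.*)$")
RE_DELIVERY = re.compile(r"^to=<(?P<to>[^>]*)>, relay=(?P<relay>[^,]+), .*?dsn=(?P<dsn>[\d.]+), "
                         r"status=(?P<status>\w+) \((?P<detail>.*)\)$")
RE_QUEUED = re.compile(r"^from=<(?P<from>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")

# ECS event.outcome per Postfix delivery status; this mapping is the example's choice.
STATUS_OUTCOME = {"sent": "success", "bounced": "failure", "deferred": "unknown"}


def endpoint(client: str) -> dict:
    """Turn 'host[ip]:port' into address/domain/ip/port; 'unknown' hosts get no domain."""
    m = RE_CLIENT.fullmatch(client)
    if not m:
        return {"address": client}
    ep = {"address": m.group("ip"), "ip": m.group("ip")}
    if m.group("host") != "unknown":
        ep["domain"] = m.group("host")
    if m.group("port"):
        ep["port"] = int(m.group("port"))
    return ep


def add_related(event: dict, ep: dict) -> None:
    """Mirror an endpoint's ip/domain into related.ip and related.hosts."""
    rel = event.setdefault("related", {})
    if "ip" in ep:
        rel.setdefault("ip", []).append(ep["ip"])
    if "domain" in ep:
        rel.setdefault("hosts", []).append(ep["domain"])


def normalize(message: str) -> dict:
    """Return an ECS-style dict for one message; unrecognized forms keep only the base fields."""
    event = {"message": message,
             "event": {"category": ["email"], "kind": "event", "type": ["info"]}}
    body = message
    m = RE_QUEUE_ID.match(message)
    if m:  # "QUEUEID: ..." lines describe a queued message; parse what follows the id
        body = m.group("rest")

    if (m := RE_DISCONNECT.match(body)):
        event["source"] = endpoint(m.group("client"))
        event["network"] = {"protocol": "smtp"}
        event["event"]["outcome"] = "success"
        event["action"] = {"name": "disconnect", "outcome": "success", "target": "network-traffic"}
        add_related(event, event["source"])
    elif (m := RE_SASL.match(body)):
        event["source"] = endpoint(m.group("client"))
        event["event"]["reason"] = f"SASL {m.group('mech')} authentication failed: {m.group('reason')}"
        add_related(event, event["source"])
    elif (m := RE_DELIVERY.match(body)):
        outcome = STATUS_OUTCOME.get(m.group("status"), "unknown")
        event["destination"] = endpoint(m.group("relay"))
        event["email"] = {"to": {"address": [m.group("to")]}}
        event["event"]["outcome"] = outcome
        event["action"] = {"name": m.group("status"), "outcome": outcome,
                           "outcome_reason": m.group("detail"), "target": "network-traffic"}
        add_related(event, event["destination"])
    elif (m := RE_QUEUED.match(body)):
        event["email"] = {"from": {"address": [m.group("from")]}}
    return event


def sasl_failures_by_ip(events: list, threshold: int = 3) -> dict:
    """Source IPs with at least `threshold` SASL failures: a cheap password-guessing indicator."""
    counts = Counter(e["source"]["ip"] for e in events
                     if "source" in e and e["event"].get("reason", "").startswith("SASL "))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize(line))
    print(sasl_failures_by_ip([normalize(line) for line in BRUTE_FORCE_LINES]))
```

The queue id is stripped before matching because the same "to=..., relay=..., status=..." body appears behind different ids; in a real pipeline it would be kept for correlating the queue-entry line with its delivery line. Lines that match none of the patterns still produce the base event.category/kind/type fields, which is how the samples without action or source fields above are shaped.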

Configure

As of now, the main solution to collect Postfix logs leverages the Rsyslog recipe. Please share your experiences with other recipes by editing this documentation.

Rsyslog

Refer to the Postfix documentation to forward events to your rsyslog server, then consult the Rsyslog Transport documentation to forward these logs to Sekoia.io.