Postfix
Overview
Postfix is a free and open-source mail transfer agent that routes and delivers electronic mail.
Event Categories
The following table lists the data source offered by this integration.
Data Source | Description |
---|---|
Email gateway |
Postfix logs many details on every handled message |
Mail server |
Postfix logs many details on every handled message |
In details, the following table denotes the type of events produced by this integration.
Name | Values |
---|---|
Kind | event |
Category | email |
Type | info |
Event Samples
Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "statistics: max connection count 10 for (smtp:1.2.3.4) at Sep 11 10:47:30",
"event": {
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "77EFFC0015: warning: header Content-Disposition: inline; filename=\"image003.jpg\"; size=26055;??creation-date=\"Thu, 12 Sep 2019 12:39:01 GMT\";??modification-date=\"Thu, 12 Sep 2019 12:40:01 GMT\" from mail.outbound.protection.outlook.com[52.100.135.105]; from=<> to=<john.doe@exemple.com> proto=ESMTP helo=<NAM03.outbound.protection.outlook.com>",
"event": {
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"email": {
"to": {
"address": [
"john.doe@exemple.com"
]
}
},
"file": {
"created": "2019-09-12T12:39:01Z",
"ctime": "2019-09-12T12:40:01Z",
"name": "image003.jpg",
"size": 26055
},
"network": {
"protocol": "ESMTP"
},
"related": {
"hosts": [
"mail.outbound.protection.outlook.com"
]
},
"source": {
"address": "52.100.135.105",
"domain": "mail.outbound.protection.outlook.com"
}
}
{
"message": "disconnect from unknown[170.20.104.2] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4",
"event": {
"category": [
"email"
],
"kind": "event",
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "disconnect",
"outcome": "success",
"target": "network-traffic"
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"170.20.104.2"
]
},
"source": {
"address": "170.20.104.2",
"ip": "170.20.104.2"
}
}
{
"message": "53C2C140E40: host smtp.office365.com[52.97.201.210] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
"event": {
"category": [
"email"
],
"kind": "event",
"outcome": "success",
"reason": "Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information.",
"type": [
"info"
]
},
"action": {
"outcome": "success",
"outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped",
"target": "network-traffic",
"type": "end of DATA"
},
"destination": {
"address": "52.97.201.210",
"domain": "smtp.office365.com",
"ip": "52.97.201.210"
},
"related": {
"hosts": [
"P212321.PROD.OUTLOOK.COM",
"smtp.office365.com"
],
"ip": [
"52.97.201.210"
]
},
"source": {
"address": "P212321.PROD.OUTLOOK.COM",
"domain": "P212321.PROD.OUTLOOK.COM",
"registered_domain": "OUTLOOK.COM",
"subdomain": "P212321.PROD",
"top_level_domain": "COM"
}
}
{
"message": "dns: new_dns_packet: domain is utf8 flagged: ns1.example.org",
"event": {
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"destination": {
"address": "ns1.example.org",
"domain": "ns1.example.org",
"registered_domain": "example.org",
"subdomain": "ns1",
"top_level_domain": "org"
},
"related": {
"hosts": [
"ns1.example.org"
]
}
}
{
"message": "707A12000A: warning: header Content-Disposition: attachment;??filename=\"?iso-8859-2?q?representative_on_migration.pdf?=\"; size=259210;?? from local; from=<photo@mordor.com> to=<Pipin.touque@lacomte.net>",
"event": {
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"photo@mordor.com"
]
},
"to": {
"address": [
"Pipin.touque@lacomte.net"
]
}
},
"file": {
"name": "?iso-8859-2?q?representative_on_migration.pdf?=",
"size": 259210
}
}
{
"message": "Anonymous TLS connection established to example.org[1.2.3.4]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)",
"event": {
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"destination": {
"address": "1.2.3.4",
"domain": "example.org",
"ip": "1.2.3.4",
"port": 25
},
"related": {
"hosts": [
"example.org"
],
"ip": [
"1.2.3.4"
]
}
}
{
"message": "action=pass, reason=triplet found, delay=2400, client_name=mordor.com, client_address=193.0.178.186, sender=mechant@mordor.com, recipient=Pipin.touque@lacomte.net",
"event": {
"category": [
"email"
],
"kind": "event",
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "triplet found",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"mechant@mordor.com"
]
},
"to": {
"address": [
"Pipin.touque@lacomte.net"
]
}
},
"related": {
"hosts": [
"mordor.com"
],
"ip": [
"193.0.178.186"
]
},
"source": {
"address": "193.0.178.186",
"domain": "mordor.com",
"ip": "193.0.178.186"
}
}
{
"message": "action=pass, reason=client AAA, client_name=example.com, client_address=1.2.3.4, sender=Coyotte@acme.com, recipient=BIPBIP.NEWMAN@acme.com",
"event": {
"category": [
"email"
],
"kind": "event",
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "client AAA",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"Coyotte@acme.com"
]
},
"to": {
"address": [
"BIPBIP.NEWMAN@acme.com"
]
}
},
"related": {
"hosts": [
"example.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"domain": "example.com",
"ip": "1.2.3.4"
}
}
{
"message": "Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=mx.example.com; envelope-from=prvs=30447fe13=no-reply@example.com; receiver=<UNKNOWN> Reject action: 550 5.7.23",
"event": {
"category": [
"email"
],
"kind": "event",
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"outcome_reason": "SPF validation failed",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"prvs=30447fe13=no-reply@example.com"
]
}
},
"related": {
"hosts": [
"mx.example.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"domain": "mx.example.com",
"ip": "1.2.3.4"
}
}
{
"message": "prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=11.22.33.44; helo=mta-11-22-33-44.example.or; envelope-from=doe@newsletter.example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"doe@newsletter.example.org"
]
}
},
"related": {
"hosts": [
"mta-11-22-33-44.example.or"
],
"ip": [
"11.22.33.44"
]
},
"source": {
"address": "11.22.33.44",
"domain": "mta-11-22-33-44.example.or",
"ip": "11.22.33.44"
}
}
{
"message": "89BE920002: from=<test1@acme.com>, size=152518, nrcpt=1 (queue active)",
"event": {
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"test1@acme.com"
]
}
}
}
{
"message": "56E28C0007: to=<rob@exemple.com>, relay=174.133.212.30[174.133.212.30]:10025, delay=0.63, delays=0.57/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DF82A21108)",
"event": {
"category": [
"email"
],
"kind": "event",
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"outcome_reason": "success",
"target": "network-traffic"
},
"destination": {
"address": "174.133.212.30",
"domain": "174.133.212.30",
"ip": "174.133.212.30",
"port": 10025
},
"email": {
"to": {
"address": [
"rob@exemple.com"
]
}
},
"related": {
"hosts": [
"174.133.212.30"
],
"ip": [
"174.133.212.30"
]
}
}
{
"message": "95BCC140E40: replace: header From: EXAMPLE <[hola@example.org](mailto:hola@example.org)>: From: [noreply@example.org](mailto:noreply@example.org)",
"event": {
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"hola@example.org"
]
}
}
}
{
"message": "warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure",
"event": {
"category": [
"email"
],
"kind": "event",
"reason": "SASL LOGIN authentication failed: authentication failure",
"type": [
"info"
]
},
"related": {
"ip": [
"11.22.33.44"
]
},
"source": {
"address": "11.22.33.44",
"ip": "11.22.33.44"
}
}
{
"message": "lost connection after AUTH from unknown[185.234.219.5]",
"event": {
"category": [
"email"
],
"kind": "event",
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "lost connection",
"outcome": "success",
"target": "network-traffic",
"type": "AUTH"
},
"related": {
"ip": [
"185.234.219.5"
]
},
"source": {
"address": "185.234.219.5",
"ip": "185.234.219.5"
}
}
{
"message": "96887C0006: to=<rob@exemple.com>, relay=exemple.com[174.133.212.29]:25, delay=354776, delays=354775/0/0.9/0.16, dsn=4.3.1, status=deferred (host exemple.com[174.133.212.29] said: 452 4.3.1 Insufficient system storage (in reply to MAIL FROM command))",
"event": {
"category": [
"email"
],
"kind": "event",
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "deferred",
"outcome": "success",
"outcome_reason": "The recipient`s mail server is experiencing a Disk Full condition",
"target": "network-traffic"
},
"destination": {
"address": "174.133.212.29",
"domain": "exemple.com",
"ip": "174.133.212.29",
"port": 25
},
"email": {
"to": {
"address": [
"rob@exemple.com"
]
}
},
"related": {
"hosts": [
"exemple.com"
],
"ip": [
"174.133.212.29"
]
}
}
{
"message": "Trusted TLS connection established from mail.outbound.protection.outlook.com[40.107.6.96]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
"event": {
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"related": {
"hosts": [
"mail.outbound.protection.outlook.com"
],
"ip": [
"40.107.6.96"
]
},
"source": {
"address": "40.107.6.96",
"domain": "mail.outbound.protection.outlook.com",
"ip": "40.107.6.96"
}
}
{
"message": "spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID scantime=3.4,size=120289,user=debian-spamd,uid=119,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=44944,mid=<11111111111111@uexample.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"email": {
"message_id": "<11111111111111@uexample.org>"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 44944
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: connection from example.org [127.0.0.1]:53684 to port 783, fd 5",
"event": {
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"destination": {
"port": 783
},
"related": {
"hosts": [
"example.org"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"ip": "127.0.0.1",
"port": 53684,
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
Name | Type | Description |
---|---|---|
action.target |
keyword |
|
destination.address |
keyword |
Destination network address. |
destination.domain |
keyword |
The domain name of the destination. |
destination.ip |
ip |
IP address of the destination. |
destination.port |
long |
Port of the destination. |
email.from.address |
keyword |
The sender's email address. |
email.message_id |
wildcard |
Value from the Message-ID header. |
email.to.address |
keyword |
Email address of recipient |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.kind |
keyword |
The kind of the event. The highest categorization field in the hierarchy. |
event.reason |
keyword |
Reason why this event happened, according to the source |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
file.created |
date |
File creation time. |
file.ctime |
date |
Last time the file attributes or metadata changed. |
file.name |
keyword |
Name of the file including the extension, without the directory. |
file.size |
long |
File size in bytes. |
network.protocol |
keyword |
Application protocol name. |
source.address |
keyword |
Source network address. |
source.domain |
keyword |
The domain name of the source. |
source.ip |
ip |
IP address of the source. |
source.port |
long |
Port of the source. |
user.name |
keyword |
Short name or login of the user. |
Configure
As of now, the main solution to collect Postfix logs leverages the Rsyslog recipe. Please share your experiences with other recipes by editing this documentation.
Rsyslog
Please refer to the documentation of Postfix to forward events to your rsyslog server. The reader can consult the Rsyslog Transport documentation to forward these logs to Sekoia.io.