Postfix

Overview

Postfix is a free and open-source mail transfer agent that routes and delivers electronic mail.

The following Sekoia.io built-in rules match the Postfix intake. This documentation is updated automatically and is based solely on the fields used by the intake, which are checked against our rules. This means that some rules are listed even though they might not be relevant to this intake.

SEKOIA.IO x Postfix on ATT&CK Navigator

Burp Suite Tool Detected

Burp Suite is a cybersecurity tool. When used as a proxy, it intercepts packets so that they can be modified before being sent on to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (vulnerability scanner).

  • Effort: intermediate
Cryptomining

Detection of domain names potentially related to cryptomining activities.

  • Effort: master
Dynamic DNS Contacted

Detects communication with a dynamic DNS domain. This kind of domain is often used by attackers. This rule can trigger false positives in non-controlled environments because dynamic DNS is not always malicious.

  • Effort: master
Exfiltration Domain

Detects traffic toward a domain flagged as a possible exfiltration vector.

  • Effort: master
Potential DNS Tunnel

Detects domain names longer than 95 characters. Long domain names are characteristic of DNS tunnels.

  • Effort: advanced
RTLO Character

Detects the RTLO (Right-To-Left Override) character in file and process names.

  • Effort: elementary
Remote Access Tool Domain

Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).

  • Effort: master
SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary
Sekoia.io EICAR Detection

Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.

  • Effort: master
Suspicious Email Attachment Received

Detects emails containing an attachment with a .exe, .dll, .ps1, .bat or .hta extension. Most of the time, files of these types sent by email are malware.

  • Effort: elementary
TOR Usage Generic Rule

Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on the user's computer, usually the web browser, and shuffles it through a number of randomly chosen computers before passing it on to its destination. This disguises the user's location and makes it harder for servers to pick the user out on repeat visits or to tie together separate visits to different sites, thus making tracking and surveillance more difficult. Before a network packet starts its journey, the user's computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption before passing what is left on to the next relay in the list.

  • Effort: master
Telegram Bot API Request

Detects suspicious DNS queries to api.telegram.org, which is used by Telegram Bots of any kind.

  • Effort: advanced
WCE wceaux.dll Creation

Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.

  • Effort: intermediate

Event Categories

The following table lists the data sources offered by this integration.

| Data Source | Description |
| Email gateway | Postfix logs many details on every handled message |
| Mail server | Postfix logs many details on every handled message |

In detail, the following table lists the types of events produced by this integration.

| Name | Values |
| Kind | `` |
| Category | email |
| Type | info |

Event Samples

Below are a few samples of events and how they are normalized by Sekoia.io.

{
    "message": "statistics: max connection count 10 for (smtp:1.2.3.4) at Sep 11 10:47:30",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "log": {
        "syslog": {
            "appname": "postfix/anvil"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "2298F5F619: to=<admin@corp.com>, relay=none, delay=89758, delays=89758/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.corp.com[1.1.1.1]:25: Connection timed out) 215",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "deferred",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "corp.com",
        "domain": "corp.com",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    },
    "email": {
        "to": {
            "address": [
                "admin@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/error"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "corp.com"
        ]
    }
}
{
    "message": "11FDF5F62A: to=<USER@sub.corp.com>, relay=local, delay=80181, delays=80181/0.02/0/0, dsn=4.0.0, status=deferred (user lookup error)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "deferred",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "sub.corp.com",
        "domain": "sub.corp.com",
        "registered_domain": "corp.com",
        "subdomain": "sub",
        "top_level_domain": "com"
    },
    "email": {
        "to": {
            "address": [
                "USER@sub.corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/local"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "sub.corp.com"
        ]
    }
}
{
    "message": "3D770111AF50: to=<username@corp.com>, relay=none, delay=1.2, delays=1.1/0/0.03/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=corp.com type=AAAA: Host not found)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "bounced",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "corp.com",
        "domain": "corp.com",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    },
    "email": {
        "to": {
            "address": [
                "username@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "corp.com"
        ]
    }
}
{
    "message": "77EFFC0015: warning: header Content-Disposition: inline; filename=\"image003.jpg\"; size=26055;??creation-date=\"Thu, 12 Sep 2019 12:39:01 GMT\";??modification-date=\"Thu, 12 Sep 2019 12:40:01 GMT\" from mail.outbound.protection.outlook.com[1.1.1.1]; from=<> to=<john.doe@exemple.com> proto=ESMTP helo=<NAM03.outbound.protection.outlook.com>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "exemple.com",
        "domain": "exemple.com",
        "registered_domain": "exemple.com",
        "top_level_domain": "com"
    },
    "email": {
        "to": {
            "address": [
                "john.doe@exemple.com"
            ]
        }
    },
    "file": {
        "created": "2019-09-12T12:39:01Z",
        "ctime": "2019-09-12T12:40:01Z",
        "name": "image003.jpg",
        "size": 26055
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "exemple.com",
            "mail.outbound.protection.outlook.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "mail.outbound.protection.outlook.com",
        "domain": "mail.outbound.protection.outlook.com",
        "ip": "1.1.1.1",
        "registered_domain": "outlook.com",
        "subdomain": "mail.outbound.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "3D770111AF50: warning: header Subject: Manquants LASTNAME GB Nouvelle version from unknown[10.1.1.1]; from=<foo@corp.com> to=<first.last@corp.com> proto=ESMTP helo=<SUBDOMAIN.CORP.COM>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "corp.com",
        "domain": "corp.com",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "foo@corp.com"
            ]
        },
        "to": {
            "address": [
                "first.last@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "SUBDOMAIN.CORP.COM",
            "corp.com"
        ],
        "ip": [
            "10.1.1.1"
        ]
    },
    "source": {
        "address": "SUBDOMAIN.CORP.COM",
        "domain": "SUBDOMAIN.CORP.COM",
        "ip": "10.1.1.1",
        "registered_domain": "CORP.COM",
        "subdomain": "SUBDOMAIN",
        "top_level_domain": "COM"
    }
}
{
    "message": "2CE6C111AF50: warning: header Subject: =?ISO-8859-1?Q?Pb_FTP_=3A_999_Aucune_action_effectu=E9e?= from unknown[10.1.1.1]; from=<email@corp.com> to=<email@corp.com> proto=ESMTP helo=<SUBDOMAIN.CORP.COM> 279",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "corp.com",
        "domain": "corp.com",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "email@corp.com"
            ]
        },
        "to": {
            "address": [
                "email@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "SUBDOMAIN.CORP.COM",
            "corp.com"
        ],
        "ip": [
            "10.1.1.1"
        ]
    },
    "source": {
        "address": "SUBDOMAIN.CORP.COM",
        "domain": "SUBDOMAIN.CORP.COM",
        "ip": "10.1.1.1",
        "registered_domain": "CORP.COM",
        "subdomain": "SUBDOMAIN",
        "top_level_domain": "COM"
    }
}
{
    "message": "B4B613F8B7: warning: header Content-Disposition: inline; filename=\"image001.png\"; size=8879;??creation-date=\"Thu, 14 Mar 2024 10:19:00 GMT\";??modification-date=\"Thu, 14 Mar 2024 10:19:00 GMT\" from subdomain.key.corp.com[1.1.1.1]; from=<ndr.journaling@corp.com> to=<corp@office365.eu.vadesecure.com> proto=ESMTP helo=<subdomain.key.corp.com>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "office365.eu.vadesecure.com",
        "domain": "office365.eu.vadesecure.com",
        "registered_domain": "vadesecure.com",
        "subdomain": "office365.eu",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "ndr.journaling@corp.com"
            ]
        },
        "to": {
            "address": [
                "corp@office365.eu.vadesecure.com"
            ]
        }
    },
    "file": {
        "created": "2024-03-14T10:19:00Z",
        "ctime": "2024-03-14T10:19:00Z",
        "name": "image001.png",
        "size": 8879
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "office365.eu.vadesecure.com",
            "subdomain.key.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "subdomain.key.corp.com",
        "domain": "subdomain.key.corp.com",
        "ip": "1.1.1.1",
        "registered_domain": "corp.com",
        "subdomain": "subdomain.key",
        "top_level_domain": "com"
    }
}
{
    "message": "707A12000A: warning: header Content-Disposition: attachment;??filename=\"?iso-8859-2?q?representative_on_migration.pdf?=\"; size=259210;?? from local; from=<photo@mordor.com> to=<Pipin.touque@lacomte.net>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "lacomte.net",
        "domain": "lacomte.net",
        "registered_domain": "lacomte.net",
        "top_level_domain": "net"
    },
    "email": {
        "from": {
            "address": [
                "photo@mordor.com"
            ]
        },
        "to": {
            "address": [
                "Pipin.touque@lacomte.net"
            ]
        }
    },
    "file": {
        "name": "?iso-8859-2?q?representative_on_migration.pdf?=",
        "size": 259210
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "lacomte.net",
            "mordor.com"
        ]
    },
    "source": {
        "address": "mordor.com",
        "domain": "mordor.com",
        "registered_domain": "mordor.com",
        "top_level_domain": "com"
    }
}
{
    "message": "486D13F8B7: client=COMPUTER.sub.corp.com[1.1.1.1]",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "COMPUTER.sub.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "COMPUTER.sub.corp.com",
        "domain": "COMPUTER.sub.corp.com",
        "ip": "1.1.1.1",
        "registered_domain": "corp.com",
        "subdomain": "COMPUTER.sub",
        "top_level_domain": "com"
    }
}
{
    "message": "8116C5F683: action=pass, reason=client whitelist, client_name=mail-corp123.outbound.protection.outlook.com, client_address=1.1.1.1/32, sender=firstname.lastname@corp.fr, recipient=firstname.lastname@corp2.fr",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "client whitelist",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "client whitelist",
        "target": "network-traffic"
    },
    "destination": {
        "address": "corp2.fr",
        "domain": "corp2.fr",
        "registered_domain": "corp2.fr",
        "top_level_domain": "fr"
    },
    "email": {
        "from": {
            "address": [
                "firstname.lastname@corp.fr"
            ]
        },
        "to": {
            "address": [
                "firstname.lastname@corp2.fr"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "corp2.fr",
            "mail-corp123.outbound.protection.outlook.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "mail-corp123.outbound.protection.outlook.com",
        "domain": "mail-corp123.outbound.protection.outlook.com",
        "ip": "1.1.1.1",
        "registered_domain": "outlook.com",
        "subdomain": "mail-corp123.outbound.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "disconnect",
        "outcome": "success",
        "target": "network-traffic"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "1.1.1.1",
        "ip": "1.1.1.1"
    }
}
{
    "message": "53C2C140E40: host smtp.office365.com[1.1.1.1] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
        "type": [
            "info"
        ]
    },
    "action": {
        "outcome": "success",
        "outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped",
        "target": "network-traffic",
        "type": "end of DATA"
    },
    "destination": {
        "address": "1.1.1.1",
        "domain": "smtp.office365.com",
        "ip": "1.1.1.1"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "P212321.PROD.OUTLOOK.COM",
            "smtp.office365.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "P212321.PROD.OUTLOOK.COM",
        "domain": "P212321.PROD.OUTLOOK.COM",
        "registered_domain": "OUTLOOK.COM",
        "subdomain": "P212321.PROD",
        "top_level_domain": "COM"
    }
}
{
    "message": "53C2C140E40: host smtp.office365.com[52.97.201.210] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=1111111111111.US0394.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=1111111111111.US0394.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
        "type": [
            "info"
        ]
    },
    "action": {
        "outcome": "success",
        "outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped",
        "target": "network-traffic",
        "type": "end of DATA"
    },
    "destination": {
        "address": "52.97.201.210",
        "domain": "smtp.office365.com",
        "ip": "52.97.201.210"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1111111111111.US0394.PROD.OUTLOOK.COM",
            "smtp.office365.com"
        ],
        "ip": [
            "52.97.201.210"
        ]
    },
    "source": {
        "address": "1111111111111.US0394.PROD.OUTLOOK.COM",
        "domain": "1111111111111.US0394.PROD.OUTLOOK.COM",
        "registered_domain": "OUTLOOK.COM",
        "subdomain": "1111111111111.US0394.PROD",
        "top_level_domain": "COM"
    }
}
{
    "message": "disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "disconnect",
        "outcome": "success",
        "target": "network-traffic"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "localhost"
        ],
        "ip": [
            "127.0.0.1"
        ]
    },
    "source": {
        "address": "localhost",
        "domain": "localhost",
        "ip": "127.0.0.1"
    }
}
{
    "message": "disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7 93",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "disconnect",
        "outcome": "success",
        "target": "network-traffic"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "localhost"
        ],
        "ip": [
            "127.0.0.1"
        ]
    },
    "source": {
        "address": "localhost",
        "domain": "localhost",
        "ip": "127.0.0.1"
    }
}
{
    "message": "disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=2 data=1 quit=1 commands=6 137",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "disconnect",
        "outcome": "success",
        "target": "network-traffic"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "1.1.1.1",
        "ip": "1.1.1.1"
    }
}
{
    "message": "EF0B15F675: to=<firstname.lastname@corp.com>, relay=spamfilter, delay=4.2, delays=1.6/0/0/2.6, dsn=2.0.0, status=sent (delivered via spamfilter service) 148",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "corp.com",
        "domain": "corp.com",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    },
    "email": {
        "to": {
            "address": [
                "firstname.lastname@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/pipe"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "corp.com"
        ]
    }
}
{
    "message": "dns: new_dns_packet: domain is utf8 flagged: ns1.example.org",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "ns1.example.org",
        "domain": "ns1.example.org",
        "registered_domain": "example.org",
        "subdomain": "ns1",
        "top_level_domain": "org"
    },
    "log": {
        "syslog": {
            "appname": "spamd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "ns1.example.org"
        ]
    }
}
{
    "message": "175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/local"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "foreman-proxy"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    }
}
{
    "message": "1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/local"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "dmarc@example.org"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    }
}
{
    "message": "7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "ip": "127.0.0.1",
        "port": 10025,
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/local"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "B84078B26C7: to=<foreman-proxy@example.com>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "to": {
            "address": [
                "foreman-proxy@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/local"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "foreman-proxy"
    },
    "related": {
        "hosts": [
            "example.com"
        ]
    }
}
{
    "message": "B84078B26C7: to=proxy@example.localdomain, orig_to=sample.orig.to, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.localdomain",
        "domain": "example.localdomain",
        "subdomain": "example"
    },
    "email": {
        "to": {
            "address": [
                "proxy@example.localdomain"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/local"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "sample.orig.to"
    },
    "related": {
        "hosts": [
            "example.localdomain"
        ]
    }
}
{
    "message": "04B953035FC2: to=john.doe@example.org, orig_to=jane.doe@example.com, relay=127.0.0.1:2525, delay=0.44, delays=0.13/0/0.02/0.29, dsn=2.0.0, status=sent (250 Ok)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "ip": "127.0.0.1",
        "port": 2525,
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "john.doe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/local"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "jane.doe@example.com"
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "476295F5AD: message-id=<aaaaaaaaaa=@pm.me>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "aaaaaaaaaa=@pm.me"
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    }
}
{
    "message": "123456789: message-id=<foo@corp.com>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "foo@corp.com"
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    }
}
{
    "message": "NOQUEUE: filter: RCPT from foo.key.corp.com[192.168.1.1]: <foo.key.corp.com[192.168.1.1]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<foo.bar@subdomain.corp.com> to=<firstname.lastname@othercorp.com> proto=ESMTP helo=<foo.key.corp.com> 294",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "filter",
        "outcome": "success",
        "target": "network-traffic",
        "type": "RCPT"
    },
    "destination": {
        "address": "othercorp.com",
        "domain": "othercorp.com",
        "registered_domain": "othercorp.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "foo.bar@subdomain.corp.com"
            ]
        },
        "to": {
            "address": [
                "firstname.lastname@othercorp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "foo.key.corp.com",
            "othercorp.com"
        ],
        "ip": [
            "192.168.1.1"
        ]
    },
    "source": {
        "address": "foo.key.corp.com",
        "domain": "foo.key.corp.com",
        "ip": "192.168.1.1",
        "registered_domain": "corp.com",
        "subdomain": "foo.key",
        "top_level_domain": "com"
    }
}
{
    "message": "NOQUEUE: filter: RCPT from HOSTNAME.key.corp.com[192.168.1.1]: <HOSTNAME.key.corp.com[192.168.1.1]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<firstname.firstname@subdomain.corp.com> to=<firstname.lastname@corp2.com> proto=ESMTP helo=<HOSTNAME.key.corp.com> 299",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "filter",
        "outcome": "success",
        "target": "network-traffic",
        "type": "RCPT"
    },
    "destination": {
        "address": "corp2.com",
        "domain": "corp2.com",
        "registered_domain": "corp2.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "firstname.firstname@subdomain.corp.com"
            ]
        },
        "to": {
            "address": [
                "firstname.lastname@corp2.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "HOSTNAME.key.corp.com",
            "corp2.com"
        ],
        "ip": [
            "192.168.1.1"
        ]
    },
    "source": {
        "address": "HOSTNAME.key.corp.com",
        "domain": "HOSTNAME.key.corp.com",
        "ip": "192.168.1.1",
        "registered_domain": "corp.com",
        "subdomain": "HOSTNAME.key",
        "top_level_domain": "com"
    }
}
{
    "message": "Anonymous TLS connection established to example.org[1.2.3.4]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "1.2.3.4",
        "domain": "example.org",
        "ip": "1.2.3.4",
        "port": 25
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    }
}
{
    "message": "action=pass, reason=triplet found, delay=2400, client_name=mordor.com, client_address=1.1.1.1, sender=mechant@mordor.com, recipient=Pipin.touque@lacomte.net",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "triplet found",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "triplet found",
        "target": "network-traffic"
    },
    "destination": {
        "address": "lacomte.net",
        "domain": "lacomte.net",
        "registered_domain": "lacomte.net",
        "top_level_domain": "net"
    },
    "email": {
        "from": {
            "address": [
                "mechant@mordor.com"
            ]
        },
        "to": {
            "address": [
                "Pipin.touque@lacomte.net"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "lacomte.net",
            "mordor.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "mordor.com",
        "domain": "mordor.com",
        "ip": "1.1.1.1",
        "registered_domain": "mordor.com",
        "top_level_domain": "com"
    }
}
{
    "message": "action=pass, reason=client AAA, client_name=example.com, client_address=1.2.3.4, sender=Coyotte@acme.com, recipient=BIPBIP.NEWMAN@acme.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "client AAA",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "client AAA",
        "target": "network-traffic"
    },
    "destination": {
        "address": "acme.com",
        "domain": "acme.com",
        "registered_domain": "acme.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "Coyotte@acme.com"
            ]
        },
        "to": {
            "address": [
                "BIPBIP.NEWMAN@acme.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "acme.com",
            "example.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.com",
        "domain": "example.com",
        "ip": "1.2.3.4",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    }
}
{
    "message": "E43D43F838: uid=117 from=<no-reply@example.org>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "no-reply@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/pickup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/pipe"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "foreman-proxy"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    }
}
{
    "message": "1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/pipe"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "dmarc@example.org"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    }
}
{
    "message": "7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "ip": "127.0.0.1",
        "port": 10025,
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/pipe"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=ops@corp.com; receiver=<UNKNOWN>  Reject action: 550 5.7.23 210",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "ops@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "corp.com",
        "domain": "corp.com",
        "ip": "1.1.1.1",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=<>; receiver=<UNKNOWN>  Reject action: 550 5.7.23",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "target": "network-traffic"
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.outbound.protection.outlook.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.outbound.protection.outlook.com",
        "domain": "example.outbound.protection.outlook.com",
        "ip": "1.2.3.4",
        "registered_domain": "outlook.com",
        "subdomain": "example.outbound.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.com; receiver=<UNKNOWN>  Reject action: 550 5.7.23",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "outcome_reason": "SPF validation failed",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "noreply@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1.2.3.4"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "Neutral; identity=mailfrom; client-ip=1.2.3.4; helo=example.mail.protection.outlook.com; envelope-from=john.doem@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Neutral",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "john.doem@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.mail.protection.outlook.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.mail.protection.outlook.com",
        "domain": "example.mail.protection.outlook.com",
        "ip": "1.2.3.4",
        "registered_domain": "outlook.com",
        "subdomain": "example.mail.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "None; identity=helo; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1.2.3.4"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "Pass; identity=helo; client-ip=1.2.3.4; helo=mail.example.org; envelope-from=<>; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Pass",
        "outcome": "success",
        "target": "network-traffic"
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mail.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mail.example.org",
        "domain": "mail.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mail",
        "top_level_domain": "org"
    }
}
{
    "message": "Pass; identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Pass",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.outbound.protection.outlook.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.outbound.protection.outlook.com",
        "domain": "example.outbound.protection.outlook.com",
        "ip": "1.2.3.4",
        "registered_domain": "outlook.com",
        "subdomain": "example.outbound.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "Permerror; identity=helo; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Permerror",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Permerror",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=no-reply@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Permerror",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "no-reply@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "Softfail; identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Softfail",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "noreply@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1.2.3.4"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=mx.example.com; envelope-from=prvs=30447fe13=no-reply@example.com; receiver=<UNKNOWN>  Reject action: 550 5.7.23",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "outcome_reason": "SPF validation failed",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "prvs=30447fe13=no-reply@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.com",
        "domain": "mx.example.com",
        "ip": "1.2.3.4",
        "registered_domain": "example.com",
        "subdomain": "mx",
        "top_level_domain": "com"
    }
}
{
    "message": "prepend Received-SPF: Fail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: Neutral (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "prepend Received-SPF",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: None (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1.2.3.4"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "prepend Received-SPF: None (no SPF record) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "prepend Received-SPF",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "prepend Received-SPF",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: Softfail (domain owner discourages use of this host) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "prepend Received-SPF",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "prepend Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "Action: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=11.22.33.44; helo=mta-11-22-33-44.example.or; envelope-from=doe@newsletter.example.org; receiver=<UNKNOWN>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "doe@newsletter.example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mta-11-22-33-44.example.or"
        ],
        "ip": [
            "11.22.33.44"
        ]
    },
    "source": {
        "address": "mta-11-22-33-44.example.or",
        "domain": "mta-11-22-33-44.example.or",
        "ip": "11.22.33.44",
        "subdomain": "mta-11-22-33-44.example"
    }
}
{
    "message": "Pass; identity=mailfrom; client-ip=1.1.1.1; helo=mail.corp.com; envelope-from=username@corp.com; receiver=<UNKNOWN> 131",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Pass",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "username@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mail.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "mail.corp.com",
        "domain": "mail.corp.com",
        "ip": "1.1.1.1",
        "registered_domain": "corp.com",
        "subdomain": "mail",
        "top_level_domain": "com"
    }
}
{
    "message": "None; identity=helo; client-ip=1.1.1.1; helo=sub.corp.com; envelope-from=noreply@corp.com; receiver=<UNKNOWN> 128",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "noreply@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "sub.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "sub.corp.com",
        "domain": "sub.corp.com",
        "ip": "1.1.1.1",
        "registered_domain": "corp.com",
        "subdomain": "sub",
        "top_level_domain": "com"
    }
}
{
    "message": "Softfail; identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=username@corp.com; receiver=<UNKNOWN> 120",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "Softfail",
        "outcome": "success",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "username@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "corp.com",
        "domain": "corp.com",
        "ip": "1.1.1.1",
        "registered_domain": "corp.com",
        "top_level_domain": "com"
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: None (mailfrom) identity=mailfrom; client-ip=2.3.4.5; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>  Reject action: 550 5.7.23",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "outcome_reason": "SPF validation failed",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1.2.3.4"
        ],
        "ip": [
            "2.3.4.5"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "1.2.3.4",
        "ip": "2.3.4.5"
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: None (no SPF record) identity=helo; client-ip=2.3.4.5; helo=posta.example.org; envelope-from=<>; receiver=<UNKNOWN>  Reject action: 550 5.7.23",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "target": "network-traffic"
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "posta.example.org"
        ],
        "ip": [
            "2.3.4.5"
        ]
    },
    "source": {
        "address": "posta.example.org",
        "domain": "posta.example.org",
        "ip": "2.3.4.5",
        "registered_domain": "example.org",
        "subdomain": "posta",
        "top_level_domain": "org"
    }
}
{
    "message": "Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver=<UNKNOWN>  Reject action: 550 5.7.23",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "reject",
        "outcome": "success",
        "outcome_reason": "SPF validation failed",
        "target": "network-traffic"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "policyd-spf"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.outbound.protection.outlook.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "example.outbound.protection.outlook.com",
        "domain": "example.outbound.protection.outlook.com",
        "ip": "1.2.3.4",
        "registered_domain": "outlook.com",
        "subdomain": "example.outbound.protection",
        "top_level_domain": "com"
    }
}
{
    "message": "7B082110A6E0: host smtp.office365.com[40.101.136.242] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=EXAMPLE.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=EXAMPLE.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
        "type": [
            "info"
        ]
    },
    "action": {
        "outcome": "success",
        "outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped",
        "target": "network-traffic",
        "type": "end of DATA"
    },
    "destination": {
        "address": "40.101.136.242",
        "domain": "smtp.office365.com",
        "ip": "40.101.136.242"
    },
    "log": {
        "syslog": {
            "appname": "postfix"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "EXAMPLE.PROD.OUTLOOK.COM",
            "smtp.office365.com"
        ],
        "ip": [
            "40.101.136.242"
        ]
    },
    "source": {
        "address": "EXAMPLE.PROD.OUTLOOK.COM",
        "domain": "EXAMPLE.PROD.OUTLOOK.COM",
        "registered_domain": "OUTLOOK.COM",
        "subdomain": "EXAMPLE.PROD",
        "top_level_domain": "COM"
    }
}
{
    "message": "01B3A96050: Used TLS for 10.19.65.1[10.19.65.1]:587",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "10.19.65.1",
        "domain": "10.19.65.1",
        "ip": "10.19.65.1",
        "port": 587
    },
    "log": {
        "syslog": {
            "appname": "postfix"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "10.19.65.1"
        ],
        "ip": [
            "10.19.65.1"
        ]
    }
}
{
    "message": "023069605C: Used TLS for smtp.example.org[163.172.55.8]:25",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "163.172.55.8",
        "domain": "smtp.example.org",
        "ip": "163.172.55.8",
        "port": 25
    },
    "log": {
        "syslog": {
            "appname": "postfix"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp.example.org"
        ],
        "ip": [
            "163.172.55.8"
        ]
    }
}
{
    "message": "NOQUEUE: client=unknown[10.100.0.3]",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "10.100.0.3",
        "ip": "10.100.0.3"
    },
    "log": {
        "syslog": {
            "appname": "postfix"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "10.100.0.3"
        ]
    }
}
{
    "message": "warning: read TCP map reply from 127.0.0.1:10030: unexpected EOF (Operation now in progress)",
    "event": {
        "category": [
            "email"
        ],
        "reason": "unexpected EOF (Operation now in progress)",
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "port": 10030
    },
    "log": {
        "syslog": {
            "appname": "postfix"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "0A90996059: to=<sms@mail2sms.smsbox.net>, relay=localhost[127.0.0.1]:10025, conn_use=3, delay=5.2, delays=0/0/0/5.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0BF0C9605C)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "mail2sms.smsbox.net",
        "domain": "mail2sms.smsbox.net",
        "ip": "127.0.0.1",
        "port": 10025,
        "registered_domain": "smsbox.net",
        "subdomain": "mail2sms",
        "top_level_domain": "net"
    },
    "email": {
        "to": {
            "address": [
                "sms@mail2sms.smsbox.net"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mail2sms.smsbox.net"
        ],
        "ip": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "proxy-accept: END-OF-MESSAGE: 250 2.0.0 Ok: queued as 7949396087; from=<jdoe@example.org> to=<jane.doe@example.org> proto=ESMTP helo=<mx.example.org>",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "accept",
        "outcome": "success",
        "target": "network-traffic",
        "type": "END-OF-MESSAGE"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org",
            "mx.example.org"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "D2D459605C: Used TLS for smtp-in.example.com[5.6.7.8]:25",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "5.6.7.8",
        "domain": "smtp-in.example.com",
        "ip": "5.6.7.8",
        "port": 25
    },
    "log": {
        "syslog": {
            "appname": "postfix"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "smtp-in.example.com"
        ],
        "ip": [
            "5.6.7.8"
        ]
    }
}
{
    "message": "581B85F5B3: warning: header Content-Disposition: inline; filename=\"\"image018.png\"\"; size=162328;??creation-date=\"\"Thu, 11 Apr 2024 07:53:08 GMT\"\";??modification-date=\"\"Thu, 11 Apr 2024 07:53:08 GMT\"\" from local; from=<jdoe@example.org> to=<jane.doe@example.com>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "file": {
        "name": "image018.png",
        "size": 162328
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "example.org"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "59B835F5AD: warning: header Content-Disposition: attachment;??filename=\"\"=?utf-8?B?111111111111111111111111111111111111111111111111111111111111?=? =?utf-8?B?222222222222222222222222222222222222222222222222222222222222?=? =?utf-8? from local; from=<jdoe@example.org> to=<jane.doe@example.com>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "example.org"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "EBA403F815: message-id=<74c99d8a-eb8b-4045-ae8e-6d3f6d51b41d@example.org>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "message_id": "74c99d8a-eb8b-4045-ae8e-6d3f6d51b41d@example.org"
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    }
}
{
    "message": "000FA5FD8F: prepend: header From: John Doe <jdoe@example.org> from localhost[127.0.0.1]; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: TRUE",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix-nospam/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "smtp.example.org"
        ],
        "ip": [
            "127.0.0.1"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "127.0.0.1",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "008BB5FD76: prepend: header From: =?UTF-8?q?Cellier_du_P=C3=A9rigord?=??<newsletter@wine.com> from localhost[127.0.0.1]; from=<newsletter@wine.com> to=<jdoe@example.org> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: FALSE",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "from": {
            "address": [
                "newsletter@wine.com"
            ]
        },
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix-nospam/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.org",
            "smtp.example.org"
        ],
        "ip": [
            "127.0.0.1"
        ]
    },
    "source": {
        "address": "smtp.example.org",
        "domain": "smtp.example.org",
        "ip": "127.0.0.1",
        "registered_domain": "example.org",
        "subdomain": "smtp",
        "top_level_domain": "org"
    }
}
{
    "message": "action=greylist, reason=early-retry (10s missing), client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "early-retry (10s missing)",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "greylist",
        "outcome": "success",
        "outcome_reason": "early-retry (10s missing)",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "mx.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "action=greylist, reason=new, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "new",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "greylist",
        "outcome": "success",
        "outcome_reason": "new",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "mx.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "action=greylist, reason=new, client_name=unknown, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "new",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "greylist",
        "outcome": "success",
        "outcome_reason": "new",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "domain": "example.org",
        "ip": "1.2.3.4"
    }
}
{
    "message": "action=pass, reason=client AWL, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "client AWL",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "client AWL",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "mx.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "action=pass, reason=client whitelist, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "client whitelist",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "client whitelist",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "mx.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "action=pass, reason=triplet found, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "reason": "triplet found",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "triplet found",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "mx.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "whitelisted: mx.example.org[1.2.3.4/32]",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "1.2.3.4",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "whitelisted: unknown[1.2.3.4/32]",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "log": {
        "syslog": {
            "appname": "postgrey"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "89BE920002: from=<test1@acme.com>, size=152518, nrcpt=1 (queue active)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "test1@acme.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/qmgr"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "acme.com"
        ]
    },
    "source": {
        "address": "acme.com",
        "domain": "acme.com",
        "registered_domain": "acme.com",
        "top_level_domain": "com"
    }
}
{
    "message": "074955F67C: from=<bounce+41deb4.277afa-Heather.STEWART=corp.com@hrd.corp.com>, size=4303, nrcpt=1 (queue active)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "bounce+41deb4.277afa-Heather.STEWART=corp.com@hrd.corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/qmgr"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "hrd.corp.com"
        ]
    },
    "source": {
        "address": "hrd.corp.com",
        "domain": "hrd.corp.com",
        "registered_domain": "corp.com",
        "subdomain": "hrd",
        "top_level_domain": "com"
    }
}
{
    "message": "CA9311112C08: to=<f.lastname@corp.com>, relay=srv.corp.com[1.1.1.1]:25, delay=8.4, delays=7.6/0/0.31/0.47, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4TwNdH5zwCz7fxV) 257",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "outcome_reason": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "1.1.1.1",
        "domain": "srv.corp.com",
        "ip": "1.1.1.1",
        "port": 25
    },
    "email": {
        "to": {
            "address": [
                "f.lastname@corp.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "srv.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    }
}
{
    "message": "56E28C0007: to=<rob@exemple.com>, relay=1.1.1.1[1.1.1.1]:10025, delay=0.63, delays=0.57/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DF82A21108)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "outcome_reason": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "1.1.1.1",
        "domain": "1.1.1.1",
        "ip": "1.1.1.1",
        "port": 10025
    },
    "email": {
        "to": {
            "address": [
                "rob@exemple.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "1.1.1.1"
        ],
        "ip": [
            "1.1.1.1"
        ]
    }
}
{
    "message": "95BCC140E40: replace: header From: EXAMPLE <[hola@example.org](mailto:hola@example.org)>: From: [noreply@example.org](mailto:noreply@example.org)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "hola@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "headers": {
            "from": [
                "EXAMPLE <[hola@example.org](mailto:hola@example.org)>",
                "[noreply@example.org](mailto:noreply@example.org)"
            ]
        }
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "95BCC140E40: replace: header From: Example Mailbox <[test@example.org](mailto:test@example.org)>: From: [noreply@example.org](mailto:noreply@example.org)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "test@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "headers": {
            "from": [
                "Example Mailbox <[test@example.org](mailto:test@example.org)>",
                "[noreply@example.org](mailto:noreply@example.org)"
            ]
        }
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "2F46A140256: replace: header From: \"Example Help\" <help@example.org: From: [help@example.org](mailto:help@example.org)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "email": {
        "from": {
            "address": [
                "<help@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "headers": {
            "from": [
                "\"Example Help\" <help@example.org",
                "[help@example.org](mailto:help@example.org)"
            ]
        }
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    },
    "source": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    }
}
{
    "message": "warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure",
    "event": {
        "category": [
            "email"
        ],
        "reason": "SASL LOGIN authentication failed: authentication failure",
        "type": [
            "info"
        ]
    },
    "log": {
        "syslog": {
            "appname": "postfix/cleanup"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "11.22.33.44"
        ]
    },
    "source": {
        "address": "11.22.33.44",
        "ip": "11.22.33.44"
    }
}
{
    "message": "175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "foreman-proxy"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    }
}
{
    "message": "1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "postfix": {
        "orig_to": "dmarc@example.org"
    },
    "related": {
        "hosts": [
            "example.org"
        ]
    }
}
{
    "message": "7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "sent",
        "outcome": "success",
        "outcome_reason": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "127.0.0.1",
        "domain": "127.0.0.1",
        "ip": "127.0.0.1",
        "port": 10025
    },
    "email": {
        "to": {
            "address": [
                "jdoe@example.org"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "127.0.0.1"
        ],
        "ip": [
            "127.0.0.1"
        ]
    }
}
{
    "message": "05BC43F81E: host mx.example.org[5.6.7.8] said: 421 4.3.0 Upstream error, please check https://example.com/email-routing/postmaster for possible reasons why. yrtPbwx4hZz2 (in reply to end of DATA command)",
    "event": {
        "category": [
            "email"
        ],
        "reason": "Upstream error, please check https://example.com/email-routing/postmaster for possible reasons why. yrtPbwx4hZz2 (in reply to end of DATA command)",
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "5.6.7.8",
        "domain": "mx.example.org",
        "ip": "5.6.7.8"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "5.6.7.8"
        ]
    }
}
{
    "message": "30D713F81F: host mx.example.org[5.6.7.8] said: 450 4.1.1 <abuse@example.com>: Recipient address rejected: unverified address: Mailbox might be disabled, full, or may not exist on the server. Reason: JFE030050 (in reply to RCPT TO command)",
    "event": {
        "category": [
            "email"
        ],
        "reason": "<abuse@example.com>: Recipient address rejected: unverified address: Mailbox might be disabled, full, or may not exist on the server. Reason: JFE030050 (in reply to RCPT TO command)",
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "5.6.7.8",
        "domain": "mx.example.org",
        "ip": "5.6.7.8"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "5.6.7.8"
        ]
    }
}
{
    "message": "connect to mx.example.org[5.6.7.8]:25: No route to host",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "5.6.7.8",
        "domain": "mx.example.org",
        "ip": "5.6.7.8",
        "port": 25
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "5.6.7.8"
        ]
    }
}
{
    "message": "connect to mail.corp.com[1.1.1.1]:25: Connection timed out 125",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "1.1.1.1",
        "domain": "mail.corp.com",
        "ip": "1.1.1.1",
        "port": 25
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mail.corp.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    }
}
{
    "message": "96887C0006: to=<rob@exemple.com>, relay=exemple.com[1.1.1.1]:25, delay=354776, delays=354775/0/0.9/0.16, dsn=4.3.1, status=deferred (host exemple.com[1.1.1.1] said: 452 4.3.1 Insufficient system storage (in reply to MAIL FROM command))",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "deferred",
        "outcome": "success",
        "outcome_reason": "The recipient`s mail server is experiencing a Disk Full condition",
        "target": "network-traffic"
    },
    "destination": {
        "address": "1.1.1.1",
        "domain": "exemple.com",
        "ip": "1.1.1.1",
        "port": 25
    },
    "email": {
        "to": {
            "address": [
                "rob@exemple.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtp"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "exemple.com"
        ],
        "ip": [
            "1.1.1.1"
        ]
    }
}
{
    "message": "021C03F820: filter: RCPT from mx.example.org[192.168.100.124]: <mx.example.org[192.168.100.124]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<mx.example.com>",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "example.com",
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "jdoe@example.org"
            ]
        },
        "to": {
            "address": [
                "jane.doe@example.com"
            ]
        }
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "example.com",
            "mx.example.com"
        ],
        "ip": [
            "192.168.100.124"
        ]
    },
    "source": {
        "address": "mx.example.com",
        "domain": "mx.example.com",
        "ip": "192.168.100.124",
        "registered_domain": "example.com",
        "subdomain": "mx",
        "top_level_domain": "com"
    }
}
{
    "message": "lost connection after BDAT from mx.example.org[192.168.100.124]",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "lost connection",
        "outcome": "success",
        "target": "network-traffic",
        "type": "BDAT"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "192.168.100.124"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "192.168.100.124",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "warning: hostname mx.example.org does not resolve to address 5.6.7.8: Name or service not known",
    "event": {
        "category": [
            "email"
        ],
        "reason": "Name or service not known",
        "type": [
            "info"
        ]
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "5.6.7.8"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "5.6.7.8",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "warning: mx.example.org[192.168.100.132]: SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@exmaple.org",
    "event": {
        "category": [
            "email"
        ],
        "reason": "SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@exmaple.org",
        "type": [
            "info"
        ]
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mx.example.org"
        ],
        "ip": [
            "192.168.100.132"
        ]
    },
    "source": {
        "address": "mx.example.org",
        "domain": "mx.example.org",
        "ip": "192.168.100.132",
        "registered_domain": "example.org",
        "subdomain": "mx",
        "top_level_domain": "org"
    }
}
{
    "message": "lost connection after AUTH from unknown[1.1.1.1]",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "lost connection",
        "outcome": "success",
        "target": "network-traffic",
        "type": "AUTH"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "1.1.1.1"
        ]
    },
    "source": {
        "address": "1.1.1.1",
        "ip": "1.1.1.1"
    }
}
{
    "message": "connect from unknown[10.1.1.1] 88",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "connect",
        "outcome": "success",
        "target": "network-traffic"
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "ip": [
            "10.1.1.1"
        ]
    },
    "source": {
        "address": "10.1.1.1",
        "ip": "10.1.1.1"
    }
}
{
    "message": "Trusted TLS connection established from mail.outbound.protection.outlook.com[1.1.1.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "log": {
        "syslog": {
            "appname": "postfix/smtpd"
        }
    },
    "network": {
        "protocol": "smtp"
    },
    "related": {
        "hosts": [
            "mail.outbound.protection.outlook.com"
        ],
        "ip"</