Postfix
Overview
Postfix is a free and open-source mail transfer agent that routes and delivers electronic mail.
Related Built-in Rules
The following Sekoia.io built-in rules match the Postfix intake. This documentation is updated automatically and is based solely on the fields used by the intake, which are checked against our rules. This means that some rules will be listed but might not be relevant to this intake.
SEKOIA.IO x Postfix on ATT&CK Navigator
Burp Suite Tool Detected
Burp Suite is a web application security testing tool. When used as an intercepting proxy, its purpose is to capture HTTP requests and modify them before forwarding them to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (out-of-band vulnerability scanning).
- Effort: intermediate
Potential DNS Tunnel
Detects domain names longer than 95 characters. Long domain names are characteristic of DNS tunnels.
- Effort: advanced
RTLO Character
Detects the RTLO (Right-To-Left Override) character in file and process names.
- Effort: elementary
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
Suspicious Email Attachment Received
Detects emails containing an .exe, .dll, .ps1, .bat or .hta attachment. Files sent by email in this way are most often malware.
- Effort: elementary
Telegram Bot API Request
Detects suspicious DNS queries to api.telegram.org, used by Telegram bots of any kind.
- Effort: advanced
WCE wceaux.dll Creation
Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.
- Effort: intermediate
Event Categories
The following table lists the data sources offered by this integration.
Data Source | Description |
---|---|
Email gateway | Postfix logs many details on every handled message |
Mail server | Postfix logs many details on every handled message |
In detail, the following table lists the types of events produced by this integration.
Name | Values |
---|---|
Kind | `` |
Category | email |
Type | info |
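The samples in the next section are raw Postfix syslog messages mapped onto the fields above. The Python below is an added example, not Sekoia.io's parser and not Postfix code: it parses the two line shapes on this page that carry the most detection value, delivery status lines (`to=`, `relay=`, `dsn=`, `status=`) and `postfix/cleanup` header_checks warnings, and then applies the logic of the "Suspicious Email Attachment Received" rule listed above. The log lines are constructed from the page's samples plus one invented malicious line (queue ID DEADBEEF01, domain attacker.example); the output field names and the DSN-class-to-outcome mapping are this example's own choices.

```python
"""Parse Postfix delivery-status and cleanup header_checks lines as shown in
this page's samples, and flag executable attachments.

Added example (not Sekoia.io or Postfix code). SAMPLE_LINES are constructed
from the page's samples plus one invented malicious line (DEADBEEF01).
"""
import re
from email.header import decode_header

# Extensions named by the "Suspicious Email Attachment Received" rule.
SUSPICIOUS_EXTENSIONS = {"exe", "dll", "ps1", "bat", "hta"}

# QUEUEID: to=<rcpt>, [orig_to=<orig>,] relay=..., delay=..., delays=..., dsn=..., status=... (text)
DELIVERY_RE = re.compile(
    r"^(?P<queue_id>[0-9A-Za-z]+): to=<(?P<to>[^>]*)>,"
    r"(?: orig_to=<(?P<orig_to>[^>]*)>,)?"
    r" relay=(?P<relay>[^,]+), delay=(?P<delay>[\d.]+), delays=(?P<delays>[\d./]+),"
    r" dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*)\)"
)
# QUEUEID: warning: header NAME: VALUE from CLIENT; from=<a> to=<b> ...
HEADER_RE = re.compile(
    r"^(?P<queue_id>[0-9A-Za-z]+): warning: header (?P<header>[\w-]+): (?P<value>.*?)"
    r" from (?P<client>[^;]+); from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>"
)
CLIENT_RE = re.compile(r"^(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]$")
FILENAME_RE = re.compile(r'filename="(?P<name>[^"]*)"')
SIZE_RE = re.compile(r"size=(?P<size>\d+)")
# RFC 3463: the first digit of the DSN is the status class (this mapping is ours).
DSN_CLASS = {"2": "success", "4": "temporary-failure", "5": "failure"}


def decode_filename(raw):
    """Decode an RFC 2047 encoded-word filename when it is well formed. A
    malformed one (the page's "?iso-8859-2?q?...?=" sample lost its leading
    "=") is returned exactly as logged."""
    parts = []
    for text, charset in decode_header(raw):
        if isinstance(text, bytes):
            try:
                text = text.decode(charset or "ascii", errors="replace")
            except LookupError:          # charset Python does not know
                text = text.decode("latin-1")
        parts.append(text)
    return "".join(parts)


def extension_of(name):
    """Last extension of the name, tolerating a dangling RFC 2047 '?=' suffix."""
    m = re.search(r"\.([A-Za-z0-9]{1,5})(?:\?=)?$", name)
    return m.group(1).lower() if m else None


def parse_line(line):
    """Normalise one Postfix syslog message (syslog prefix already stripped)."""
    m = DELIVERY_RE.match(line)
    if m:
        d = m.groupdict()
        d["kind"] = "delivery"
        d["outcome"] = DSN_CLASS.get(d["dsn"][0], "unknown")
        return d
    m = HEADER_RE.match(line)
    if m:
        d = m.groupdict()
        d["kind"] = "header"
        c = CLIENT_RE.match(d["client"])
        d["client_host"] = c["host"] if c else d["client"]
        d["client_ip"] = c["ip"] if c else None      # "from local" has no IP
        if d["header"].lower() == "content-disposition":
            f = FILENAME_RE.search(d["value"])
            s = SIZE_RE.search(d["value"])
            if f:
                d["file_name"] = decode_filename(f["name"])
                d["file_ext"] = extension_of(d["file_name"])
            if s:
                d["file_size"] = int(s["size"])
        return d
    return {"kind": "other", "message": line}


def suspicious_attachments(events):
    """The 'Suspicious Email Attachment Received' check over parsed events."""
    return [e for e in events
            if e.get("kind") == "header" and e.get("file_ext") in SUSPICIOUS_EXTENSIONS]


# Constructed sample lines: the page's samples plus one invented malicious line.
SAMPLE_LINES = [
    '77EFFC0015: warning: header Content-Disposition: inline; filename="image003.jpg"; size=26055;??creation-date="Thu, 12 Sep 2019 12:39:01 GMT" from mail.outbound.protection.outlook.com[1.1.1.1]; from=<> to=<john.doe@exemple.com> proto=ESMTP helo=<NAM03.outbound.protection.outlook.com>',
    '707A12000A: warning: header Content-Disposition: attachment;??filename="?iso-8859-2?q?representative_on_migration.pdf?="; size=259210;?? from local; from=<photo@mordor.com> to=<Pipin.touque@lacomte.net>',
    'DEADBEEF01: warning: header Content-Disposition: attachment; filename="=?utf-8?q?invoice=2Epdf=2Eexe?="; size=4096 from unknown[203.0.113.7]; from=<billing@attacker.example> to=<jdoe@example.org> proto=ESMTP helo=<mail.attacker.example>',
    '2298F5F619: to=<admin@corp.com>, relay=none, delay=89758, delays=89758/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.corp.com[1.1.1.1]:25: Connection timed out)',
    '3D770111AF50: to=<username@corp.com>, relay=none, delay=1.2, delays=1.1/0/0.03/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=corp.com type=AAAA: Host not found)',
    '175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)',
]

if __name__ == "__main__":
    for hit in suspicious_attachments([parse_line(l) for l in SAMPLE_LINES]):
        print(f"ALERT {hit['queue_id']}: {hit['file_name']} from <{hit['from']}> to <{hit['to']}>")
```

Two caveats when hunting on these events. First, the normalized samples below set `event.outcome` and `action.outcome` to `success` even for `status=deferred` and `status=bounced`; filter on `action.name` (or on the DSN class, as done here) rather than on the outcome field. Second, Postfix replaces non-printable bytes in logged header text with `?` (how UTF-8 is handled depends on the version and its SMTPUTF8 settings), which is why folded header lines show up as `??creation-date=` in the samples; the filename regex above is written against that logged form, not against the original header.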
Event Samples
Find below a few samples of events and how they are normalized by Sekoia.io.
{
"message": "statistics: max connection count 10 for (smtp:1.2.3.4) at Sep 11 10:47:30",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"log": {
"syslog": {
"appname": "postfix/anvil"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "2298F5F619: to=<admin@corp.com>, relay=none, delay=89758, delays=89758/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.corp.com[1.1.1.1]:25: Connection timed out) 215",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "deferred",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "corp.com",
"domain": "corp.com",
"registered_domain": "corp.com",
"top_level_domain": "com"
},
"email": {
"to": {
"address": [
"admin@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/error"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"corp.com"
]
}
}
{
"message": "11FDF5F62A: to=<USER@sub.corp.com>, relay=local, delay=80181, delays=80181/0.02/0/0, dsn=4.0.0, status=deferred (user lookup error)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "deferred",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "sub.corp.com",
"domain": "sub.corp.com",
"registered_domain": "corp.com",
"subdomain": "sub",
"top_level_domain": "com"
},
"email": {
"to": {
"address": [
"USER@sub.corp.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/local"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"sub.corp.com"
]
}
}
{
"message": "3D770111AF50: to=<username@corp.com>, relay=none, delay=1.2, delays=1.1/0/0.03/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=corp.com type=AAAA: Host not found)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "bounced",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "corp.com",
"domain": "corp.com",
"registered_domain": "corp.com",
"top_level_domain": "com"
},
"email": {
"to": {
"address": [
"username@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"corp.com"
]
}
}
{
"message": "77EFFC0015: warning: header Content-Disposition: inline; filename=\"image003.jpg\"; size=26055;??creation-date=\"Thu, 12 Sep 2019 12:39:01 GMT\";??modification-date=\"Thu, 12 Sep 2019 12:40:01 GMT\" from mail.outbound.protection.outlook.com[1.1.1.1]; from=<> to=<john.doe@exemple.com> proto=ESMTP helo=<NAM03.outbound.protection.outlook.com>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "exemple.com",
"domain": "exemple.com",
"registered_domain": "exemple.com",
"top_level_domain": "com"
},
"email": {
"to": {
"address": [
"john.doe@exemple.com"
]
}
},
"file": {
"created": "2019-09-12T12:39:01Z",
"ctime": "2019-09-12T12:40:01Z",
"name": "image003.jpg",
"size": 26055
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"exemple.com",
"mail.outbound.protection.outlook.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "mail.outbound.protection.outlook.com",
"domain": "mail.outbound.protection.outlook.com",
"ip": "1.1.1.1",
"registered_domain": "outlook.com",
"subdomain": "mail.outbound.protection",
"top_level_domain": "com"
}
}
{
"message": "3D770111AF50: warning: header Subject: Manquants LASTNAME GB Nouvelle version from unknown[10.1.1.1]; from=<foo@corp.com> to=<first.last@corp.com> proto=ESMTP helo=<SUBDOMAIN.CORP.COM>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "corp.com",
"domain": "corp.com",
"registered_domain": "corp.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"foo@corp.com"
]
},
"to": {
"address": [
"first.last@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"SUBDOMAIN.CORP.COM",
"corp.com"
],
"ip": [
"10.1.1.1"
]
},
"source": {
"address": "SUBDOMAIN.CORP.COM",
"domain": "SUBDOMAIN.CORP.COM",
"ip": "10.1.1.1",
"registered_domain": "CORP.COM",
"subdomain": "SUBDOMAIN",
"top_level_domain": "COM"
}
}
{
"message": "2CE6C111AF50: warning: header Subject: =?ISO-8859-1?Q?Pb_FTP_=3A_999_Aucune_action_effectu=E9e?= from unknown[10.1.1.1]; from=<email@corp.com> to=<email@corp.com> proto=ESMTP helo=<SUBDOMAIN.CORP.COM> 279",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "corp.com",
"domain": "corp.com",
"registered_domain": "corp.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"email@corp.com"
]
},
"to": {
"address": [
"email@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"SUBDOMAIN.CORP.COM",
"corp.com"
],
"ip": [
"10.1.1.1"
]
},
"source": {
"address": "SUBDOMAIN.CORP.COM",
"domain": "SUBDOMAIN.CORP.COM",
"ip": "10.1.1.1",
"registered_domain": "CORP.COM",
"subdomain": "SUBDOMAIN",
"top_level_domain": "COM"
}
}
{
"message": "B4B613F8B7: warning: header Content-Disposition: inline; filename=\"image001.png\"; size=8879;??creation-date=\"Thu, 14 Mar 2024 10:19:00 GMT\";??modification-date=\"Thu, 14 Mar 2024 10:19:00 GMT\" from subdomain.key.corp.com[1.1.1.1]; from=<ndr.journaling@corp.com> to=<corp@office365.eu.vadesecure.com> proto=ESMTP helo=<subdomain.key.corp.com>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "office365.eu.vadesecure.com",
"domain": "office365.eu.vadesecure.com",
"registered_domain": "vadesecure.com",
"subdomain": "office365.eu",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"ndr.journaling@corp.com"
]
},
"to": {
"address": [
"corp@office365.eu.vadesecure.com"
]
}
},
"file": {
"created": "2024-03-14T10:19:00Z",
"ctime": "2024-03-14T10:19:00Z",
"name": "image001.png",
"size": 8879
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"office365.eu.vadesecure.com",
"subdomain.key.corp.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "subdomain.key.corp.com",
"domain": "subdomain.key.corp.com",
"ip": "1.1.1.1",
"registered_domain": "corp.com",
"subdomain": "subdomain.key",
"top_level_domain": "com"
}
}
{
"message": "707A12000A: warning: header Content-Disposition: attachment;??filename=\"?iso-8859-2?q?representative_on_migration.pdf?=\"; size=259210;?? from local; from=<photo@mordor.com> to=<Pipin.touque@lacomte.net>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "lacomte.net",
"domain": "lacomte.net",
"registered_domain": "lacomte.net",
"top_level_domain": "net"
},
"email": {
"from": {
"address": [
"photo@mordor.com"
]
},
"to": {
"address": [
"Pipin.touque@lacomte.net"
]
}
},
"file": {
"name": "?iso-8859-2?q?representative_on_migration.pdf?=",
"size": 259210
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"lacomte.net",
"mordor.com"
]
},
"source": {
"address": "mordor.com",
"domain": "mordor.com",
"registered_domain": "mordor.com",
"top_level_domain": "com"
}
}
{
"message": "486D13F8B7: client=COMPUTER.sub.corp.com[1.1.1.1]",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"COMPUTER.sub.corp.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "COMPUTER.sub.corp.com",
"domain": "COMPUTER.sub.corp.com",
"ip": "1.1.1.1",
"registered_domain": "corp.com",
"subdomain": "COMPUTER.sub",
"top_level_domain": "com"
}
}
{
"message": "8116C5F683: action=pass, reason=client whitelist, client_name=mail-corp123.outbound.protection.outlook.com, client_address=1.1.1.1/32, sender=firstname.lastname@corp.fr, recipient=firstname.lastname@corp2.fr",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "client whitelist",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "client whitelist",
"target": "network-traffic"
},
"destination": {
"address": "corp2.fr",
"domain": "corp2.fr",
"registered_domain": "corp2.fr",
"top_level_domain": "fr"
},
"email": {
"from": {
"address": [
"firstname.lastname@corp.fr"
]
},
"to": {
"address": [
"firstname.lastname@corp2.fr"
]
}
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"corp2.fr",
"mail-corp123.outbound.protection.outlook.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "mail-corp123.outbound.protection.outlook.com",
"domain": "mail-corp123.outbound.protection.outlook.com",
"ip": "1.1.1.1",
"registered_domain": "outlook.com",
"subdomain": "mail-corp123.outbound.protection",
"top_level_domain": "com"
}
}
{
"message": "disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "disconnect",
"outcome": "success",
"target": "network-traffic"
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "1.1.1.1",
"ip": "1.1.1.1"
}
}
{
"message": "53C2C140E40: host smtp.office365.com[1.1.1.1] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information.",
"type": [
"info"
]
},
"action": {
"outcome": "success",
"outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped",
"target": "network-traffic",
"type": "end of DATA"
},
"destination": {
"address": "1.1.1.1",
"domain": "smtp.office365.com",
"ip": "1.1.1.1"
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"P212321.PROD.OUTLOOK.COM",
"smtp.office365.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "P212321.PROD.OUTLOOK.COM",
"domain": "P212321.PROD.OUTLOOK.COM",
"registered_domain": "OUTLOOK.COM",
"subdomain": "P212321.PROD",
"top_level_domain": "COM"
}
}
{
"message": "disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "disconnect",
"outcome": "success",
"target": "network-traffic"
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"localhost"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "localhost",
"domain": "localhost",
"ip": "127.0.0.1"
}
}
{
"message": "disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7 93",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "disconnect",
"outcome": "success",
"target": "network-traffic"
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"localhost"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "localhost",
"domain": "localhost",
"ip": "127.0.0.1"
}
}
{
"message": "disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=2 data=1 quit=1 commands=6 137",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "disconnect",
"outcome": "success",
"target": "network-traffic"
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "1.1.1.1",
"ip": "1.1.1.1"
}
}
{
"message": "EF0B15F675: to=<firstname.lastname@corp.com>, relay=spamfilter, delay=4.2, delays=1.6/0/0/2.6, dsn=2.0.0, status=sent (delivered via spamfilter service) 148",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "corp.com",
"domain": "corp.com",
"registered_domain": "corp.com",
"top_level_domain": "com"
},
"email": {
"to": {
"address": [
"firstname.lastname@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/pipe"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"corp.com"
]
}
}
{
"message": "dns: new_dns_packet: domain is utf8 flagged: ns1.example.org",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "ns1.example.org",
"domain": "ns1.example.org",
"registered_domain": "example.org",
"subdomain": "ns1",
"top_level_domain": "org"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"ns1.example.org"
]
}
}
{
"message": "175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/local"
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "foreman-proxy"
},
"related": {
"hosts": [
"example.org"
]
}
}
{
"message": "1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/local"
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "dmarc@example.org"
},
"related": {
"hosts": [
"example.org"
]
}
}
{
"message": "7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/local"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
]
}
}
{
"message": "B84078B26C7: to=<foreman-proxy@example.com>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"to": {
"address": [
"foreman-proxy@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/local"
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "foreman-proxy"
},
"related": {
"hosts": [
"example.com"
]
}
}
{
"message": "476295F5AD: message-id=<aaaaaaaaaa=@pm.me>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "aaaaaaaaaa=@pm.me"
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
}
}
{
"message": "123456789: message-id=<foo@corp.com>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "foo@corp.com"
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
}
}
{
"message": "NOQUEUE: filter: RCPT from foo.key.corp.com[192.168.1.1]: <foo.key.corp.com[192.168.1.1]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<foo.bar@subdomain.corp.com> to=<firstname.lastname@othercorp.com> proto=ESMTP helo=<foo.key.corp.com> 294",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "filter",
"outcome": "success",
"target": "network-traffic",
"type": "RCPT"
},
"destination": {
"address": "othercorp.com",
"domain": "othercorp.com",
"registered_domain": "othercorp.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"foo.bar@subdomain.corp.com"
]
},
"to": {
"address": [
"firstname.lastname@othercorp.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"foo.key.corp.com",
"othercorp.com"
],
"ip": [
"192.168.1.1"
]
},
"source": {
"address": "foo.key.corp.com",
"domain": "foo.key.corp.com",
"ip": "192.168.1.1",
"registered_domain": "corp.com",
"subdomain": "foo.key",
"top_level_domain": "com"
}
}
{
"message": "NOQUEUE: filter: RCPT from HOSTNAME.key.corp.com[192.168.1.1]: <HOSTNAME.key.corp.com[192.168.1.1]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<firstname.firstname@subdomain.corp.com> to=<firstname.lastname@corp2.com> proto=ESMTP helo=<HOSTNAME.key.corp.com> 299",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "filter",
"outcome": "success",
"target": "network-traffic",
"type": "RCPT"
},
"destination": {
"address": "corp2.com",
"domain": "corp2.com",
"registered_domain": "corp2.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"firstname.firstname@subdomain.corp.com"
]
},
"to": {
"address": [
"firstname.lastname@corp2.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"HOSTNAME.key.corp.com",
"corp2.com"
],
"ip": [
"192.168.1.1"
]
},
"source": {
"address": "HOSTNAME.key.corp.com",
"domain": "HOSTNAME.key.corp.com",
"ip": "192.168.1.1",
"registered_domain": "corp.com",
"subdomain": "HOSTNAME.key",
"top_level_domain": "com"
}
}
{
"message": "Anonymous TLS connection established to example.org[1.2.3.4]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "1.2.3.4",
"domain": "example.org",
"ip": "1.2.3.4",
"port": 25
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
],
"ip": [
"1.2.3.4"
]
}
}
{
"message": "action=pass, reason=triplet found, delay=2400, client_name=mordor.com, client_address=1.1.1.1, sender=mechant@mordor.com, recipient=Pipin.touque@lacomte.net",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "triplet found",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "triplet found",
"target": "network-traffic"
},
"destination": {
"address": "lacomte.net",
"domain": "lacomte.net",
"registered_domain": "lacomte.net",
"top_level_domain": "net"
},
"email": {
"from": {
"address": [
"mechant@mordor.com"
]
},
"to": {
"address": [
"Pipin.touque@lacomte.net"
]
}
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"lacomte.net",
"mordor.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "mordor.com",
"domain": "mordor.com",
"ip": "1.1.1.1",
"registered_domain": "mordor.com",
"top_level_domain": "com"
}
}
{
"message": "action=pass, reason=client AAA, client_name=example.com, client_address=1.2.3.4, sender=Coyotte@acme.com, recipient=BIPBIP.NEWMAN@acme.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "client AAA",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "client AAA",
"target": "network-traffic"
},
"destination": {
"address": "acme.com",
"domain": "acme.com",
"registered_domain": "acme.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"Coyotte@acme.com"
]
},
"to": {
"address": [
"BIPBIP.NEWMAN@acme.com"
]
}
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"acme.com",
"example.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.com",
"domain": "example.com",
"ip": "1.2.3.4",
"registered_domain": "example.com",
"top_level_domain": "com"
}
}
{
"message": "E43D43F838: uid=117 from=<no-reply@example.org>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"no-reply@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/pickup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/pipe"
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "foreman-proxy"
},
"related": {
"hosts": [
"example.org"
]
}
}
{
"message": "1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/pipe"
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "dmarc@example.org"
},
"related": {
"hosts": [
"example.org"
]
}
}
{
"message": "7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/pipe"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
]
}
}
{
"message": "Action: prepend: Text: Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=ops@corp.com; receiver=<UNKNOWN> Reject action: 550 5.7.23 210",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"ops@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"corp.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "corp.com",
"domain": "corp.com",
"ip": "1.1.1.1",
"registered_domain": "corp.com",
"top_level_domain": "com"
}
}
{
"message": "Action: prepend: Text: Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=<>; receiver=<UNKNOWN> Reject action: 550 5.7.23",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"target": "network-traffic"
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.outbound.protection.outlook.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.outbound.protection.outlook.com",
"domain": "example.outbound.protection.outlook.com",
"ip": "1.2.3.4",
"registered_domain": "outlook.com",
"subdomain": "example.outbound.protection",
"top_level_domain": "com"
}
}
{
"message": "Action: prepend: Text: Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.com; receiver=<UNKNOWN> Reject action: 550 5.7.23",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"outcome_reason": "SPF validation failed",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"noreply@example.com"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1.2.3.4"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"domain": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "Neutral; identity=mailfrom; client-ip=1.2.3.4; helo=example.mail.protection.outlook.com; envelope-from=john.doem@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Neutral",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"john.doem@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.mail.protection.outlook.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.mail.protection.outlook.com",
"domain": "example.mail.protection.outlook.com",
"ip": "1.2.3.4",
"registered_domain": "outlook.com",
"subdomain": "example.mail.protection",
"top_level_domain": "com"
}
}
{
"message": "None; identity=helo; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1.2.3.4"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"domain": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "Pass; identity=helo; client-ip=1.2.3.4; helo=mail.example.org; envelope-from=<>; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Pass",
"outcome": "success",
"target": "network-traffic"
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mail.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mail.example.org",
"domain": "mail.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mail",
"top_level_domain": "org"
}
}
{
"message": "Pass; identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Pass",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.outbound.protection.outlook.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.outbound.protection.outlook.com",
"domain": "example.outbound.protection.outlook.com",
"ip": "1.2.3.4",
"registered_domain": "outlook.com",
"subdomain": "example.outbound.protection",
"top_level_domain": "com"
}
}
{
"message": "Permerror; identity=helo; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Permerror",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Permerror",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=no-reply@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Permerror",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"no-reply@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "Softfail; identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Softfail",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"noreply@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1.2.3.4"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"domain": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=mx.example.com; envelope-from=prvs=30447fe13=no-reply@example.com; receiver=<UNKNOWN> Reject action: 550 5.7.23",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"outcome_reason": "SPF validation failed",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"prvs=30447fe13=no-reply@example.com"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.com",
"domain": "mx.example.com",
"ip": "1.2.3.4",
"registered_domain": "example.com",
"subdomain": "mx",
"top_level_domain": "com"
}
}
{
"message": "prepend Received-SPF: Fail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: Neutral (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "prepend Received-SPF",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: None (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1.2.3.4"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"domain": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "prepend Received-SPF: None (no SPF record) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "prepend Received-SPF",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "prepend Received-SPF",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: Softfail (domain owner discourages use of this host) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "prepend Received-SPF",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "Action: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=11.22.33.44; helo=mta-11-22-33-44.example.or; envelope-from=doe@newsletter.example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"doe@newsletter.example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mta-11-22-33-44.example.or"
],
"ip": [
"11.22.33.44"
]
},
"source": {
"address": "mta-11-22-33-44.example.or",
"domain": "mta-11-22-33-44.example.or",
"ip": "11.22.33.44",
"subdomain": "mta-11-22-33-44.example"
}
}
{
"message": "Pass; identity=mailfrom; client-ip=1.1.1.1; helo=mail.corp.com; envelope-from=username@corp.com; receiver=<UNKNOWN> 131",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Pass",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"username@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mail.corp.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "mail.corp.com",
"domain": "mail.corp.com",
"ip": "1.1.1.1",
"registered_domain": "corp.com",
"subdomain": "mail",
"top_level_domain": "com"
}
}
{
"message": "None; identity=helo; client-ip=1.1.1.1; helo=sub.corp.com; envelope-from=noreply@corp.com; receiver=<UNKNOWN> 128",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"noreply@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"sub.corp.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "sub.corp.com",
"domain": "sub.corp.com",
"ip": "1.1.1.1",
"registered_domain": "corp.com",
"subdomain": "sub",
"top_level_domain": "com"
}
}
{
"message": "Softfail; identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=username@corp.com; receiver=<UNKNOWN> 120",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Softfail",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"username@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"corp.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "corp.com",
"domain": "corp.com",
"ip": "1.1.1.1",
"registered_domain": "corp.com",
"top_level_domain": "com"
}
}
{
"message": "Action: prepend: Text: Received-SPF: None (mailfrom) identity=mailfrom; client-ip=2.3.4.5; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN> Reject action: 550 5.7.23",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"outcome_reason": "SPF validation failed",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1.2.3.4"
],
"ip": [
"2.3.4.5"
]
},
"source": {
"address": "1.2.3.4",
"domain": "1.2.3.4",
"ip": "2.3.4.5"
}
}
{
"message": "Action: prepend: Text: Received-SPF: None (no SPF record) identity=helo; client-ip=2.3.4.5; helo=posta.example.org; envelope-from=<>; receiver=<UNKNOWN> Reject action: 550 5.7.23",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"target": "network-traffic"
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"posta.example.org"
],
"ip": [
"2.3.4.5"
]
},
"source": {
"address": "posta.example.org",
"domain": "posta.example.org",
"ip": "2.3.4.5",
"registered_domain": "example.org",
"subdomain": "posta",
"top_level_domain": "org"
}
}
{
"message": "Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver=<UNKNOWN> Reject action: 550 5.7.23",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"outcome_reason": "SPF validation failed",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.outbound.protection.outlook.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.outbound.protection.outlook.com",
"domain": "example.outbound.protection.outlook.com",
"ip": "1.2.3.4",
"registered_domain": "outlook.com",
"subdomain": "example.outbound.protection",
"top_level_domain": "com"
}
}
{
"message": "7B082110A6E0: host smtp.office365.com[40.101.136.242] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=EXAMPLE.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information.",
"type": [
"info"
]
},
"action": {
"outcome": "success",
"outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped",
"target": "network-traffic",
"type": "end of DATA"
},
"destination": {
"address": "40.101.136.242",
"domain": "smtp.office365.com",
"ip": "40.101.136.242"
},
"log": {
"syslog": {
"appname": "postfix"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"EXAMPLE.PROD.OUTLOOK.COM",
"smtp.office365.com"
],
"ip": [
"40.101.136.242"
]
},
"source": {
"address": "EXAMPLE.PROD.OUTLOOK.COM",
"domain": "EXAMPLE.PROD.OUTLOOK.COM",
"registered_domain": "OUTLOOK.COM",
"subdomain": "EXAMPLE.PROD",
"top_level_domain": "COM"
}
}
{
"message": "01B3A96050: Used TLS for 10.19.65.1[10.19.65.1]:587",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "10.19.65.1",
"domain": "10.19.65.1",
"ip": "10.19.65.1",
"port": 587
},
"log": {
"syslog": {
"appname": "postfix"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"10.19.65.1"
],
"ip": [
"10.19.65.1"
]
}
}
{
"message": "023069605C: Used TLS for smtp.example.org[163.172.55.8]:25",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "163.172.55.8",
"domain": "smtp.example.org",
"ip": "163.172.55.8",
"port": 25
},
"log": {
"syslog": {
"appname": "postfix"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"163.172.55.8"
]
}
}
{
"message": "NOQUEUE: client=unknown[10.100.0.3]",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "10.100.0.3",
"ip": "10.100.0.3"
},
"log": {
"syslog": {
"appname": "postfix"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"10.100.0.3"
]
}
}
{
"message": "warning: read TCP map reply from 127.0.0.1:10030: unexpected EOF (Operation now in progress)",
"event": {
"category": [
"email"
],
"reason": "unexpected EOF (Operation now in progress)",
"type": [
"info"
]
},
"destination": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"port": 10030
},
"log": {
"syslog": {
"appname": "postfix"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
]
}
}
{
"message": "0A90996059: to=<sms@mail2sms.smsbox.net>, relay=localhost[127.0.0.1]:10025, conn_use=3, delay=5.2, delays=0/0/0/5.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0BF0C9605C)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "mail2sms.smsbox.net",
"domain": "mail2sms.smsbox.net",
"registered_domain": "smsbox.net",
"subdomain": "mail2sms",
"top_level_domain": "net"
},
"email": {
"to": {
"address": [
"sms@mail2sms.smsbox.net"
]
}
},
"log": {
"syslog": {
"appname": "postfix"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mail2sms.smsbox.net"
]
}
}
{
"message": "proxy-accept: END-OF-MESSAGE: 250 2.0.0 Ok: queued as 7949396087; from=<jdoe@example.org> to=<jane.doe@example.org> proto=ESMTP helo=<mx.example.org>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "accept",
"outcome": "success",
"target": "network-traffic",
"type": "END-OF-MESSAGE"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org",
"mx.example.org"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "581B85F5B3: warning: header Content-Disposition: inline; filename=\"\"image018.png\"\"; size=162328;??creation-date=\"\"Thu, 11 Apr 2024 07:53:08 GMT\"\";??modification-date=\"\"Thu, 11 Apr 2024 07:53:08 GMT\"\" from local; from=<jdoe@example.org> to=<jane.doe@example.com>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"file": {
"name": "image018.png",
"size": 162328
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"example.org"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "59B835F5AD: warning: header Content-Disposition: attachment;??filename=\"\"=?utf-8?B?111111111111111111111111111111111111111111111111111111111111?=? =?utf-8?B?222222222222222222222222222222222222222222222222222222222222?=? =?utf-8? from local; from=<jdoe@example.org> to=<jane.doe@example.com>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"example.org"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "EBA403F815: message-id=<74c99d8a-eb8b-4045-ae8e-6d3f6d51b41d@example.org>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "74c99d8a-eb8b-4045-ae8e-6d3f6d51b41d@example.org"
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
}
}
{
"message": "000FA5FD8F: prepend: header From: John Doe <jdoe@example.org> from localhost[127.0.0.1]; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: TRUE",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix-nospam/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"smtp.example.org"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "127.0.0.1",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "008BB5FD76: prepend: header From: =?UTF-8?q?Cellier_du_P=C3=A9rigord?=??<newsletter@wine.com> from localhost[127.0.0.1]; from=<newsletter@wine.com> to=<jdoe@example.org> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: FALSE",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"from": {
"address": [
"newsletter@wine.com"
]
},
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix-nospam/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org",
"smtp.example.org"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "127.0.0.1",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "action=greylist, reason=early-retry (10s missing), client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "early-retry (10s missing)",
"type": [
"info"
]
},
"action": {
"name": "greylist",
"outcome": "success",
"outcome_reason": "early-retry (10s missing)",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"mx.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "action=greylist, reason=new, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "new",
"type": [
"info"
]
},
"action": {
"name": "greylist",
"outcome": "success",
"outcome_reason": "new",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"mx.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "action=greylist, reason=new, client_name=unknown, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "new",
"type": [
"info"
]
},
"action": {
"name": "greylist",
"outcome": "success",
"outcome_reason": "new",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"domain": "example.org",
"ip": "1.2.3.4"
}
}
{
"message": "action=pass, reason=client AWL, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "client AWL",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "client AWL",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"mx.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "action=pass, reason=client whitelist, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "client whitelist",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "client whitelist",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"mx.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "action=pass, reason=triplet found, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "triplet found",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "triplet found",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"mx.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "whitelisted: mx.example.org[1.2.3.4/32]",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "whitelisted: unknown[1.2.3.4/32]",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "89BE920002: from=<test1@acme.com>, size=152518, nrcpt=1 (queue active)",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"test1@acme.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/qmgr"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"acme.com"
]
},
"source": {
"address": "acme.com",
"domain": "acme.com",
"registered_domain": "acme.com",
"top_level_domain": "com"
}
}
{
"message": "074955F67C: from=<bounce+41deb4.277afa-Heather.STEWART=corp.com@hrd.corp.com>, size=4303, nrcpt=1 (queue active)",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"bounce+41deb4.277afa-Heather.STEWART=corp.com@hrd.corp.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/qmgr"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"hrd.corp.com"
]
},
"source": {
"address": "hrd.corp.com",
"domain": "hrd.corp.com",
"registered_domain": "corp.com",
"subdomain": "hrd",
"top_level_domain": "com"
}
}
{
"message": "CA9311112C08: to=<f.lastname@corp.com>, relay=srv.corp.com[1.1.1.1]:25, delay=8.4, delays=7.6/0/0.31/0.47, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4TwNdH5zwCz7fxV) 257",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"outcome_reason": "success",
"target": "network-traffic"
},
"destination": {
"address": "1.1.1.1",
"domain": "srv.corp.com",
"ip": "1.1.1.1",
"port": 25
},
"email": {
"to": {
"address": [
"f.lastname@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"srv.corp.com"
],
"ip": [
"1.1.1.1"
]
}
}
{
"message": "56E28C0007: to=<rob@exemple.com>, relay=1.1.1.1[1.1.1.1]:10025, delay=0.63, delays=0.57/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DF82A21108)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"outcome_reason": "success",
"target": "network-traffic"
},
"destination": {
"address": "1.1.1.1",
"domain": "1.1.1.1",
"ip": "1.1.1.1",
"port": 10025
},
"email": {
"to": {
"address": [
"rob@exemple.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1.1.1.1"
],
"ip": [
"1.1.1.1"
]
}
}
{
"message": "95BCC140E40: replace: header From: EXAMPLE <hola@example.org>: From: noreply@example.org",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"hola@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure",
"event": {
"category": [
"email"
],
"reason": "SASL LOGIN authentication failed: authentication failure",
"type": [
"info"
]
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"11.22.33.44"
]
},
"source": {
"address": "11.22.33.44",
"ip": "11.22.33.44"
}
}
{
"message": "175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "foreman-proxy"
},
"related": {
"hosts": [
"example.org"
]
}
}
{
"message": "1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "dmarc@example.org"
},
"related": {
"hosts": [
"example.org"
]
}
}
{
"message": "7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"outcome_reason": "success",
"target": "network-traffic"
},
"destination": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 10025
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
]
}
}
{
"message": "05BC43F81E: host mx.example.org[5.6.7.8] said: 421 4.3.0 Upstream error, please check https://example.com/email-routing/postmaster for possible reasons why. yrtPbwx4hZz2 (in reply to end of DATA command)",
"event": {
"category": [
"email"
],
"reason": "Upstream error, please check https://example.com/email-routing/postmaster for possible reasons why. yrtPbwx4hZz2 (in reply to end of DATA command)",
"type": [
"info"
]
},
"destination": {
"address": "5.6.7.8",
"domain": "mx.example.org",
"ip": "5.6.7.8"
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"5.6.7.8"
]
}
}
{
"message": "30D713F81F: host mx.example.org[5.6.7.8] said: 450 4.1.1 <abuse@example.com>: Recipient address rejected: unverified address: Mailbox might be disabled, full, or may not exist on the server. Reason: JFE030050 (in reply to RCPT TO command)",
"event": {
"category": [
"email"
],
"reason": "<abuse@example.com>: Recipient address rejected: unverified address: Mailbox might be disabled, full, or may not exist on the server. Reason: JFE030050 (in reply to RCPT TO command)",
"type": [
"info"
]
},
"destination": {
"address": "5.6.7.8",
"domain": "mx.example.org",
"ip": "5.6.7.8"
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"5.6.7.8"
]
}
}
{
"message": "connect to mx.example.org[5.6.7.8]:25: No route to host",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "5.6.7.8",
"domain": "mx.example.org",
"ip": "5.6.7.8",
"port": 25
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"5.6.7.8"
]
}
}
{
"message": "connect to mail.corp.com[1.1.1.1]:25: Connection timed out 125",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "1.1.1.1",
"domain": "mail.corp.com",
"ip": "1.1.1.1",
"port": 25
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mail.corp.com"
],
"ip": [
"1.1.1.1"
]
}
}
{
"message": "96887C0006: to=<rob@exemple.com>, relay=exemple.com[1.1.1.1]:25, delay=354776, delays=354775/0/0.9/0.16, dsn=4.3.1, status=deferred (host exemple.com[1.1.1.1] said: 452 4.3.1 Insufficient system storage (in reply to MAIL FROM command))",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "deferred",
"outcome": "success",
"outcome_reason": "The recipient`s mail server is experiencing a Disk Full condition",
"target": "network-traffic"
},
"destination": {
"address": "1.1.1.1",
"domain": "exemple.com",
"ip": "1.1.1.1",
"port": 25
},
"email": {
"to": {
"address": [
"rob@exemple.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"exemple.com"
],
"ip": [
"1.1.1.1"
]
}
}
{
"message": "021C03F820: filter: RCPT from mx.example.org[192.168.100.124]: <mx.example.org[192.168.100.124]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<mx.example.com>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"mx.example.com"
],
"ip": [
"192.168.100.124"
]
},
"source": {
"address": "mx.example.com",
"domain": "mx.example.com",
"ip": "192.168.100.124",
"registered_domain": "example.com",
"subdomain": "mx",
"top_level_domain": "com"
}
}
{
"message": "lost connection after BDAT from mx.example.org[192.168.100.124]",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "lost connection",
"outcome": "success",
"target": "network-traffic",
"type": "BDAT"
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"192.168.100.124"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "192.168.100.124",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "warning: hostname mx.example.org does not resolve to address 5.6.7.8: Name or service not known",
"event": {
"category": [
"email"
],
"reason": "Name or service not known",
"type": [
"info"
]
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"5.6.7.8"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "5.6.7.8",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "warning: mx.example.org[192.168.100.132]: SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@exmaple.org",
"event": {
"category": [
"email"
],
"reason": "SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@exmaple.org",
"type": [
"info"
]
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"192.168.100.132"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "192.168.100.132",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "lost connection after AUTH from unknown[1.1.1.1]",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "lost connection",
"outcome": "success",
"target": "network-traffic",
"type": "AUTH"
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "1.1.1.1",
"ip": "1.1.1.1"
}
}
{
"message": "connect from unknown[10.1.1.1] 88",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "connect",
"outcome": "success",
"target": "network-traffic"
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"10.1.1.1"
]
},
"source": {
"address": "10.1.1.1",
"ip": "10.1.1.1"
}
}
{
"message": "Trusted TLS connection established from mail.outbound.protection.outlook.com[1.1.1.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mail.outbound.protection.outlook.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "mail.outbound.protection.outlook.com",
"domain": "mail.outbound.protection.outlook.com",
"ip": "1.1.1.1",
"registered_domain": "outlook.com",
"subdomain": "mail.outbound.protection",
"top_level_domain": "com"
}
}
{
"message": "Trusted TLS connection established to mx.corp.com[1.1.1.1]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "1.1.1.1",
"domain": "mx.corp.com",
"ip": "1.1.1.1",
"port": 25
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.corp.com"
],
"ip": [
"1.1.1.1"
]
}
}
{
"message": "Trusted TLS connection established to 127.0.0.1[127.0.0.1]:10025: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 201",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 10025
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
]
}
}
{
"message": "spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID scantime=3.4,size=120289,user=debian-spamd,uid=119,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=44944,mid=<11111111111111@uexample.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<11111111111111@uexample.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 44944
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_HOTMAIL_RCVD2,FREEMAIL_FROM,HTML_IMAGE_RATIO_04,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.7,size=102578,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45880,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 45880
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,SPF_PASS,T_FREEMAIL_DOC_PDF scantime=4.7,size=2252595,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=49594,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 49594
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DMARC_PASS,MIME_HEADER_CTYPE_ONLY,MISSING_DATE,MISSING_MID,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=4260,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=46436,mid=(unknown),autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "(unknown)"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 46436
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=8094,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=39504,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 39504
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=61589,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=37172,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 37172
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_08,HTML_MESSAGE,LOTS_OF_MONEY,MIME_HTML_MOSTLY,MPART_ALT_DIFF,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=164381,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=56082,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 56082
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,HTML_OBFUSCATE_05_10,MIME_HTML_ONLY,SPF_HELO_PASS,SPF_PASS scantime=2.5,size=1572,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=51336,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 51336
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -6 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=7882,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33278,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 33278
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: connection from test.com [127.0.0.1]:33620 to port 783, fd 5",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"port": 783
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"test.com"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "test.com",
"domain": "test.com",
"ip": "127.0.0.1",
"port": 33620,
"registered_domain": "test.com",
"top_level_domain": "com"
}
}
{
"message": "spamd: connection from mx.example.org [127.0.0.1]:33620 to port 783, fd 5",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"port": 783
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "127.0.0.1",
"port": 33620,
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "spamd: connection from example.org [127.0.0.1]:53684 to port 783, fd 5",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"port": 783
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"ip": "127.0.0.1",
"port": 53684,
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "spamd: processing message <!&!AAAAAAAAAAAYAAAAAAAAA111111111111111111111111111111111/22222222222222/u47tEBAAAAAA==@example.org> for debian-spamd:118",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "!&!AAAAAAAAAAAYAAAAAAAAA111111111111111111111111111111111/22222222222222/u47tEBAAAAAA==@example.org"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
}
}
{
"message": "spamd: processing message <!&!AAAAAAAAAAAuAAAAAAAAAOC333333333333333333333333333333333333333q555555555555555555555555555555555555555555555555=@yahoo.fr> for debian-spamd:117",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "!&!AAAAAAAAAAAuAAAAAAAAAOC333333333333333333333333333333333333333q555555555555555555555555555555555555555555555555=@yahoo.fr"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
}
}
{
"message": "spamd: processing message <0113018ecc14540b-4a312890-d3e4-4332-887c-1d5be7521aa1-000000@eu-west-3.amazonses.com> for debian-spamd:118",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "0113018ecc14540b-4a312890-d3e4-4332-887c-1d5be7521aa1-000000@eu-west-3.amazonses.com"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
}
}
{
"message": "spamd: processing message <55555555555555555555555555555555555-8nmAAKsF_9_U+fg@mail.gmail.com> for debian-spamd:118",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "55555555555555555555555555555555555-8nmAAKsF_9_U+fg@mail.gmail.com"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
}
}
{
"message": "spamd: processing message <66666666666666666666666666666666666666@EXAMPLE.PROD.OUTLOOK.COM> for debian-spamd:117",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "66666666666666666666666666666666666666@EXAMPLE.PROD.OUTLOOK.COM"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
}
}
{
"message": "spamd: result: . -1 - AC_DIV_BONANZA,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,URI_NOVOWEL scantime=3.2,size=209868,user=debian-spamd,uid=117,required_score=5.0,rhost=test.host.test,raddr=127.0.0.1,rport=44702,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"test.host.test"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "test.host.test",
"domain": "test.host.test",
"ip": "127.0.0.1",
"port": 44702,
"subdomain": "test.host"
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - ANY_BOUNCE_MESSAGE,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,OOOBOUNCE_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.7,size=14228,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=36236,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 36236
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - APOSTROPHE_FROM,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=4.9,size=575869,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=41352,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 41352
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DEAR_SOMETHING,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,PDS_BTC_ID,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_NONE scantime=5.3,size=468649,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=42678,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 42678
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DEAR_SOMETHING,DMARC_PASS,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=3254,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45060,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 45060
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.3,size=10467,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45920,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 45920
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DKIM_INVALID,DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,T_REMOTE_IMAGE scantime=2.9,size=65264,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33254,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 33254
},
"user": {
"name": "debian-spamd"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.
Name | Type | Description |
---|---|---|
action.target | keyword | |
destination.address | keyword | Destination network address. |
destination.domain | keyword | The domain name of the destination. |
destination.ip | ip | IP address of the destination. |
destination.port | long | Port of the destination. |
email.from.address | keyword | The sender's email address. |
email.message_id | wildcard | Value from the Message-ID header. |
email.to.address | keyword | Email address of recipient |
event.category | keyword | Event category. The second categorization field in the hierarchy. |
event.reason | keyword | Reason why this event happened, according to the source |
event.type | keyword | Event type. The third categorization field in the hierarchy. |
file.created | date | File creation time. |
file.ctime | date | Last time the file attributes or metadata changed. |
file.name | keyword | Name of the file including the extension, without the directory. |
file.size | long | File size in bytes. |
network.protocol | keyword | Application protocol name. |
postfix.orig_to | keyword | |
source.address | keyword | Source network address. |
source.domain | keyword | The domain name of the source. |
source.ip | ip | IP address of the source. |
source.port | long | Port of the source. |
user.name | keyword | Short name or login of the user. |
Configure
As of now, the main solution for collecting Postfix logs relies on the Rsyslog recipe. Please share your experience with other recipes by editing this documentation.
Rsyslog
Please refer to the Postfix documentation to forward events to your rsyslog server, then consult the Rsyslog Transport documentation to forward these logs to Sekoia.io.