Postfix Quick Reference
These are just some notes on things I do in Postfix.
Finding a user who has been hacked
- Look for messages that are being sent to multiple recipients. This counts log lines per queue ID and lists the busiest IDs first.
grep 'postfix/smtp' /var/log/mail.log | cut -d ':' -f4 | grep -v 'connect' | grep -v warning | grep -v SSL | sort | uniq -c | sort -nr | head
- Grab one of the queue identifiers and look at where it originated. The command above returned 47B5F826C2.
grep 47B5F826C2 /var/log/mail.log | grep 'from=' | cut -d':' -f5 | cut -d'<' -f2 | cut -d'>' -f1
- Choose a username. This returned mail.brakzijn.nl@my.server.
grep mail.brakzijn.nl /var/log/mail.log | grep RCPT | cut -d'[' -f3 | cut -d']' -f1 | sort | uniq -c | sort -rn | head
- See the IP they are coming from, then look for the login that is associated with it.
grep -F 129.205.113.219 /var/log/mail.log | grep 'sasl_method=LOGIN' | cut -d'=' -f4 | sort | uniq -c | sort -rn
- That is the user that has been hacked.
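The same hunt in a single pass, as an added example that is not part of the original notes: it maps each queue ID to the SASL login that submitted it, then ranks logins by delivery attempts and by the number of distinct client IPs. It assumes traditional syslog timestamps (queue ID in the sixth whitespace-separated field); the function names and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Rank SASL logins by outbound delivery attempts and distinct client IPs.
# Output columns: <deliveries> <distinct client IPs> <sasl_username>
sasl_top_senders() {
    awk '
    # smtpd accepted an authenticated message: remember queue ID -> login
    /postfix\/smtpd\[/ && /sasl_username=/ {
        qid = $6; sub(/:$/, "", qid)
        user = $0; sub(/.*sasl_username=/, "", user); sub(/[, ].*/, "", user)
        ip = $0; sub(/.*client=/, "", ip); sub(/\].*/, "", ip); sub(/.*\[/, "", ip)
        owner[qid] = user
        if (!((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
    }
    # smtp client logs one line per recipient delivery attempt
    /postfix\/smtp\[/ && / to=</ {
        qid = $6; sub(/:$/, "", qid)
        if (qid in owner) sent[owner[qid]]++
    }
    END { for (u in sent) printf "%d %d %s\n", sent[u], ips[u], u }
    ' "$@" | sort -rn
}

# Constructed sample log (documentation addresses, made-up queue IDs).
sample_log() {
    cat <<'EOF'
Sep 14 10:00:01 mx postfix/smtpd[2101]: A1B2C3D4E5: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.org
Sep 14 10:00:02 mx postfix/smtp[2110]: A1B2C3D4E5: to=<r1@example.net>, relay=mx.example.net[203.0.113.5]:25, status=sent (250 ok)
Sep 14 10:00:02 mx postfix/smtp[2110]: A1B2C3D4E5: to=<r2@example.net>, relay=mx.example.net[203.0.113.5]:25, status=sent (250 ok)
Sep 14 10:00:03 mx postfix/smtp[2111]: A1B2C3D4E5: to=<r3@example.com>, relay=none, status=deferred (connect timed out)
Sep 14 10:05:00 mx postfix/smtpd[2102]: F6E7D8C9B0: client=unknown[203.0.113.99], sasl_method=LOGIN, sasl_username=bob@example.org
Sep 14 10:05:01 mx postfix/smtp[2112]: F6E7D8C9B0: to=<r4@example.net>, relay=mx.example.net[203.0.113.5]:25, status=sent (250 ok)
Sep 14 10:06:00 mx postfix/smtpd[2103]: 0123456789: client=host.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.org
Sep 14 10:06:01 mx postfix/smtp[2113]: 0123456789: to=<friend@example.com>, relay=mx.example.com[203.0.113.8]:25, status=sent (250 ok)
EOF
}

# Demo on the sample; on a real server run: sasl_top_senders /var/log/mail.log | head
sample_log | sasl_top_senders
```

A login with many deliveries from several unrelated client IPs is the one to lock and reset first. Postfix reuses queue IDs over time, so run this over a bounded window of the log rather than months of history.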
software/postfix/quickreference.1600131626.txt.gz · Last modified: 2020/09/14 20:00 by rodolico