New Member

How to use Message Filter to log postfix authenticated sender header

I'm trying to log the username from the postfix authenticated sender header information.

Here is an example of the header:

Received: from [123.123.123.123] (client.domain.edu [234.234.234.234])
(using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client
 certificate requested) (Authenticated sender: username@ad.domain.edu) by
 postfix.domain.edu (Postfix) with ESMTPSA id DE8A3E9429 for
 <username@domain.edu>; Thu, 12 Jun 2014 12:16:56 -0700 (PDT)
 
And here is the message filter I'm working on:
if (recv-int == "OutboundIP") {
    if (header('Received') == '\\(Authenticated sender: .+@ad\\.domain\\.edu\\)') {
        log-entry("Authenticated Sender: '$MatchedContent'");
    }
}
 
Everything is working except for the $MatchedContent variable.  It is creating the custom log entry but it is only showing as "Authenticated Sender: "
 
Does anyone have any ideas on how to get the $MatchedContent variable to work or another way to log that username?
 
Cisco Employee

Try taking out the ' from around your '$MatchedContent'...

My example:

dictionary_match:
if (dictionary-match('not_allowed_words')) {
    edit-header-text("Subject", "^", "Notice Content Matched on: $MatchedContent");
    log-entry("#---# This email had: $MatchedContent #---#");
    notify('robsherw@cisco.com');
}

Sent an email with a known "secret" in the email body... and "secret" is in my "not_allowed_words" dictionary... so it'll trip my "dictionary_match" message filter...

Mail logs --->

Thu Jun 12 23:10:46 2014 Info: New SMTP ICID 181 interface Management (172.16.6.165) address 172.16.6.1 reverse dns host unknown verified no
Thu Jun 12 23:10:46 2014 Info: ICID 181 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
Thu Jun 12 23:10:46 2014 Info: Start MID 105 ICID 181
Thu Jun 12 23:10:46 2014 Info: MID 105 ICID 181 From: <robsherw.cisco@gmail.com>
Thu Jun 12 23:10:46 2014 Info: MID 105 ICID 181 RID 0 To: <robsherw_cisco@yahoo.com>
Thu Jun 12 23:10:46 2014 Info: MID 105 Message-ID '<4DFE4A57-854D-4490-8C36-7ED27DD91F55@gmail.com>'
Thu Jun 12 23:10:46 2014 Info: MID 105 Subject 'This email has an issue'
Thu Jun 12 23:10:46 2014 Info: MID 105 ready 561 bytes from <robsherw.cisco@gmail.com>
Thu Jun 12 23:10:46 2014 Info: MID 105 Custom Log Entry: #---# This email had: secret #---#
Thu Jun 12 23:10:46 2014 Info: Start MID 106 ICID 0
Thu Jun 12 23:10:46 2014 Info: MID 106 was generated based on MID 105 by notify filter 'dictionary_match'
Thu Jun 12 23:10:46 2014 Info: MID 106 ICID 0 From: <MAILER-DAEMON@myesa.local>
Thu Jun 12 23:10:46 2014 Info: MID 106 ICID 0 RID 0 To: <robsherw@cisco.com>
Thu Jun 12 23:10:46 2014 Info: MID 106 DomainKeys: cannot sign - no profile matches MAILER-DAEMON@myesa.local
Thu Jun 12 23:10:46 2014 Info: MID 106 DKIM: cannot sign - no profile matches MAILER-DAEMON@myesa.local
Thu Jun 12 23:10:46 2014 Info: MID 106 ready 970 bytes from <MAILER-DAEMON@myesa.local>
Thu Jun 12 23:10:46 2014 Info: MID 106 queued for delivery
Thu Jun 12 23:10:46 2014 Info: MID 105 matched all recipients for per-recipient policy mygmail_inbound in the inbound table
Thu Jun 12 23:10:46 2014 Info: MID 105 queued for delivery
Thu Jun 12 23:10:46 2014 Info: New SMTP DCID 53 interface 172.16.6.165 address 173.36.13.143 port 25
Thu Jun 12 23:10:46 2014 Info: New SMTP DCID 54 interface 172.16.6.165 address 173.36.13.143 port 25
Thu Jun 12 23:10:46 2014 Info: Delivery start DCID 54 MID 105 to RID [0]
Thu Jun 12 23:10:47 2014 Info: DCID 53 TLS success protocol TLSv1 cipher RC4-SHA 
Thu Jun 12 23:10:47 2014 Info: Delivery start DCID 53 MID 106 to RID [0]
Thu Jun 12 23:10:47 2014 Info: Message done DCID 54 MID 105 to RID [0] 
Thu Jun 12 23:10:47 2014 Info: MID 105 RID [0] Response '2.0.0 s5D3Aobe022251 Message accepted for delivery'
Thu Jun 12 23:10:47 2014 Info: Message finished MID 105 done
Thu Jun 12 23:10:47 2014 Info: Message done DCID 53 MID 106 to RID [0] 
Thu Jun 12 23:10:47 2014 Info: MID 106 RID [0] Response '2.0.0 s5D3AoFH012632 Message accepted for delivery'
Thu Jun 12 23:10:47 2014 Info: Message finished MID 106 done
Thu Jun 12 23:10:52 2014 Info: DCID 54 close
Thu Jun 12 23:10:52 2014 Info: DCID 53 close

 

I hope this helps!

-Robert

 

(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

New Member

Same result after removing the single quotes. Is it possible that the Header function doesn't use the $MatchedContent variable? I am successfully using $MatchedContent in other filters but they aren't using Header().
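Added example, not part of the thread and not an ESA message filter: a Python sketch that pulls the authenticated sender out of the Received header format quoted in the question, for use on a raw message copy outside the appliance. It assumes the submission host is postfix.domain.edu as in the question; the second Received header in the sample is constructed to show why only the topmost header written by that host is read, since headers below it arrive with the message and are sender-controlled.

```python
import re
from email import message_from_string

TRUSTED_MTA = "postfix.domain.edu"  # assumption: the Postfix host named in the question

# Constructed sample: the header from the question on top, and below it a
# client-supplied Received header claiming a different authenticated sender.
SAMPLE = (
    "Received: from [123.123.123.123] (client.domain.edu [234.234.234.234])\n"
    "\t(using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client\n"
    " certificate requested) (Authenticated sender: username@ad.domain.edu) by\n"
    " postfix.domain.edu (Postfix) with ESMTPSA id DE8A3E9429 for\n"
    " <username@domain.edu>; Thu, 12 Jun 2014 12:16:56 -0700 (PDT)\n"
    "Received: from x (x [10.0.0.1]) (Authenticated sender: admin@ad.domain.edu)\n"
    " by postfix.domain.edu (Postfix) with ESMTPSA id 0000000000;\n"
    " Thu, 12 Jun 2014 12:00:00 -0700 (PDT)\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

AUTH_RE = re.compile(r"\(Authenticated sender: ([^()\s]+@[^()\s]+)\)")
BY_RE = re.compile(r"\bby\s+(\S+)\s+\(Postfix\)")

def authenticated_sender(raw_message, trusted_mta=TRUSTED_MTA):
    """Return the SASL login recorded by the trusted Postfix hop, or None."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):   # topmost (most recent) first
        hop = " ".join(value.split())           # unfold continuation lines
        by = BY_RE.search(hop)
        if not by or by.group(1).lower() != trusted_mta:
            continue
        # First header written by the trusted host: anything below it came in
        # with the message, so the answer is decided here either way.
        m = AUTH_RE.search(hop)
        return m.group(1) if m else None
    return None
```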