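#!/usr/bin/perl
#-------------------------------------------------------
# Convert a mail log file to a common log file for analyzing with any log
# analyzer.
#-------------------------------------------------------
# Tool built from original work of Odd-Jarle Kristoffersen
# Note 1: QMail must log in syslog format for timestamps to work.
# Note 2: QMail logging is not 100% accurate. Some messages might
#         not be logged correctly or completely.
#
# A mail received to 2 different receivers, report 2 records.
# A mail received to a forwarded account is reported as to the original
# receiver, not the "forwarded to".
# A mail locally sent to a local alias is reported as n mails to all addresses
# of alias.
#
# Security note: sender, recipient, relay and status text in a mail log are
# supplied by remote parties. Every value taken from a log line is treated as
# untrusted here: it is never used as a variable name, and it is neutralised
# before being written into the space-delimited output record.
#-------------------------------------------------------
use strict;
# NOTE(review): kept from the original. The qmail per-delivery tables are now
# reached only through DeliverySlot()/ref() checks, so log-derived strings are
# not dereferenced as symbol names. Confirm nothing else relies on symbolic
# references before removing this line.
no strict "refs";
# NOTE(review): 'use warnings' is deliberately not enabled; the debug strings
# interpolate fields that are often undefined.


#-------------------------------------------------------
# Defines
#-------------------------------------------------------
use vars qw/ $REVISION $VERSION /;
$REVISION='$Revision: 1.34 $'; $REVISION =~ /\s(.*)\s/; $REVISION=$1;
$VERSION="1.2 (build $REVISION)";

use vars qw/
$DIR $PROG $Extension
$Debug
%mail %qmaildelivery
$help
$mode $year $lastmon
$NBOFENTRYFOFLUSH
$MailType
%MonthNum
/;
$Debug=0;
$NBOFENTRYFOFLUSH=16384;    # Nb or records for flush of %entry (Must be a power of 2)
$MailType='';               # Mail server family (postfix, sendmail, qmail)
%MonthNum = (
'Jan'=>1,
'Feb'=>2,
'Mar'=>3,
'Apr'=>4,
'May'=>5,
'Jun'=>6,
'Jul'=>7,
'Aug'=>8,
'Sep'=>9,
'Oct'=>10,
'Nov'=>11,
'Dec'=>12
);


#-------------------------------------------------------
# Functions
#-------------------------------------------------------

# Print an error message on stdout and exit with status 1.
# Input: message text (without trailing dot or newline)
sub error {
    my $message = shift;
    print "Error: $message.\n";
    exit 1;
}

# Print a debug line when the global $Debug level is high enough.
# Input: message, optional level (default 1)
# Return: 0
# The line goes to stdout, i.e. the same stream as the converted records.
sub debug {
    my ($message, $level) = @_;
    $level ||= 1;
    if ($Debug >= $level) {
        my $debugstring = $message;
        if ($ENV{"GATEWAY_INTERFACE"}) {
            $debugstring =~ s/^ /   /;
            $debugstring .= "\n";
        }
        print localtime(time)." - DEBUG $level - $. - : $debugstring\n";
    }
    return 0;
}

# Clean a vadmin recipient.
# Removes # < | > [ ] and then the "unixuser-" prefix (everything up to and
# including the first dash).
sub CleanVadminUser {
    my $user = shift || '';
    $user =~ s/[#<|>\[\]]//g;   # Remove unwanted characters first
    $user =~ s/^(.*?)-//gi;     # Strip off unixuser- at beginning
    return $user;
}

# Clean an email address: removes # < | > [ ]
sub CleanEmail {
    my $email = shift || '';
    $email =~ s/[#<|>\[\]]//g;  # Remove unwanted characters first
    return $email;
}

# Clean host addresses
# Input:  "servername[123.123.123.123]", "servername [123.123.123.123]"
#         "root@servername", "[123.123.123.123]"
# Return: servername or 123.123.123.123 if servername is 'unknown'
sub CleanHost {
    my $host = shift || '';
    if ($host =~ /^\[(.*)\]$/) { $host = $1; }              # If [ip] we keep ip
    if ($host =~ /^unknown\s*\[/) {
        # If unknown [ip], we keep ip. The capture is only used when the
        # closing bracket is really there, never a stale $1.
        if ($host =~ /\[(.*)\]/) { $host = $1; }
    }
    else {
        $host =~ s/\s*\[.*$//;
    }
    $host =~ s/^.*\@//;                                     # If x@y, we keep y
    return $host;
}

# Return domain
# Input:  host.domain.com, <user@domain.com>, <>
# Return: the part after the last '@', or 'localhost' when nothing is left
sub CleanDomain {
    my $domain = shift;
    $domain = '' if ! defined $domain;
    $domain =~ s/>.*$//;
    $domain =~ s/[<>]//g;
    $domain =~ s/^.*@//;
    if (! $domain) { $domain = 'localhost'; }
    return $domain;
}

# Return string without starting and ending space
# An undefined input is returned unchanged.
sub trim {
    my $text = shift;
    return $text if ! defined $text;
    $text =~ s/^\s+//;
    $text =~ s/\s+$//;
    return $text;
}

# Make a log-derived value safe to print as ONE field of the output record.
# The record is space delimited, so any whitespace left inside a value would
# shift the following fields. Whitespace is encoded as %20, the same
# convention the exchange branch already applies to its addresses.
sub CleanField {
    my $value = shift;
    return $value if ! defined $value;
    $value =~ s/\s/%20/g;
    return $value;
}

# Return $mail{$id}{$field} as a hash reference (qmail keeps one 'to' and one
# 'code' entry per delivery number). A slot that holds anything else, for
# instance a plain string stored by a non-qmail line with the same id, is
# replaced by an empty hash instead of being dereferenced by name.
sub DeliverySlot {
    my ($id, $field) = @_;
    $id = '' if ! defined $id;
    if (ref($mail{$id}{$field}) ne 'HASH') { $mail{$id}{$field} = {}; }
    return $mail{$id}{$field};
}

# Write a record
# Input: year, month (Jan,Feb,... or 1,2,3...), day, time, from, to,
#        sender relay, receiver relay, code, size, forwarded-to, extra info
# Prints: "YYYY-MM-DD time from to relay_s relay_r SMTP extinfo code size"
sub OutputRecord {
    my $year=shift;
    my $month=shift;    # Jan,Feb,... or 1,2,3...
    my $day=shift;
    my $time=shift;
    my $from=shift;
    my $to=shift;
    my $relay_s=shift;
    my $relay_r=shift;
    my $code=shift;
    my $size=shift||0;
    my $forwardto=shift;
    my $extinfo=shift||'-';

    # Clean day and month
    $day=sprintf("%02d",$day);
    $month=sprintf("%02d",$MonthNum{$month}||$month);

    # Clean from
    $from=CleanField(CleanEmail($from));
    $from||='<>';

    # Clean to
    if ($mode eq 'vadmin') { $to=CleanVadminUser($to); }
    else { $to=CleanEmail($to); }
    $to=CleanField($to);
    $to||='<>';

    # Clean relay_s
    $relay_s=CleanHost($relay_s);
    $relay_s||=CleanDomain($from);
    $relay_s=~s/\.$//;
    if ($relay_s eq 'local' || $relay_s eq 'localhost.localdomain') { $relay_s='localhost'; }
    $relay_s=CleanField($relay_s);

    # Clean relay_r
    $relay_r=CleanHost($relay_r);
    $relay_r||="-";
    $relay_r=~s/\.$//;
    if ($relay_r eq 'local' || $relay_r eq 'localhost.localdomain') { $relay_r='localhost'; }
    $relay_r=CleanField($relay_r);

    # Remaining free-form fields
    $extinfo=CleanField($extinfo);
    $size=CleanField($size);

    #if we don't have info for relay_s, we keep it unknown, awstats might then guess it

    # Write line
    print "$year-$month-$day $time $from $to $relay_s $relay_r SMTP $extinfo $code $size\n";

    # If there was a redirect
    if ($forwardto) {
        # Redirect to local address
        # TODO
        # Redirect to external address
        # TODO
    }
}



#-------------------------------------------------------
# MAIN
#-------------------------------------------------------

# Prepare QueryString
# Recognised options are consumed; everything else stays in @ARGV so that
# <> reads it as an input file, whatever the order on the command line.
my @remainingargs=();
foreach my $arg (@ARGV) {
    if ($arg =~ /(^|-|&)debug=([^&]+)/i) { $Debug=$2; next; }
    if ($arg =~ /^(\d+)$/) { $year=$1; next; }
    # The option is accepted in any case, so it is compared in lower case too
    if ($arg =~ /^(standard|vadmin)$/i) { $mode=lc($1); next; }
    push @remainingargs, $arg;
}
@ARGV=@remainingargs;
$mode='' if ! defined $mode;
if ($mode ne 'standard' and $mode ne 'vadmin') { $help = 1; }

($DIR=$0) =~ s/([^\/\\]*)$//; ($PROG=$1) =~ s/\.([^\.]*)$//; $Extension=$1;

my $starttime=time();
my ($nowsec,$nowmin,$nowhour,$nowday,$nowmonth,$nowyear,$nowwday,$nowyday) = localtime($starttime);
$year||=($nowyear+1900);

# Show usage help
if ($help) {
    print "----- $PROG $VERSION -----\n";
    # NOTE(review): the "Usage" lines below are reconstructed from the
    # parameter description that follows them; the original wording between
    # the heredoc opener and "> output" was not available.
    print <<HELPTEXT;
Usage:
  perl $PROG.$Extension [standard|vadmin] [year] < logfile > output

The first parameter specifies what format the mail logfile is :
  standard - logfile is standard postfix,sendmail,qmail or mdaemon log format
  vadmin   - logfile is qmail log format with vadmin multi-host support

The second parameter specifies what year to timestamp logfile with, if current
year is not the correct one (ie. 2002). Always use 4 digits. If not specified,
current year is used.

If no output is specified, it goes to the console (stdout).

HELPTEXT
    sleep 1;
    exit;
}

#
# Start Processing Input Logfile
#
$lastmon=0;
my $numrecord=0;
my $numrecordforflush=0;
while (<>) {
    chomp $_; s/\r//;
    $numrecord++;
    $numrecordforflush++;

    my $mailid=0;

    if (/^__BREAKPOINT__/) { last; }    # For debug only

    # Follow year changes: syslog timestamps carry no year.
    # NOTE(review): the month name is searched anywhere in the line, not only
    # in the timestamp - confirm whether it can be anchored for all formats.
    my ($mon)=m/(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s/;
    if ($mon) {
        $mon = $MonthNum{$mon};
        if ($mon==12 && $lastmon==1 ){$year--;}
        if ($mon==1 && $lastmon==12){$year++;}
        $lastmon=$mon;
    }

    if (/^#/) {
        debug("Comment record");
        next;
    }

    #
    # Get sender host for postfix
    #
    elsif (/: client=/) {
        $MailType||='postfix';
        # Example:
        # postfix:  Jan 01 07:27:32 apollon.com postfix/smtpd[1684]: 2BC793B8A4: client=remt30.cluster1.abcde.net[209.225.8.40]
        my ($id,$relay_s)=m/\w+\s+\d+\s+\d+:\d+:\d+\s+[\w\-\.\@]+\s+(?:sendmail|postfix\/(?:local|lmtp|smtpd|smtp|virtual|pipe))\[\d+\]:\s+(.*?):\s+client=(.*)/;
        $mailid=$id;
        $mail{$id}{'relay_s'}=$relay_s;
        debug("For id=$id, found host sender on a 'client' line: $mail{$id}{'relay_s'}");
    }

    #
    # See if we received postfix email reject error
    #
    elsif (/: reject/) {
        $MailType||='postfix';
        # Example:
        # postfix ?.? :  Jan 01 12:00:00 halley postfix/smtpd[9245]: reject: RCPT from unknown[203.156.32.33]: 554 : Recipient address rejected: Relay access denied; from= to=
        # postfix 2.1+:  Jan 01 12:00:00 localhost postfix/smtpd[11120]: NOQUEUE: reject: RCPT from unknown[62.205.124.145]: 450 Client host rejected: cannot find your hostname, [62.205.124.145]; from= to= proto=ESMTP helo=
        # postfix ?.? :  Jan 01 12:00:00 apollon postfix/smtpd[26553]: 1954F3B8A4: reject: RCPT from unknown[80.245.33.2]: 450 : User unknown in local recipient table; from= to= proto=ESMTP helo=
        my ($mon,$day,$time,$id,$code,$from,$to)=m/(\w+)\s+(\d+)\s+(\d+:\d+:\d+)\s+[\w\-\.\@]+\s+(?:postfix\/(?:local|lmtp|smtpd|smtp|virtual|pipe))\[\d+\]:\s+(.*?):\s+(.*)\s+from=([^\s,]*)\s+to=([^\s,]*)/;
        # postfix:  Jan 01 14:10:16 juni postfix/smtpd[2568]: C34ED1432B: reject: RCPT from relay2.tp2rc.edu.tw[163.28.32.177]: 450 : User unknown in local recipient table; from=<> proto=ESMTP helo=
        if (! $mon) { ($mon,$day,$time,$id,$code,$from)=m/(\w+)\s+(\d+)\s+(\d+:\d+:\d+)\s+[\w\-\.\@]+\s+(?:postfix\/(?:local|lmtp|smtpd|smtp|virtual|pipe))\[\d+\]:\s+(.*?):\s+(.*)\s+from=([^\s,]*)/; }
        $mailid=($id eq 'reject' || $id eq 'NOQUEUE'?'999':$id);   # id not provided in log, we take '999'
        if ($mailid) {
            # $code='reject: RCPT from unknown[203.156.32.33]: 554 : Recipient address rejected: Relay access denied;'
            #    or 'reject: RCPT from unknown[62.205.124.145]: 450 Client host rejected: cannot find your hostname, [62.205.124.145]; from= to= proto=ESMTP helo='
            #    or 'reject: RCPT from unknown[80.245.33.2]: 450 : User unknown in local recipient table;'
            if ($code =~ /\s+(\d\d\d)\s+/) { $mail{$mailid}{'code'}=$1; }
            else { $mail{$mailid}{'code'}=999; }    # Unkown error
            if (! $mail{$mailid}{'relay_s'} && $code =~ /from\s+([^\s]+)\s+/) {
                $mail{$mailid}{'relay_s'}=trim($1);
            }
            $mail{$mailid}{'from'}=trim($from);
            if ($to) {
                $mail{$mailid}{'to'}=trim($to);
            }
            elsif ($code =~ /<(.*)>/) {
                $mail{$mailid}{'to'}=trim($1);
            }
            $mail{$mailid}{'year'}=$year;
            $mail{$mailid}{'mon'}=$mon;
            $mail{$mailid}{'day'}=$day;
            $mail{$mailid}{'time'}=$time;
            if (! defined($mail{$mailid}{'size'})) { $mail{$mailid}{'size'}='?'; }
            debug("For id=$mailid, found a postfix error incoming message: code=$mail{$mailid}{'code'} from=$mail{$mailid}{'from'} to=$mail{$mailid}{'to'} time=$mail{$mailid}{'time'}");
        }
    }

    #
    # See if we received postfix email bounced error
    #
    elsif (/stat(us)?=bounced/) {
        $MailType||='postfix';
        # Example:
        # postfix:  Sep  9 18:24:23 halley postfix/local[22003]: 12C6413EC9: to=, relay=local, delay=0, status=bounced (unknown user: "etavidian")
        my ($mon,$day,$time,$id,$to,$relay_r)=m/(\w+)\s+(\d+)\s+(\d+:\d+:\d+)\s+[\w\-\.\@]+\s+(?:postfix\/(?:local|lmtp|smtpd|smtp|virtual|pipe))\[\d+\]:\s+(.*?):\s+to=([^\s,]*)[\s,]+relay=([^\s,]*)/;
        $mailid=($id eq 'reject'?'999':$id);    # id not provided in log, we take '999'
        if ($mailid) {
            $mail{$mailid}{'code'}=999;    # Unkown error (bounced)
            $mail{$mailid}{'to'}=trim($to);
            $mail{$mailid}{'relay_r'}=trim($relay_r);
            $mail{$mailid}{'year'}=$year;
            $mail{$mailid}{'mon'}=$mon;
            $mail{$mailid}{'day'}=$day;
            $mail{$mailid}{'time'}=$time;
            if (! defined($mail{$mailid}{'size'})) { $mail{$mailid}{'size'}='?'; }
            debug("For id=$mailid, found a postfix bounced incoming message: code=$mail{$mailid}{'code'} to=$mail{$mailid}{'to'} relay_r=$mail{$mailid}{'relay_r'}");
        }
    }

    #
    # See if we received sendmail reject error
    #
    elsif (/, reject/) {
        $MailType||='sendmail';
        # Example:
        # sm-mta:   Jul 27 04:06:05 androneda sm-mta[6641]: h6RB44tg006641: ruleset=check_mail, arg1=<7ms93d4ms@topprodsource.com>, relay=crelay1.easydns.com [216.220.57.222], reject=451 4.1.8 Domain of sender address 7ms93d4ms@topprodsource.com does not resolve
        # sm-mta:   Jul 27 06:21:24 androneda sm-mta[11461]: h6RDLNtg011461: ruleset=check_rcpt, arg1=, relay=freedom.myhostdns.com [66.246.77.42], reject=550 5.7.1 ... Relaying denied
        # sendmail: Sep 30 04:21:32 halley sendmail[3161]: g8U2LVi03161: ruleset=check_rcpt, arg1=, relay=moon.partenor.fr [10.0.0.254], reject=550 5.7.1 ... Relaying denied
        # sendmail: Jan 10 07:37:48 smtp sendmail[32440]: ruleset=check_relay, arg1=[211.228.26.114], arg2=211.228.26.114, relay=[211.228.26.114], reject=554 5.7.1 Rejected 211.228.26.114 found in dnsbl.sorbs.net
        # sendmail: Jan 10 07:37:08 smtp sendmail[32439]: ruleset=check_relay, arg1=235.Red-213-97-175.pooles.rima-tde.net, arg2=213.97.175.235, relay=235.Red-213-97-175.pooles.rima-tde.net [213.97.175.235], reject=550 5.7.1 Mail from 213.97.175.235 refused. Rejected for bad WHOIS info on IP of your SMTP server - see http://www.rfc-ignorant.org/
        # sendmail: Jan 10 17:15:42 smtp sendmail[12770]: ruleset=check_relay, arg1=[63.218.84.21], arg2=63.218.84.21, relay=[63.218.84.21], reject=553 5.3.0 Rejected - see http://spamhaus.org/
        my ($mon,$day,$time,$id,$ruleset,$arg,$relay_s,$code)=m/(\w+)\s+(\d+)\s+(\d+:\d+:\d+)\s+[\w\-\.\@]+\s+(?:sendmail|sm-mta)\[\d+\][:\s]*(.*?):\sruleset=(\w+),\s+arg1=(.*),\s+relay=(.*),\s+(reject=.*)/;
        # sendmail: Jan 10 18:00:34 smtp sendmail[5759]: i04Axx2c005759: Milter: data, reject=511 Virus found in email!
        if (! $mon) { ($mon,$day,$time,$id,$ruleset,$code)=m/(\w+)\s+(\d+)\s+(\d+:\d+:\d+)\s+[\w\-\.\@]+\s+(?:sendmail|sm-mta)\[\d+\]:\s+(.*?):\s\w+:\s(\w+),\s+(reject=.*)/; }
        $mailid=(! $id && $mon?'999':$id);    # id not provided in log, we take '999'
        if ($mailid) {
            # Rulesets 'check_relay' and 'data' carry no address in arg1
            if ($ruleset eq 'check_mail') { $mail{$mailid}{'from'}=$arg; }
            if ($ruleset eq 'check_rcpt') { $mail{$mailid}{'to'}=$arg; }
            $mail{$mailid}{'relay_s'}=$relay_s;
            # $code='reject=550 5.7.1 ... Relaying denied'
            if ($code =~ /=(\d\d\d)\s+/) { $mail{$mailid}{'code'}=$1; }
            else { $mail{$mailid}{'code'}=999; }    # Unkown error
            $mail{$mailid}{'year'}=$year;
            $mail{$mailid}{'mon'}=$mon;
            $mail{$mailid}{'day'}=$day;
            $mail{$mailid}{'time'}=$time;
            if (! defined($mail{$mailid}{'size'})) { $mail{$mailid}{'size'}='?'; }
            debug("For id=$mailid, found a sendmail error incoming message: code=$mail{$mailid}{'code'} from=$mail{$mailid}{'from'} to=$mail{$mailid}{'to'} relay_s=$mail{$mailid}{'relay_s'}");
        }
    }

    #
    # See if we send a sendmail (with ctladdr tag) email
    #
    elsif (/, ctladdr=/) {
        $MailType||='sendmail';
        #
        # Matched outgoing sendmail/postfix message
        #
        my ($mon,$day,$time,$id,$to,$fromorto)=m/(\w+)\s+(\d+)\s+(\d+:\d+:\d+)\s+[\w\-\.\@]+\s+(?:sm-mta|sendmail(?:-out|)|postfix\/(?:local|lmtp|smtpd|smtp|virtual|pipe))\[.*?\]:\s+([^:]*):\s+to=(.*?)[,\s]+ctladdr=([^\,\s]*)/;
        $mailid=$id;
        if (m/\s+relay=([^\s,]*)[\s,]/) { $mail{$id}{'relay_r'}=$1; }
        elsif (m/\s+mailer=local/) { $mail{$id}{'relay_r'}='localhost'; }
        if (/, stat\=Sent/) { $mail{$id}{'code'}=1; }
        elsif (/, stat\=User\s+unknown/) { $mail{$id}{'code'}=550; }
        elsif (/, stat\=Local\s+configuration/) { $mail{$id}{'code'}=451; }
        elsif (/, stat\=Deferred:\s+(\d*)/) { $mail{$id}{'code'}=$1; }
        else { $mail{$id}{'code'}=999; }
        $mail{$mailid}{'year'}=$year;
        $mail{$id}{'mon'}=$mon;
        $mail{$id}{'day'}=$day;
        $mail{$id}{'time'}=$time;
        if (trim($to)=~/^\|/) {
            # In particular case of mails are sent to a pipe, the ctladdr contains the to
            $mail{$id}{'to'}=trim($fromorto);
        }
        else {
            # In most cases
            $mail{$id}{'to'}=trim($to);
            $mail{$id}{'from'}=trim($fromorto);
        }
        if (! defined($mail{$id}{'size'})) { $mail{$id}{'size'}='?'; }
        debug("For id=$id, found a sendmail outgoing message: to=$mail{$id}{'to'} from=$mail{$id}{'from'} size=$mail{$id}{'size'} relay_r=".($mail{$id}{'relay_r'}||''));
    }

    #
    # Matched incoming qmail message
    #
    elsif (/info msg .* from/) {
        # Example: Sep 14 09:58:09 gandalf qmail: 1063526289.292776 info msg 270182: bytes 10712 from  qp 54945 uid 82
        $MailType||='qmail';
        my ($id,$size,$from)=m/info msg (\d+): bytes (\d+) from <(.*)>/;
        $mailid=$id;
        delete $mail{$mailid};    # If 'info msg' found, we start a new mail. This is to protect from wrong file
        if (! $mail{$id}{'from'} || $mail{$id}{'from'} ne '<>') { $mail{$id}{'from'}=$from; }    # TODO ???
        $mail{$id}{'size'}=$size;
        if (m/\s+relay=([^\,]+)[\s\,]/ || m/\s+relay=([^\s\,]+)$/) { $mail{$id}{'relay_s'}=$1; }
        debug("For id=$id, found a qmail 'info msg' message: from=$mail{$id}{'from'} size=$mail{$id}{'size'}");
    }

    #
    # Matched incoming sendmail or postfix message
    #
    elsif (/: from=/) {
        # sm-mta:  Jul 28 06:55:13 androneda sm-mta[28877]: h6SDtCtg028877: from=, size=2556, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=MTA, relay=smtp.easydns.com [205.210.42.50]
        # postfix: Jul  3 15:32:26 apollon postfix/qmgr[13860]: 08FB63B8A4: from=, size=3302, nrcpt=1 (queue active)
        # postfix: Sep 24 14:45:15 wideboy postfix/qmgr[22331]: 7E0E6196: from=, size=1141 (queue active)
        my ($id,$from,$size)=m/\w+\s+\d+\s+\d+:\d+:\d+\s+[\w\-\.\@]+\s+(?:sm-mta|sendmail(?:-in|)|postfix\/qmgr|postfix\/nqmgr)\[\d+\]:\s+(.*?):\s+from=(.*?),\s+size=(\d+)/;
        $mailid=$id;
        if (! $mail{$id}{'code'}) { $mail{$id}{'code'}=1; }    # If not already defined, we define it
        if (! $mail{$id}{'from'} || $mail{$id}{'from'} ne '<>') { $mail{$id}{'from'}=$from; }
        $mail{$id}{'size'}=$size;
        if (m/\s+relay=([^\,]+)[\s\,]/ || m/\s+relay=([^\s\,]+)$/) { $mail{$id}{'relay_s'}=$1; }
        debug("For id=$id, found a sendmail/postfix incoming message: from=$mail{$id}{'from'} size=$mail{$id}{'size'} relay_s=".($mail{$id}{'relay_s'}||''));
    }

    #
    # Matched exchange message
    #
    elsif (/^([^\t]+)\t([^\t]+)\t[^\t]+\t([^\t]+)\t([^\t]+)\t([^\t]+)\t[^\t]+\t([^\t]+)\t([^\t]+)\t([^\t]+)\t[^\t]+\t[^\t]+\t([^\t]+)\t[^\t]+\t[^\t]+\t[^\t]+\t[^\t]+\t[^\t]+\t([^\t]+)\t([^\t]+)/) {
        #    date       hour      GMT  ip_s          relay_s                partner   relay_r   ip_r          to                     code   id                        size            subject                                     from
        # Example: 2003-8-12  0:58:14   GMT  66.218.66.69  n14.grp.scd.yahoo.com  -  PACKRAT  192.168.1.2  christina@pirnie.org  1019  bh9e3f+5qvo@eGroups.com  0  0  4281  1  2003-8-12 0:58:14 GMT  0  Version: 6.0.3790.0  -  [SRESafeHaven] Re: More Baby Stuff  jtluvs2cq@wmconnect.com  -
        $MailType||='exchange';
        my $date=$1;
        my $time=$2;
        my $relay_s=$3;
        my $partner=$4;
        my $relay_r=$5;
        my $to=$6; $to =~ s/\s/%20/g;
        my $code=$7;
        my $id=$8;
        my $size=$9;
        my $subject=trim($10);
        my $from=$11; $from =~ s/\s/%20/g;
        $id=sprintf("%s_%s_%s",$id,$from,$to);
        # Check if record is significant record
        my $ok=0;
        # Code 1031=SMTP End Outbound Transfer
        if ($code == 1031) {
            # This is for external bound mails
            $ok=1;
            my $savrelay_s=$relay_s;
            $relay_s=$relay_r; $relay_r=$savrelay_s;
            $code=1;
        }
        # Code 1028=SMTP Store Driver: Message Delivered Locally to Store
        if ($code == 1028) {
            # This is for local bound mails
            $code=1;
            $ok=1;
        }
        # Code 1030=SMTP: Non-Delivered Report (NDR) Generated
        if ($code == 1030) {
            # This is for errors.
            $code=999;
            $ok=1;
        }

        if ($ok && !$mail{$id}{'code'} ) {
            $mailid=$id;
            if ($date =~ /(\d+)-(\d+)-(\d+)/) {
                $mail{$id}{'year'}=sprintf("%02s",$1);
                $mail{$id}{'mon'}=sprintf("%02s",$2);
                $mail{$id}{'day'}=sprintf("%02s",$3);
            }
            if ($time =~ /^(\d+):(\d+):(\d+)/) {
                $mail{$id}{'time'}=sprintf("%02s:%02s:%02s",$1,$2,$3);
            }
            if ( $from eq '<>' && $subject =~ /^Delivery\s+Status/) {
                $from='postmaster@localhost';
            }
            $mail{$id}{'from'}=$from;
            $mail{$id}{'to'}=$to;
            $mail{$id}{'code'}=$code;
            $mail{$id}{'size'}=$size;
            $mail{$id}{'relay_s'}=$relay_s;
            $mail{$id}{'relay_r'}=$relay_r;
            debug("For id=$id, found an exchange message: year=$mail{$id}{'year'} mon=$mail{$id}{'mon'} day=$mail{$id}{'day'} time=$mail{$id}{'time'} from=$mail{$id}{'from'} to=$mail{$id}{'to'} size=$mail{$id}{'size'} code=$mail{$id}{'code'} relay_s=$mail{$id}{'relay_s'} relay_r=$mail{$id}{'relay_r'}");
        }
    }

    #
    # Matched sendmail or postfix "to" message
    #
    elsif (/: to=.*stat(us)?=sent/i) {
        # Example:
        # postfix:  Jan 01 07:27:38 apollon postfix/local[1689]: 2BC793B8A4: to=, orig_to=, relay=local, delay=6, status=sent ("|/usr/bin/procmail")
        my ($mon,$day,$time,$id,$to)=m/(\w+)\s+(\d+)\s+(\d+:\d+:\d+)\s+[\w\-\.\@]+\s+(?:sm-mta|sendmail(?:-out|)|postfix\/(?:local|lmtp|smtpd|smtp|virtual|pipe))\[.*?\]:\s+(.*?):\s+to=(.*?),/;
        $mailid=$id;
        $mail{$id}{'code'}='1';
        if (m/\s+relay=([^\s,]*)[\s,]/) { $mail{$id}{'relay_r'}=$1; }
        elsif (m/\s+mailer=local/) { $mail{$id}{'relay_r'}='localhost'; }
        if (m/forwarded as/) {
            # If 'forwarded as idnewmail' is found, we discard this mail to avoid counting it twice
            debug("For id=$id, mail was forwarded to other id, we discard it");
            delete $mail{$id};
        }
        elsif (m/\s*dsn=2\.6\.0\s*/) {
            # A record carrying dsn=2.6.0 is discarded to avoid counting the
            # mail twice: in the example below the message is handed to a
            # relay on 127.0.0.1 and queued again under a new id.
            # postfix:  Aug 29 19:22:38 example postfix/smtp[1347]: D989FD6C302: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=2.9, delays=0.31/0.01/0/2.6, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=01182-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 995DCD6C315)
            debug("For id=$id, mail DSN is not 2.0.0, we discard it");
            delete $mail{$id};
        }
        else {
            if (m/\s+orig_to=([^\s,]*)[\s,]/) {
                # If we have a orig_to, we used it as receiver
                $mail{$id}{'to'}=trim($1);
                $mail{$id}{'forwardedto'}=trim($to);
            }
            else {
                $mail{$id}{'to'}=trim($to);
            }
            $mail{$mailid}{'year'}=$year;
            $mail{$id}{'mon'}=$mon;
            $mail{$id}{'day'}=$day;
            $mail{$id}{'time'}=$time;
            debug("For id=$id, found a sendmail/postfix record: mon=$mail{$id}{'mon'} day=$mail{$id}{'day'} time=$mail{$id}{'time'} to=$mail{$id}{'to'} relay_r=$mail{$id}{'relay_r'}");
        }
    }

    #
    # Matched qmail "to" record
    #
    elsif (/starting delivery/) {
        # Example: Sep 14 09:58:09 gandalf qmail: 1063526289.574100 starting delivery 251: msg 270182 to local spamreport@john.do
        # Example: 2003-09-27 11:22:07.039237500 starting delivery 3714: msg 163844 to local name_also_removed@maildomain.com
        $MailType||='qmail';
        my ($yea,$mon,$day,$time,$delivery,$id,$relay_r,$to)=();
        ($mon,$day,$time,$delivery,$id,$relay_r,$to)=m/^(\w+)\s+(\d+)\s+(\d+:\d+:\d+)\s+.*\s+\d+(?:\.\d+)?\s+starting delivery (\d+):\s+msg\s+(\d+)\s+to\s+(.*)?\s+(.*)$/;
        if (! $id) { ($yea,$mon,$day,$time,$delivery,$id,$relay_r,$to)=m/^(\d+)-(\d+)-(\d+)\s+(\d+:\d+:\d+).*\s+starting delivery (\d+):\s+msg\s+(\d+)\s+to\s+(.*)?\s+(.*)$/; }
        $mailid=$id;
        if ($relay_r eq 'local') { $mail{$id}{'relay_r'}='localhost'; }
        elsif (m/\s+relay=([^\s,]*)[\s,]/) { $mail{$id}{'relay_r'}=$1; }
        elsif (m/\s+mailer=local/) { $mail{$id}{'relay_r'}='localhost'; }
        $qmaildelivery{$delivery}=$id;    # Save mail id for this delivery to be able to get error code
        if ($yea) { $mail{$id}{'year'}=$yea; }
        $mail{$id}{'mon'}=$mon;
        $mail{$id}{'day'}=$day;
        $mail{$id}{'time'}=$time;
        # One recipient per delivery number; the slot is forced to be a hash
        DeliverySlot($id,'to')->{$delivery}=trim($to);
        debug("For id=$id, found a qmail 'start delivery' record: year=".($mail{$id}{'year'}||'')." mon=$mail{$id}{'mon'} day=$mail{$id}{'day'} time=$mail{$id}{'time'} to=$mail{$id}{'to'}{$delivery} relay_r=".($mail{$id}{'relay_r'}||'')." delivery=$delivery");
    }

    #
    # Matched qmail status code record
    #
    elsif (/delivery (\d+): (\w+):/) {
        # Example: Sep 14 09:58:09 gandalf qmail: 1063526289.744259 delivery 251: success: did_0+0+1/
        # Example: 2003-09-27 11:22:07.070367500 delivery 3714: success: did_1+0+0/
        $MailType||='qmail';
        my ($delivery,$code)=($1,$2);
        my $id=$qmaildelivery{$delivery};
        $mailid=$id;
        my $codes=DeliverySlot($id,'code');
        if ($code =~ /success/i) { $codes->{$delivery}=1; }
        else { $codes->{$delivery}=999; }    # deferral and every other status
        debug("For id=$qmaildelivery{$delivery}, found a qmail 'delivery' record: delivery=$delivery code=$codes->{$delivery}");
    }

    #
    # Matched qmail end of mail record
    #
    elsif (/end msg (\d+)/ && ref($mail{$1}{'to'}) eq 'HASH' && scalar %{$mail{$1}{'to'}}) {
        # If records for mail id are finished and still mails with no delivery status
        # Example: Sep 14 09:58:12 gandalf qmail: 1063526292.782444 end msg 270182
        $MailType||='qmail';
        my ($id)=($1);
        $mailid=$id;
        my $codes=DeliverySlot($id,'code');
        foreach my $delivery (keys %{$mail{$mailid}{'to'}}) { $codes->{$delivery}||=1; }
        debug("For id=$id, found a qmail 'end msg' record. This replace 'delivery' record for delivery=".join(',',keys %{$codes}));
    }

    #
    # Matched MDaemon log file record
    #
    elsif (/^\"(\d\d\d\d)-(\d\d)-(\d\d) (\d\d:\d\d:\d\d)\",\"[^\"]*\",(\w+),\d+,\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"[^\"]*\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",([\.\d]+),(\d+),(\d+)/) {
        # Example: "2003-11-06 00:00:42","2003-11-06 00:00:45",SMTPI,9443,"dillon_fm@aaaaa.net","cpeltier@domain.com","","","10.0.0.16","","",0,4563,1
        $MailType||='mdaemon';
        my ($id)=($numrecord);
        if ($5 eq 'SMTPI' || $5 eq 'SMTPO') {
            $mail{$id}{'year'}=$1;
            $mail{$id}{'mon'}=$2;
            $mail{$id}{'day'}=$3;
            $mail{$id}{'time'}=$4;
            $mail{$id}{'direction'}=($5 eq 'SMTPI'?'in':'out');
            $mail{$id}{'from'}=$6;
            $mail{$id}{'to'}=$7||$8;
            # Same relay assignment for both directions
            $mail{$id}{'relay_s'}=$9;
            $mail{$id}{'relay_r'}='-';
            $mail{$id}{'code'}=1;
            $mail{$id}{'size'}=$13;
            $mail{$id}{'extinfo'}="?virus=$10&rbl=$11&heuristicspam=$12&ssl=$14";
            $mail{$id}{'extinfo'}=~s/\s/_/g;
            $mailid=$id;
        }
    }


    #
    # Write record if all required data were found
    #
    if ($mailid) {
        my $code; my $to;
        my $delivery=0;
        my $canoutput=0;

        debug("ID:$mailid RELAY_S:".($mail{$mailid}{'relay_s'}||'')." RELAY_R:".($mail{$mailid}{'relay_r'}||'')." FROM:".($mail{$mailid}{'from'}||'')." TO:".($mail{$mailid}{'to'}||'')." CODE:".($mail{$mailid}{'code'}||''));

        # Check if we can output a mail line
        if ($MailType eq 'qmail') {
            # For qmail, 'code' and 'to' are hashes keyed by delivery number.
            # They are only dereferenced when they really are hash references.
            if (ref($mail{$mailid}{'code'}) eq 'HASH' && scalar %{$mail{$mailid}{'code'}}) {
                my $recipients=(ref($mail{$mailid}{'to'}) eq 'HASH' ? $mail{$mailid}{'to'} : {});
                foreach my $key (keys %{$mail{$mailid}{'code'}}) {
                    $delivery=$key;
                    $code=$mail{$mailid}{'code'}{$key};
                    $to=$recipients->{$key};
                }
                $canoutput=1;
            }
        }
        elsif ($MailType eq 'mdaemon') {
            $code=$mail{$mailid}{'code'};
            $to=$mail{$mailid}{'to'};
            $canoutput=1;
        }
        else {
            $code=$mail{$mailid}{'code'};
            $to=$mail{$mailid}{'to'};
            if ($mail{$mailid}{'from'} && $mail{$mailid}{'to'}) { $canoutput=1; }
            if ($mail{$mailid}{'from'} && $mail{$mailid}{'code'} > 1) { $canoutput=1; }
            if ($mailid && $mail{$mailid}{'code'} > 1) { $canoutput=1; }
        }

        # If we can
        if ($canoutput) {
            # The forwarded address is stored under 'forwardedto' by the
            # "to=" branch, so that is the key read here.
            OutputRecord($mail{$mailid}{'year'}?$mail{$mailid}{'year'}:$year,$mail{$mailid}{'mon'},$mail{$mailid}{'day'},$mail{$mailid}{'time'},$mail{$mailid}{'from'},$to,$mail{$mailid}{'relay_s'},$mail{$mailid}{'relay_r'},$code,$mail{$mailid}{'size'},$mail{$mailid}{'forwardedto'},$mail{$mailid}{'extinfo'});
            # Delete mail with generic unknown id (This id can by used by another mail)
            if ($mailid eq '999') {
                debug(" Delete mail for id=$mailid",3);
                delete $mail{$mailid};
            }
            # Delete delivery instance for id if qmail (qmail can use same id for several mails with multiple delivery)
            elsif ($MailType eq 'qmail') {
                debug(" Delete delivery instances for mail id=$mailid and delivery id=$delivery",3);
                if ($delivery) {
                    if (ref($mail{$mailid}{'to'}) eq 'HASH') { delete $mail{$mailid}{'to'}{$delivery}; }
                    if (ref($mail{$mailid}{'code'}) eq 'HASH') { delete $mail{$mailid}{'code'}{$delivery}; }
                }
            }

            # We flush %mail if too large
            if (scalar keys %mail > $NBOFENTRYFOFLUSH) {
                debug("We reach $NBOFENTRYFOFLUSH records in %mail, so we flush mail hash array");
                %mail=();
                %qmaildelivery=();
            }

        }
    }
    else {
        debug("Not interesting row");
    }

}

0;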