Computer Security
 » 
Encryption and Cryptography
 » 
cr.yp.to
 » 
cr.yp.to - qmail

qmail-smtpd => missing link => qmail-send

View: New views
2 Messages — Rating Filter:   Alert me  

qmail-smtpd => missing link => qmail-send

by CoyoteTM-INC-Szeki :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

Hi folks,

I am using qmail with tcpserver/multilog.  I need to keep record  from
every mail, witch comes-in or out.
I have to gather these info-s from every delivery:

message_received_time
src_IP
to_address
from_address
action (success, delivered to, ....)
size

I have everything, but src_IP. It is located in qmail-smtpd log. I cant
find link between send and smtpd programs.
I understand, that qmail-smtpd after succeeds, passing the mail to
qmail-queue.
The qmail-queue PID gets recorded in qmail-send. And thats it. I don't
know wich process called the qmail-queue form the logs.

-It is possible to log into qmail-smtpd the qmail-queue PID wich was
created? (I know sounds wierd...)
-Maye log in qmail-send the originating qmail-smtpd PID, wich called
qmail-queue? (little better, but wierd also..)
-Log sender IP into qmail-send. (This could be prefered, maybe workable...)

Is there a solution for this? (from the logs?)

There is only two link between them, but these are not precise. One is
the TO address (extra info in qmail-smtpd, comes from validrcptto), wich
is in qmail-send and qmail-smtpd, and the other is time, when the log
entry was created. It is hard to make an accurate script from these for
this harvesting.


Regards,

Peter, Szekeres


Re: qmail-smtpd => missing link => qmail-send

by Bruce Guenter-4 :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

On Wed, Nov 11, 2009 at 12:20:39AM +0100, CoyoteTM-INC-Szeki wrote:
> I have everything, but src_IP. It is located in qmail-smtpd log. I cant
> find link between send and smtpd programs.
> I understand, that qmail-smtpd after succeeds, passing the mail to
> qmail-queue.
> The qmail-queue PID gets recorded in qmail-send. And thats it. I don't
> know wich process called the qmail-queue form the logs.

You can't find a missing link because there isn't one.  qmail-smtpd
invokes qmail-queue directly, since qmail-queue is the mechanism that
inserts new messages into the queue.

> -It is possible to log into qmail-smtpd the qmail-queue PID wich was
> created? (I know sounds wierd...)

Easily, and not very weird.  I do it in mailfront.  Add code to dump the
accept_buf to stderr in acceptmessage() in qmail-smtpd.c

> -Maye log in qmail-send the originating qmail-smtpd PID, wich called
> qmail-queue? (little better, but wierd also..)
> -Log sender IP into qmail-send. (This could be prefered, maybe workable...)

Hard to do, and probably even harder to do securely, since the only
information qmail-send would have about IP addresses would come from
parsing the Received: headers.  Finding out the qmail-smtpd PID would be
even harder, since qmail-smtpd doesn't record it anywhere.

--
Bruce Guenter <bruce@...>                http://untroubled.org/
        I do custom software development.  Email me for details.


attachment0 (205 bytes) Download Attachment
Free embeddable forum powered by Nabble Forum Help