Sunday, April 8, 2018

qmail-spp plugin for getting more information in logs

This was a little script which I used with now defunct H-Sphere mail server. But it should work on other servers where qmail-spp plugin is used. Copy the simple C program below and save it as moreinfo.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

int main(int argc, char **argv) {
  char *user = getenv("SMTPAUTHUSER");
  char *ip = getenv("TCPREMOTEIP");
  char *mailfrom = getenv("SMTPMAILFROM");
  char *rcptto = getenv("SMTPRCPTTO");
  char *tempcount = getenv("SMTPRCPTCOUNTALL");
  int rcptcount = atoi(tempcount);
  int ppid = getppid();

  if (user != NULL && strlen(user) > 0 && rcptcount < 2) {
    fprintf(stderr, "auth: pid: %d ip: %s user: %s\n", ppid, ip, user);
  }
  fprintf(stderr, "info: pid: %d ip: %s from: %s to: %s count: %d\n", ppid, ip, mailfrom, rcptto, rcptcount);

  return 0;
}

Then compile it using the following command gcc moreinfo.c -o /var/qmail/control/plugins/moreinfo

To activate it, add the following line to /var/qmail/control/smtpplugins file under the [rcpt] section /var/qmail/control/plugins/moreinfo

Restart qmail and you will see similar output to below in /var/log/maillog

#tail -F /var/log/maillog | grep -e smtpd | grep -e info -e auth
Jun 29 02:13:13 mail smtpd: 1183072393.562254 auth: pid: 29986 ip: X.Y.U.Z user: sender@domain1.net
Jun 29 02:13:13 mail smtpd: 1183072393.562344 info: pid: 29986 ip: X.Y.U.Z from: sender@domain1.net to: receiver1@domain2.net count: 1
Jun 29 02:13:13 mail smtpd: 1183072393.902115 info: pid: 29986 ip: X.Y.U.Z from: sender@domain1.net to: receiver2@domain2.net count: 2

Here the auth section gives the smtp auth information if this section is missing then probably there is data going from server to server or your users might be using pop before smtp. The count number shows the recipient numbers, if message was sent to 3 people then count will be from 1 to 3.