We host an intermediate email greylister for our clients.
We also log all inbound attachments, and generate reports from that.
I need to show essentially the source mail-server for these attachments.
However, our Postfix logs only record the last hop, which is our greylister. Therefore, all attachment logs appear to come from our greylister.
I am wondering if Splunk can query MX records from an email address and convert that to an IP which I can then geoip?
For the record, here is our Postfix logging config for header_checks:
# header_checks: flag any MIME part that carries a filename; "=2E" is the
# quoted-printable encoding of the dot before the extension
/^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(.*))/ WARN AttachmentFound: "$2"
Any help would be appreciated.
You should be able to do it with the script-based lookup:
Something as simple as a bash script with nslookup/dig would do the trick.
Exactly. Just make sure that your Python script only returns a single MX record and nothing else and you should be good to go.
That looks pretty much spot on.
So I will have to create a Python script that will grab the MX record? As long as that is the case, the rest should be quite easy. Thanks.
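A Splunk external lookup along the lines suggested in the replies above, added here as an illustration and not code from any poster in this thread. It assumes a lookup definition with an input field "sender" and an output field "mx_host", and that `dig` is installed on the search head; the MX query is injectable so the parsing can be checked offline.

```python
"""Splunk external (script-based) lookup: sender address -> preferred MX host.
Added example, not from the thread. Assumes lookup fields "sender" (input) and
"mx_host" (output): Splunk pipes a CSV with a header row on stdin and expects
the same CSV back with mx_host filled in. DNS is done via `dig`, as suggested.
"""
import csv
import subprocess
import sys

def dig_mx(domain):
    """Raw `dig +short MX` output for domain ('' on any failure)."""
    try:
        out = subprocess.run(["dig", "+short", "MX", domain],
                             capture_output=True, text=True, timeout=5)
        return out.stdout
    except (OSError, subprocess.SubprocessError):
        return ""

def preferred_mx(dig_output):
    """Single lowest-preference host from lines like '10 mail.example.com.'.
    Returns '' when nothing usable came back, so the CSV stays well-formed."""
    best = None
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip dig diagnostics and anything not 'pref host'
        pref, host = int(parts[0]), parts[1].rstrip(".").lower()
        if best is None or pref < best[0]:
            best = (pref, host)
    return best[1] if best else ""

def lookup_rows(rows, query=dig_mx):
    """Fill mx_host for each row; query is injectable for offline testing."""
    cache = {}  # one DNS query per domain, not one per logged attachment
    for row in rows:
        sender = row.get("sender", "")
        domain = sender.rpartition("@")[2].strip(" <>").lower() if "@" in sender else ""
        if domain and domain not in cache:
            cache[domain] = preferred_mx(query(domain))
        row["mx_host"] = cache.get(domain, "")
        yield row

if __name__ == "__main__":  # Splunk passes the field names as argv; fixed here
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    writer.writerows(lookup_rows(reader))
```

The resulting mx_host can then be resolved to an address and fed to the geoip step; note that the MX host is where mail for that domain is received, which is a reasonable proxy for the sending organisation but not necessarily the host that actually delivered the message.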