  1. #1
    Join Date
    Mar 2004
    Posts
    3

    Need some help, please. . .

    I have an interesting problem that I have not been able to solve myself. I need to strip out ip addresses from a mail server log file from authenticated POP3 and IMAP connections and save them to a file. Reason for this is that I just installed assp (anti spam smtp proxy) and I want to plug these ip addresses into the relayhosts file. This way anyone who successfully logs in by POP3 or IMAP will have full relaying privileges.

    Now this script should recognize duplicate ip addresses and not add them to the file.

    Here is a sample of successful POP3 and IMAP logins:

    02:24:21.14 2 POP-24199 ([10.0.0.1]) 'user@domain' connected from [10.0.0.1:60765](temp client)

    15:00:06.33 2 IMAP-01201([10.0.0.1]) 'user@domain' connected from [10.0.0.1:32055](temp client)

    Any help would be greatly appreciated! Thank You.

  2. #2
    Join Date
    Jan 2004
    Location
    Bordeaux, France
    Posts
    320
    Something like this?
    Code:
    HOSTS=relayhosts.dat
    LOG=mail.log
    
    awk '
    NF>1 {
       sub(/.*\[/,"") ;
       sub(/].*/,"") ;
      if ($1 != "") print
    } ' $LOG | \
    sort -u -o $HOSTS $HOSTS -
    If you don't want to keep the port number, replace:
    sub(/].*/,"") ;
    by
    sub(/:.*/,"") ;
    Jean-Pierre.

  3. #3
    Join Date
    Mar 2004
    Posts
    3
    Ah thank you so much. . .I'll give it a try

    EDIT: Not the exact results I'm looking for, but it's close. Using the : instead of the ] gives me a line that starts with an IP addy but has unfiltered data behind it, example:

    170.215.88.150]) 0 {980} retrieved, 44187 bytes

    But also it appears to pick up other weird info from the log, which is not what I need, example:

    18595] SMTP(hotmail.com)hz220fnco@hotmail.com failed

    It would seem to me that at the beginning of the script, we need to somehow filter for data pertaining to 'POP-' and 'IMAP-' first. Otherwise I get lists of ip addies for rejected messages/etc.
    Last edited by josherz01; 03-11-04 at 18:14.

  4. #4
    Join Date
    Feb 2004
    Posts
    17
    You can grep the POP- and IMAP- lines and pipe them into the awk command suggested by aigles:
    # grep -E POP-\|IMAP- | thatawkcommand
    You can also pipe the output of that into a cut command that will remove everything after the square bracket, sort it and eliminate duplicates:
    # thatgrepcommand | thatawkcommand | cut -f1 -d\] | sort | uniq

    Personally, I avoid awk because I know only a few awk commands.
    # grep -E POP-\|IMAP- filename.log | cut -f2 -d\[ | cut -f1 -d\] | sort | uniq
    should select the lines containing POP- or IMAP-, cut away everything before the opening square bracket, then everything behind the closing one, then sort and eliminate duplicate IPs. Might be slower than awk though.

  5. #5
    Join Date
    Mar 2004
    Posts
    3
    Ahh that makes sense. . .I'll give that a try as well.

    That actually looks like it might have worked! Thank You!
    Last edited by josherz01; 03-11-04 at 18:33.

  6. #6
    Join Date
    Jan 2004
    Location
    Bordeaux, France
    Posts
    320
    A new version of my script:
    - Selects lines POP- and IMAP-
    - The ip address is always the second [xxx] field
    - The port number is removed
    - The file $HOSTS which contains already known ip addresses is updated.

    Code:
    HOSTS=relayhosts.dat
    LOG=mail.log
    
    awk '
    /POP-|IMAP-/ {          # Select input lines
       sub(/.*\[.*\[/,"") ; # remove chars from start to second [
       sub(/].*/,"") ;      # remove chars from [ to end
       sub(/:.*/,"");       # remove port number
       print                # print ip address
    } ' $LOG | \
    sort -u -o $HOSTS $HOSTS -
    Jean-Pierre.
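An added example, not code from the thread or from assp: a POSIX sh version of the same extraction that anchors on the `connected from [ip:port]` text of POP-/IMAP- lines (so failed logins and SMTP lines never reach the relay list), checks each value is a dotted-quad IPv4 address, and merges it into relayhosts.dat without duplicates. The sample log is constructed (the two lines from the first post plus three made-up ones); the file names follow the thread.

```shell
#!/bin/sh
# Added example; not the thread's script. Assumes the log format shown in the thread.

# Print the client IP of every successful POP3/IMAP login on stdin, one per
# line, port stripped, duplicates removed. Lines without "connected from ["
# (failed logins, SMTP delivery lines, ...) never reach the relay list.
extract_login_ips() {
    awk '
    function valid_ipv4(ip,   n, p, i) {
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
        n = split(ip, p, ".")
        for (i = 1; i <= n; i++) if (p[i] + 0 > 255) return 0
        return 1
    }
    /(POP|IMAP)-[0-9]+/ && /connected from \[/ {
        s = $0
        sub(/.*connected from \[/, "", s)   # keep the client [ip:port], not the server one
        sub(/\].*/, "", s)                   # drop "](temp client)"
        sub(/:[0-9]+$/, "", s)               # drop the port
        if (valid_ipv4(s) && !seen[s]++) print s
    }'
}

# Merge the new IPs into the relayhosts file, keeping existing entries and
# never writing a duplicate; the result replaces the file in one rename.
update_relayhosts() {
    log="$1"; hosts="$2"; tmp="$hosts.tmp.$$"
    { [ -f "$hosts" ] && cat "$hosts"; extract_login_ips < "$log"; } |
        LC_ALL=C sort -u > "$tmp" && mv "$tmp" "$hosts"
}

count_relayhosts() { wc -l < "$1" | tr -d ' '; }

# Demo on a constructed log: the two lines from the thread plus three made-up
# ones (a second client, an SMTP failure, a failed POP3 login).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/mail.log" <<'EOF'
02:24:21.14 2 POP-24199 ([10.0.0.1]) 'user@domain' connected from [10.0.0.1:60765](temp client)
15:00:06.33 2 IMAP-01201([10.0.0.1]) 'user@domain' connected from [10.0.0.1:32055](temp client)
15:01:10.07 2 IMAP-01202([10.0.0.1]) 'other@domain' connected from [192.0.2.7:41022](temp client)
15:02:00.00 3 SMTP-18595 ([10.0.0.1]) SMTP(example.com) someone@example.com failed
15:03:00.00 2 POP-24200 ([10.0.0.1]) 'bad@domain' login failed from [198.51.100.9:5555]
EOF
printf '203.0.113.5\n' > "$DEMO_DIR/relayhosts.dat"   # an entry that is already in the list
update_relayhosts "$DEMO_DIR/mail.log" "$DEMO_DIR/relayhosts.dat"
cat "$DEMO_DIR/relayhosts.dat"   # 10.0.0.1, 192.0.2.7, 203.0.113.5
```

Note that the list only ever grows: an address stays relay-enabled until something prunes it, so run it against a recent window of the log (or rotate the file) rather than the whole history.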
