What about tcpdump capture?, then you can reasemble te tcp stream and see whats going on.
You can save the capture to a file, then with wireshark you can reasemble the tcpstream looking to those emails like in postfix. You can capture traffic before your mta gets it. Regards. Saludos Ing. Alfonso Alejandro Reyes Jimenez Coordinador de Seguridad - SASI E-mail: aare...@scitum.com.mx Telefono: 91507489 Movil: (044) 55 85 81 04 62 ----- Mensaje original ----- De: Michael Weissenbacher [mailto:m...@dermichi.com] Enviado: Thursday, December 15, 2011 11:14 AM Para: Postfix users <postfix-users@postfix.org> Asunto: Re: Possibility to store all incoming mail (pre-content_filter) -------- Original Message -------- Subject: Re: Possibility to store all incoming mail (pre-content_filter) From: Mark Goodge <m...@good-stuff.co.uk> To: postfix-users@postfix.org Date: Thu Dec 15 2011 18:04:06 GMT+0100 (CET) > On 15/12/2011 16:58, Michael Weissenbacher wrote: >> schrieb Mark Goodge: >>> On 15/12/2011 16:24, Michael Weissenbacher wrote: >>>> Hi! >>>>> >>>>> You can do this with recpients_bcc_maps >>>>> >>>> Well, as far as i know this just adds a "bcc" address to the message >>>> and >>>> as a result the mail would still pass through amavis and through the >>>> smarthost before leaving the system, thus it would get altered (and >>>> destroyed if i hit the bug). >>> >>> Set up a user on the local system, and bcc to that. That way it won't go >>> out through the smarthost. >>> >> Hm, but this still won't bypass amavis which i call with >> content_filter = smtp-amavis:[127.0.0.1]:10024 > > It's unlikely that amavis is your problem. And if it is, you can > diagnose that simply by turning amavis off temporarily to see if that > makes the problem go away. > Yeah, unlikely but possible. In fact the mail passes through 2 filters before being returned to postfix: postfix:25 -> amavis:10024 -> apache-james:10025 -> postfix:10026 -> smarthost All i can tell is that some mails (like 1 out of 20000) get corrupted in the process and end up being unusable. I cannot disable amavis completely as spam hell would break lose. I cannot disable apache-james because it contains some custom filters. The most likely culprit here is apache-james because it contains some custom code. But if i disable it i cannot tell which mails would have triggered the bug and which ones didn't. That's why i want to store mails at postfix:25 before they get altered. cheers, Michael
