Hey Guys,
We host an intermediate email greylister for our clients.
We also log all inbound attachments, and generate reports from that.
I need to show essentially the source mail-server for these attachments.
However, our Postfix logs only record the last hop, which is our greylister. Therefore, all attachment logs appear to come from our greylister.
I am wondering if Splunk can query MX records from an email address, convert that to an IP which I can then GeoIP?
For the record, here is our Postfix header_checks logging config:
/^Content-(Disposition|Type).*name\s*=\s?(.*(\.|=2E)(.*))/ WARN AttachmentFound: "$2"
Any help would be appreciated.
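As an added example (not from the post), here is a small Python script that shows what a header_checks rule like the one above extracts from a sample message, and how the Received header written by the greylister itself names the server that handed the mail to it, which is the source hop the Postfix log loses. All hostnames, addresses and the message are constructed.

```python
import re
from email import message_from_string

# Constructed sample: the greylister is the hop just before the final MX.
SAMPLE = """Received: from greylist.example.net (greylist.example.net [192.0.2.10])
  by mx.example.net (Postfix) with ESMTP id ABC123
  for <user@example.net>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from mail.sender.example (mail.sender.example [198.51.100.7])
  by greylist.example.net (Postfix) with ESMTPS id XYZ789
  for <user@example.net>; Mon, 1 Jan 2024 09:59:58 +0000
From: alice@sender.example
To: user@example.net
Subject: report
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="=?utf-8?Q?q1=2Ereport=2Exlsx?="
Content-Disposition: attachment; filename="q1.report.xlsx"

AAAA
--b1--
"""

# Python equivalent of the header_checks pattern; Postfix matches case-insensitively.
ATTACHMENT_RE = re.compile(r'^Content-(Disposition|Type).*name\s*=\s?(.*(\.|=2E)(.*))', re.I)
# "from <helo> (<rdns> [<ip>])" as written by Postfix at the start of a Received header.
RECEIVED_FROM_RE = re.compile(r'^from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9a-f.:]+)\]\)', re.I)

def attachment_names(raw):
    """Return (header, $2) for every header the rule would fire on; note it fires
    once for Content-Type and once for Content-Disposition of the same part."""
    found = []
    for part in message_from_string(raw).walk():
        for key, value in part.items():
            m = ATTACHMENT_RE.match(f"{key}: {value}")
            if m:
                found.append((key, m.group(2).strip('"')))
    return found

def originating_hop(raw, greylister):
    """Return (helo_name, ip) of the server that delivered the mail to the greylister.
    Only the Received header that the greylister added is trusted; earlier
    Received headers are text controlled by whoever sent the message."""
    for hdr in message_from_string(raw).get_all('Received', []):
        flat = ' '.join(hdr.split())          # unfold the header
        if re.search(r'\bby\s+' + re.escape(greylister) + r'\b', flat, re.I):
            m = RECEIVED_FROM_RE.match(flat)
            return (m.group(1), m.group(2)) if m else None
    return None
```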