We have a mail user on our postfix server that was using the company mail to send compromising information to the competence.

I've been asked to make a report of the actions for that user in the last time.

There are tools like pflogsumm and others that can extract statistic data, but I haven't so far find anything useful to get all the info for a user because the data is in multiple lines.

I'd like to get something like this:

For the sent mail

11/11/11 00:00:00 [email protected] -> [email protected]
11/11/11 00:00:01 [email protected] -> [email protected]

For the received mail

10/10/11 00:00:00 [email protected] -> [email protected]
10/10/11 00:00:01 [email protected] -> [email protected]

I know I can do a script by myself, but matching the postfix ID for every mail is not something that can be made with a simple grep, and I've a lot of mail history that I have to recheck distributed among diferent files and so on.

The source log is the standard postfix format, for example this one...

Sep 13 16:15:57 server postfix/qmgr[18142]: B35CB5ED3D: from=<[email protected],   size=10755, nrcpt=1 (queue active)
Sep 13 16:15:57 server postfix/smtpd[32099]: disconnect from localhost[127.0.0.1]
Sep 13 16:15:57 server postfix/smtp[32420]: 58C3E5EC9C: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.4, delays=0.01/0/0/1.4, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=32697-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B35CB5ED3D)
Sep 13 16:15:57 server postfix/qmgr[18142]: 58C3E5EC9C: removed
Sep 13 16:15:57 server postfix/smtp[32379]: B35CB5ED3D: to=<[email protected]>, relay=mail.anothercompany.com[123.123.123.163]:25, delay=0.06, delays=0.03/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 77D0EB6C025)
Sep 13 16:15:57 server postfix/qmgr[18142]: B35CB5ED3D: removed