Is there a quick way to determine the source of a message?

[jbuell]

Going through our zimbra.log today and looking for potential problems, I noticed a number of messages being queued up for unreachable servers in places where I doubt we have any legitimate business activity. Using grep, I can see all of the resend attempts and disconnection by hex characters, or by the questionable domains. What I would LIKE to be able to figure out is how to trace which machine might possibly be sending messages, preferably by internal IP address. Is it necessary to install additional logging tools? Any ideas?

[ewilen]

Usually you can search by messageID or other details, to locate the original injection of the message. However, if the messages have been sitting in the queue for a while, you might have to look at older logs, or the logs may even have been rotated out of existence. You might find some older info in /var/log/maillog or in /opt/zimbra/log/mailbox.log.

Also if you can locate the actual message (not sure where it's stored, shouldn't be hard to find, though), you can read the Received: headers assuming it was injected via SMTP. If it was injected via ZCO or ZWC, it *may* have have an X-Originating-IP header, provided you don't haven't turned it off in the Admin console.