How to determine which user sent a specific email with postfix?

We have a postfix server that requires authentication to SMTP relay through it. We use virtual mailboxes in a MySQL database.

A message was relayed through our system, and we need to determine which one of our user accounts was used to send it.

The message headers contain:

Received: from User (c-76-109-241-139.hsd1.fl.comcast.net [xx.109.xxx.139]) 
    by ourserver.com (Postfix) with ESMTPA id 7BA184B4AD4; 
    Tue,  3 Jul 2012 05:42:59 -0400 (EDT)

We don't have a user called "User", and the IP address is not one that we would be sending mail from. I'd like to find out which of our user accounts the sender authenticated as when sending the message.

Is there a way to track this?


Solution 1:

If you grep for the message ID (7BA184B4AD4 in your case) in /var/log/mail.log you should find a log line indicating the sasl_username. For example:

% zgrep 07A1753F /var/log/mail.log*
Jul  4 19:47:58 mammon postfix/smtpd[4936]: 07A1753F: client=c-69-181-123-456.hsd1.ca.comcast.net[69.181.123.456], sasl_method=PLAIN, sasl_username=mgorven

Edit: If you set the smtpd_sasl_authenticated_header option in /etc/postfix/main.cf, Postfix will add the SASL username to the Received header in mails. Note that this header can be tampered with, so the above is the only reliable way to determine which user submitted the message.

smtpd_sasl_authenticated_header = yes
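
The log lookup from the answer above, extended as an added example (not part of the original answer): it maps a queue ID to the SASL login, and also lists every queue ID a given login submitted, which helps scope an abused account. The function names and the sample log lines are constructed for illustration; log text is assumed to arrive on stdin.

```shell
# Constructed sample log (hosts, queue IDs and logins are made up).
sample_log() {
cat <<'EOF'
Jul  3 05:42:58 mx postfix/smtpd[4936]: connect from unknown[192.0.2.10]
Jul  3 05:42:59 mx postfix/smtpd[4936]: 0123456789A: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jul  3 05:42:59 mx postfix/cleanup[4940]: 0123456789A: message-id=<constructed-1@example.com>
Jul  3 05:43:00 mx postfix/qmgr[1201]: 0123456789A: from=<spoofed@example.net>, size=2048, nrcpt=1 (queue active)
Jul  3 06:10:11 mx postfix/smtpd[5002]: 0BCDEF01234: client=mail.example.org[198.51.100.7]
Jul  3 06:15:42 mx postfix/smtpd[5010]: 0FEDCBA9876: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.com
EOF
}

# Emit "queue_id client sasl_method sasl_username" for each smtpd line that
# opens a queue entry; "-" marks a field the line lacks (no SASL login).
smtpd_records() {
  awk '{
    for (i = 2; i < NF; i++) {
      if ($i !~ /smtpd\[[0-9]+\]:$/ || $(i+1) !~ /^[0-9A-Za-z]+:$/) continue
      qid = $(i+1); sub(/:$/, "", qid)
      client = method = user = "-"
      for (j = i + 2; j <= NF; j++) {
        f = $j; sub(/,$/, "", f)
        if (f ~ /^client=/)        client = substr(f, 8)
        if (f ~ /^sasl_method=/)   method = substr(f, 13)
        if (f ~ /^sasl_username=/) user   = substr(f, 15)
      }
      if (client != "-") print qid, client, method, user
      break
    }
  }'
}

# Which login submitted this queue ID? (the "" forces a string comparison,
# since hex queue IDs such as 12E3456 would otherwise compare as numbers)
sasl_lookup() { smtpd_records | awk -v q="$1" '$1 "" == q ""'; }

# Every queue ID and client address submitted under one SASL login, to see
# how much mail went out through an account that may have been abused.
queue_ids_for_user() { smtpd_records | awk -v u="$1" '$4 "" == u "" { print $1, $2 }'; }

sample_log | sasl_lookup 0123456789A
```

On a real server, feed it the logs with `zcat -f /var/log/mail.log* | sasl_lookup 7BA184B4AD4`, which reads rotated and current files alike.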