Is there a way to log all SMTP traffic?



  • Our outgoing email traffic seems to be blocked by our ISP and/or by Google, i.e. we cannot send to any Gmail address. We would like to verify/monitor that none of our company computers is sending spam. I'm looking for advice on getting SMTP traffic logs in our pfSense box. If that needs paid support, we will probably buy it - boss said.

    Thanks in advance for any information.


  • Galactic Empire

    Is the switch that connects to your router able to port mirror / span?

    If it is, set it up, connect a laptop to the mirror / span port and do a Wireshark capture.


  • Rebel Alliance Global Moderator

    You sure do not need to do this with a span port.. If you want to log all outbound traffic to SMTP (25) then you could either just do the packet capture on pfSense directly.  Or you could just set up a rule that logs SMTP 25 and either blocks it which would be the best thing.  It's rare that clients in a work setup would directly need to talk outbound on 25.

    So on your interface(s) that clients talk to pfSense to go to the internet just set up a rule on the top that blocks 25 and logs it.



  • @johnpoz:

    You sure do not need to do this with a span port.. If you want to log all outbound traffic to SMTP (25) then you could either just do the packet capture on pfSense directly.  Or you could just set up a rule that logs SMTP 25 and either blocks it which would be the best thing.  It's rare that clients in a work setup would directly need to talk outbound on 25.

    So on your interface(s) that clients talk to pfSense to go to the internet just set up a rule on the top that blocks 25 and logs it.

    Thank you! Added rules: block+log :25, log :587.


  • Galactic Empire

    I assumed you had a server on site that used SMTP.

    Mentioned a span port as Wireshark could just be left to run and save multiple files; you could just leave it running for a week or more.

    But yes, blocking and logging will work.


  • Rebel Alliance Global Moderator

    "log :587."

    I find it highly unlikely that spam would be using port 587.. Unless the user was sending it on purpose through a smart host and authing to the smart host as well.  This would not be tracked back to your IP.
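
Added example, not part of the thread and not pfSense project code: once the block+log rule on port 25 (and the log rule on 587) is in place, the firewall log can be tallied per internal source to see which machine is trying to send mail directly. It assumes the raw `filterlog` CSV layout for IPv4 TCP entries (field positions noted in the code); the sample lines are constructed and the function name `smtp_sources` is hypothetical. IPv6 entries are skipped because their field positions differ.

```python
import re
from collections import Counter

# Constructed sample syslog lines (documentation addresses), not real traffic.
SAMPLE_LOG = """\
Mar  3 09:14:02 fw filterlog[41822]: 5,,,1700000001,igb1,match,block,in,4,0x0,,64,4711,0,DF,6,tcp,60,192.168.1.23,203.0.113.25,50112,25,0,S,1201,,65535,,mss
Mar  3 09:14:03 fw filterlog[41822]: 5,,,1700000001,igb1,match,block,in,4,0x0,,64,4712,0,DF,6,tcp,60,192.168.1.23,198.51.100.9,50113,25,0,S,1377,,65535,,mss
Mar  3 09:14:05 fw filterlog[41822]: 5,,,1700000001,igb1,match,block,in,4,0x0,,64,4713,0,DF,6,tcp,60,192.168.1.23,198.51.100.77,50114,25,0,S,1499,,65535,,mss
Mar  3 09:20:41 fw filterlog[41822]: 5,,,1700000001,igb1,match,block,in,4,0x0,,128,901,0,DF,6,tcp,52,192.168.1.57,203.0.113.25,49800,25,0,S,88,,64240,,mss
Mar  3 09:22:10 fw filterlog[41822]: 6,,,1700000002,igb1,match,pass,in,4,0x0,,64,4790,0,DF,6,tcp,60,192.168.1.23,203.0.113.80,50200,587,0,S,2001,,65535,,mss
Mar  3 09:22:11 fw filterlog[41822]: 7,,,1700000003,igb1,match,pass,in,4,0x0,,64,100,0,none,17,udp,71,192.168.1.40,192.168.1.1,53122,53,51
Mar  3 09:23:00 fw sshd[900]: unrelated line
"""

# Everything after the "filterlog[pid]:" tag is the comma-separated record.
PAYLOAD = re.compile(r"filterlog(?:\[\d+\])?:\s*(\S+)")


def smtp_sources(log_text, ports=(25, 587)):
    """Count logged entries per (source IP, destination port, action)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = PAYLOAD.search(line)
        if not m:
            continue  # not a filterlog line
        f = m.group(1).split(",")
        # Assumed positions: 6=action, 8=IP version, 16=protocol,
        # 18=source IP, 21=destination port (IPv4 TCP records only).
        if len(f) < 22 or f[8] != "4" or f[16] != "tcp":
            continue
        if not f[21].isdigit() or int(f[21]) not in ports:
            continue
        counts[(f[18], int(f[21]), f[6])] += 1
    return counts


if __name__ == "__main__":
    # Busiest sources first: the top rows are the machines to inspect.
    for (src, port, action), n in smtp_sources(SAMPLE_LOG).most_common():
        print(f"{src:15} -> tcp/{port:<4} {action:5} {n} entries")
```
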