I'd like to log the message id, client IP address and authenticated sender with each SMTP transaction, pretty much as discussed here:
Logging auth information in sendmail
I've implemented the solution; however, it logs all transactions, not just the ones that used authentication. I would prefer to log only entries where authentication was used.
My goal is to be able to detect phished email accounts by log analysis.
Entries I'd like to keep look like this:
Sep 23 06:31:40 mail sm-mta[20443]: r8NDVdM3020443: Authenticated-by:LOGIN,username,0,,[192.168.1.10]
Entries I want to skip are missing the mechanism and username (,,,,):
Sep 23 06:31:44 mail sm-mta[20475]: r8NDVh3m020475: Authenticated-by:,,,,messagent.computerdealernews.com.
What I'm mainly looking for is the message id, auth username, and the sender's IP address, on one line. It doesn't seem to have the right IP address.
If you could point me to any reference information on this, that would help.
Working Configuration
This configuration prints out what I want.
# Requires a map named "log" of class "syslog" (defined once, earlier in
# sendmail.cf) for the $(log ... $) lookup below to do anything.
# The LHS and RHS of every R line must be separated by a tab, not spaces.
Scheck_data
# Put the authenticated user name (if any) in front of the workspace.
R$*	$: <$&{auth_authen}> $1
# Only when the name is non-empty, log mechanism, user, client address and sender.
R<$+> $*	$: <$1> $2 $(log Authenticated-by: $&{auth_type}, $&{auth_authen}, $&{client_addr}, $&{f} $)
# Strip the marker again so the rest of check_data sees the original workspace.
R<$*> $*	$: $2
I found the client_addr and other macros on an IBM sendmail site.
Thanks.
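As an added example (not part of the question above, and not the asker's code), here is a small parser for the Authenticated-by lines in the format shown in the question, which skips the unauthenticated `,,,,` entries and flags accounts that authenticate from more than one client IP; the log lines it runs on are constructed samples, and the one-IP threshold is an assumed, deliberately crude heuristic.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format shown in the question (not real log data).
SAMPLE_LOG = """\
Sep 23 06:31:40 mail sm-mta[20443]: r8NDVdM3020443: Authenticated-by:LOGIN,username,0,,[192.168.1.10]
Sep 23 06:31:44 mail sm-mta[20475]: r8NDVh3m020475: Authenticated-by:,,,,messagent.computerdealernews.com.
Sep 23 06:32:01 mail sm-mta[20490]: r8NDW1ab020490: Authenticated-by:LOGIN,username,0,,[203.0.113.7]
Sep 23 06:32:09 mail sm-mta[20502]: r8NDW9cd020502: Authenticated-by:PLAIN,bob,0,,[192.168.1.20]
"""

LINE_RE = re.compile(r"sm-mta\[\d+\]: (?P<qid>\w+): Authenticated-by:(?P<rest>.*)$")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_auth_line(line):
    """Return (queue_id, mechanism, user, client_ip) for an authenticated
    transaction, or None for lines with an empty mechanism/username."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = [f.strip() for f in m.group("rest").split(",")]
    mech = fields[0]
    user = fields[1] if len(fields) > 1 else ""
    if not mech or not user:
        return None  # unauthenticated transaction (",,,,"), skip it
    ip = IP_RE.search(m.group("rest"))
    return m.group("qid"), mech, user, ip.group(0) if ip else ""


def authenticated_entries(text):
    """All authenticated transactions found in a block of syslog text."""
    return [e for e in (parse_auth_line(l) for l in text.splitlines()) if e]


def client_ips_per_user(entries):
    seen = defaultdict(set)
    for _qid, _mech, user, ip in entries:
        seen[user].add(ip)
    return {u: sorted(ips) for u, ips in seen.items()}


def suspicious_users(entries, max_ips=1):
    """Users seen from more than max_ips distinct client addresses (assumed heuristic)."""
    return sorted(u for u, ips in client_ips_per_user(entries).items() if len(ips) > max_ips)


if __name__ == "__main__":
    found = authenticated_entries(SAMPLE_LOG)
    for qid, mech, user, ip in found:
        print(f"{qid} {mech} {user} {ip}")
    print("review:", suspicious_users(found))
```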