How to extract specific text from Postfix logs with PHP or Perl


marco64
06-21-2008, 11:01 AM
Hi,
I extract (into different files) several pieces of information from Postfix logs.

more /var/log/maillog | grep NOQUEUE > /tmp/estract.txt

This extract looks like this:

Jun 21 00:37:16 PUMA postfix/smtpd[29244]: NOQUEUE: reject: RCPT from unknown[200.141.33.198]: 504 5.5.2 <62.123.142.124>: Helo command rejected: need fully-qualified hostname; from=<bey@brainpod.com> to=<52366@0email.it> proto=SMTP helo=<62.123.142.124>
Jun 21 00:39:51 PUMA postfix/smtpd[29303]: NOQUEUE: reject: RCPT from unknown[92.47.96.48]: 504 5.5.2 <62.123.142.124>: Helo command rejected: need fully-qualified hostname; from=<impeller@lissamail.com> to=<52366@0email.it> proto=SMTP helo=<62.123.142.124>
Jun 21 00:50:26 PUMA postfix/smtpd[29449]: NOQUEUE: reject: RCPT from unknown[190.244.138.229]: 450 4.1.2 <52366@0email.it>: Recipient address rejected: Domain not found; from=<Sascha.Taddeusz@evisibility.com> to=<52366@0email.it> proto=ESMTP helo=<229-138-244-190.fibertel.com.ar>
Jun 21 00:51:27 PUMA postfix/smtpd[29449]: NOQUEUE: reject: RCPT from unknown[190.244.138.229]: 450 4.1.2 <52366@0email.it>: Recipient address rejected: Domain not found; from=<Sascha.Taddeusz@evisibility.com> to=<52366@0email.it> proto=ESMTP helo=<229-138-244-190.fibertel.com.ar>


I would like to extract the IPs. For example from:
Jun 21 00:51:27 PUMA postfix/smtpd[29449]: NOQUEUE: reject: RCPT from unknown[190.244.138.229]: 450 4.1.2 <52366@0email.it>: Recipient address rejected: Domain not found; from=<Sascha.Taddeusz@evisibility.com> to=<52366@0email.it> proto=ESMTP helo=<229-138-244-190.fibertel.com.ar>

I want 190.244.138.229 for further handling.

I started to handle it with a PHP script, but this is not solved yet and is becoming a time-consuming job. I thought that maybe there is something ready to use, or that some good advice could help.

scottro
06-21-2008, 01:05 PM
Hrrm, this will work, but boy is it ugly.

cat /var/log/maillog |grep reject|awk -F : '{print $6}'|cut -d [ -f 2|cut -d ] -f 1


Explanation in case you're not familiar with these commands (and for newcomers who find this thread, so the explanation will cover things you know.)

cat /var/log/maillog just echoes the whole maillog. Then it's piped to grep reject, only getting the lines that have reject in them.
Then, send that to awk, using a : as a delimiter. (After some experimentation, that seemed the easiest and got the least amount of extra stuff.) Get the 6th field, which gives us
RECEIPT from unknown[78.93.134.157]
Then, using cut (at this point, there's probably a better way to just get the numbers, but it's early in the morning) using [ as delimiter and taking the second field, which gives us the 78.93.134.157 with the ] on the end. The last pipe to cut gets rid of that.

There has to be a better way, and I'm sure one of the more skilled people will have a suggestion, but this could get you started. I can't think clearly yet.

Edit: I know you said php or perl, but I don't know either of them. :) I have a feeling perl would be the best choice.

ephemera
06-21-2008, 01:15 PM
perl -ne 'print "$1\n" if /NOQUEUE:.*?\[(\d+?\.\d+?\.\d+?\.\d+?)\]/' /var/log/maillog
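
As an added example (not code from this thread), here is a Python version of the same extraction that parses every field of a NOQUEUE reject line and then counts rejects per client IP and per reject reason, which is the usual next step for monitoring or building a blocklist. The sample lines are constructed in the format shown above, using documentation IP ranges and made-up addresses; lines that are not rejects (such as "connect from") are skipped.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the thread's excerpt;
# IPs, hosts and addresses are made up for illustration.
SAMPLE_LOG = """\
Jun 21 00:37:16 PUMA postfix/smtpd[29244]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 504 5.5.2 <203.0.113.10>: Helo command rejected: need fully-qualified hostname; from=<a@example.net> to=<user@example.org> proto=SMTP helo=<203.0.113.10>
Jun 21 00:50:26 PUMA postfix/smtpd[29449]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.1.2 <user@example.org>: Recipient address rejected: Domain not found; from=<b@example.net> to=<user@example.org> proto=ESMTP helo=<mail.example.net>
Jun 21 00:51:27 PUMA postfix/smtpd[29449]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.1.2 <user@example.org>: Recipient address rejected: Domain not found; from=<b@example.net> to=<user@example.org> proto=ESMTP helo=<mail.example.net>
Jun 21 00:52:00 PUMA postfix/smtpd[29450]: connect from mx.example.com[192.0.2.5]
"""

# One regex for the whole reject line; named groups give structured fields
# instead of just the IP, so later filtering (by code, reason, helo) is easy.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) postfix/smtpd\[(?P<pid>\d+)\]: "
    r"NOQUEUE: reject: RCPT from (?P<client>[^\[]+)\[(?P<ip>[0-9.]+)\]: "
    r"(?P<code>\d{3}) (?P<ecode>\d\.\d\.\d) <[^>]*>: (?P<reason>[^;]+); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>$"
)

def parse_reject(line):
    """Return a dict of fields for a NOQUEUE reject line, or None for any other line."""
    m = REJECT_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def parse_log(text):
    """Parse all reject lines in a log excerpt, silently dropping non-reject lines."""
    return [r for r in (parse_reject(l) for l in text.splitlines()) if r]

def rejects_per_ip(records):
    """Count rejects by client IP, most frequent first."""
    return Counter(r["ip"] for r in records).most_common()

def rejects_by_reason(records):
    """Count rejects by the reason text Postfix logged, most frequent first."""
    return Counter(r["reason"] for r in records).most_common()

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, n in rejects_per_ip(recs):
        print(f"{n:5d} {ip}")
    for reason, n in rejects_by_reason(recs):
        print(f"{n:5d} {reason}")
```

Run it against the real file with `parse_log(open("/var/log/maillog").read())`; the per-IP counts are what you would feed into a threshold before acting on an address.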

marco64
06-21-2008, 01:46 PM
Thanks to both.
I will use the second one, which I can even schedule with a cron job. Thank you.

Ciao
Marco