I have the following problem: I'm seeing some spam emails being passed through my qmail server. The connections come from an IP address of a linux router masquerading several computers running on a private address space.
I need to identify the private ip of the computer that is sending spam.
My qmail server only shows the public ip that is used for the connection, and blocking it is not possible, as there are legitimate users sending emails from behind that public ip. Using smtp authentication would also not solve the problem completely, as the offender may easily 'borrow' some colleague's password.

The only simple solution that comes to mind would be to dump the headers of every smtp connection on that linux router and analyze them to find the originating ip. Does anyone master iptables enough to help me with the necessary code?

Also, do you see any other method of doing this?

iptables is a (stateful) packet filter and therefore not able to trace and decode L7 protocols. You should take a look on l7filter if you want to trace SMTP traffic in firewall.

A more simple solution would include the usage of a packet capturer on your incoming interface (e.g. with tcpdump, wireshark/tshark or similar). Capture your SMTP traffic to a file, say with tcpdump, and analyze it afterwards:

This may (or may not) solve your problem. It's up to the relaying SMTP server whether or not it is presenting you source IPs. It is very likely that your MTA is not displaying source IPs because they aren't there.