How to analyze Postfix mail logs
Do you use Postfix for your mail processing? The Postfix engine will send logging information to the maillog file, typically located in the /var/log directory. Understanding how to read the logs will help if problems ever arise. This process is great for analyzing the mail queues as well as digging for details when mail service isn't working as expected.
|DIFFICULTY||Basic - 1 | Medium - 2 | Advanced - 3|
|TIME REQUIRED||15-30+ min|
|RELATED PRODUCTS||Linux-based VPS or dedicated servers|
Before understanding the records in the log file, it is important to know that you can configure the amount of information logged. By default, the logging level is set of normal. You can modify the master.cf file to increase the logigng level. Adding -v, -vv, or -vvv to the startup command will increase the logging level to verbose, very verbose, and very very verbose, respectively. If your mail server is heavily used, you won't want to leave these configuration options in place for long without fear of using up enormous amounts of disk space.
There are four daemons, and thus four record formats, you'll find in the file:
The postfix/qmgr records represent messages moving within Postfix's internal queues. If removed is part of the record, the log record contains when a message was removed from the mail queue. The other type of record includes from, size, and nrcpt information, where nrcpt stands for number of recipients.
The postfix/smtp entries record information related to mail delivery. The relay attribute represents if a message was inbound or outbound. A relay value of localhost or 127.0.0.1 means the message was inbound as it identifies the MTA server that received the message. The other important bits of information are the identity of the sender and recipient. The delay field indicates the total amount of time Postfix spent processing the message, whereas delays is the time each daemon spent processing the message. There are four values for delays, in order they represent the smtpd, cleanup, qmgr, and smtp daemons.
Your postfix/smtpd records identify the host or ip address that connected to the SMTP daemon. For outgoing mail, the host specified will be localhost or 127.0.0.1, With inbound mail, it is the connected client.
The final daemon record is for postfix/cleanup. Here you'll just find the identity of the message just processed. 1234567890A represents message id and is also used as the temporary filename while the message is being processed.
Searching the log file
Creating regular expressions and grepping the log file will allow you to analyze your Postfix mail logs and pull out detailed information. What you do with it after extracting is totally up to you. For example, you could consider adding the records to a database for further analysis or graphing the information to perhaps show peak usage times.
Note: As a courtesy, we provide information about how to use certain third-party products, but we do not endorse or directly support third-party products and we are not responsible for the functions or reliability of such products. Third-party marks and logos are registered trademarks of their respective owners. All rights reserved.