Email Header Is Truncated When Logged in /var/log/maillog


phdam8
Hi,

When Emails are sent, there is a custom application header that gets logged
in /var/log/maillog. However, my issue is that only the first 190 characters
are logged. The rest are truncated. I double-checked to make sure that the
header is present in the message the client receives, so it appears to be a
logging issue somewhere.

I tried searching this issue up but all I got was an unanswered forum post
here:
https://serverfault.com/questions/826400/postfix-mail-server-header-checks-truncating-the-string

Can anyone please advise?

 



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: Email Header Is Truncated When Logged in /var/log/maillog

Viktor Dukhovni

> On Oct 6, 2017, at 3:29 PM, phdam8 <[hidden email]> wrote:
>
>
> When Emails are sent, there is a custom application header that gets logged
> in /var/log/maillog. However, my issue is that only the first 190 characters
> are logged. The rest are truncated. I double-checked to make sure that the
> header is present in the message the client receives, so it appears to be a
> logging issue somewhere.

The truncation is intentional.  The mail log is not an archive system.
Sensible limits on the quantity of data logged are needed to reduce
opportunities for DoS attacks.  Postfix allows just short of 200 bytes
for the logging of header data.

https://github.com/vdukhovni/postfix/blob/master/postfix/src/cleanup/cleanup_message.c#L257

--
        Viktor.


Re: Email Header Is Truncated When Logged in /var/log/maillog

phdam8
Hi Viktor,

Thanks for the link. That makes a lot of sense now.

However, it would still be nice to capture all that data including the
rather long Email header, senderID, destination, timestamp, etc... Do you
have any recommendation for best-practices?






Re: Email Header Is Truncated When Logged in /var/log/maillog

Viktor Dukhovni

> On Oct 6, 2017, at 4:04 PM, phdam8 <[hidden email]> wrote:
>
> However, it would still be nice to capture all that data including the
> rather long Email header, senderID, destination, timestamp, etc... Do you
> have any recommendation for best-practices?

You can record content with a content filter or a milter.  Postfix
logging will not provide faithful captures of message content.

--
        Viktor.
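
Added example, not part of the thread and not Postfix code: the recording step a content filter could run on each message, keeping the custom header in full where the mail log stops short of 200 bytes. The header name `X-App-Data`, the size caps, and the queue ID, sender and recipients being handed in by whatever invokes the filter are assumptions; the sample message is constructed.

```python
import json
import re
from email import message_from_bytes
from email.policy import compat32

MAX_VALUE = 8192  # assumed cap per header value: bounded, but far above ~200 bytes
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def clean(value, limit=MAX_VALUE):
    """Unfold a header value, escape control characters, bound its length."""
    unfolded = re.sub(r"\r?\n(?=[ \t])", "", str(value))
    safe = _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), unfolded)
    return safe[:limit], len(safe) > limit

def capture(raw, queue_id, sender, recipients, wanted):
    """Return one JSON line with the envelope data and the wanted headers in full."""
    msg = message_from_bytes(raw, policy=compat32)
    record = {
        "queue_id": clean(queue_id, 64)[0],
        "from": clean(sender, 320)[0],
        "to": [clean(r, 320)[0] for r in recipients],
        "headers": {},
        "cut": [],  # names of headers that hit MAX_VALUE
    }
    for name in wanted:
        for value in msg.get_all(name, []):
            text, was_cut = clean(value)
            record["headers"].setdefault(name, []).append(text)
            if was_cut:
                record["cut"].append(name)
    return json.dumps(record, sort_keys=True)

# Constructed sample: a folded custom header far longer than 190 characters and
# a Subject carrying a terminal escape sequence.
CHUNKS = ["seg%02d=%s" % (i, "v" * 60) for i in range(7)]
SAMPLE = (
    b"From: app@example.com\r\n"
    b"Subject: report\x1b[2Jdone\r\n"
    b"X-App-Data: " + "\r\n ".join(CHUNKS).encode("ascii") + b"\r\n"
    b"\r\n"
    b"body\r\n"
)

if __name__ == "__main__":
    print(capture(SAMPLE, "4F2A91C0B7", "app@example.com",
                  ["user@example.net"], ["X-App-Data", "Subject"]))
```

Header values are sender-controlled, so the record still escapes control characters and keeps a size cap, for the same reason the mail log limits what it writes.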


Re: Email Header Is Truncated When Logged in /var/log/maillog

Bill Cole-3
On 6 Oct 2017, at 16:37, Viktor Dukhovni wrote:

>> On Oct 6, 2017, at 4:04 PM, phdam8 <[hidden email]> wrote:
>>
>> However, it would still be nice to capture all that data including the
>> rather long Email header, senderID, destination, timestamp, etc... Do you
>> have any recommendation for best-practices?
>
> You can record content with a content filter or a milter.  Postfix
> logging will not provide faithful captures of message content.

One good tool for this is the MIMEDefang milter. It will do (or at least
TRY to do) anything you can tell it to do in Perl, including logging far
too much info about a message in the mail log, if that's really what you
want. For example, because users always seem to expect lost mail to be
findable by Subject (not kidding...) I have MIMEDefang log a line with
the Postfix queue ID, SMTP envelope sender & (1st) recipient,
SpamAssassin score, Message-ID, and Subject. With that, if a message has
made it to the DATA phase, I can find it by Subject, see if it was
determined to be spam, and if necessary correlate it to other log lines
with the same queue ID.

Re: Email Header Is Truncated When Logged in /var/log/maillog

phdam8
In reply to this post by Viktor Dukhovni
Hi Viktor,

Thanks for the input. I have asked a couple of my colleagues on the idea and
we decided to work around it by just ignoring the logged events that exceed
that limit. They are a small fraction anyway.

Thanks for your help today. Greatly appreciate it!


