How to read maillog


How to read maillog

Velvet Pixel
How can I tell from looking at my maillog file what emails have been
sent from my system?

I don't care about local deliveries.
I just want to know what was sent from my server to other servers.

Thanks!
Cameron


Re: How to read maillog

Sahil Tandon
Velvet Pixel <[hidden email]> wrote:

> How can I tell from looking at my maillog file what emails have been sent
> from my system?
>
> I don't care about local deliveries.
> I just want to know what was sent from my server to other servers.

Without any more information about your system, you can start by grepping for
'smtp' in your logs (excluding smtpd).

--
Sahil Tandon <[hidden email]>

Re: How to read maillog

Velvet Pixel
Thank you for your help Sahil!

A grep of smtp returns two types of entries: postfix/smtp and
postfix/anvil.

When I grep the ID of a sample of each they look like this:

postfix/smtp:
Jul 29 20:14:11 vps postfix/smtp[21650]: A85225A08723:
to=<[hidden email]>,
relay=gmail-smtp-in.l.google.com[209.85.199.27]:25, delay=1.2,
delays=0.02/0.06/0.09/1, dsn=2.0.0, status=sent (250 2.0.0 OK
1217387662 k2si695106rvb.4)
Jul 29 20:14:17 vps postfix/smtp[21650]: DDC695A087F7:
to=<[hidden email]>,
relay=gmail-smtp-in.l.google.com[209.85.199.27]:25, delay=1.3,
delays=0.56/0/0.09/0.61, dsn=2.0.0, status=sent (250 2.0.0 OK
1217387667 l31si709029rvb.6)

postfix/anvil:
Jul 29 21:11:31 vps postfix/anvil[17821]: statistics: max connection
rate 1/60s for (smtp:81.12.170.122) at Jul 29 21:04:42
Jul 29 21:11:31 vps postfix/anvil[17821]: statistics: max connection
count 1 for (smtp:81.12.170.122) at Jul 29 21:04:42
Jul 29 21:11:31 vps postfix/anvil[17821]: statistics: max cache size 2
at Jul 29 21:08:09

There are quite a few of the anvil types of entries. Are they just
connection attempts that were denied but not successful?

The postfix/smtp type seems accurate for what should be the results of
what is being sent by my system, so is that the correct info to keep an
eye on if I want to make sure my system is not sending anything it
shouldn't?

Thanks :)
Cameron Smith

On Jul 29, 2008, at 9:01 PM, Sahil Tandon wrote:

> Velvet Pixel <[hidden email]> wrote:
>
>> How can I tell from looking at my maillog file what emails have been
>> sent
>> from my system?
>>
>> I don't care about local deliveries.
>> I just want to know what was sent from my server to other servers.
>
> Without any more information about your system, you can start by
> grepping for
> 'smtp' in your logs (excluding smtpd).
>
> --
> Sahil Tandon <[hidden email]>
>


Re: How to read maillog

MrC-7
Velvet Pixel wrote:

>
> A grep of smtp returns two types of entries. A postfix/smtp and a
> postfix/anvil.
>
> When I grep the ID of a sample of each they look like this:
>
> postfix/smtp:
> Jul 29 20:14:11 vps postfix/smtp[21650]: A85225A08723:
> to=<[hidden email]>,
> relay=gmail-smtp-in.l.google.com[209.85.199.27]:25, delay=1.2,
> delays=0.02/0.06/0.09/1, dsn=2.0.0, status=sent (250 2.0.0 OK 1217387662
> k2si695106rvb.4)

You are seeing:

 - message queue id
 - the recipient (to),
 - relay (in this case, remote MTA),
 - time delay(s),
 - delivery status notification (2.0.0 = successful delivery,
    4xx = tmp reject, 5xx = perm reject)
 - status of message (sent, bounced, deferred)
 - remote MTA's reply (250 ...)

>
> postfix/anvil:
> Jul 29 21:11:31 vps postfix/anvil[17821]: statistics: max connection
> rate 1/60s for (smtp:81.12.170.122) at Jul 29 21:04:42
> Jul 29 21:11:31 vps postfix/anvil[17821]: statistics: max connection
> count 1 for (smtp:81.12.170.122) at Jul 29 21:04:42
> Jul 29 21:11:31 vps postfix/anvil[17821]: statistics: max cache size 2
> at Jul 29 21:08:09
>
These are anvil's stats.  Anvil is used for rate control. See man anvil.

> There are quite a few of the anvil types of entries. Are they just
> connection attempts that were denied but not successful?

No, not denied.  You're seeing the max rate of connections, and count of
connections, and the client that hit the max rate shown.  E.g.: client
81.12.170.122 connected at most 1 per 60 seconds, and connected at most
1 time simultaneously.

>
> The postfix/smtp type seem accurate for what should be the results of
> what is being sent by my system so is that the correct info to keep an
> eye on if I want to make sure my system is not sending anything it
> shouldn't?
>
> Thanks :)
> Cameron Smith
>
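
As an added example (not code from the thread), a small Python parser for the postfix/smtp lines MrC annotated above: it splits out the queue id, recipient, relay, DSN, status and remote MTA's reply, keeps only postfix/smtp deliveries (the grep Sahil suggested, minus smtpd, local and anvil lines) and counts them by status. The sample log lines are constructed with documentation addresses and RFC 5737 IPs in the same layout as Cameron's.

```python
import re

# Syslog prefix, then "postfix/<program>[pid]: <queue id>: key=value, ...",
# the layout of the postfix/smtp lines shown in the thread (short, hex queue ids).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ '
    r'postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$'
)

def parse_delivery(line):
    """Split one Postfix delivery-agent log line into its fields, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None                     # smtpd connect lines, anvil stats, ...
    # "key=value, " pairs come first; status= is last and carries the remote
    # MTA's reply in parentheses, so it is split off before the pairs.
    head, sep, tail = m.group('rest').partition('status=')
    if not sep:
        return None                     # e.g. "<qid>: removed" from qmgr
    fields = dict(p.partition('=')[::2] for p in head.rstrip(', ').split(', '))
    status, _, reply = tail.partition(' ')
    return {'time': m.group('ts'), 'program': m.group('prog'),
            'queue_id': m.group('qid'), 'to': fields.get('to', '').strip('<>'),
            'relay': fields.get('relay', ''), 'dsn': fields.get('dsn', ''),
            'status': status, 'reply': reply.strip('()')}

def outbound_deliveries(lines):
    """Deliveries handed to another server: program postfix/smtp only
    (drops smtpd, local, virtual and pipe lines, as Sahil's grep does)."""
    return [d for d in map(parse_delivery, lines) if d and d['program'] == 'smtp']

def status_counts(deliveries):
    """Count outbound deliveries by status (sent / deferred / bounced)."""
    counts = {}
    for d in deliveries:
        counts[d['status']] = counts.get(d['status'], 0) + 1
    return counts

# Constructed sample (documentation addresses, RFC 5737 IPs), one event per line.
SAMPLE_LOG = """\
Jul 29 20:14:11 vps postfix/smtp[21650]: A85225A08723: to=<alice@example.org>, relay=mx.example.org[192.0.2.25]:25, delay=1.2, delays=0.02/0.06/0.09/1, dsn=2.0.0, status=sent (250 2.0.0 OK 1217387662 k2si695106rvb.4)
Jul 29 20:15:02 vps postfix/smtp[21650]: DDC695A087F7: to=<bob@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.2/0.6, dsn=4.7.1, status=deferred (host mx.example.net[198.51.100.7] said: 450 4.7.1 Greylisted, try later (in reply to RCPT TO command))
Jul 29 20:15:30 vps postfix/smtpd[28365]: connect from unknown[203.0.113.9]
Jul 29 20:15:31 vps postfix/local[21700]: 4B7D75A0866F: to=<cameron@vps.example.com>, relay=local, delay=0.3, delays=0.1/0/0/0.2, dsn=2.0.0, status=sent (delivered to maildir)
Jul 29 21:11:31 vps postfix/anvil[17821]: statistics: max connection rate 1/60s for (smtp:203.0.113.9) at Jul 29 21:04:42
"""
```

On a real system, call outbound_deliveries() on the lines of /var/log/maillog (or wherever syslog writes the mail facility) and review the relay and status columns for anything unexpected.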

Re: How to read maillog

Velvet Pixel
On Jul 29, 2008, at 10:32 PM, MrC wrote:

> Velvet Pixel wrote:
>>
>> A grep of smtp returns two types of entries. A postfix/smtp and a
>> postfix/anvil.
>>
>> When I grep the ID of a sample of each they look like this:
>>
>> postfix/smtp:
>> Jul 29 20:14:11 vps postfix/smtp[21650]: A85225A08723:
>> to=<[hidden email]>,
>> relay=gmail-smtp-in.l.google.com[209.85.199.27]:25, delay=1.2,
>> delays=0.02/0.06/0.09/1, dsn=2.0.0, status=sent (250 2.0.0 OK
>> 1217387662
>> k2si695106rvb.4)
>
> You are seeing:
>
>  - message queue id
>  - the recipient (to),
>  - relay (in this case, remote MTA),
>  - time delay(s),
>  - delivery status notification (2.0.0 = successful delivery,
>     4xx = tmp reject, 5xx = perm reject)
>  - status of message (sent, bounced, deferred)
>  - remote mta's reply (250 ...)
>
>>
>> postfix/anvil:
>> Jul 29 21:11:31 vps postfix/anvil[17821]: statistics: max connection
>> rate 1/60s for (smtp:81.12.170.122) at Jul 29 21:04:42
>> Jul 29 21:11:31 vps postfix/anvil[17821]: statistics: max connection
>> count 1 for (smtp:81.12.170.122) at Jul 29 21:04:42
>> Jul 29 21:11:31 vps postfix/anvil[17821]: statistics: max cache size 2
>> at Jul 29 21:08:09
>>
> These are anvil's stats.  Anvil is used for rate control. See man
> anvil.
>
>> There are quite a few of the anvil types of entries. Are they just
>> connection attempts that were denied but not successful?
>
> No, not denied.  You're seeing the max rate of connections, and count
> of
> connections, and the client that hit the max rate shown.  Eg: client
> 81.12.170.122 connected at most 1 per 60 seconds, and connected at most
> 1 time simultaneously.
>
>>
>> The postfix/smtp type seem accurate for what should be the results of
>> what is being sent by my system so is that the correct info to keep an
>> eye on if I want to make sure my system is not sending anything it
>> shouldn't?
>>
>> Thanks :)
>> Cameron Smith
>>
>


Thanks MrC!

I think I understand what anvil is now.

So to be clear, all listings in postfix/anvil are clients trying to
connect to use my system to send and have nothing to do with messages
received (such as spam) by my system, or is it both?

Cameron


Re: How to read maillog

MrC-7
Velvet Pixel wrote:

> I think I understand what anvil is now.
>
> So to be clear, all listings in postfix/anvil are clients trying to
> connect to use my system to send and has nothing to do with messages
> received (such as spam) by my system or is it both?
>

Right, clients connecting to your system.  See log lines such as:

... postfix/smtpd[26704]: connect from example.com[10.0.0.1]


Re: How to read maillog

Velvet Pixel

On Jul 29, 2008, at 10:56 PM, MrC wrote:

> Velvet Pixel wrote:
>
>> I think I understand what anvil is now.
>>
>> So to be clear, all listings in postfix/anvil are clients trying to
>> connect to use my system to send and has nothing to do with messages
>> received (such as spam) by my system or is it both?
>>
>
> Right, clients connecting to your system.  See log lines such as:
>
> ... postfix/smtpd[26704]: connect from example.com[10.0.0.1]
>
>

Whoa that's a lot of unauthorized people trying to connect!
Is it normal to have tons of unauthorized connect attempts in this
wonderful world of spammers looking for a hole?
I have hundreds of groupings like this which add up to thousands of
attempts per day:

Jul 29 10:42:05 vps postfix/smtpd[28365]: warning: 91.196.61.254:
hostname vpn-91.196.61.254.uch.net verification failed: Name or service
not known
Jul 29 10:42:05 vps postfix/smtpd[28365]: connect from
unknown[91.196.61.254]
Jul 29 10:42:07 vps postfix/smtpd[28365]: 011185A087AC:
client=unknown[91.196.61.254]
Jul 29 10:42:09 vps postfix/smtpd[28365]: disconnect from
unknown[91.196.61.254]
Jul 29 10:42:12 vps postfix/smtpd[28365]: warning: 189.7.164.159:
hostname bd07a49f.virtua.com.br verification failed: Name or service
not known
Jul 29 10:42:12 vps postfix/smtpd[28365]: connect from
unknown[189.7.164.159]
Jul 29 10:42:13 vps postfix/smtpd[28365]: 4B7D75A0866F:
client=unknown[189.7.164.159]
Jul 29 10:42:14 vps postfix/smtpd[28365]: disconnect from
unknown[189.7.164.159]
Jul 29 10:42:44 vps postfix/smtpd[28365]: connect from
unknown[222.212.103.114]
Jul 29 10:42:44 vps postfix/smtpd[28365]: lost connection after CONNECT
from unknown[222.212.103.114]
Jul 29 10:42:44 vps postfix/smtpd[28365]: disconnect from
unknown[222.212.103.114]
Jul 29 10:43:34 vps postfix/smtpd[28365]: connect from
unknown[81.222.204.179]
Jul 29 10:43:34 vps postfix/smtpd[28365]: 8CB5A5A0866F:
client=unknown[81.222.204.179]
Jul 29 10:43:36 vps postfix/smtpd[28365]: disconnect from
unknown[81.222.204.179]
Jul 29 10:43:49 vps postfix/smtpd[28365]: connect from
82.213.191.32.dyn.user.ono.com[82.213.191.32]
Jul 29 10:43:58 vps postfix/smtpd[28365]: 726805A0866F:
client=82.213.191.32.dyn.user.ono.com[82.213.191.32]
Jul 29 10:44:01 vps postfix/smtpd[28365]: disconnect from
82.213.191.32.dyn.user.ono.com[82.213.191.32]
Jul 29 10:44:53 vps postfix/smtpd[28365]: connect from
82.213.191.32.dyn.user.ono.com[82.213.191.32]
Jul 29 10:44:55 vps postfix/smtpd[28365]: E78495A0866F:
client=82.213.191.32.dyn.user.ono.com[82.213.191.32]

Should I just ignore these or is there something I can do to block them?

Cameron


Re: How to read maillog

MrC-7
Velvet Pixel wrote:
>
> Whoa that's a lot of unauthorized people trying to connect!

If you run a publicly available mail server, you've authorized the world
to connect.

> Is it normal to have tons of unauthorized connect attempts in this
> wonderful world of spammers looking for a hole?

Yes sadly, and yes.

> I have hundreds of groupings like this which add up to thousands of
> attempts per day:

Isn't mail fun.

>
> Jul 29 10:42:05 vps postfix/smtpd[28365]: warning: 91.196.61.254:
> hostname vpn-91.196.61.254.uch.net verification failed: Name or service
> not known
> Jul 29 10:42:05 vps postfix/smtpd[28365]: connect from
> unknown[91.196.61.254]
> Jul 29 10:42:07 vps postfix/smtpd[28365]: 011185A087AC:
> client=unknown[91.196.61.254]
> Jul 29 10:42:09 vps postfix/smtpd[28365]: disconnect from
> unknown[91.196.61.254]

>
> Should I just ignore these or is there something I can do to block them?
>

Post output from postconf -n and you'll get lots of good feedback about
how to configure your anti-spam measures.

MrC
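
An added example, not from the thread, that turns the smtpd connect/disconnect noise Cameron posted into a per-client summary: connections, names logged as "unknown" (reverse DNS failed), clients that dropped straight after CONNECT, and the queue ids of messages smtpd actually accepted from each client. The sample lines are constructed in the same layout with RFC 5737 addresses.

```python
import re
from collections import defaultdict

SMTPD_RE = re.compile(r'postfix/smtpd\[\d+\]: (?P<msg>.*)$')
CLIENT_RE = re.compile(r'(?P<name>\S+)\[(?P<ip>[\d.]+)\]')        # name[ip]
ACCEPTED_RE = re.compile(r'^(?P<qid>[0-9A-F]+): client=(?P<client>\S+)')

def summarize_smtpd(lines):
    """Per-client smtpd view: connects, 'unknown' reverse DNS, drops right
    after CONNECT, and queue ids of messages that entered the queue."""
    stats = defaultdict(lambda: {'connects': 0, 'unknown_rdns': 0,
                                 'lost_after_connect': 0, 'accepted': []})
    for line in lines:
        m = SMTPD_RE.search(line)
        if not m:
            continue
        msg = m.group('msg')
        if msg.startswith('connect from '):          # not "disconnect from"
            c = CLIENT_RE.search(msg)
            s = stats[c.group('ip')]
            s['connects'] += 1
            if c.group('name') == 'unknown':         # rDNS lookup failed
                s['unknown_rdns'] += 1
        elif msg.startswith('lost connection after CONNECT from '):
            stats[CLIENT_RE.search(msg).group('ip')]['lost_after_connect'] += 1
        else:
            a = ACCEPTED_RE.match(msg)
            if a:   # "<qid>: client=..." means smtpd accepted a message
                ip = CLIENT_RE.search(a.group('client')).group('ip')
                stats[ip]['accepted'].append(a.group('qid'))
    return dict(stats)

def noisy_clients(stats):
    """Clients with no reverse DNS or that dropped after CONNECT, busiest first."""
    return sorted((ip for ip, s in stats.items()
                   if s['unknown_rdns'] or s['lost_after_connect']),
                  key=lambda ip: -stats[ip]['connects'])

# Constructed sample in the layout of Cameron's log excerpt (RFC 5737 IPs).
SAMPLE_LOG = """\
Jul 29 10:42:05 vps postfix/smtpd[28365]: warning: 203.0.113.45: hostname host45.example.invalid verification failed: Name or service not known
Jul 29 10:42:05 vps postfix/smtpd[28365]: connect from unknown[203.0.113.45]
Jul 29 10:42:07 vps postfix/smtpd[28365]: 011185A087AC: client=unknown[203.0.113.45]
Jul 29 10:42:09 vps postfix/smtpd[28365]: disconnect from unknown[203.0.113.45]
Jul 29 10:42:44 vps postfix/smtpd[28365]: connect from unknown[198.51.100.8]
Jul 29 10:42:44 vps postfix/smtpd[28365]: lost connection after CONNECT from unknown[198.51.100.8]
Jul 29 10:43:49 vps postfix/smtpd[28365]: connect from dyn-32.example.net[192.0.2.32]
Jul 29 10:43:58 vps postfix/smtpd[28365]: 726805A0866F: client=dyn-32.example.net[192.0.2.32]
Jul 29 10:44:53 vps postfix/smtpd[28365]: connect from dyn-32.example.net[192.0.2.32]
Jul 29 10:44:55 vps postfix/smtpd[28365]: E78495A0866F: client=dyn-32.example.net[192.0.2.32]
"""
```

The accepted column is the one to watch: a connect followed by a "queue id: client=" line means the message got past smtpd_recipient_restrictions, whereas a bare connect/disconnect pair cost nothing but a log entry.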

Re: How to read maillog

Velvet Pixel

On Jul 30, 2008, at 12:37 AM, MrC wrote:
> Isn't mail fun.

YEAH! :)


>
> Post output from postconf -n and you'll get lots of good feedback about
> how to configure your anti-spam measures.
>
> MrC
>
>

Here is my postconf output:

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, vps.velvetpixel.net
newaliases_path = /usr/bin/newaliases.postfix
qmgr_message_active_limit = 4000
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

Thanks!

Cameron


Re: How to read maillog

mouss-2
Velvet Pixel wrote:

>
> On Jul 30, 2008, at 12:37 AM, MrC wrote:
>>>
>>
>> Isn't mail fun.
>>>
>
> YEAH! :)
>
>
>>
>> Post output from postconf -n and you'll get lots of good feedback about
>> how to configure your anti-spam measures.
>>
>> MrC
>>
>>
>
> Here is my postconf output:
>
> # postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> home_mailbox = Maildir/
> html_directory = no
> mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> mydestination = $myhostname, localhost.$mydomain, localhost, vps.velvetpixel.net
> newaliases_path = /usr/bin/newaliases.postfix
> qmgr_message_active_limit = 4000
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sender_bcc_maps = hash:/etc/postfix/bcc
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/etc/postfix/virtual
>


you could start from something like:

smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_invalid_helo_hostname
        warn_if_reject reject_non_fqdn_helo_hostname
        reject_unlisted_recipient
        reject_unlisted_sender
        reject_rbl_client zen.spamhaus.org

reject_non_fqdn_helo_hostname may reject mail from misconfigured sites.
Try it with warn_if_reject first (so that it logs a warning instead
of rejecting).
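
An added example (not mouss's or Cameron's code) that reads main.cf / postconf -n style text and applies the ordering mouss's list follows as a sanity check: only permit_mynetworks and permit_sasl_authenticated come before reject_unauth_destination, and anything under warn_if_reject is reported as logged rather than enforced. The restriction text is constructed from mouss's suggestion; the check is a heuristic of this example, not a Postfix feature.

```python
# Permits that may legitimately precede reject_unauth_destination: they only
# apply to our own networks or to clients that authenticated with SASL.
SAFE_PERMITS = {'permit_mynetworks', 'permit_sasl_authenticated'}

def parse_postconf(text):
    """Parse 'name = value' lines; a value may continue on indented lines
    as in main.cf. Lines starting with '#' (like the prompt) are skipped."""
    params, name = {}, None
    for raw in text.splitlines():
        if raw.startswith('#') or not raw.strip():
            continue
        if raw[0].isspace() and name:          # continuation of previous value
            params[name] += ' ' + raw.strip()
        else:
            name, _, value = raw.partition('=')
            name = name.strip()
            params[name] = value.strip()
    return params

def check_recipient_restrictions(params):
    """Findings about smtpd_recipient_restrictions (empty list = nothing found)."""
    findings = []
    rules = params.get('smtpd_recipient_restrictions', '').replace(',', ' ').split()
    if 'reject_unauth_destination' not in rules:
        return ['reject_unauth_destination missing: nothing stops relaying']
    guard = rules.index('reject_unauth_destination')
    for r in rules[:guard]:
        if r.startswith('permit') and r not in SAFE_PERMITS:
            findings.append(f'{r} listed before reject_unauth_destination: '
                            'it may permit relaying for unknown clients')
    for i, r in enumerate(rules):
        if r == 'warn_if_reject' and i + 1 < len(rules):
            findings.append(f'{rules[i + 1]} is under warn_if_reject: '
                            'rejections are only logged')
    return findings

# Constructed excerpt carrying mouss's suggested list, with the value wrapped
# onto indented continuation lines as main.cf allows.
SUGGESTED = """\
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination reject_non_fqdn_sender reject_non_fqdn_recipient
    reject_invalid_helo_hostname warn_if_reject reject_non_fqdn_helo_hostname
    reject_unlisted_recipient reject_unlisted_sender
    reject_rbl_client zen.spamhaus.org
smtpd_sasl_auth_enable = yes
"""
```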