smtpd: no logging on "message to big"


A. Schulze

Hello,

usually I expect any smtp connection to be logged. That way I may find
any sender or recipient addresses
a user may know if complaining about missing messages. This is not
true if a message is rejected because it's too big.

SMTP-Reply is "552 5.3.4 Error: message file too big". But no  
sender/recipient is logged.

Jul  8 10:55:51 spider postfix/smtpd[26755]: connect from localhost[::1]
Jul  8 10:56:03 spider postfix/smtpd[26755]: 3mRDxv3FrfzYrRcj: client=localhost[::1]
Jul  8 10:56:08 spider postfix/smtpd[26755]: warning: 3mRDxv3FrfzYrRcj: queue file size limit exceeded
Jul  8 10:56:15 spider postfix/smtpd[26755]: disconnect from localhost[::1] ehlo=1 mail=1 rcpt=1 data=0/1 quit=1 commands=4/5

$ postconf mail_version
mail_version = 3.0.1

I don't expect there is a separate parameter making the log more
verbose in this case.
Was the logging just forgotten?

Andreas





Re: smtpd: no logging on "message to big"

Wietse Venema
A. Schulze:

>
> Hello,
>
> usually I expect any smtp connection to be logged. That way I may find
> any sender or recipient addresses
> a user may know if complaining about missing messages. This is not
> true if a message is rejected because it's too big.
>
> SMTP-Reply is "552 5.3.4 Error: message file too big". But no
> sender/recipient is logged.
>
> Jul  8 10:55:51 spider postfix/smtpd[26755]: connect from localhost[::1]
> Jul  8 10:56:03 spider postfix/smtpd[26755]: 3mRDxv3FrfzYrRcj: client=localhost[::1]
> Jul  8 10:56:08 spider postfix/smtpd[26755]: warning: 3mRDxv3FrfzYrRcj: queue file size limit exceeded

You can use 3mRDxv3FrfzYrRcj to locate the record with clientxxx[yyyy].

This error like many other non-SMTP errors was implemented long
before the cleanup server had access to SMTP session context.

        Wietse
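
The lookup suggested above, joining the size-limit warning to the `client=` record by queue ID, as an added example (not part of the original thread and not Postfix code). The sample log is constructed from the excerpt quoted in this thread plus one made-up queue ID with no `client=` record; the function name `oversize_rejects` and the default `postfix/smtpd` syslog tag are assumptions.

```python
import re

# Constructed sample: the excerpt from this thread plus one made-up warning
# (queue ID 3mRDzz0AbCzYrQxx) whose client= record is missing from the log.
SAMPLE_LOG = """\
Jul  8 10:55:51 spider postfix/smtpd[26755]: connect from localhost[::1]
Jul  8 10:56:03 spider postfix/smtpd[26755]: 3mRDxv3FrfzYrRcj: client=localhost[::1]
Jul  8 10:56:08 spider postfix/smtpd[26755]: warning: 3mRDxv3FrfzYrRcj: queue file size limit exceeded
Jul  8 10:56:15 spider postfix/smtpd[26755]: disconnect from localhost[::1] ehlo=1 mail=1 rcpt=1 data=0/1 quit=1 commands=4/5
Jul  8 11:02:10 spider postfix/smtpd[26801]: warning: 3mRDzz0AbCzYrQxx: queue file size limit exceeded
"""

# Assumption: smtpd logs under the default syslog tag "postfix/smtpd".
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT = re.compile(r"^(?P<qid>[0-9A-Za-z]+): client=(?P<client>[^,\s]+)")
TOOBIG = re.compile(
    r"^warning: (?P<qid>[0-9A-Za-z]+): queue file size limit exceeded")
DISCONNECT = re.compile(r"^disconnect from \S+\s*(?P<stats>.*)$")


def oversize_rejects(log_text):
    """Return one dict per size-limit warning, joined to its client= record."""
    clients = {}      # queue ID -> client name[address]
    open_by_pid = {}  # smtpd pid -> hits still waiting for a disconnect line
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if c := CLIENT.match(msg):
            clients[c["qid"]] = c["client"]
        elif w := TOOBIG.match(msg):
            hit = {"time": m["ts"], "queue_id": w["qid"],
                   "client": clients.get(w["qid"]), "session": None}
            results.append(hit)
            open_by_pid.setdefault(pid, []).append(hit)
        elif d := DISCONNECT.match(msg):
            # Attach the per-session command counters (e.g. rcpt=1 data=0/1).
            for hit in open_by_pid.pop(pid, []):
                hit["session"] = d["stats"]
    return results


if __name__ == "__main__":
    for hit in oversize_rejects(SAMPLE_LOG):
        print(hit)
```

A `client` of `None` means the `client=` line was not in the text searched, for example because it sits in a rotated log file. Sender and recipient are absent either way, which is the gap this thread is about.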

Re: smtpd: no logging on "message to big"

Wietse Venema
Wietse Venema:

> A. Schulze:
> >
> > Hello,
> >
> > usually I expect any smtp connection to be logged. That way I may find
> > any sender or recipient addresses
> > a user may know if complaining about missing messages. This is not
> > true if a message is rejected because it's too big.
> >
> > SMTP-Reply is "552 5.3.4 Error: message file too big". But no
> > sender/recipient is logged.
> >
> > Jul  8 10:55:51 spider postfix/smtpd[26755]: connect from localhost[::1]
> > Jul  8 10:56:03 spider postfix/smtpd[26755]: 3mRDxv3FrfzYrRcj: client=localhost[::1]
> > Jul  8 10:56:08 spider postfix/smtpd[26755]: warning: 3mRDxv3FrfzYrRcj: queue file size limit exceeded
>
> You can use 3mRDxv3FrfzYrRcj to locate the record with clientxxx[yyyy].
>
> This error like many other non-SMTP errors was implemented long
> before the cleanup server had access to SMTP session context.

If you find the reference to the cleanup server puzzling, this
error message was copied literally from the cleanup server, when
the smtpd_proxy_filter feature was implemented.

It is theoretically possible to update lots of Postfix messages
with SMTP envelope information, but the price is that it instantly
obsoletes logfile analyzers. Does the price exceed the benefit?

        Wietse



Re: smtpd: no logging on "message to big"

A. Schulze

wietse:

> It is theoretically possible to update lots of Postfix messages
> with SMTP envelope information, but the price is that it instantly
> obsoletes logfile analyzers. Does the price exceed the benefit?

(at least for me) it's more valuable to get as many details as
possible logged.
So my answer is NO:-)

an example:

smtp:
telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 localhost ESMTP
ehlo localhost
250-localhost
250 SIZE 10
mail from:<some_external_that_my_user_know@external_domain>
250 2.1.0 Ok
rcpt to:<my_user@mydomain>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: longer_then_10

body
.
552 5.3.4 Error: message file too big, servertime=Jul 08 17:02:36, server=localhost, client=::1
quit
221 2.0.0 Bye
Connection closed by foreign host.

log:
Jul  8 17:01:48 mail postfix/smtpd[18193]: connect from localhost[::1]
Jul  8 17:02:07 mail postfix/smtpd[18193]: 3mRP4H3mJMz373gD: client=localhost[::1]
Jul  8 17:02:31 mail postfix/smtpd[18193]: warning: 3mRP4H3mJMz373gD: queue file size limit exceeded
Jul  8 17:02:41 mail postfix/smtpd[18193]: disconnect from localhost[::1] ehlo=1 mail=1 rcpt=1 data=0/1 quit=1 commands=4/5

my_user calls the help desk: "I miss a message from @external_domain"
grep '@external_domain' mail.log
<nothing>

that's the pain ...

Andreas


Re: smtpd: no logging on "message to big"

Wietse Venema
A. Schulze:

>
> wietse:
>
> > It is theoretically possible to update lots of Postfix messages
> > with SMTP envelope information, but the price is that it instantly
> > obsoletes logfile analyzers. Does the price exceed the benefit?
>
> (at least for me) it's more valuable to get as many details as
> possible logged.
> So my answer is NO:-)
>
> an example:

Sorry, it is unwise to log the details of every SMTP error, let
alone log it with the full envelope information.  That would make
Postfix unnecessarily vulnerable to logfile flooding.

        Wietse

Re: smtpd: no logging on "message to big"

A. Schulze

wietse:

> Sorry, it is unwise to log the details of every SMTP error, let
> alone log it with the full envelope information.  That would make
> Postfix unnecessarily vulnerable to logfile flooding.

maybe I expressed myself wrong.
I simply would like to see such a hypothetical log:

Jul  8 17:46:08 mail postfix/smtp[14519]: 3mRP4H3mJMz373gD: reject: END_OF_DATA from mail.external.org[192.0.2.25]: queue file size limit exceeded; from=<external_sender>, to=<my_user@mydomain>, proto=ESMTP, helo=<mail.external.org>

as a replacement for the existing

Jul  8 17:02:31 mail postfix/smtpd[18193]: warning: 3mRP4H3mJMz373gD: queue file size limit exceeded

I see that in the same category as this:

NOQUEUE: reject: RCPT from unknown[192.0.2.26]: 450 4.1.8 <[hidden email]>: Sender address rejected: Domain not found
NOQUEUE: reject: RCPT from 139-80-ftth.on.nl[88.159.80.139]: 550 5.1.1 <[hidden email]>: Recipient address rejected: undeliverable address
NOQUEUE: reject: RCPT from unknown[192.126.123.156]: 550 5.7.1 Client host rejected: cannot find your reverse hostname
NOQUEUE: reject: RCPT from [72.29.72.39]:51201: 550 5.7.1 Service unavailable; client [72.29.72.39] blocked using sbl-xbl.spamhaus.org

message was rejected but logged. That would help...
Andreas


Re: smtpd: no logging on "message to big"

Wietse Venema
A. Schulze:

>
> wietse:
>
> > Sorry, it is unwise to log the details of every SMTP error, let
> > alone log it with the full envelope information.  That would make
> > Postfix unnecessarily vulnerable to logfile flooding.
>
> maybe I expressed myself wrong.
> I simply would like to see such a hypothetical log:
>
> Jul  8 17:46:08 mail postfix/smtp[14519]: 3mRP4H3mJMz373gD: reject: END_OF_DATA from mail.external.org[192.0.2.25]: queue file size limit exceeded; from=<external_sender>, to=<my_user@mydomain>, proto=ESMTP, helo=<mail.external.org>

Yes I know already that you are not interested in the stability of
logfile messages.

        Wietse

RE: smtpd: no logging on "message to big"

Rosenbaum, Larry M.
In reply to this post by A. Schulze
>
> wietse:
>
> > Sorry, it is unwise to log the details of every SMTP error, let
> > alone log it with the full envelope information.  That would make
> > Postfix unnecessarily vulnerable to logfile flooding.
>
> maybe I expressed myself wrong.
> I simply would like to see such a hypothetical log:
>
> Jul  8 17:46:08 mail postfix/smtp[14519]: 3mRP4H3mJMz373gD: reject: END_OF_DATA from mail.external.org[192.0.2.25]: queue file size limit exceeded; from=<external_sender>, to=<my_user@mydomain>, proto=ESMTP, helo=<mail.external.org>

If the client looks at the SIZE line of the EHLO response, it may determine at that point that the message is too big and abort the attempt. In that case the server doesn't have any envelope data to log, and might not even know why the client gave up.


Re: smtpd: no logging on "message to big"

Viktor Dukhovni
On Wed, Jul 08, 2015 at 08:58:38PM +0000, Rosenbaum, Larry M. wrote:

> > Jul  8 17:46:08 mail postfix/smtp[14519]: 3mRP4H3mJMz373gD: reject: END_OF_DATA from mail.external.org[192.0.2.25]: queue file size limit exceeded; from=<external_sender>, to=<my_user@mydomain>, proto=ESMTP, helo=<mail.external.org>
>
> If the client looks at the SIZE line of the EHLO response, it may determine
> at that point that the message is too big and abort the attempt. In that
> case the server doesn't have any envelope data to log, and might not even
> know why the client gave up.

This is increasingly the most common case.  SMTP clients that don't
support "SIZE=<limit>" are rare and getting more so.

--
        Viktor.

Re: smtpd: no logging on "message to big"

A. Schulze
In reply to this post by Rosenbaum, Larry M.

Rosenbaum, Larry M.:

> If the client looks at the SIZE line of the EHLO response, it may  
> determine at that point that the message is too big and abort the  
> attempt. In that case the server doesn't have any envelope data to  
> log, and might not even know why the client gave up.

yes, that's the right argument to finish this discussion...
Thanks!

Andreas