113

I know this has been asked a hundred times. But I've done a lot of Google searching without success. My question: I want to log every activity of my postfix server. Neither the default file /var/log/mail nor any other concerning mail or postfix exists.

  1. What's the exact string to put into the configuration file /etc/postfix/main.cf to enable logging?
  2. Where can I see which configuration file postfix uses? (according to my hint below)

Thanks for your answers.

Hint: I use postfix together with dovecot. I installed meta package some months ago.

Output for postconf -n:

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_dot_mydomain = no
    biff = no
    broken_sasl_auth_clients = yes
    config_directory = /etc/postfix
    home_mailbox = Maildir/
    inet_interfaces = all
    mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/conf.d/01-dovecot-postfix.conf -n -m "${EXTENSION}"
    mailbox_size_limit = 0
    mydestination = mydomain.de localhost
    myhostname = mydomain.de
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    myorigin = /etc/mailname
    readme_directory = no
    recipient_delimiter = +
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_path = private/dovecot-auth
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_sender_restrictions = reject_unknown_sender_domain
    smtpd_tls_auth_only = yes
    smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
    smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
    smtpd_tls_mandatory_ciphers = medium
    smtpd_tls_mandatory_protocols = SSLv3, TLSv1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom
    virtual_alias_maps = hash:/etc/postfix/virtual
    virtual_gid_maps = static:5000
    virtual_mailbox_base = /var/mail/vhosts
    virtual_mailbox_domains = mydomain2.de
    virtual_mailbox_maps = hash:/etc/postfix/vmailbox
    virtual_minimum_uid = 100
    virtual_uid_maps = static:5000

Output for /etc/syslog.conf:

    #  /etc/syslog.conf Configuration file for syslogd.
    #
    #           For more information see syslog.conf(5)
    #           manpage.

    #
    # First some standard logfiles.  Log by facility.
    #

    auth,authpriv.*      -/var/log/auth.log
    *.*;auth,authpriv.none;local0.none;local1.none      -/var/log/syslog
    #cron.*          -/var/log/cron.log
    daemon.*            -/var/log/daemon.log
    kern.*              -/var/log/kern.log
    lpr.*               -/var/log/lpr.log
    user.*              -/var/log/user.log

    #
    # Logging for the mail system.  Split it up so that
    # it is easy to write scripts to parse these files.
    #

    # Logging for INN news system
    #
    news.crit        -/var/log/news/news.crit
    news.err         -/var/log/news/news.err
    news.notice         -/var/log/news/news.notice

    #
    # Some `catch-all' logfiles.
    #
    *.=debug;\
        auth,authpriv.none;\
        news.none   -/var/log/debug
    *.=info;*.=notice;*.=warning;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none      -/var/log/messages

    #
    # Emergencies are sent to everybody logged in.
    #
    *.emerg             *

    #
    # I like to have messages displayed on the console, but only on a virtual
    # console I usually leave idle.
    #
    #daemon,mail.*;\
    #   news.=crit;news.=err;news.=notice;\
    #   *.=debug;*.=info;\
    #   *.=notice;*.=warning    /dev/tty8

    # The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
    # you must invoke `xconsole' with the `-file' option:
    #
    #    $ xconsole -file /dev/xconsole [...]
    #
    # NOTE: adjust the list below, or you'll go crazy if you have a reasonably
    #      busy site..
    #
    daemon.*;mail.*;\
        news.err;\
        *.=debug;*.=info;\
        *.=notice;*.=warning    |/dev/xconsole

Braiam
Steve Rakebrandt
  • 4
    Ubuntu's package of Postfix just logs to /var/log/mail.log by default. If that's not present or it does not log there, then please clarify what you changed to your system. Without providing such details of what you tried/found we can't really help you. Maybe it's as simple as a modified rsyslog configuration. We don't have access to your system and we can't see your screens, so we rely on what you provide in your question. And to print the current Postfix configuration, use postconf -n. – gertvdijk Dec 23 '13 at 12:53
  • Please edit your question to include details. That's how this site works. Comments aren't fit for that. – gertvdijk Dec 23 '13 at 13:36
  • Hi. I've added the output of postconf. I've changed nothing in the past. I just installed the meta package. Well, it could be possible that someone occupied the server and removed the logs :-D. There were a lot of messages sent from this server the last days, which seem to be spam... – Steve Rakebrandt Dec 23 '13 at 13:41
  • If you suspect somebody just bluntly removed logfiles, then they might not be rotated properly anymore and a file descriptor is still open to an older (unlinked) logfile. Did you try to restart Postfix and rsyslog? – gertvdijk Dec 23 '13 at 13:45
  • Yes, I've already restarted postfix a few times. I've also restarted the server some minutes ago. No changes. Files are still missing. As far as I know, all the active logs will be compressed after a period, so I think these are all the active ones: aptitude, auth, daemon, dovecot, dpkg, mysql, vsftpd. Well, if I don't get any results this evening, I will make a backup and start the reinstall process (provider function). And btw, I cannot restart rsyslog(d) -> unrecognized service. – Steve Rakebrandt Dec 23 '13 at 14:38
  • Are you running a provider-image on your server? It may be modified and having non-Ubuntu default settings. If so, that's important information as we may be looking at changes your provider made to Ubuntu. Make sure you have rsyslog running and configured for mail.* in /etc/rsyslog.d/50-default.conf. If that's missing, then ask your provider what else they changed to the image or even better, make sure they install a regular Ubuntu image for you. (See also this linuxquestions.org post). – gertvdijk Dec 23 '13 at 14:45
  • I think they used a default Ubuntu image, but I cannot guarantee that they have not made any changes to it. Ps aux returns:

    syslog 1289 0.0 0.0 12468 796 ? Ss 15:29 0:00 /sbin/syslogd -u syslog

    So syslog is running, not rsyslog. There's also a config file directly in /etc. /etc/rsyslog doesn't exist. Well, ok, maybe it seems not to be a default image :-D. I posted the syslog.conf above.

    – Steve Rakebrandt Dec 23 '13 at 15:17
  • Ok. Uninstalled syslog and installed rsyslog. Now I can find some mail.* files in /var/log. mail.info and mail.log have a small content (197 bytes), so I think these are my new log files for mail now. There's also a new /var/log/messages file. I'll inspect them over the next two days. Maybe it's working now as expected. Thanks for your help, Gert :-) – Steve Rakebrandt Dec 23 '13 at 15:46
  • check the perms of /var/log/mail.log # ls -l /var/log/mail.log -rw-r----- 1 syslog adm 3066 Oct 16 00:40 /var/log/mail.log –  Oct 16 '15 at 04:24

4 Answers

110

They should be in /var/log/mail.log. However, it appears that your syslog facility configuration was changed by you (or your provider). Using the plain syslogd instead of rsyslogd is very much possible, but then you can expect things to work differently than you expect.

As already mentioned in the comments, by installing rsyslog, the files reappeared.

gertvdijk
  • 1
    Yes, in my case I just had to run "apt-get install rsyslog" and "service postfix restart" and my /var/log/mail.log appeared – Mike Jun 17 '16 at 12:50
14

On Ubuntu 16.04, I found postfix logs in /var/log/syslog:

    grep postfix /var/log/syslog

You can view the stream of postfix logs:

    tail -f /var/log/syslog | grep postfix

A.L
9

I had to use journalctl -t postfix/smtpd -t postfix/smtp to find the email logs, where

  • smtpd is for incoming emails (the d stands for daemon which clients talk to),
  • smtp for outgoing emails, and
  • by specifying both, you see both in a combined log view.

You can also use journalctl without arguments to see all logs, without filtering for a topic.

In /var/log there is now a README file that says to stop looking there for systemd-based systems.

Luc
6

To be explicit: postfix logs to syslog and uses the mail facility of syslog.

You will have to check which syslog server you run, but the default in Ubuntu up to the current 20.04 LTS release is rsyslogd. If you change the syslog daemon you will need to configure that for the mail facility of syslog.

Check if mail is logged to any particular file by searching for mail. (without any preceding comment/hash char) but also include all "catch all rules" *.:

    grep -E "^[^#]*(mail|\*)\." /etc/rsyslog.conf /etc/rsyslog.d/*.conf

Example output from Ubuntu 20.04:

    # We see that "/etc/rsyslog.conf" includes files from "/etc/rsyslog.d"
    /etc/rsyslog.conf:$IncludeConfig /etc/rsyslog.d/*.conf
    # "*.*" means that all events except "authpriv" is logged to /var/log/syslog
    /etc/rsyslog.d/50-default.conf:*.*;auth,authpriv.none -/var/log/syslog
    # Here goes "mail"
    /etc/rsyslog.d/50-default.conf:mail.* -/var/log/mail.log
    # In addition "mail.err" goes here
    /etc/rsyslog.d/50-default.conf:mail.err /var/log/mail.err
    # And in the event of an "emerg" priority message..
    /etc/rsyslog.d/50-default.conf:*.emerg :omusrmsg:*

Rsyslog reads the configuration files in order, and all events (log lines) pass through all configuration items unless any configuration discards or filters away the event.

Another example, where mail.* is suppressed from going into the general messages file, then sent to both a file and an external UDP syslog server:

    *.info;mail.none;authpriv.none;cron.none  /var/log/messages
    mail.*                                   -/var/log/maillog
    mail.*                                    @127.0.0.1:50514

So mind the order of files when you change things (number or char sorting), and use the rsyslog.d directory instead of messing with rsyslog.conf.

sastorsl
  • 463
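
The selector evaluation described in the answer above, as an added example (not code from the answer or from rsyslog): a small Python evaluator for traditional `facility.priority` selector lines that reports which actions receive a given message. The function names are made up for illustration, the two sample configs are lines copied from the question and from this answer, and rsyslog's newer RainerScript syntax is not handled.

```python
import re

# Severities, most severe first: "mail.info" covers info and everything above it.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def rules(conf_text):
    """Yield (selector, action); joins "\\" continuations, skips comments and "$" directives."""
    joined = re.sub(r"\\[ \t]*\n[ \t]*", "", conf_text)
    for line in joined.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith(("#", "$")):
            yield parts[0], parts[1].strip()

def selector_matches(selector, facility, level):
    """Evaluate "a.x;b.y" left to right; a later part overrides an earlier one."""
    want, hit = LEVELS.index(level), False
    for part in selector.split(";"):
        facs, _, prio = part.rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if prio == "none":  # "none" clears whatever an earlier part selected
            prio = "!*"
        negate, prio = prio.startswith("!"), prio.lstrip("!")
        exact, prio = prio.startswith("="), prio.lstrip("=")
        idx = None if prio == "*" else LEVELS.index(prio)
        if idx is None or (want == idx if exact else want <= idx):
            hit = not negate
    return hit

def destinations(conf_text, facility, level):
    """Actions that receive facility.level (leading "-" no-sync marker dropped)."""
    return [a.lstrip("-") for s, a in rules(conf_text) if selector_matches(s, facility, level)]

# Samples: lines copied from the two configurations quoted on this page.
QUESTION_CONF = r"""
*.*;auth,authpriv.none;local0.none;local1.none      -/var/log/syslog
*.=info;*.=notice;*.=warning;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none      -/var/log/messages
"""
ANSWER_CONF = """
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
mail.*                                   -/var/log/maillog
mail.*                                    @127.0.0.1:50514
"""

if __name__ == "__main__":
    print(destinations(QUESTION_CONF, "mail", "info"), destinations(ANSWER_CONF, "mail", "info"))
```

For the question's syslog.conf lines, `mail.info` matches only the catch-all rule, so Postfix messages land in /var/log/syslog and no dedicated mail log file is written.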