Home / ubuntu / Questions / 394724
Accepted
Steve Rakebrandt
Asked: 2013-12-24 04:44:07 +0800 CST

Where are the postfix log files?

  • 772

I know this has been asked a hundred times. But I've done a lot of Google searching without success. My question: I want to log every activity of my postfix server. Neither the default file /var/log/mail nor any other concerning mail or postfix exists.

  1. What's the exact string to put into the configuration file /etc/postfx/main.cf to enable logging?
  2. Where can i see which configuration file postfix uses? (according to my hint below)

Thanks for your answers.

Hint: I use postfix together with dovecot. I installed meta package some months ago.

Output for postconf -n:

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_dot_mydomain = no
    biff = no
    broken_sasl_auth_clients = yes
    config_directory = /etc/postfix
    home_mailbox = Maildir/
    inet_interfaces = all
    mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/conf.d/01-dovecot-postfix.conf -n -m "${EXTENSION}"
    mailbox_size_limit = 0
    mydestination = mydomain.de localhost
    myhostname = mydomain.de
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    myorigin = /etc/mailname
    readme_directory = no
    recipient_delimiter = +
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_path = private/dovecot-auth
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_sender_restrictions = reject_unknown_sender_domain
    smtpd_tls_auth_only = yes
    smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
    smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
    smtpd_tls_mandatory_ciphers = medium
    smtpd_tls_mandatory_protocols = SSLv3, TLSv1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom
    virtual_alias_maps = hash:/etc/postfix/virtual
    virtual_gid_maps = static:5000
    virtual_mailbox_base = /var/mail/vhosts
    virtual_mailbox_domains = mydomain2.de
    virtual_mailbox_maps = hash:/etc/postfix/vmailbox
    virtual_minimum_uid = 100
    virtual_uid_maps = static:5000

Output for /etc/syslog.conf

#  /etc/syslog.conf Configuration file for syslogd.
#
#           For more information see syslog.conf(5)
#           manpage.

#
# First some standard logfiles.  Log by facility.
#

auth,authpriv.*      -/var/log/auth.log
*.*;auth,authpriv.none;local0.none;local1.none      -/var/log/syslog
#cron.*          -/var/log/cron.log
daemon.*            -/var/log/daemon.log
kern.*              -/var/log/kern.log
lpr.*               -/var/log/lpr.log
user.*              -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#

# Logging for INN news system
#
news.crit        -/var/log/news/news.crit
news.err         -/var/log/news/news.err
news.notice         -/var/log/news/news.notice

#
# Some `catch-all' logfiles.
#
*.=debug;\
    auth,authpriv.none;\
    news.none   -/var/log/debug
*.=info;*.=notice;*.=warning;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none      -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg             *

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#   news.=crit;news.=err;news.=notice;\
#   *.=debug;*.=info;\
#   *.=notice;*.=warning    /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
# 
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
    news.err;\
    *.=debug;*.=info;\
    *.=notice;*.=warning    |/dev/xconsole
postfix

3 Answers

  1. Best Answer

    They should be in /var/log/mail.log. However, it appears that your syslog facility configuration was changed by you (or your provider). Using the plain syslogd instead of rsyslogd is very much possible, but then you can expect things to work different to your expectation.

    As already mentioned in the comments, by installing rsyslog, the files reappeared.

    • 97

  2. On Ubuntu 16.04, I found postfix logs in /var/log/syslog:

    grep postfix /var/log/syslog

    You can view the stream of postfix logs:

    tail -f /var/log/syslog | grep postfix
    • 13

  3. To be explicit: postfix logs to syslog and uses the mail facility of syslog.

    You will have to check which syslog server you run, but the default in Ubuntu up to the current 20.04 LTS release is rsyslogd. If you change the syslog daemon you will need to configure that for the mail facility of syslog.

    Check if mail is logged to any particular file by searching for mail. (without any preceding comment/hash char) but also include all "catch all rules" *.:

    grep -E "^[^#]*(mail|\*)\." /etc/rsyslog.conf /etc/rsyslog.d/*.conf

    Example output from Ubuntu 20.04

    # We see that "/etc/rsyslog.conf" includes files from "/etc/rsyslog.d"
/etc/rsyslog.conf:$IncludeConfig /etc/rsyslog.d/*.conf

# "*.*" means that _all_ events _except_ "authpriv" is logged to /var/log/syslog
/etc/rsyslog.d/50-default.conf:*.*;auth,authpriv.none -/var/log/syslog

# Here goes "mail"
/etc/rsyslog.d/50-default.conf:mail.*                 -/var/log/mail.log

# In _addition_ "mail.err" goes here
/etc/rsyslog.d/50-default.conf:mail.err                /var/log/mail.err

# And in the event of an "emerg" priority message..
/etc/rsyslog.d/50-default.conf:*.emerg                 :omusrmsg:*

    Rsyslog reads the configuration files in order, and all events (log lines) pass through all configuration items unless any configuration discards or filters away the event.

    Another example, where mail.* is suppressed from going into the general messages file, then sent to both a file and an external UDP syslog server:

    *.info;mail.none;authpriv.none;cron.none  /var/log/messages
mail.*                                   -/var/log/maillog
mail.*                                    @127.0.0.1:50514

    So mind the order of files when you change things (number or char sorting), and use the rsyslog.d directory instead of messing with rsyslog.conf.

    • 3