Mail server log analysis

From Oxxus Wiki


Postfix, Dovecot and most other mail services log through syslog, which on CentOS and other Red Hat based systems writes their messages to /var/log/maillog (Debian and Ubuntu use /var/log/mail.log instead). Here are a few useful tips on how to analyze your mail service logs:


Realtime mail log following

Use the tail -f command to watch all mail services logging in real time. Type at your shell prompt:

 tail -f /var/log/maillog
 

Press CTRL + C to stop the output.

You should see mail being received and delivered to mailboxes as it happens. This is the quickest way to debug mail services when you are trying to locate a problem with receiving or sending e-mail: send a test message and watch at which line in the log the delivery stops.

Using grep to list rejected, sent or address-specific Postfix log entries

Mail is usually rejected for one of three reasons: a remote host probing your server as an open relay so it can deliver spam through it; your own mail client failing to authenticate before sending, so it is treated like a relay attempt and gets "Relay access denied"; or, if your mail server is configured to consult DNS blacklists, the connecting IP address being listed. All of these are logged by postfix/smtpd as reject entries, so they are easy to pull out with grep.

You can use grep to find those log entries in the log file.

[12:40:07 root@gw1 log]# grep reject /var/log/maillog
May 11 04:02:33 gw1 postfix/smtpd[26897]: NOQUEUE: reject: RCPT from unknown[118.96.243.81]: 554 5.7.1 Service unavailable; Client host [118.96.243.81] blocked using b.barracudacentral.org; http://www.barracudanetworks.com/reputation/?pr=1&ip=118.96.243.81; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<81.static.118-96-243.astinet.telkom.net.id>
May 11 04:02:34 gw1 postfix/smtpd[26834]: NOQUEUE: reject: RCPT from unknown[125.164.34.194]: 554 5.7.1 Service unavailable; Client host [125.164.34.194] blocked using b.barracudacentral.org; http://www.barracudanetworks.com/reputation/?pr=1&ip=125.164.34.194; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<37.subnet110-139-19.speedy.telkom.net.id>
May 11 04:02:34 gw1 postfix/smtpd[27005]: NOQUEUE: reject: RCPT from unknown[94.50.102.148]: 554 5.7.1 Service unavailable; Client host [94.50.102.148] blocked using b.barracudacentral.org; http://www.barracudanetworks.com/reputation/?pr=1&ip=94.50.102.148; from=<[email protected]> to=<rbiflorida@chacal.com> proto=ESMTP helo=<90.151.196.238>
 

Using grep, you can list every entry involving a specific e-mail address (as sender or recipient), or all successfully delivered mail:

grep "[email protected]" /var/log/maillog
or
grep "status=sent" /var/log/maillog

Postfix ties all log lines of one message together with its queue ID (the hex string after the process name, e.g. 3F2A1C0B2); grep for that ID to follow a single message from acceptance to delivery.
 


Counting maillog entries

Depending on what information you need, you can combine shell commands to get different frequencies out of the log. In this example grep, cut, sort and uniq count the deliveries (status=sent lines) per recipient address; the address is cut out of the to=<...> field of each delivery line. Plain sort is enough here, and it is required because uniq -c only merges adjacent identical lines:

[root@somedomain log]# grep "status=sent" /var/log/maillog |cut -d "=" -f 2 |cut -d ">" -f 1 |cut -d "<" -f 2 |sort |uniq -c
      2 [email protected]
      1 [email protected]
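The grep and counting recipes from the two sections above, put together as one script. This is an added example, not code from the Oxxus wiki: it summarises a Postfix log by rejecting client IP, by the DNS blacklist that caused each rejection, by open-relay attempts and by delivered recipient. Every host, address and queue ID in the embedded sample log is constructed for the example; on a server set MAILLOG=/var/log/maillog to read the real file instead.

```shell
#!/bin/sh
# Added example, not code from the Oxxus wiki: summarise a Postfix maillog by
# rejecting client IP, by the DNSBL that caused each rejection, by relay
# attempts and by delivered recipient. Every host, address and queue ID in
# the sample below is constructed for this example; on a server set
# MAILLOG=/var/log/maillog to read the real file instead.

sample_maillog() {
  cat <<'EOF'
May 11 04:02:33 gw1 postfix/smtpd[26897]: NOQUEUE: reject: RCPT from unknown[198.51.100.17]: 554 5.7.1 Service unavailable; Client host [198.51.100.17] blocked using b.barracudacentral.org; from=<spam@example.net> to=<alice@example.com> proto=ESMTP helo=<mx.example.net>
May 11 04:02:34 gw1 postfix/smtpd[26834]: NOQUEUE: reject: RCPT from unknown[198.51.100.17]: 554 5.7.1 Service unavailable; Client host [198.51.100.17] blocked using b.barracudacentral.org; from=<spam@example.net> to=<bob@example.com> proto=ESMTP helo=<mx.example.net>
May 11 04:02:40 gw1 postfix/smtpd[26840]: NOQUEUE: reject: RCPT from unknown[198.51.100.200]: 554 5.7.1 Service unavailable; Client host [198.51.100.200] blocked using zen.spamhaus.org; from=<offer@example.net> to=<bob@example.com> proto=SMTP helo=<localhost>
May 11 04:03:10 gw1 postfix/smtpd[26901]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 454 4.7.1 <victim@example.org>: Relay access denied; from=<x@example.net> to=<victim@example.org> proto=ESMTP helo=<pc>
May 11 04:05:01 gw1 postfix/smtp[27010]: 3F2A1C0B2: to=<alice@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.5, delays=0.1/0/0/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9B1D2C0C1)
May 11 04:05:02 gw1 postfix/smtp[27011]: 9B1D2C0C1: to=<alice@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=1.2, delays=0.2/0/0.3/0.7, dsn=2.0.0, status=sent (250 OK)
May 11 04:06:00 gw1 postfix/smtp[27012]: 4C3B2D1E3: to=<carol@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=1.0, delays=0.1/0/0.3/0.6, dsn=2.0.0, status=sent (250 OK)
May 11 04:07:00 gw1 postfix/smtp[27013]: 5D4C3E2F4: to=<dave@example.com>, relay=none, delay=30, delays=0/0/30/0, dsn=4.4.1, status=deferred (connect to mail.example.org[192.0.2.20]:25: Connection timed out)
EOF
}

read_log() {
  if [ -n "${MAILLOG:-}" ]; then cat "$MAILLOG"; else sample_maillog; fi
}

# Pull the client IP out of a postfix/smtpd reject line: it is the bracketed
# address after "RCPT from <reverse-dns-name>[". Other lines are dropped.
client_ip() {
  sed -n 's/.*RCPT from [^[]*\[\([^]]*\)\].*/\1/p'
}

# Rejections per connecting client, busiest first.
rejects_by_client() {
  grep 'NOQUEUE: reject:' | client_ip | sort | uniq -c | sort -rn
}

# Clients that tried to use the server as an open relay: unauthenticated
# submission for a domain the server does not accept mail for.
relay_attempts_by_client() {
  grep 'Relay access denied' | client_ip | sort | uniq -c | sort -rn
}

# Which DNS blacklist is doing the work. Postfix names the zone as
# "blocked using <zone>" in the reject text.
rejects_by_rbl() {
  grep -o 'blocked using [^;]*' | sed 's/^blocked using //' | sort | uniq -c | sort -rn
}

# Deliveries per recipient: the to=<...> field of every line carrying
# status=sent. With a content filter in the path (amavis on 127.0.0.1:10024
# in the sample) one message produces two such lines, one into the filter
# and one for final delivery, so this counts delivery hops, not messages.
sent_by_recipient() {
  grep 'status=sent' | sed -n 's/.* to=<\([^>]*\)>.*/\1/p' | sort | uniq -c | sort -rn
}

main() {
  echo '== rejections per client ==';     read_log | rejects_by_client
  echo '== relay attempts per client =='; read_log | relay_attempts_by_client
  echo '== rejections per DNSBL ==';      read_log | rejects_by_rbl
  echo '== deliveries per recipient =='; read_log | sent_by_recipient
}
main
```

Run it as `MAILLOG=/var/log/maillog sh maillog-summary.sh`. The only GNU-specific piece is `grep -o`; everything else is POSIX sed, sort and uniq, so it also works on the minimal toolset of a small VPS.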
  

Finding brute-force logins and blocking them

In a similar way you can list the IP addresses hammering your server with password guesses and add the worst offenders to the firewall. Dovecot logs every failed IMAP or POP3 login with the client address in a rip= field; grep -o picks that field out regardless of where it sits on the line, which is more robust than counting comma-separated fields:

[root@somedomain /]# grep "dovecot" /var/log/maillog |grep "Aborted login" |grep -o "rip=[0-9.]*" |cut -d "=" -f 2 |sort |uniq -c |sort -n
     23 74.2.244.131
  24263 178.162.150.231
 

As seen, the IP 178.162.150.231 in this case tried to log in to the mail server 24263 times. You can block it with, for example:

iptables -I INPUT -s 178.162.150.231 -p tcp -j DROP

Check that the address is not one of your own (a NAT gateway in front of your users, a monitoring host, or the machine you are logged in from) before you block it, because this rule drops every TCP connection from it, not only mail. Rules added this way live in memory only and are gone after a reboot unless you save them (service iptables save on CentOS).
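The counting and blocking steps above as one script. This is an added example, not the wiki's own code and not the BFD script: it totals the failed Dovecot authentication attempts per source address, applies a threshold and an allow list, and prints firewall rules instead of running them so they can be reviewed first. The log lines are constructed for the example (documentation IP ranges, made-up users); the mail port list, the threshold of 10 and the allow-list contents are assumptions to adjust for your server.

```shell
#!/bin/sh
# Added example, not code from the Oxxus wiki or from BFD: find password
# brute-forcing against Dovecot in the maillog, total the failed attempts per
# source IP, and turn the offenders above a threshold into firewall rules.
# The log lines below are constructed for this example; the port list,
# threshold and allow list are assumptions to tune for your own server.

sample_dovecot_log() {
  cat <<'EOF'
May 11 04:10:01 gw1 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.1, session=<Xk3Q>
May 11 04:10:03 gw1 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 1 secs): user=<info>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.1
May 11 04:10:05 gw1 dovecot: imap-login: Aborted login (auth failed, 3 attempts in 9 secs): user=<alice>, method=PLAIN, rip=198.51.100.77, lip=192.0.2.1, TLS
May 11 04:10:07 gw1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1, TLS
May 11 04:10:09 gw1 dovecot: imap-login: Aborted login (no auth attempts in 10 secs): user=<>, rip=203.0.113.9, lip=192.0.2.1, TLS
May 11 04:11:00 gw1 dovecot: imap-login: Disconnected (auth failed, 10 attempts in 30 secs): user=<root>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.1
EOF
}

read_log() {
  if [ -n "${MAILLOG:-}" ]; then cat "$MAILLOG"; else sample_dovecot_log; fi
}

# Total failed authentication attempts per remote IP. Dovecot reports the
# per-connection count as "(auth failed, N attempts in S secs)" on both the
# older "Aborted login" and the newer "Disconnected" lines, and the peer as
# rip=ADDRESS. "no auth attempts" disconnects (port scanners, idle clients)
# never tried a password and are deliberately not counted.
failed_logins_by_ip() {
  awk '/auth failed/ {
         n = 1
         if (match($0, /[0-9]+ attempts/)) n = substr($0, RSTART, RLENGTH) + 0
         if (match($0, /rip=[0-9A-Fa-f.:]+/)) fails[substr($0, RSTART + 4, RLENGTH - 4)] += n
       }
       END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# Hosts that must never be blocked: your own addresses, monitoring, the box
# you administer from. Assumed values; override through the environment.
ALLOWLIST="${ALLOWLIST:-127.0.0.1 192.0.2.1}"

# Reads "count ip" lines and prints the IPs at or above the threshold
# (default 10 attempts) that are not on the allow list.
blocklist_candidates() {
  awk -v t="${1:-10}" -v allow="$ALLOWLIST" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
    $1 + 0 >= t + 0 && !($2 in keep) { print $2 }'
}

# One iptables rule per IP. Unlike a blanket "-p tcp -j DROP" the rule is
# limited to the mail ports, so a false positive cannot cut a host off from
# every service, and the comment lets you find and delete the rules later
# with: iptables -S INPUT | grep mail-bruteforce
# Nothing is applied here; pipe the output into sh to apply it, and remember
# the rules are lost at reboot unless saved (service iptables save on CentOS).
firewall_rules() {
  while read -r ip; do
    printf 'iptables -I INPUT -s %s -p tcp -m multiport --dports 25,110,143,465,587,993,995 -m comment --comment mail-bruteforce -j DROP\n' "$ip"
  done
}

main() {
  echo "# failed attempts per IP:"
  read_log | failed_logins_by_ip
  echo "# rules for IPs with at least ${THRESHOLD:-10} failed attempts:"
  read_log | failed_logins_by_ip | blocklist_candidates "${THRESHOLD:-10}" | firewall_rules
}
main
```

Typical use: `MAILLOG=/var/log/maillog THRESHOLD=50 sh dovecot-bruteforce.sh` to review, then append `| sh` to the last pipeline once the list looks right. Matching on "auth failed" rather than "Aborted login" is deliberate: it catches both the old and the current Dovecot wording and ignores connections that were dropped without a single password attempt, which the broader grep would count as attacks.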

The BFD (Brute Force Detection) project does this automatically: it scans the logs for repeated failed logins and adds the firewall rules for you. You can download the script from this URL: BFD project

Note: brute-force login attempts can put a huge load on your VPS, since every attempt costs a Dovecot login process and an authentication lookup, so it is recommended to have protection against them in place rather than blocking by hand after the fact.
