Mail server log analyzing
From Oxxus Wiki
All mail services log their activities in /var/log/maillog. Here are few useful tips on how to analyze your mail service logs:
Realtime mail log following
Use tail -f command to watch real time logging of all mail services. Type on your shell prompt:
tail -f /var/log/maillog
Use CTRL + C to cancel the output.
You should be able to see that mail is being received and dropped to your mailbox. It is useful for debugging mail services when you are locating the problem with receiving or sending emails.
Using grep to list rejected, sent or e-mail based postfix log entries
Usually mail is rejected for either open-relay test from some remote user who tries to use your mail server to deliver spam, or from your computer if you didn't properly authenticate, hence you got relay denied. If your mail server is configured to reject blacklisted IP addresses, then they should log as rejected as well.
You can use grep to find those log entries in the log file.
[12:40:07 root@gw1 log]# grep reject /var/log/maillog May 11 04:02:33 gw1 postfix/smtpd: NOQUEUE: reject: RCPT from unknown[126.96.36.199]: 554 5.7.1 Service unavailable; Client host [188.8.131.52] bloc ked using b.barracudacentral.org; http://www.barracudanetworks.com/reputation/?pr=1&ip=184.108.40.206; from=<email@example.com> to=<firstname.lastname@example.org> prot o=ESMTP helo=<81.static.118-96-243.astinet.telkom.net.id> May 11 04:02:34 gw1 postfix/smtpd: NOQUEUE: reject: RCPT from unknown[220.127.116.11]: 554 5.7.1 Service unavailable; Client host [18.104.22.168] bl ocked using b.barracudacentral.org; http://www.barracudanetworks.com/reputation/?pr=1&ip=22.214.171.124; from=<email@example.com> to=<firstname.lastname@example.org> proto=ESMTP helo=<37.subnet110-139-19.speedy.telkom.net.id> May 11 04:02:34 gw1 postfix/smtpd: NOQUEUE: reject: RCPT from unknown[126.96.36.199]: 554 5.7.1 Service unavailable; Client host [188.8.131.52] bloc ked using b.barracudacentral.org; http://www.barracudanetworks.com/reputation/?pr=1&ip=184.108.40.206; from=<email@example.com> to=<rbiflorida@chacal .com> proto=ESMTP helo=<220.127.116.11>
Using grep, you can list sent emails or e-mails from a specific e-mail address using:
grep "firstname.lastname@example.org" /var/log/maillog or grep "status=sent" /var/log/maillog
Counting maillog entries
Depending on what information you need, you can use shell commands to display different frequencies of e-mails sent from your mail server. In this example we will use grep, uniq and awk to display statistics
[root@somedomain log]# grep "status=sent" /var/log/maillog |cut -d "=" -f 2 |cut -d ">" -f 1 |cut -d "<" -f 2 |sort -n |uniq -c 2 email@example.com 1 firstname.lastname@example.org
Finding brute-force logins and blocking them
In a similar way, you can list IP addresses attacking your network for brute-force password cracking and add them to firewall.
[root@somedomain /]# grep "dovecot" /var/log/maillog |grep "Aborted login" |cut -d "," -f 3 |cut -d ":" -f 4 |sort -n |uniq -c 23 18.104.22.168 24263 22.214.171.124
As seen, the IP 126.96.36.199 in this case tried to login to the mail server 24263 times. You can block access to the server, for example, for this ip with:
iptables -I INPUT -s 188.8.131.52 -p tcp -j DROP
BFD project scans for unauthorized logins automatically, and you can download the script from this url: BFD project
Note: Unauthorized brute-force logins can sometimes raise huge load on your VPS server and it's recommended to have a protection against it.