Softpanorama

May the source be with you, but remember the KISS principle ;-)
Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Sendmail Log Formats

What can be done with that log ? I have been trying to send mail from PHP using PEAR to call sendmail. But after your page has confirmed, you don't know what happened unless you have a look at the /var/log/maillog

 

Literature references

[1] Bryan Costales and Eric Allman, Sendmail, copyright 1997, 1993
    O'Reilly & Associates, Inc.
[2] David H. Crocker, Standard for the format of Internet text
    messages, RFC822, Aug. 13, 1982.
[3] Eric Allman, Sendmail Installation and Operation Guide For Sendmail
    Version 8.10, April 7, 2000.

Log format for message logging

The sendmail log file format is described in [1, page 435], which is updated by [3, page 13]. This section describes sendmail message logging, exclusive Delivery Status Notifications (DSN's). Those, and other forms of sendmail logging are discussed in the next section.

Sendmail uses the syslog(3) facility to log its activities. The syslog facility used is "mail"; the syslog level varies with the message being logged. For each message to be logged, Sendmail checks whether the severity of the message is equal to or lower than its log level setting (lower = more serious); only then the message is logged. This setting is taken from the log level option in the sendmail configuration file. For a log level of zero, nothing is ever logged; for a low value only critical messages are logged, and for higher values also less serious messages are logged.

The log message contents depends on the sendmail version; [1] describes it for sendmail version 8.8.4; [3] for version 8.10 (8.10.2 is current at the time of writing). The general format of a sendmail message log line is:

<date> <host> sendmail[pid]: <qid>: <what>=<value>,

with meanings:

Field Meaning
<date> month, day and time that the line was logged (no year is present, which is a syslog peculiarity).
<host> The name of the host that produced this information (may differ from the logging host).
sendmail Literal, even if sendmail is invoked as mailq or newaliases, 'sendmail' is printed here.
<pid> The process id of the sendmail invocation that produced this log line.
<qid> The queue id, a message identifier unique on the host producing the log lines.
<what>=<value> A comma-separated list of equates. Which equate appears in which line depends on whether the line documents the sender or the recipient and whether delivery succeeded, failed, or was deferred.

The possible <what>=<value> equates [1,3] are:

<what>= Description Occurs in
Class The queue class: the numeric value defined in the sendmail configuration file for the keyword given in the Precedence: header of the processed message. Sender log records
Ctladdr The "controlling" user", that is, the name of the user whose credentials we use for delivery. Recipient log records
Delay The total message delay: the time difference between reception and final delivery or bounce). Format is delay=HH:MM::SS for a delay of less than one day and delay=days+HH:MM::SS otherwise. Recipient log records
From The envelope sender. Format is from=addr, with addr defined in [2] by the "address" keyword. This can be an actual person, or also be postmaster or the value of the $n macro in the case of a bounced message. Sender log records
Mailer The symbolic name (defined in the sendmail configuration file) for the program (known as delivery agent) that performed the message delivery. Recipient log records
Msgid A world-unique message identifier, defined in [2] as msgid= local-part (a) domain and the placeholders local-part and domain replaced by the respective keywords in [2]. The msgid= equate is omitted if it (incorrectly) is not defined in the configuration file. Sender log records
Nrcpts The number of recipients for the message, after all aliasing has taken place. Sender log records
pri The initial priority assigned to the message. The priority changes each time the queued message is tried, but this equate only shows the initial value. Sender log records
Proto The protocol that was used when the message was received; this is either SMTP, ESMTP, or internal, or assigned with the -p command-line switch. It is stored in $r. Sender log records
Relay Shows which user or system sent / received the message; the format is one of relay=user(a)domain [IP], relay=user(a)localhost, or relay=fqdn host. Sender and recipient log records
Size The size of the incoming message in bytes during the DATA phase, including end-of-line characters. For messages received via sendmails' standard input, it is the count of the bytes received, including the newline characters. Sender log records
Stat The delivery status of the message. For successful delivery, stat=Sent (text) is printed, where text is the actual text that the other host printed when it accepted the message, transmitted via SMTP. For local delivery, stat=Sent is printed. Other possibilities are stat=Deferred: reason, stat=queued, or stat=User unknown. [complete list of possible values to be made] Recipient log records
to Address of the final recipient, after all aliasing has taken place. The format is defined in [2] by the "address" keyword. Recipient log records
Xdelay The total time the message took to be transmitted during final delivery. This differs from the delay= equate, in that the xdelay= equate only counts the time in the actual final delivery. Recipient log records

Message logging and sendmail dlf file contents

Example for a successful message sending

Two records are taken from the log file of the machine called thor.foo.com, running sendmail version 8.10.2 with the default log level 9. This log concerns data that was sent successfully.

Jul 15 17:11:21 thor.foo.com sendmail[22398]: e6FFBLP22398: from=<jan(a)foo.com>, size=589, class=0, nrcpts=1, msgid=<200007151510.e6FFAC316448(a)odin.foo.com>, proto=ESMTP, daemon=MTA, relay=jan(a)odin.foo.com [192.168.1.1]

Jul 15 17:11:21 thor.foo.com sendmail[22400]: e6FFBLP22398: to=<gerrit(a)bar.com>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30589, relay=frigga.bar.com. [192.168.1.3], dsn=2.0.0, stat=Sent (e6FFAFv24566 Message accepted for delivery)

The meaningful information is put in the dlf-file format.

Time 963673881
LogRelay thor.foo.com
QueueId e6FFBLP22398
MessageId 200007151510.e6FFAC316448(a)odin.foo.com
FromUser jan
FromDomain foo.com
FromRelay jan(a)odin.foo.com_[192.168.1.1]
Size 589
Delay 00:00:00
XDelay 00:00:00
ToUser gerrit
ToDomain bar.com
ToRelay frigga.bar.com._[192.168.1.3]
Status Sent
XStatus e6FFAFv24566_Message_accepted_for_delivery

The "e6FFAFv24566" string as part of the XStatus field is the queue id of this message on the ToRelay. This information helps in tracking a message over multiple machines.

One line in the 'standard' file Sent Domain now becomes:

963673881 thor.foo.com e6FFBLP22398 200007151510.e6FFAC316448(a)odin.foo.com jan foo.com odin.foo.com_[192.168.1.1] 589 00:00:00 00:00:00 gerrit bar.com frigga.bar.com._[192.168.1.3] Sent e6FFAFv24566 Message accepted for delivery

Note: 963673881 is the number of seconds since Jan 1 1970 1:00 till Jul 15 2000 17:11:21. The sendmail log line does not show the year, which is a drawback of the syslog(3) facility.

Example for an erroneous message sending

The Error Domain and the Error Relay types are also explained with an example. The same sendmail version and log level are used as before. The example is about a message that could not be sent because the destination host was unknown.

Jul 15 17:53:51 thor.foo.com sendmail[22493]: e6FFrpW22493: from=<jan(a)foo.com>, size=551, class=0, nrcpts=1, msgid=<200007151552.e6FFqmD16573(a)odin.foo.com>, proto=ESMTP, daemon=MTA, relay=jan(a)odin.foo.com [192.168.1.1]
Jul 15 17:53:51 thor.foo.com sendmail[22495]: e6FFrpW22493: to=<joost(a)magnum.bar.com>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30551, relay=frigga.bar.com. [192.168.1.3], dsn=5.1.2, stat=Host unknown (Name server: magnum.bar.com.: host not found)
 

Time 963676431
LogRelay thor.foo.com
QueueId e6FFrpW22493
MessageId 200007151552.e6FFqmD16573(a)odin.foo.com
FromUser jan
FromDomain foo.com
FromRelay jan(a)odin.foo.com_[192.168.1.1]
Size 551
Delay 00:00:00
XDelay 00:00:00
ToUser joost
ToDomain magnum.bar.com
ToRelay frigga.bar.com_[192.168.1.3]
Status Host_unknown
XStatus Name_server:_magnum.bar.com.:_host_not_found

Note that the reason why the message could not be sent is put into the XStatus field. This information can be used to analyze what causes a message not to be sent.

Miscellaneous sendmail loggings

Until now, only logging of message transfers was described. However, sendmail will log much more events than just those, it e.g. also logs connection rejections, alias database rebuilds and generation of DSN's (among which error messages).

A lot of things can go wrong in message transfers. Possible sources are local host problems, problems with incoming and outgoing connections and of course, problems with the message itself, e.g. its addressing.

A full list of what is logged up to log level 9, and the extra's above that value is given in [3, page 27]. Over here, these items are sorted per source category below. Not everything logged is an error event though.

Local host related logging

Events on the local host (mostly problems) are also logged by sendmail. Host and sendmail configuration errors cause lasting (non-transient) problems in message transfer, while resource shortages are usually temporary and so cause transient problems. Non-error events, such as alias database rebuilds, are also configuration-related and are logged too.

For log level 9, the logged events per category are:

Examples:

Connection related logging

Connections relate to both incoming and outgoing network connections from and to other hosts. Both on network level and on protocol level, error and non-error events are logged. Logging categories for log level 9 are:

Examples:

Message related logging

Message logging was already discussed at the top. At log level 9, items logged apart from successful message transfers are:

Examples:

Log control

Check if the following statement is in your sendmail.cf:

[/etc] edwin(a)p6> grep -i loglevel sendmail.cf O LogLevel=9

In syslog.conf, check if the file is logged to:

[/etc] edwin(a)p6> grep -i mail syslog.conf
mail.info               /var/log/mail.log

Create the file /var/log/mail.log (if it didn't exist yet), restart the syslog daemon and then the sendmail daemon.

Other Sendmail log-processors



Etc

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. 

ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.  

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haterís Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least


Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: October, 11, 2015