# 郵件Log欄位意義 2021/12/22 來源 https://coctec.com/docs/service/show-post-29168.html 本文基本上都是來這這篇 https://blog.xuite.net/rockmansyz/twblog/115535156-%E9%83%B5%E4%BB%B6%E4%BC%BA%E6%9C%8D%E5%99%A8--mail+server+log+%E5%88%86%E6%9E%90 ## mail log 路徑 Solaris : /var/adm/log/mail Linux: /var/log/mail or /var/log/mail/mail FreeBSD:/var/log/maillog ## log範例 ``` Oct 11 00:08:30 shona sendmail[28560]: [ID 801593 mail.info] j2VG8UoI028560: from= , size=1310, class=0, nrcpts=1, msgid=<20051011160826.3451.qmail@mail.fakeurl.net>, proto=SMTP, daemon=MTA, relay=mail.fakeurl.net [192.168.20.15] Oct 11 00:08:31 shona sendmail[28521]: [ID 801593 mail.info] j2VG8Gv2028521: from= , size=7591, class=0, nrcpts=3, msgid=<200510111608.j2VG8Gv2028521@wgf.com.tw>, proto=SMTP, daemon=MTA, relay=[172.16.4.41] Oct 11 00:08:31 shona sendmail[28590]: [ID 801593 mail.info] j2VG8UoI028560: to= , delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=121310, relay=[10.115.1.15] [10.115.1.15], dsn=2.0.0, stat=Sent (j2VG8RjQ013936 Message accepted for delivery) Oct 11 00:08:31 shona sendmail[28592]: [ID 801593 mail.info] j2VG8Gv2028521: to= , , delay=00:00:12, xdelay=00:00:00, mailer=relay, pri=187591, relay=[10.115.1.15] [10.115.1.15], dsn=2.0.0, stat=Sent (j2VG8RL7013937 Message accepted for delivery) Oct 11 00:08:23 shona sendmail[28528]: [ID 801593 mail.notice] j2VG8NKb028528: ruleset=CheckFrom, arg1=plato@fakeurl.net,relay=mail.fakeurl.net [192.168.20.15], reject=550 5.7.1 We don"t accept junk mail Oct 11 00:08:25 shona sendmail[28528]: [ID 801593 mail.info] j2VG8NKb028528: from= , size=41096, class=0, nrcpts=1, msgid=<200510111608.j2VG8NKb028528@realurl.net>, proto=ESMTP, daemon=MTA, relay=mail.fakeurl.net, [192.168.20.15] Oct 11 00:08:25 shona sendmail[28528]: [ID 801593 mail.info] j2VG8NKb028528: to= , delay=00:00:02, pri=71096, stat=We don"t accept junk mail Oct 11 00:08:31 shona sendmail[28524]: [ID 801593 mail.notice] j2VG8QDv028524: ruleset=check_mail, arg1= , relay=fakeurl.net [192.168.20.15] (may be forged), reject=451 4.5.1 Domain must resolve Oct 11 00:08:31 shona sendmail[28524]: [ID 801593 mail.info] j2VG8QDv028524: from= , size=1665, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=fakeurl.net [192.168.20.15] (may be forged) ``` ## log說明 名詞|定義 --|-- class |The class (i.e., numeric precedence) of the message. pri |Theinitial message priority (used for queue sorting). nrcpts |The number of envelope recipients for this message (after aliasing and forwarding). msgid |The message id of the message (from the header). proto |The protocol used to receive this message (e.g., ESMTP or UUCP) daemon |The daemon name from the DaemonPortOptions setting. relay |The machine from which it was received. ctladdr |The 『『controlling user』』, that is, the name of the user whose credentials we use for delivery. delay |The total delay between the time this message was received and the current delivery attempt. xdelay |The amount of time needed in this delivery attempt (normally indicative of the speed of the connection). mailer |The name of the mailer used to deliver to this recipient. relay |The name of the host that actually accepted (or rejected) this recipient. dsn |Theenhanced error code (RFC 2034) if available. stat |The delivery status. --- 一行標準的記錄檔需要包含： 1.日期 (Date) 以 "月 日" 為其格式，例如 "Oct 11" 2.時間 (Time) 以 "時:分:秒" 為其格式，例如 "00:08:30" 3.主機名稱 (Host Name) 以此處為例，主機名稱為 shona 4.Sendmail 執行時期的 Process ID 例如 28560, 28512 等等 5.記錄檔層級 (Log Level) 前面曾經說過，Sendmail 記錄檔的位置是依據設定所決定，同樣的我們也可以透過設定決定所需記錄的訊息詳細程度，在 Sendmail 中定義了幾種層級，分別如下 level|定義 --|-- 1 |Minimal logging. 2 |Serious system failures and potential security problems. 3 |Other serious failures, malformed addresses, transient forward/include errors, connection timeouts. 4 |Minor failures, out of date alias databases, connection rejections via check_rulesets. 5 |Message collection statistics. 6 |Creation of error messages VRFY and EXPN commands. 7 |Delivery failures (host or user unknown, etc). 8 |Successful deliveries and alias database rebuilds. 9 |Message being deferred (due to a host being down, etc). 10 |Database expansion (alias, forward, and userdb lookups). 11 |NIS errors and end of job processing. 12 |Logs all SMTP connections. 13 |Log bad user shells, files with improper permissions, and other questionable situations. 14 |Logs refused connections. 15 |Log all incoming and outgoing SMTP commands. 20 |Logs attempts to run locked queue files. These are not errors, but can be useful to note if your queue appears to be clogged. 30 |Lost locks (only if using lockf instead of flock) 其餘還有 64 以上的值是保留給除錯所使用，一般而言是不會使用到他們。 而 Sendmail 的記錄訊息是透過 syslog 來決定要記錄哪些訊息，syslog 中定義了七個層級 syslog level | 定義 --|-- 0 |Emergency 1 |Alert 2 |Critical 3 |Error 4 |Warning 5 |Notice 6 |Info 7 |Debug 在 Sendmail 中預設的 Log Level 為 9 ，相當於 syslog 的 Info。 例如上面的記錄檔所屬層級都是 info，通常這樣的記錄都是正常且較為不重要的訊息。 6.訊息辨識碼 (Message-ID) 這是記錄檔中相當重要的一項。由於 mail log 是乏態 (Stateless) 的記錄檔，這意思是說，幾行連續的記錄中也許包含了好幾封信的訊息，而 Message-ID 就是用來分辨該筆記錄檔所記錄的是哪一封郵件，因而他也是唯一的標記，每封不同的郵件就會有不同的 Message-ID。 例如上面第一筆和第三筆訊息的 Message-ID 是 "j2VG8UoI028560"，我們可以由此得知他是同一封郵件的記錄。 基本上每行記錄檔都有上面六項必要的訊息，可以作為分析的基準條件 基本資訊 | 日期 | 時間 | 主機名稱 | Sendmail PID | 紀錄層級 | 訊息識別碼 | |---|---|---|---|---|---| | Oct 11 | 00:08:31 | shona | sendmail[28560]: | [ID 801593 mail.info] | j2VG8UoI028560 | 其他資訊 參數 | 說明 --|-- to= | 收件者 email delay=00:00:01 | 從接收郵件到嘗試傳送出去所花的時間 xdelay=00:00:00 | 嘗試傳送的總時間，通常代表了連線的速度 mailer=relay | 將傳送給收件者所透過的 mailer pri=121310 | 郵件優先性，進到 queue 排序用 relay=[10.115.1.15] [10.115.1.15] | 郵件所送到的伺服器位址 dsn=2.0.0 | Enhanced Error Code，可參考 RFC 2034 stat=Sent (j2VG8RjQ013936 Message accepted for delivery)|傳送狀態 從 Stat 欄位得知這封信傳送成功了！