See incoming SMTP e-mail traffic per domain / extend SMTP log lifetime

While solving a client issue, I made a bash command to simplify the process of checking the email traffic per domain. I felt this may be useful to some of you out there with high incoming SMTP traffic who may want to see which domains get the most email. This will only show you the number of received emails by the SMTP server per @domain over the period that your logs cover.

```
# cat /var/log/smtp/*.s /var/log/smtp/current | \
grep 'CHKUSER accepted rcpt' | \
cut -d ' ' -f 10 | cut -d '@' -f 2 | sed 's/>$//g' | \
sort | uniq -c | sort -rn
```

If your logs only hang around for a few hours or so (common on high-traffic servers), you will have to modify the daemontools multilog utility (syslog/logrotate is not used for qmail) to extend the lifetime of the smtp logs before you can see a significant amount of data. You can tell how far your logs go back by running

```
# ls -la /var/log/smtp
```

and seeing what's the oldest time you see for date modified on the logs. In order to extend the amount of time the logs hang around for:

1. Open up the multilog configuration file for the smtp server. I use vim but you can use whatever text editor you prefer.

   ```
   # vim /service/smtp/log/run
   ```

2. This is what the file looks like:

   ```
   #!/bin/sh
   exec /usr/bin/setuidgid qmaill /usr/bin/multilog t s1000000 n5 /var/log/smtp 2>&1
   ```

   The 's' and 'n' values are what we will need to adjust here.

   ```
   ...
   exec /usr/bin/setuidgid qmaill /usr/bin/multilog t s1000000 n5 /var/log/smtp 2>&1
   ```

   's' is the max size of a log file in bytes and 'n' is the number to keep around before deleting the oldest one. I'd increase 's' to something like 5000000 for ~5MiB files and bump the 'n' number to 20 or so if you find you are only getting a few hours of data. Use your best judgement for these numbers. You obviously don't want to run out of disk space. Make sure the 's' bytes times 'n' number of log files is not larger than you are willing to sacrifice to the log utility!

3. Now, restart the multilog qmail service:

   ```
   # svc -t /service/smtp/log
   ```

4. You're Done! Now, wait for enough time to pass for the logs to fill up so they begin to rotate, and check to see if you now have a large enough sample size.
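To choose 's' and 'n' from a measured logging rate instead of by trial, the following added example (not part of the original post) reads the multilog line from a run file and works out the disk budget, the hours of history it keeps, and the 'n' needed for a target retention window. The function names are hypothetical and the bytes-per-hour rate is a constructed figure you would replace with your own measurement; the fallback values s99999 and n10 are multilog's documented defaults.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print "<s> <n>" from the multilog command in a daemontools log/run file.
# multilog's own defaults (s99999, n10) apply when a flag is absent.
multilog_limits() {
    awk '
        /multilog/ {
            s = 99999; n = 10; seen = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /multilog$/) { seen = 1; continue }
                if (seen && $i ~ /^s[0-9]+$/) s = substr($i, 2)
                if (seen && $i ~ /^n[0-9]+$/) n = substr($i, 2)
            }
            print s, n
            exit
        }' "$1"
}

# Worst-case bytes kept on disk: 's' times 'n', the budget the post warns about.
multilog_max_bytes() {
    set -- $(multilog_limits "$1")
    echo $(( $1 * $2 ))
}

# Hours of history kept at a measured logging rate. Args: run-file bytes-per-hour
retention_hours() {
    echo $(( $(multilog_max_bytes "$1") / $2 ))
}

# Smallest 'n' that keeps target hours at the current 's' (ceiling division).
# Args: run-file bytes-per-hour target-hours
files_needed() {
    set -- $(multilog_limits "$1") "$2" "$3"   # now: $1=s $2=n $3=rate $4=hours
    echo $(( ($3 * $4 + $1 - 1) / $1 ))
}

# Demo: the run line shown in the post; 1250000 bytes/hour is a constructed rate.
demo_run=$(mktemp)
printf '%s\n' '#!/bin/sh' \
    'exec /usr/bin/setuidgid qmaill /usr/bin/multilog t s1000000 n5 /var/log/smtp 2>&1' \
    > "$demo_run"
echo "max bytes on disk:  $(multilog_max_bytes "$demo_run")"
echo "hours of history:   $(retention_hours "$demo_run" 1250000)"
echo "n needed for 168 h: $(files_needed "$demo_run" 1250000 168)"
rm -f "$demo_run"
```

At the constructed rate, the stock s1000000 n5 setting holds about four hours of SMTP history, which matches the "few hours" symptom described above.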
    Thanks for posting this, Dan :slight_smile:

    While responding to a customer’s request regarding email logs, I found this thread, which I applied to all our Interworx servers, and it works fine.

    Now, when another customer called regarding his sent emails or his pop3 or imap connections, I had nothing… I looked at the /var/log/ subdirectories and a few others had the qmail user:group permissions so I did the same for all of them and I am sure it will help us out a lot in the future so it may help someone else.

    Here are the folders that I changed in the same manner:

    smtp
    smtp2
    send
    pop3
    pop3-ssl
    imap4
    imap4-ssl

    Which represent all the services we use on our hosting servers.

    Hope this helps someone someday! :slight_smile:

    Is there any sane way to get any of the DJB programs to log to a remote syslog server? Sane=reasonably non-anti-human and easy, not how to pipe 10 DJB scripts together to accomplish an absolutely standard task.