Daniluk, Chris <[EMAIL PROTECTED]> writes on 17 August 1999 at 12:21:07 -0400
 > I'm a bit confused about how initial injection is logged. qmail-smtpd via
 > tcpserver is receiving the message, but I cannot find where (or if) it is
 > logged. 

    Aug 17 12:02:44 gw qmail: 934909364.119294 new msg 39077
    Aug 17 12:02:44 gw qmail: 934909364.123654 info msg 39077: bytes 4463 from <[EMAIL PROTECTED]> qp 1039 uid 70

This shows a message being received via smtp.  The clue is the "uid
70" where 70 is the qmaild uid.  The address shown is the envelope
sender. 

    Aug 17 12:02:44 gw qmail: 934909364.158059 starting delivery 112225: msg 39077 to local @gw.dd-b.net
    Aug 17 12:02:44 gw qmail: 934909364.162167 status: local 1/10 remote 2/50
    Aug 17 12:02:44 gw qmail: 934909364.162554 starting delivery 112226: msg 39077 to remote [EMAIL PROTECTED]
    Aug 17 12:02:44 gw qmail: 934909364.163222 status: local 1/10 remote 3/50
    Aug 17 12:02:44 gw qmail: 934909364.185655 delivery 112225: success: 
    Aug 17 12:02:44 gw qmail: 934909364.186046 status: local 0/10 remote 3/50
    Aug 17 12:02:45 gw qmail: 934909365.650676 delivery 112226: success: 166.84.0.213_accepted_message./Remote_host_said:_250_Ok:_queued_as_9000518C0A/

This particular message got both a local and a remote delivery.  The
local isn't important here, but the remote shows us some more; where
it says "to remote [EMAIL PROTECTED]", that's the envelope sender it's
delivering to remotely. 

The "msg #" and "delivery #" are what ties this together.  The "new
msg #" and "info msg #" lines let us identify the incoming message,
and then the deliveries each say what message they're delivering, so
that lets you tie a delivery number back to a message number. 

Also note the "qp #" in the info msg line; that same qp # will appear
in the header of the message after it's been sent on, like this (this
example is actually your message coming in from the qmail list; it's
*not* the same message the previous examples used since that's a
private user message which I don't have access to and shouldn't
publish if I did):

In my mail log:

    Aug 17 11:21:49 gw qmail: 934906909.153289 new msg 39065
    Aug 17 11:21:49 gw qmail: 934906909.153961 info msg 39065: bytes 4717 from <[EMAIL PROTECTED]> qp 32452 uid 70
    Aug 17 11:21:49 gw qmail: 934906909.265442 starting delivery 111799: msg 39065 to local [EMAIL PROTECTED]

And in the header of the message as it was delivered to me:

    Return-Path: <[EMAIL PROTECTED]>
    Delivered-To: [EMAIL PROTECTED]
    Received: (qmail 32456 invoked by alias); 17 Aug 1999 16:21:49 -0000
    Delivered-To: [EMAIL PROTECTED]
    Received: (qmail 32452 invoked from network); 17 Aug 1999 16:21:48 -0000

The bottom received line shows qmail 32452 invoked from network,
meaning smtp.  The log entries show msg 39065 injected via uid 70
(also meaning smtp) and being handled by qmail process 32452.  Process
numbers can repeat as the system wraps around, so verifying that the
timestamps are close is necessary to be really sure.  Qmail, as you
see, likes GMT (the "-0000" shows that).

So you haven't actually shown us enough logs to tell much.

I'm not all that fond of the way qmail logs things myself.  I find
other mailers' logs easier to read.  *Some* of the constraints come
about because of the segmentation of qmail functions, which is an
important part of its security architecture.  Some of the differences
are just personal preference.  qmail logs are, I think, easier to
parse in a program, which is useful.  But the information to trace
what was done with a message is all there; you just need different
approaches to finding it than with other mailers.  (I should note that
I've never run sendmail, and am not familiar with its logs other than
as posted by people in discussion groups; the other mailer I've run on
unix is smail.)

Hope this helps.  I'm curious as to what's going on in your setup.  

Incidentally, while I'm writing, let me mention that I learned quite a
bit from the earlier performance analysis discussion that you started
and participated in.  Thanks!

 > Regarding the user who requested to see logs, I did in fact send
 > them in an earlier message. Again:
 > 
 > 34578188.651364 starting delivery 622: msg 2230 to remote [EMAIL PROTECTED]
 > 34578188.651413 status: local 0/10 remote 8/8
 > ...
 > 34578193.505918 delivery 622: success: 199.173.152.28_accepted_message./Remote_host_said:_250_OK/
 > ...
 > ...
 > 934578193.515841 status: local 0/10 remote 7/8
 > 934578193.516751 end msg 2230
 > 
 > The dots of course represent entries from other messages being delivered at
 > the same time.
-- 
David Dyer-Bennet         ***NOTE ADDRESS CHANGES***          [EMAIL PROTECTED]
http://dd-b.lighthunters.net/ (photos) Minicon: http://www.mnstf.org/minicon
http://www.dd-b.net/dd-b (sf) http://ouroboros.demesne.com/ Ouroboros Bookworms
Join the 20th century before it's too late!
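
The correlation described in this message (new msg and info msg lines, delivery numbers pointing back to msg numbers, qp and uid identifying the injection) can be done in a short script; this is an added example, not part of the original post or of qmail. The log lines are constructed with placeholder addresses, and `QMAILD_UID = 70` is an assumption taken from the host in the post.

```python
import re

QMAILD_UID = 70  # assumption: qmaild's uid on the host in the post; yours may differ

# Constructed sample in the log format quoted above; addresses are placeholders.
SAMPLE = """\
Aug 17 12:02:44 gw qmail: 934909364.119294 new msg 39077
Aug 17 12:02:44 gw qmail: 934909364.123654 info msg 39077: bytes 4463 from <sender@example.org> qp 1039 uid 70
Aug 17 12:02:44 gw qmail: 934909364.158059 starting delivery 112225: msg 39077 to local user@gw.example.net
Aug 17 12:02:44 gw qmail: 934909364.162554 starting delivery 112226: msg 39077 to remote rcpt@example.com
Aug 17 12:02:44 gw qmail: 934909364.185655 delivery 112225: success:
Aug 17 12:02:45 gw qmail: 934909365.650676 delivery 112226: success: 192.0.2.25_accepted_message./Remote_host_said:_250_Ok/
Aug 17 12:02:45 gw qmail: 934909365.660000 end msg 39077
Aug 17 12:05:01 gw qmail: 934909501.000100 new msg 39077
Aug 17 12:05:01 gw qmail: 934909501.000200 info msg 39077: bytes 512 from <local@gw.example.net> qp 1101 uid 1000
"""

EVENT = re.compile(
    r"(?P<ts>\d+\.\d+) (?:"
    r"new msg (?P<new>\d+)"
    r"|info msg (?P<info>\d+): bytes (?P<bytes>\d+) from <(?P<sender>.*?)> qp (?P<qp>\d+) uid (?P<uid>\d+)"
    r"|starting delivery (?P<start>\d+): msg (?P<msg>\d+) to (?P<chan>local|remote) (?P<rcpt>\S+)"
    r"|delivery (?P<done>\d+): (?P<result>success|failure|deferral):\s*(?P<detail>.*)"
    r")\s*$")

def trace(lines):
    """Tie info and delivery lines back to the 'new msg' line that opened them."""
    records, by_msg, by_delivery = [], {}, {}
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue  # status lines, end msg, other daemons' output
        if m["new"]:  # msg numbers are reused, so each 'new msg' opens a fresh record
            rec = {"msg": int(m["new"]), "ts": float(m["ts"]), "deliveries": []}
            by_msg[rec["msg"]] = rec
            records.append(rec)
        elif m["info"] and int(m["info"]) in by_msg:
            by_msg[int(m["info"])].update(sender=m["sender"], bytes=int(m["bytes"]),
                qp=int(m["qp"]), via_smtp=int(m["uid"]) == QMAILD_UID)
        elif m["start"] and int(m["msg"]) in by_msg:
            d = {"id": int(m["start"]), "channel": m["chan"], "to": m["rcpt"], "result": None}
            by_msg[int(m["msg"])]["deliveries"].append(d)
            by_delivery[d["id"]] = d
        elif m["done"] and int(m["done"]) in by_delivery:
            by_delivery[int(m["done"])].update(result=m["result"], detail=m["detail"])
    return records

if __name__ == "__main__":
    print(*trace(SAMPLE.splitlines()), sep="\n")
```

The `qp` value in each record is the number to look for in the message's `Received: (qmail N invoked from network)` header, compared together with the timestamp since process numbers wrap.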
