Hi, I have several simple questions regarding Logwatch reporting on Postfix logs, with Mailman involved, too.

(1) How does Logwatch work? Suppose an attacker manages to break into the machine and deletes/changes parts of the logs. Will Logwatch get tricked by this or not? I guess Logwatch is just run periodically from cron, so the answer is yes...

(2) This is what appeared in my logwatch today:

> ################### Logwatch 7.3.6+cvs20080702-debian (07/02/08) ####################
> Processing Initiated: Thu Jul 22 09:30:47 2010
> Date Range Processed: yesterday
> ( 2010-Jul-21 )
> Period is day.
> [...]
> --------------------- Postfix Begin ------------------------
>
> 1 *Warning: Queue file size limit exceeded
>
> 16.730M Bytes accepted 17,542,489
> 29.163M Bytes sent via SMTP 30,579,186
> 8.382M Bytes delivered 8,788,693
> ======== ================================================

I'd like to understand the numbers. :-)

First, the traffic yesterday was really low, with one exception: I have a Mailman mailing list, and 1 subscriber (Ilona) sent an e-mail of about 4 MB in size to it. So, the e-mail was delivered to:

1. a Mailman command
2. a local mailbox of a list member (just 1)
3. 7 non-local mailing list members:
   3x gmail.com
   1x gazeta.pl relay=ASPMX.L.GOOGLE.COM
   3 other servers (all different).

The question is how this sums up to the Logwatch/Postfix numbers above.

* Do delivery to the mailman command and delivery to a local mailbox (after mailman command execution) each count on their own, so there should be ca. 4 MB + 4 MB? Or does only the submission to the mailman command count, so there should be just 4 MB?
* Does 29 MB ("sent via SMTP") come from 7 * 4 MB? As I said, there are 3 Gmail members, so that would mean that they all add up. How many times is the e-mail body physically transmitted over the network in such a case?
* I have no idea where the 16.7 MB accepted comes from, though.

However, before the successful 4 MB submission by Ilona, someone tried to send in an e-mail that was too big:

> Jul 21 12:11:26 smtpd[31280]: connect from mail-ww0-f46.google.com[74.125.82.46]
> Jul 21 12:11:26 smtpd[31280]: 2E..36: client=mail-ww0-f46.google.com[74.125.82.46]
> Jul 21 12:11:26 cleanup[31284]: 2E..36: message-id=<aanlk.....@mail.gmail.com>
> Jul 21 12:11:34 smtpd[31280]: warning: 2E..36: queue file size limit exceeded
> Jul 21 12:11:39 smtpd[31280]: disconnect from mail-ww0-f46.google.com[74.125.82.46]

Does this failed submission count as "bytes accepted"? What was its size?

Thank you!

STF
http://eisenbits.homelinux.net/~stf/
OpenPGP: DFD9 0146 3794 9CF6 17EA D63F DBF5 8AA8 3B31 FE8A