Skip to main content

Understanding Postfix logs and configuring Logrotate

In this lesson you will learn how Postfix logs its activity, where to find those logs, and how to query them using journalctl. You'll also learn about Logrotate's mail feature, which allows you to email rotated files.

Logging in Postfix

A default Postfix installation uses syslog to write system logs using the mail facility. However, on most modern Ubuntu and Debian-based installations, these are first routed through journald.

What this means for Postfix is that log messages are available in multiple places: the systemd journal (accessible through journalctl), /var/log/mail.log, and usually /var/log/syslog.

My first instinct is always /var/log/mail.log, which is widely available on most other systems as well. However, working with journalctl is a great skill and habit to develop.

Postfix's logs are broken down by modules:

  • postfix/master is the main Postfix daemon controller
  • postfix/pickup scans the maildrop queue for new submissions
  • postfix/cleanup sanitizes messages, runs content filters, cleans headers, etc.
  • postfix/qmgr maintains various message queues
  • postfix/smtp is the outgoing SMTP client, used for relay too
  • postfix/smtpd is the incoming SMTP server
  • postfix/local is used for local Unix mail accounts
  • postfix/bounce works with non-delivery reports
  • postfix/flush manages the flush queue used for retries
  • postfix/anvil implements rate limiting and throttling for smtpd
  • postfix/trivial-rewrite rewrites addresses and manages aliases
  • postfix/verify is used for address verification

That's a lot of modules! You don't have to memorize them, but for detailed information about how they work together, check out the Postfix architecture overview page.

In our Postfix relay configuration, we'll primarily be concerned about the postfix/smtp service, as that's where things typically get stuck. You can query individual modules using the -t or --identifier flag with journalctl:

sudo journalctl -t postfix/smtp

The optional --since flag can be very useful:

sudo journalctl -t postfix/smtp --since '24 hours ago'

As well as the --grep flag:

sudo journalctl -t postfix/smtp --grep '[email protected]'

If you'd like to query all Postfix modules and services, not just smtp, you can use the --facility filter:

sudo journalctl --facility mail

You can also go for the old-fashioned mail.log:

sudo cat /var/log/mail.log | grep '[email protected]'

However, using journalctl gives you more structure, date and time filters, greater control, and includes compressed and rotated logs in your search.

Logrotate & Email

Like any other logs, Postfix logs should be rotated. Luckily, journald takes care of its own rotation, and rsyslog ships with a default logrotate configuration file that covers various system logs, including /var/log/mail.log. So all Postfix logs should already be taken care of.

However, now that we have a working mail server, it's time to revisit Logrotate and its mail feature in particular.

This article is for premium members only. One-time payment of $96 unlocks lifetime access to all existing and future content on wpshell.com, and many other perks.