Tips and tricks for Zimbra email logs

Most-used commands for checking up on your Zimbra server

We learned how to restart the Zimbra services in the previous post. Now let's continue with the basics of managing and maintaining Zimbra based on its logs.

Tips 1 – View the Zimbra logs activity

Keep an eagle eye on the live activity in your Zimbra mail logs: who an email is from, the source IP address, who it is to, the date and time stamp, and whether the message was sent or deferred for a reason that needs investigation.

Log in to your Zimbra server and run this command; it streams the inbound and outbound mail activity as it happens:

tail -f /var/log/zimbra.log

This file is where Zimbra's MTA components (postfix, amavis, clamd) log via syslog. Delivery into the mailbox store and IMAP/POP activity go to /opt/zimbra/log/mailbox.log instead, so a message that reaches postfix/lmtp with status=sent but never shows up in the user's folder is traced there next.

Tips 2 – Sample of what to view in the logs

Below is a snippet grepped from the logs to show what a normal inbound delivery looks like, from the SMTP connection through amavis scanning to LMTP delivery into the mailbox.

Aug 6 18:20:38 mail postfix/smtpd[18795]: NOQUEUE: filter: RCPT from mail-lf0-f43.google.com[209.85.215.43]: <[email protected]>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=
Aug 6 18:20:39 mail postfix/smtpd[18795]: 455862A04DB: client=mail-lf0-f43.google.com[209.85.215.43]
Aug 6 18:20:40 mail postfix/cleanup[21766]: 455862A04DB: message-id=<[email protected]om>
Aug 6 18:20:40 mail postfix/qmgr[31275]: 455862A04DB: from=<[email protected]>, size=2447, nrcpt=1 (queue active)
Aug 6 18:20:40 mail amavis[7425]: (07425-07) ESMTP:[127.0.0.1]:10024 /opt/zimbra/data/amavisd/tmp/amavis-20170806T092546-07425-UpnoiLPu: <[email protected]> -> <[email protected]> SIZE=2447 Received: from mail.blabla.com ([127.0.0.1]) by localhost (mail.blabla.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <[email protected]>; Sun, 6 Aug 2017 18:20:40 +0800 (MYT)
Aug 6 18:20:40 mail amavis[7425]: (07425-07) Checking: g2LQ5zXvMWD5 [209.85.215.43] <[email protected]> -> <[email protected]>
Aug 6 18:20:40 mail clamd[30137]: SelfCheck: Database status OK.
Aug 6 18:20:40 mail postfix/smtpd[18795]: disconnect from mail-lf0-f43.google.com[209.85.215.43]
Aug 6 18:20:42 mail postfix/amavisd/smtpd[21772]: connect from localhost[127.0.0.1]
Aug 6 18:20:42 mail postfix/amavisd/smtpd[21772]: 54E3E2A063B: client=localhost[127.0.0.1]
Aug 6 18:20:42 mail postfix/cleanup[21766]: 54E3E2A063B: message-id=<[email protected]om>
Aug 6 18:20:42 mail postfix/qmgr[31275]: 54E3E2A063B: from=<[email protected]>, size=3374, nrcpt=1 (queue active)
Aug 6 18:20:42 mail postfix/amavisd/smtpd[21772]: disconnect from localhost[127.0.0.1]
Aug 6 18:20:42 mail amavis[7425]: (07425-07) g2LQ5zXvMWD5 FWD from <[email protected]> -> <[email protected]>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 54E3E2A063B
Aug 6 18:20:42 mail amavis[7425]: (07425-07) Passed CLEAN {RelayedInbound}, [209.85.215.43]:32885 [209.85.215.43] <[email protected]> -> <[email protected]>, Queue-ID: 455862A04DB, Message-ID: <[email protected]om>, mail_id: g2LQ5zXvMWD5, Hits: -1.519, size: 2447, queued_as: 54E3E2A063B, dkim_sd=20161025:gmail.com, 2362 ms
Aug 6 18:20:42 mail postfix/smtp[21768]: 455862A04DB: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.2, delays=1.8/0.01/0/2.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 54E3E2A063B)
Aug 6 18:20:42 mail postfix/qmgr[31275]: 455862A04DB: removed
Aug 6 18:20:42 mail postfix/lmtp[21773]: 54E3E2A063B: to=<[email protected]>, relay=mail.blabla.com[10.100.100.200]:7025, delay=0.29, delays=0.03/0.01/0.07/0.18, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Aug 6 18:20:42 mail postfix/qmgr[31275]: 54E3E2A063B: removed

The explanation :

Aug 6 18:20:38 mail postfix/smtpd[18795]: NOQUEUE: filter: RCPT from mail-lf0-f43.google.com[209.85.215.43]: <[email protected]>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<[email protected]> to=<[email protected]>

An email came in on August 6 at 6:20 pm from the host mail-lf0-f43.google.com (IP address 209.85.215.43), from sender [email protected] to recipient [email protected]. The FILTER smtp-amavis:[127.0.0.1]:10024 part shows Postfix routing the message to amavisd-new for content scanning; in Zimbra's default Postfix setup, port 10024 is the amavis listener for mail from foreign senders and 10026 the one for mail originating from your own users, so the port tells you which policy the message was scanned under. NOQUEUE means no queue ID has been assigned yet; the next smtpd line assigns 455862A04DB, and that ID is how you follow the message from here on.

Aug 6 18:20:40 mail amavis[7425]: (07425-07) Checking: g2LQ5zXvMWD5 [209.85.215.43] <[email protected]> -> <[email protected]>
Aug 6 18:20:40 mail clamd[30137]: SelfCheck: Database status OK.

Aug 6 18:20:42 mail amavis[7425]: (07425-07) g2LQ5zXvMWD5 FWD from <[email protected]> -> <[email protected]>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 54E3E2A063B
Aug 6 18:20:42 mail amavis[7425]: (07425-07) Passed CLEAN {RelayedInbound}, [209.85.215.43]:32885 [209.85.215.43] <[email protected]> -> <[email protected]>, Queue-ID: 455862A04DB,

amavisd-new hands the message to SpamAssassin for scoring (the Hits: -1.519 value, into which DNS blocklist and DKIM checks feed, as the dkim_sd=20161025:gmail.com field shows) and to ClamAV for virus scanning (the clamd line). Passed CLEAN {RelayedInbound} means the message scored below the spam threshold and no virus was found, so amavis re-injects it into Postfix on port 10025 (the FWD line), where it is accepted as a second queue ID, 54E3E2A063B. A message that fails these checks is quarantined, tagged, or discarded according to the amavis policy the mail administrator has configured, and is logged as Blocked rather than Passed.

Aug 6 18:20:42 mail postfix/smtp[21768]: 455862A04DB: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.2, delays=1.8/0.01/0/2.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 54E3E2A063B)

Aug 6 18:20:42 mail postfix/qmgr[31275]: 455862A04DB: removed


Aug 6 18:20:42 mail postfix/lmtp[21773]: 54E3E2A063B: to=<[email protected]>, relay=mail.blabla.com[10.100.100.200]:7025, delay=0.29, delays=0.03/0.01/0.07/0.18, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)


Aug 6 18:20:42 mail postfix/qmgr[31275]: 54E3E2A063B: removed

If everything is ok, the email is delivered to the recipient [email protected]. Note that there are two queue IDs: status=sent on 455862A04DB only means Postfix handed the message to amavis on port 10024. The line that proves delivery is the postfix/lmtp entry for 54E3E2A063B, with relay=mail.blabla.com[10.100.100.200]:7025 (the Zimbra mailbox server's LMTP port) and dsn=2.1.5, status=sent (250 2.1.5 Delivery OK). When a user reports missing mail, a status=deferred or status=bounced on that second ID, with the reason in parentheses, is what to look for.

Tips 3 – Searching for a particular sender or recipient

A common request from an end user is whether an email from a given sender reached the mail server, based on a specific date and time they give you. Run the command below, then explain to the user what happened to that email. Search by email address:

grep -F -i '[email protected]' /var/log/zimbra.log

-F treats the address as a fixed string, so the dots are not regex wildcards, and -i covers mixed-case addresses. For mail older than the current file, run the same search over the rotated copies of zimbra.log, using zgrep for the compressed ones.

The result looks like the sample below. Focus on the date and time stamp the end user gave you. If you searched by the sender address, the postfix/lmtp line that proves final delivery will not appear, because that line only carries the recipient; take the queue ID from a matching line (and the queued_as ID from the amavis line) and grep for those to see the rest of the message's path.

[[email protected] ~]# grep -F -i '[email protected]' /var/log/zimbra.log

Aug 6 18:20:38 mail postfix/smtpd[18795]: NOQUEUE: filter: RCPT from mail-lf0-f43.google.com[209.85.215.43]: <[email protected]>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=
Aug 6 18:20:38 mail postfix/smtpd[18795]: NOQUEUE: filter: RCPT from mail-lf0-f43.google.com[209.85.215.43]: <[email protected]>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=
Aug 6 18:20:40 mail postfix/qmgr[31275]: 455862A04DB: from=<[email protected]>, size=2447, nrcpt=1 (queue active)
Aug 6 18:20:40 mail amavis[7425]: (07425-07) ESMTP:[127.0.0.1]:10024 /opt/zimbra/data/amavisd/tmp/amavis-20170806T092546-07425-UpnoiLPu: <[email protected]> -> <[email protected]> SIZE=2447 Received: from mail.blabla.com ([127.0.0.1]) by localhost (mail.blabla.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <[email protected]>; Sun, 6 Aug 2017 18:20:40 +0800 (MYT)
Aug 6 18:20:40 mail amavis[7425]: (07425-07) Checking: g2LQ5zXvMWD5 [209.85.215.43] <[email protected]> -> <[email protected]>
Aug 6 18:20:42 mail postfix/qmgr[31275]: 54E3E2A063B: from=<[email protected]>, size=3374, nrcpt=1 (queue active)
Aug 6 18:20:42 mail amavis[7425]: (07425-07) g2LQ5zXvMWD5 FWD from <[email protected]> -> <[email protected]>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 54E3E2A063B
Aug 6 18:20:42 mail amavis[7425]: (07425-07) Passed CLEAN {RelayedInbound}, [209.85.215.43]:32885 [209.85.215.43] <[email protected]> -> <[email protected]>, Queue-ID: 455862A04DB, Message-ID: <[email protected]om>, mail_id: g2LQ5zXvMWD5, Hits: -1.519, size: 2447, queued_as: 54E3E2A063B, dkim_sd=20161025:gmail.com, 2362 ms

With the above you have the basic capability to check the email issues your end users report. This applies not only to Zimbra but to any Linux mail system built on Postfix and amavisd-new, since these log lines come from those components rather than from Zimbra itself.
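Tip 2 (following a message across its two queue IDs) and Tip 3 (searching by address) come down to the same lookup, so here is one added shell example, not from the original post, that automates it: find the queue IDs for an address, follow the amavis queued_as hand-off to the re-injected ID, and report the amavis verdict and the final Postfix status. The log lines inside it are constructed for the example, modelled on the post's excerpt with placeholder addresses (alice@example.com, bob@blabla.com, carol@blabla.com, spammer@example.net) and made-up queue IDs for a deferred and a blocked message; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): follow a message through Zimbra's
# Postfix -> amavisd-new -> Postfix -> LMTP path and report its final status.
# Function and variable names are this example's own, not Zimbra commands.

# Constructed sample of /var/log/zimbra.log, modelled on the post's excerpt with
# placeholder addresses and queue IDs. Message 1 is delivered, message 2 is
# deferred by the mailbox server's LMTP listener, message 3 is discarded by amavis.
SAMPLE_LOG=$(cat <<'EOF'
Aug  6 18:20:39 mail postfix/smtpd[18795]: 455862A04DB: client=mail-lf0-f43.google.com[209.85.215.43]
Aug  6 18:20:40 mail postfix/qmgr[31275]: 455862A04DB: from=<alice@example.com>, size=2447, nrcpt=1 (queue active)
Aug  6 18:20:42 mail postfix/qmgr[31275]: 54E3E2A063B: from=<alice@example.com>, size=3374, nrcpt=1 (queue active)
Aug  6 18:20:42 mail amavis[7425]: (07425-07) Passed CLEAN {RelayedInbound}, [209.85.215.43]:32885 [209.85.215.43] <alice@example.com> -> <bob@blabla.com>, Queue-ID: 455862A04DB, Message-ID: <msg1@mail.example.com>, mail_id: g2LQ5zXvMWD5, Hits: -1.519, size: 2447, queued_as: 54E3E2A063B, dkim_sd=20161025:example.com, 2362 ms
Aug  6 18:20:42 mail postfix/smtp[21768]: 455862A04DB: to=<bob@blabla.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.2, delays=1.8/0.01/0/2.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 54E3E2A063B)
Aug  6 18:20:42 mail postfix/lmtp[21773]: 54E3E2A063B: to=<bob@blabla.com>, relay=mail.blabla.com[10.100.100.200]:7025, delay=0.29, delays=0.03/0.01/0.07/0.18, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Aug  6 19:05:10 mail postfix/qmgr[31275]: 7A1B2C3D4E5: from=<alice@example.com>, size=9001, nrcpt=1 (queue active)
Aug  6 19:05:12 mail amavis[7425]: (07425-08) Passed CLEAN {RelayedInbound}, [209.85.215.43]:40211 [209.85.215.43] <alice@example.com> -> <carol@blabla.com>, Queue-ID: 7A1B2C3D4E5, Message-ID: <msg2@mail.example.com>, mail_id: Hq8kLm2NpQ4R, Hits: 0.3, size: 9001, queued_as: 9F8E7D6C5B4, 1800 ms
Aug  6 19:05:12 mail postfix/smtp[21768]: 7A1B2C3D4E5: to=<carol@blabla.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1, delays=0.2/0.01/0/1.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9F8E7D6C5B4)
Aug  6 19:05:13 mail postfix/lmtp[21773]: 9F8E7D6C5B4: to=<carol@blabla.com>, relay=mail.blabla.com[10.100.100.200]:7025, delay=1.1, delays=0.1/0/0.2/0.8, dsn=4.2.2, status=deferred (host mail.blabla.com[10.100.100.200] said: 452 4.2.2 Over quota (in reply to end of DATA command))
Aug  6 19:30:01 mail postfix/qmgr[31275]: C0FFEE12345: from=<spammer@example.net>, size=512, nrcpt=1 (queue active)
Aug  6 19:30:03 mail amavis[7425]: (07425-09) Blocked SPAM {DiscardedInbound,Quarantined}, [203.0.113.7]:51234 [203.0.113.7] <spammer@example.net> -> <bob@blabla.com>, quarantine: spam-abc.gz, Queue-ID: C0FFEE12345, Message-ID: <msg3@example.net>, mail_id: Zz9yXx8wVv7u, Hits: 21.4, size: 512, 900 ms
Aug  6 19:30:03 mail postfix/smtp[21768]: C0FFEE12345: to=<bob@blabla.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.1/0.01/0/2.2, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=07425-09 - spam)
EOF
)

# Write the sample to a temp file so the functions take a log path, exactly as
# they would take /var/log/zimbra.log on a real server.
sample_log_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    printf '%s\n' "$f"
}

# Queue IDs of every line that names ADDR as envelope sender or recipient.
# -F makes the address a fixed string (dots are not regex wildcards); the angle
# brackets stop a search for bob@blabla.com matching bob@blabla.com.example.
# A Postfix queue ID is the upper-case hex token followed by ": " after the process tag.
queue_ids_for_address() {  # $1 = address, $2 = log file
    grep -F -i -- "<$1>" "$2" | grep -o -E ' [0-9A-F]{8,}: ' | tr -d ' :' | sort -u
}

# amavis re-injects a clean message into Postfix on port 10025 and the copy gets
# a NEW queue ID, logged as "queued_as:" on the amavis Passed line. Blocked lines
# have no queued_as, so this prints nothing for them.
reinjected_id() {  # $1 = queue id, $2 = log file
    grep -F -- "Queue-ID: $1," "$2" | sed -n 's/.*queued_as: \([0-9A-F]*\).*/\1/p' | head -n 1
}

# amavis verdict for a queue ID, e.g. "Passed CLEAN" or "Blocked SPAM".
amavis_verdict() {  # $1 = queue id, $2 = log file
    grep -F -- "Queue-ID: $1," "$2" | grep -o -E '(Passed|Blocked) [A-Z-]+' | head -n 1
}

# Last Postfix verdict for a queue ID: sent, deferred, bounced, or empty if unknown.
# The last matching line wins because a deferred message is retried and logged again.
delivery_status() {  # $1 = queue id, $2 = log file
    grep -E -- " $1: to=<" "$2" | grep -o 'status=[a-z]*' | tail -n 1 | cut -d= -f2
}

# One line per message involving ADDR: first queue ID, amavis verdict, re-injected
# ID (if any) and the final status. IDs that are themselves a re-injected copy are
# skipped so each message is reported once, under the ID it was first accepted with.
trace_address() {  # $1 = address, $2 = log file
    for id in $(queue_ids_for_address "$1" "$2"); do
        if grep -q -F -- "queued_as: $id" "$2"; then
            continue
        fi
        verdict=$(amavis_verdict "$id" "$2")
        next=$(reinjected_id "$id" "$2")
        if [ -n "$next" ]; then
            printf '%s [%s] -> %s: %s\n' "$id" "$verdict" "$next" "$(delivery_status "$next" "$2")"
        else
            printf '%s [%s]: %s\n' "$id" "${verdict:-no amavis verdict}" "$(delivery_status "$id" "$2")"
        fi
    done
}

LOG=$(sample_log_file)
trace_address alice@example.com "$LOG"
trace_address bob@blabla.com "$LOG"
rm -f "$LOG"
```

On a real server call trace_address user@domain /var/log/zimbra.log; for older mail, concatenate the rotated copies (zcat for the compressed ones) into a temporary file and pass that. The two traps the script makes visible are the ones the explanation above warns about: delivery_status on the first queue ID returns sent even for the blocked message, because that status is the hand-off to amavis, and only the status on the queued_as ID reflects delivery to the mailbox.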
