Postfix Mail Server Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Postfix is a free and open-source mail transfer agent (MTA) that routes and delivers electronic mail. This content pack processes Postfix syslog and Filebeat log messages, providing field extraction, normalization, and enrichment for common mail server events including message delivery, rejection, quarantine, SASL authentication, TLS connections, and service lifecycle events.

Supported Versions

  • Postfix 3.7 or later

Requirements

  • Graylog Server with a valid Enterprise license, running Graylog version 6.0 or later

  • Postfix configured to send logs via syslog, or a Filebeat agent collecting Postfix log files

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Postfix Mail Server Messages"

Hint: If this stream does not exist before this pack is activated, it is created, and the pack's rules route matching messages to it and to the associated index set. Do not configure any stream rules for this stream; routing is handled entirely by the pack.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "PostFix Mail Server Logs"

Hint: If this index set is already defined, then nothing is changed. If this index set does not exist, then it is created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection and Delivery

Postfix supports two log delivery methods: syslog and Filebeat. Choose the method that best fits your environment.

Option 1: Syslog

Postfix writes logs to syslog by default. Configure your syslog daemon (rsyslog or syslog-ng) to forward mail logs to a Graylog Syslog input.

  1. Create a Syslog UDP or TCP input in Graylog.

  2. Configure your syslog daemon to forward mail facility messages to the Graylog syslog input. Example rsyslog rule (@@ forwards over TCP; use a single @ for UDP): mail.* @@<graylog-host>:<port>

  3. Restart the syslog daemon to apply the configuration.

Option 2: Filebeat

Postfix can be configured to write logs to a file. A Filebeat agent can then collect and forward those logs to a Graylog Beats input.

  1. Edit /etc/postfix/main.cf and add maillog_file = /var/log/postfix.log to enable file-based logging, or configure rsyslog to write mail logs to a file such as /var/log/mail.log.

  2. Install and configure the Graylog Sidecar with a Filebeat collector. Refer to the Graylog Sidecar documentation.

  3. Create a matching Beats input in Graylog.

  4. Add the following to your Filebeat configuration so messages are routed to this pack:

         fields_under_root: true
         fields:
           event_source_product: postfix

Hint: The event_source_product: postfix field is required when using Filebeat. Without it, messages are not recognized by this pack.

What is Provided

  • Rules to parse, normalize, and enrich Postfix log messages delivered via syslog or Filebeat.

  • Support for mail delivery (sent, bounced, deferred), rejection (NOQUEUE, postscreen), quarantine (milter redirect), SASL authentication, TLS connections, DNS blocklist checks, and service lifecycle events.

  • GIM event type code assignment and enforcement field normalization for all supported message types.

  • A dashboard providing an overview of mail server activity, email flow, SMTP responses, and TLS connections.

Log Format Examples

Postfix log messages follow standard syslog format. The following examples illustrate the main supported log types:

Postfix examples

# Mail delivery (smtp, relay-forwarded via amavis/spam filter)
mail postfix/smtp[26388]: C1EEF447422E5: to=<ktester@lsuas.gov.my>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.83, delays=0.09/0/0/0.74, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 92AA522740522)

# Mail delivery (lmtp, relay-forwarded)
mail postfix/lmtp[5347]: 92AA544740226: to=<ktester@lsuas.gov.my>, relay=mail.luas.gov.my[192.168.1.9]:7025, delay=0.21, delays=0.01/0/0.09/0.11, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)

# Mail delivery (smtp, direct)
June 12 02:26:22 serverhost postfix/smtp[5222]: 25F2E5E061: to=<stefan@test.example.com>, relay=none, delay=0.05, delays=0.05/0/0/0, dsn=2.0.0, status=sent (test.example.com)

# Mail accepted (smtpd, from)
June 12 02:26:22 serverhost postfix/smtpd[5222]: 1234567222: from=<user@graylog.com>, size=2522, nrcpt=2 (queue active)

# Mail rejected (NOQUEUE, postscreen)
Jan 10 12:09:10 mailserver postfix/postscreen[5222]: NOQUEUE: reject: CONNECT from [1.2.3.22]:1322: too many connections

# Mail rejected (NOQUEUE, smtpd)
Aug 11 21:47:10 mydomain postfix/smtpd[6741]: NOQUEUE: reject: RCPT from unknown[10.10.10.10]: 503 <host@agency.com>: Sender address rejected: Improper use of SMTP command pipelining; from=<host@agency.com> to=<ad@domain.org.br> proto=SMTP helo=<ran-aaaa22aa22>

# Postscreen violation
Jan 10 12:09:10 mailserver postfix/postscreen[5222]: COMMAND LENGTH LIMIT from [182.246.250.222]:51222 after RCPT

# Milter quarantine (spam filter redirect)
Aug 11 21:47:10 mydomain postfix/cleanup[10829]: 2222AA2: milter-header-redirect: header X-Spam-Status: Yes, score=39.3 required=5.0 tests=ADVANCE_FE from 061238241086.static.ctinets.com[10.10.10.10]; from=<user@aaaa.com> to=<user@example.com> proto=ESMTP helo=<ecsolved.com>: tom@example.com

# Cleanup warning (header check)
Nov 4 08:51:29 mail postfix/cleanup[1111]: 2AA2AA2A22: warning: header Subject: THIS IS SUBJECT WITH FROM IN THE TEXT from localhost[127.0.0.1]; from=<sender@my.server.hostname> to=<recipient@domain.tld> proto=ESMTP helo=<localhost>

# Bounce - delivery status notification
Jan 10 12:09:10 mailserver postfix/bounce[5222]: 24F202322: sender delivery status notification: 1DF35222

# Bounce - delay notification
Aug 11 21:47:10 mydomain postfix/bounce[10829]: 264FE1A18: sender delay notification: 0A87A1A08

# TLS connection established
Jan 10 12:09:10 mailserver postfix/smtp[5222]: Verified TLS connection established to mail.sys4.de[2222:a2a2:2222:a22::22a]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

# Certificate verification failure
Jan 10 12:09:10 mailserver postfix/smtp[5222]: 4224E3D: certificate verification failed for mail.example.com[122.162.12.22]:25: self-signed certificate.

# SASL authentication failure
Jan 10 12:09:10 mailserver postfix/smtpd[5222]: A2AA222222: SASL authentication failed; server xyz.example.com[1.2.3.4] said: 535 5.7.8 Error: authentication failed: authentication failure

# Connection timeout (lost connection)
Jan 10 12:09:10 mailserver postfix/smtpd[5222]: 4224E3D: timeout after END-OF-MESSAGE from unknown[72.13.22.27]

# DNSBL listing
Apr 9 08:42:22 graylog postfix/dnsblog[32022]: addr 201.22.22.22 listed by domain dnsbl.graylog.net as 127.0.0.7

# Proxy accept
Jan 10 12:09:10 mailserver postfix/smtpd[5222]: 4224E3D: proxy-accept: END-OF-MESSAGE: 250 2.0.0 from MTA(smtp:[127.0.0.1]:10223): 250 2.0.0 Ok: queued as DF22E220333; from=<stefan@test.example.com> to=<jordan@example2.com> proto=ESMTP helo=<[127.0.0.1]>

# TLS proxy disconnect
Jan 10 12:09:10 mailserver postfix/tlsproxy[5222]: 4224E3D: DISCONNECT from [216.22.72.22]:42422

# Pickup (local submission)
Jan 10 12:03:04 mailserver postfix/pickup[12345]: 4224E3D: uid=1003 from=<priority@graylog.com> priority=high

# Queue manager action
Jan 10 12:09:10 mailserver postfix/qmgr[5222]: A2AA222222: skipped, still being delivered

# Postsuper queue management
Jan 10 12:09:10 mailserver postfix/postsuper[5222]: 24F202322: released from hold

# Service start
Jan 10 12:09:10 mailserver postfix/master[1]: daemon started -- version 2.11.2, configuration /etc/postfix

# Service stop
Jan 10 12:09:10 mailserver postfix/master[1]: terminating on signal 15

# Statistics
Jan 10 12:09:10 mailserver postfix/smtp[5222]: statistics: domain lookup hits=0 miss=1 success=0%

GIM Categorization

GIM event type codes are assigned based on the vendor_event_action field extracted from the log message, with the following exceptions:

  • Email delivery events (status=sent or status=bounced) are categorized using the vendor_status field.

  • Postscreen protocol violations are categorized using the vendor_ps_violation field.

  • Certificate verification failed events (certificate verification) are not assigned a GIM category as no suitable code exists.
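As an added example (not code from the Illuminate pack), the following Python parser extracts fields from several of the sample lines in the Log Format Examples section above and applies this section's rules to decide which field drives GIM categorization. The field names vendor_event_action, vendor_status and vendor_ps_violation are taken from this page; the action labels the parser assigns (delivery, reject, postscreen_violation, and so on) and the DELIVERY_AGENTS list are assumptions for illustration, not the pack's actual values, and no GIM codes appear because the page does not list them.

```python
"""Minimal parser for the Postfix syslog lines shown on this page.

Added example, not the Illuminate pack's own rules. Field names
vendor_event_action / vendor_status / vendor_ps_violation come from the
page; the action labels assigned below are illustrative assumptions."""
import re

# Syslog prefix is optional because some of the page's examples omit it.
LINE_RE = re.compile(
    r"^(?:(?P<timestamp>[A-Z][a-z]+\s+\d{1,2} \d\d:\d\d:\d\d) )?"
    r"(?P<host>\S+) postfix/(?P<process>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Hex queue id or NOQUEUE, then the rest of the message.
QUEUE_RE = re.compile(r"^(?P<queue_id>[0-9A-F]{6,}|NOQUEUE): (?P<rest>.*)$")
# key=value pairs: <address> or a bare token up to the next comma/space.
KV_RE = re.compile(r"\b(?P<key>[a-z_]+)=(?P<val><[^>]*>|[^,\s]+)")
# Trailing "(...)" after status= is the SMTP response text.
STATUS_TEXT_RE = re.compile(r"status=\w+ \((?P<text>.*)\)$")
# postscreen protocol violation, e.g. "COMMAND LENGTH LIMIT from [ip]:port ..."
PS_VIOLATION_RE = re.compile(r"^(?P<violation>[A-Z][A-Z ]+?) from \[")

# Assumed list of delivery agents whose lines carry status=...
DELIVERY_AGENTS = {"smtp", "lmtp", "local", "virtual", "pipe", "error"}

# Sample lines copied from the examples on this page.
SAMPLES = {
    "sent": "June 12 02:26:22 serverhost postfix/smtp[5222]: 25F2E5E061: "
            "to=<stefan@test.example.com>, relay=none, delay=0.05, "
            "delays=0.05/0/0/0, dsn=2.0.0, status=sent (test.example.com)",
    "reject": "Aug 11 21:47:10 mydomain postfix/smtpd[6741]: NOQUEUE: reject: "
              "RCPT from unknown[10.10.10.10]: 503 <host@agency.com>: Sender "
              "address rejected: Improper use of SMTP command pipelining; "
              "from=<host@agency.com> to=<ad@domain.org.br> proto=SMTP "
              "helo=<ran-aaaa22aa22>",
    "postscreen": "Jan 10 12:09:10 mailserver postfix/postscreen[5222]: "
                  "COMMAND LENGTH LIMIT from [182.246.250.222]:51222 after RCPT",
    "cert": "Jan 10 12:09:10 mailserver postfix/smtp[5222]: 4224E3D: certificate "
            "verification failed for mail.example.com[122.162.12.22]:25: "
            "self-signed certificate.",
    "sasl": "Jan 10 12:09:10 mailserver postfix/smtpd[5222]: A2AA222222: SASL "
            "authentication failed; server xyz.example.com[1.2.3.4] said: 535 "
            "5.7.8 Error: authentication failed: authentication failure",
}


def parse_kv(text):
    """Extract key=value pairs, stripping <> from addresses."""
    return {m.group("key"): m.group("val").strip("<>") for m in KV_RE.finditer(text)}


def parse_line(line):
    """Return a dict of extracted fields, or None if this is not a Postfix line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = {k: v for k, v in m.groupdict().items() if v is not None}
    msg = ev.pop("msg")
    q = QUEUE_RE.match(msg)
    if q:
        ev["queue_id"] = q.group("queue_id")
        msg = q.group("rest")
    ev.update(parse_kv(msg))
    proc = ev["process"]
    if "status" in ev and proc in DELIVERY_AGENTS:
        ev["vendor_event_action"] = "delivery"
        ev["vendor_status"] = ev["status"]
        st = STATUS_TEXT_RE.search(msg)
        if st:
            ev["status_text"] = st.group("text")
    elif msg.startswith("reject:"):
        ev["vendor_event_action"] = "reject"
    elif proc == "postscreen" and PS_VIOLATION_RE.match(msg):
        ev["vendor_event_action"] = "postscreen_violation"
        ev["vendor_ps_violation"] = PS_VIOLATION_RE.match(msg).group("violation")
    elif "SASL authentication failed" in msg:
        ev["vendor_event_action"] = "sasl_auth_failed"
    elif "certificate verification failed" in msg:
        ev["vendor_event_action"] = "certificate verification"
    elif "TLS connection established" in msg:
        ev["vendor_event_action"] = "tls_established"
    return ev


def categorization_field(ev):
    """Name the field that drives GIM categorization per this page's rules.

    None means the page assigns no GIM category (certificate verification)."""
    action = ev.get("vendor_event_action")
    if action == "delivery" and ev.get("vendor_status") in ("sent", "bounced"):
        return "vendor_status"
    if "vendor_ps_violation" in ev:
        return "vendor_ps_violation"
    if action == "certificate verification":
        return None
    return "vendor_event_action"


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        ev = parse_line(line)
        print(f"{name}: categorized by {categorization_field(ev)} "
              f"(action={ev.get('vendor_event_action')}, "
              f"status={ev.get('vendor_status')})")
```

Lines that do not carry the postfix/<process>[pid] prefix return None, which is the cheap check to add before shipping such a parser into a pipeline: anything that falls through it should be counted, not silently dropped, so a format change in Postfix shows up as a metric rather than as missing events.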

Postfix Mail Server Spotlight Content Pack

The Postfix Mail Server Spotlight pack provides an overview dashboard with the following tabs:

  • Postfix Mail Server Overview

  • Postfix Email Overview

  • Postfix SMTP Overview

  • TLS Overview