Graylog Illuminate is available for use with Graylog Enterprise and Graylog Security Graylog Security. Contact sales to learn more about obtaining Illuminate.

Postfix is a free and open-source mail transfer agent (MTA) that routes and delivers electronic mail. It is known for its easy configuration, secure default settings, and efficient management of system resources.

Supported Version(s)

  • Tested with Postfix version 3.7, but earlier versions may be compatible.

Requirements

  • Graylog server with a valid Enterprise license, running Graylog version 5.2.4 or later.

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Postfix Mail Server Messages"

Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "Postfix Mail Server Logs"

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

  • Syslog

Syslog Configuration

Postfix sends the logs by default directly into syslog.

  1. Create a matching syslog input in Graylog.

  2. Configure your syslog server (e.g. rsyslog) to send the logs to Graylog.

Log Format Examples

Bounce Logs

`Jan 10 12:29:22 mailserver postfix/bounce[12345]: 24F202322: sender delay notification: 0A27A1222`

Cache Logs

`Jan 10 12:29:22 mailserver postfix/cache[12345]: 24F202322: cache lmdb:/var/lib/postfix/verify_cache full cleanup: retained=722 dropped=26 entries`

Connect Logs

`connect to intern.nl[10.10.10.10]:25: Connection timed out`

From Logs

`1234567222: from=<user@graylog.com>, size=3527, nrcpt=1 (queue active)`

To logs

`1234567222: to=, relay=none, delay=22, delays=22/0.02/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:2525: Connection refused)`

What is Provided

  • Rules to normalize and enrich Postfix log messages and a dashboard with four tabs.

Events Processed by This Technology Pack

The Postfix content pack supports:

  • Bounce Logs

  • Cache Logs

  • Certificate Logs

  • Client Logs

  • Connect Logs

  • DNS Logs

  • Lost Connection Logs

  • Mail from Logs

  • Mail to Logs

  • Master Logs

  • Pickup Logs

  • Postsuper Logs

  • Proxy Logs

  • PS Access Logs

  • PS Noqueue Logs

  • PS Violation Logs

  • QMGR Action Logs

  • SASL Failed Logs

  • Statistics Logs

  • Tls Connection Logs

  • Workaround Logs

Log Fields Included in this Pack

Field Name Example Value Field Type Description
DNSBL      
source_ip 10.1.2.3 keyword IP address of the client.
vendor_dnsblog_domain zen.spamhaus.org keyword The DNSBL service queried.
vendor_dnsblog_result 127.0.0.2 keyword The DNSBL query result indicating whether the IP is blacklisted.
Postsuper      
vendor_event_action requeued keyword The postsuper action taken on messages.
vendor_postsuper_summary_count 23 keyword Number of messages taken action on.
smtpd      
vendor_event_action connect keyword The action taken in the event.
vendor_stage END-OF-MESSAGE keyword The stage of an SMTP connection, often associated with lost or filtered connections.
vendor_smtp_response_message <user@example.com>: Recipient address rejected keyword The information provided in an SMTP response, often related to rejected or failed transactions.
smtp_response_code 554 keyword SMTP basic status code.
smtp_response_code_description Transaction failed keyword SMTP basic status code description.
smtp_response_enhanced_class_code 5 keyword SMTP enhanced status class code.
smtp_response_enhanced_class_code_description Permanent Failure keyword SMTP enhanced status class code description.
smtp_response_enhanced_subject_code 7 keyword SMTP enhanced status subject code.
smtp_response_enhanced_subject_code_description Security or Policy Status keyword SMTP enhanced status subject code description.
smtp_response_enhanced_status_code 7.1 keyword SMTP enhanced status enumerated status code.
email_from user@graylog.com keyword Email address of the sender.
email_to user@graylog.com keyword Email address of the recipient found in some message types.
source_ip 10.1.2.3 keyword IP address of the client.
source_hostname graylog.com keyword Hostname of the client; often present when no sender address is given.
source_port 25 long Port from which the client sent the request.
destination_hostname mta.graylog.com keyword Hostname of the server; often present when no recipient address is given.
network_protocol smtp keyword Network protocol used.
Master      
vendor_event_action daemon started keyword The action taken by the master daemon.
service_version 2.11.2 keyword The Postfix version running.
vendor_config_path /etc/postfix keyword Directory path to the Postfix configuration file.
vendor_termination_signal 22 keyword Termination signal received by the master daemon.
Pickup      
email_from user@graylog.com keyword Email address of the sender.
user_id 1001 keyword The ID of the user who submitted the message.
vendor_event_severity high keyword The priority given to the message for processing.
vendor_event_outcome deferred keyword The status of the message.
smtp      
vendor_event_action connect keyword The action taken in the event.
vendor_event_outcome failed keyword The outcome of the event.
vendor_event_description SASL authentication failed keyword The description of the event.
vendor_event_outcome_reason Network is unreachable keyword The explanation for why a connection to the destination mail server failed.
vendor_status sent keyword The outcome of an email delivery attempt.
vendor_delay 0.15 keyword The total time in seconds that the message spent in the delivery process.
vendor_delay_before_qmgr 0.05 keyword The time in seconds that the message spent in the queue before queue manager processing.
vendor_delay_in_qmgr 0 keyword The time in seconds that the message spent in the queue manager.
vendor_delay_conn_setup 0 keyword The time in seconds spent establishing a connection to the destination mail server.
vendor_delay_transmission 0.1 keyword The time in seconds spent transmitting the message to the destination mail server.
vendor_dsn 2.0.0 keyword Delivery Status Notification indicating the outcome of an email delivery attempt.
vendor_pix_workaround disable_esmtp keyword Specific workaround(s) enabled.
vendor_relay_ip 10.1.2.3 keyword IP address of the relay server.
vendor_relay_host relay.graylog.com keyword Hostname of the relay server.
vendor_relay_port 25 long Port used by the relay server.
vendor_smtp_response_message Ok: queued as 1C4AF7872E4 keyword The information provided for an SMTP response or delivery status.
vendor_mail_response user unknown keyword The information provided for a delivery status.
smtp_response_code 250 keyword SMTP basic status code.
smtp_response_code_description Requested mail action okay, completed keyword SMTP basic status code description.
smtp_response_enhanced_class_code 2 keyword SMTP enhanced status class code.
smtp_response_enhanced_class_code_description Success keyword SMTP enhanced status class code description.
smtp_response_enhanced_subject_code 0 keyword SMTP enhanced status subject code.
smtp_response_enhanced_subject_code_description Other or Undefined Status keyword SMTP enhanced status subject code description.
smtp_response_enhanced_status_code 0 keyword SMTP enhanced status enumerated status code.
email_to user@graylog.com keyword Email address of the recipient.
vendor_orig_to orig@graylog.com keyword The original recipient address of an email.
source_ip 10.1.2.3 keyword IP address of the client.
source_hostname graylog.com keyword Hostname of the client.
source_port 25 long Port from which the client sent the request.
Warning      
vendor_event_severity warning keyword The vendor event severity. Follows syslog level with an additional panic state.
vendor_warning_description database /etc/postfix/virtual.db is old keyword The error message.
TLS      
vendor_tls_trustlevel Anonymous keyword The vendor event severity. Follows syslog level with an additional panic state.
vendor_event_action TLS connection keyword The TLS event action.
vendor_event_outcome established keyword The outcome of the action.
vendor_relay_host relay.graylog.com keyword Hostname of the relay server.
vendor_relay_ip 10.1.2.3 keyword IP address of the relay server.
vendor_relay_port 25 long Port used by the relay server.
vendor_tls_version TLSv1.2 keyword The TLS version.
vendor_tls_cipher AECDH-AES256-SHA keyword The TLS cipher used.
vendor_tls_cipher_size 256/256 keyword The TLS cipher size.
vendor_tls_error self-signed certificate keyword The reason for a certificate verification failure.
Postscreen      
vendor_event_action PASS NEW keyword The action taken on incoming SMTP connections.
vendor_server_ip 10.1.2.3 keyword IP address of the Postfix mail server.
vendor_server_port 25 long Port on the Postfix mail server that received the request.
vendor_ps_violation PREGREET keyword The reason the request was filtered, often due to being suspicious or non-compliant.
vendor_ps_violation_time 1.2 keyword Duration in seconds that elapsed before a violation occurred.
vendor_smtp_stage HELO keyword The stage of an SMTP connection during or after which a violation occurred.
vendor_smtp_response_message <host@graylog.com>: Relay access denied keyword The explanation for why an SMTP transaction was rejected or failed.
smtp_response_code 550 keyword SMTP basic status code.
smtp_response_code_description Mailbox unavailable keyword SMTP basic status code description.
smtp_response_enhanced_class_code 5 keyword SMTP enhanced status class code.
smtp_response_enhanced_class_code_description Permanent Failure keyword SMTP enhanced status class code description.
smtp_response_enhanced_subject_code 5 keyword SMTP enhanced status subject code.
smtp_response_enhanced_subject_code_description Mail Delivery Protocol Status keyword SMTP enhanced status subject code description.
smtp_response_enhanced_status_code 5.3 keyword SMTP enhanced status enumerated status code.
email_from user@graylog.com keyword Email address of the sender.
email_to user@graylog.com keyword Email address of the recipient.
source_ip 10.1.2.3 keyword IP address of the client.
source_hostname graylog.com keyword Hostname of the client, often present when no sender address is given.
source_port 25 long Port from which the client sent the request.
destination_hostname mta.graylog.com keyword Hostname of the server, often present when no recipient address is given.
network_protocol smtp keyword/loweronly Network protocol used.
Cache      
vendor_cache_retained 724 long Number of result cache entries kept during cleanup.
vendor_cache_dropped 6 long Number of result cache entries removed during cleanup.
Cleanup      
vendor_event_action header-redirect keyword The action taken in the event.
vendor_email_header X-Spam-Status keyword An email header present in the message.
vendor_email_header_content Yes, score=39.3 required=5.0 tests=ADVANCE_FE keyword The content of an email header.
vendor_milter_data tom@example.com keyword Information pertaining to the mail filter protocol.
email_message_id KIYjfnew6eh4nfj+reun0Kis-HIdHF714@mail.client.com keyword Email Message ID.
email_subject This is a Subject keyword Email Subject.
email_from user@graylog.com keyword Email address of the sender.
email_to user@graylog.com keyword Email address of the recipient.
source_ip 10.1.2.3 keyword IP address of the client.
source_hostname graylog.com keyword Hostname of the client.
network_protocol smtp keyword/loweronly Network protocol used.
Bounce      
vendor_event_outcome delay keyword The notification type indicating the outcome of an email delivery attempt.
vendor_bounce_uid 0A87A1A08 keyword The queue ID unique to the email transaction the notification describes.
Queue Manager (qmgr)      
email_from user@graylog.com keyword Email address of the sender.
email_size 2522 long Size of the email message in bytes.
vendor_nrcpt 2 long Number of recipients for the email.
vendor_qmgr_action removed keyword The status of the message within the mail queue.
General Parsing      
application_name postfix keyword This field is generated by the syslog input.
process_id 5222 keyword/loweronly This field is generated by the syslog input.
event_created 6/12/2024 2:26 date  
event_source serverhost keyword This field is generated by the syslog input.
vendor_event_severity warn keyword Not all Postfix logs have a severity, usually only error messages have one.
vendor_daemon qmgr keyword The Postfix service that the message pertains to. Existence depends on the input format.
email_uid 2A123B456C keyword The queue ID unique to each Postfix message.
Scache      
vendor_event_action start interval keyword The action for this log type is always "start interval".
vendor_scache_timestamp 12/6/2024 21:20 keyword The timestamp indicating when this statistic was recorded.
vendor_scache_hits 1 long Indicates the number of successful cache hits.
vendor_scache_miss 1 long Represents the number of cache misses.
vendor_scache_success 1 long Shows the number of successful cache operations.
vendor_scache_domains 1 long Indicates the number of unique domains for which connection information is cached.
vendor_scache_addresses 1 long Shows the number of unique IP addresses for which connection information is cached.
vendor_scache_connection 1 long Represents the number of active or open connections that are currently cached.
Anvil      
vendor_anvil_cache_size 12 keyword Represents the current size of the connection cache managed by the anvil daemon.
vendor_anvil_timestamp 12/6/2024 21:20 keyword The timestamp indicating when this statistic was recorded.
vendor_anvil_conn_count 1 long Refers to a specific metric tracked by the anvil daemon, which is responsible for rate limiting connections and command requests to prevent abuse or denial-of-service attacks.
vendor_anvil_conn_rate 1 long Tracks the rate at which new connections are made to the server, providing a measure of connection activity over a specified time period.
vendor_service smtpd long Specifies the context or service for which the statistic is relevant.
source_ip 10.1.2.3 keyword IP address of the client.
source_hostname graylog.com keyword Hostname of the client.
source_port 25 long Port from which the client sent the request.

Graylog Illuminate:Postfix Spotlight Spotlight Content Pack

The Graylog "Illuminate:Postfix Spotlight" offers a dashboard with 4 tabs: Postfix Mail Server Overview, Postfix Email Overview, Postfix SMPT Overview, TLS Overview: