Postfix Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Postfix is a free and open-source mail transfer agent (MTA) that routes and delivers electronic mail. It is known for its easy configuration, secure default settings, and efficient management of system resources.

Supported Version(s)

Tested with Postfix version 3.7, but earlier versions may be compatible.

Requirements

Graylog server with a valid Enterprise license, running Graylog version 5.2.4 or later.

Stream Configuration

This technology pack includes 1 stream:

"Illuminate:Postfix Mail Server Messages"

Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

"Postfix Mail Server Logs"

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

Syslog

Syslog Configuration

Postfix sends the logs by default directly into syslog.

Create a matching syslog input in Graylog.
Configure your syslog server (e.g. rsyslog) to send the logs to Graylog.

Log Format Examples

Bounce Logs

`Jan 10 12:29:22 mailserver postfix/bounce[12345]: 24F202322: sender delay notification: 0A27A1222`

Cache Logs

`Jan 10 12:29:22 mailserver postfix/cache[12345]: 24F202322: cache lmdb:/var/lib/postfix/verify_cache full cleanup: retained=722 dropped=26 entries`

Connect Logs

`connect to intern.nl[10.10.10.10]:25: Connection timed out`

From Logs

`1234567222: from=<user@graylog.com>, size=3527, nrcpt=1 (queue active)`

To logs

`1234567222: to=, relay=none, delay=22, delays=22/0.02/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:2525: Connection refused)`

What is Provided

Rules to normalize and enrich Postfix log messages and a dashboard with four tabs.

Events Processed by This Technology Pack

The Postfix content pack supports:

Bounce Logs
Cache Logs
Certificate Logs
Client Logs
Connect Logs
DNS Logs
Lost Connection Logs
Mail from Logs
Mail to Logs
Master Logs
Pickup Logs
Postsuper Logs
Proxy Logs
PS Access Logs
PS Noqueue Logs
PS Violation Logs
QMGR Action Logs
SASL Failed Logs
Statistics Logs
Tls Connection Logs
Workaround Logs

Log Fields Included in this Pack

Field Name	Example Value	Field Type	Description
DNSBL
`source_ip`	10.1.2.3	keyword	IP address of the client.
`vendor_dnsblog_domain`	zen.spamhaus.org	keyword	The DNSBL service queried.
`vendor_dnsblog_result`	127.0.0.2	keyword	The DNSBL query result indicating whether the IP is blacklisted.
Postsuper
`vendor_event_action`	requeued	keyword	The postsuper action taken on messages.
`vendor_postsuper_summary_count`	23	keyword	Number of messages taken action on.
smtpd
`vendor_event_action`	connect	keyword	The action taken in the event.
`vendor_stage`	END-OF-MESSAGE	keyword	The stage of an SMTP connection, often associated with lost or filtered connections.
`vendor_smtp_response_message`	<user@example.com>: Recipient address rejected	keyword	The information provided in an SMTP response, often related to rejected or failed transactions.
`smtp_response_code`	554	keyword	SMTP basic status code.
`smtp_response_code_description`	Transaction failed	keyword	SMTP basic status code description.
`smtp_response_enhanced_class_code`	5	keyword	SMTP enhanced status class code.
`smtp_response_enhanced_class_code_description`	Permanent Failure	keyword	SMTP enhanced status class code description.
`smtp_response_enhanced_subject_code`	7	keyword	SMTP enhanced status subject code.
`smtp_response_enhanced_subject_code_description`	Security or Policy Status	keyword	SMTP enhanced status subject code description.
`smtp_response_enhanced_status_code`	7.1	keyword	SMTP enhanced status enumerated status code.
`email_from`	user@graylog.com	keyword	Email address of the sender.
`email_to`	user@graylog.com	keyword	Email address of the recipient found in some message types.
`source_ip`	10.1.2.3	keyword	IP address of the client.
`source_hostname`	graylog.com	keyword	Hostname of the client; often present when no sender address is given.
`source_port`	25	long	Port from which the client sent the request.
`destination_hostname`	mta.graylog.com	keyword	Hostname of the server; often present when no recipient address is given.
`network_protocol`	smtp	keyword	Network protocol used.
Master
`vendor_event_action`	daemon started	keyword	The action taken by the master daemon.
`service_version`	2.11.2	keyword	The Postfix version running.
`vendor_config_path`	/etc/postfix	keyword	Directory path to the Postfix configuration file.
`vendor_termination_signal`	22	keyword	Termination signal received by the master daemon.
Pickup
`email_from`	user@graylog.com	keyword	Email address of the sender.
`user_id`	1001	keyword	The ID of the user who submitted the message.
`vendor_event_severity`	high	keyword	The priority given to the message for processing.
`vendor_event_outcome`	deferred	keyword	The status of the message.
smtp
`vendor_event_action`	connect	keyword	The action taken in the event.
`vendor_event_outcome`	failed	keyword	The outcome of the event.
`vendor_event_description`	SASL authentication failed	keyword	The description of the event.
`vendor_event_outcome_reason`	Network is unreachable	keyword	The explanation for why a connection to the destination mail server failed.
`vendor_status`	sent	keyword	The outcome of an email delivery attempt.
`vendor_delay`	0.15	keyword	The total time in seconds that the message spent in the delivery process.
`vendor_delay_before_qmgr`	0.05	keyword	The time in seconds that the message spent in the queue before queue manager processing.
`vendor_delay_in_qmgr`	0	keyword	The time in seconds that the message spent in the queue manager.
`vendor_delay_conn_setup`	0	keyword	The time in seconds spent establishing a connection to the destination mail server.
`vendor_delay_transmission`	0.1	keyword	The time in seconds spent transmitting the message to the destination mail server.
`vendor_dsn`	2.0.0	keyword	Delivery Status Notification indicating the outcome of an email delivery attempt.
`vendor_pix_workaround`	disable_esmtp	keyword	Specific workaround(s) enabled.
`vendor_relay_ip`	10.1.2.3	keyword	IP address of the relay server.
`vendor_relay_host`	relay.graylog.com	keyword	Hostname of the relay server.
`vendor_relay_port`	25	long	Port used by the relay server.
`vendor_smtp_response_message`	Ok: queued as 1C4AF7872E4	keyword	The information provided for an SMTP response or delivery status.
`vendor_mail_response`	user unknown	keyword	The information provided for a delivery status.
`smtp_response_code`	250	keyword	SMTP basic status code.
`smtp_response_code_description`	Requested mail action okay, completed	keyword	SMTP basic status code description.
`smtp_response_enhanced_class_code`	2	keyword	SMTP enhanced status class code.
`smtp_response_enhanced_class_code_description`	Success	keyword	SMTP enhanced status class code description.
`smtp_response_enhanced_subject_code`	0	keyword	SMTP enhanced status subject code.
`smtp_response_enhanced_subject_code_description`	Other or Undefined Status	keyword	SMTP enhanced status subject code description.
`smtp_response_enhanced_status_code`	0	keyword	SMTP enhanced status enumerated status code.
`email_to`	user@graylog.com	keyword	Email address of the recipient.
`vendor_orig_to`	orig@graylog.com	keyword	The original recipient address of an email.
`source_ip`	10.1.2.3	keyword	IP address of the client.
`source_hostname`	graylog.com	keyword	Hostname of the client.
`source_port`	25	long	Port from which the client sent the request.
Warning
`vendor_event_severity`	warning	keyword	The vendor event severity. Follows syslog level with an additional panic state.
`vendor_warning_description`	database /etc/postfix/virtual.db is old	keyword	The error message.
TLS
`vendor_tls_trustlevel`	Anonymous	keyword	The vendor event severity. Follows syslog level with an additional panic state.
`vendor_event_action`	TLS connection	keyword	The TLS event action.
`vendor_event_outcome`	established	keyword	The outcome of the action.
`vendor_relay_host`	relay.graylog.com	keyword	Hostname of the relay server.
`vendor_relay_ip`	10.1.2.3	keyword	IP address of the relay server.
`vendor_relay_port`	25	long	Port used by the relay server.
`vendor_tls_version`	TLSv1.2	keyword	The TLS version.
`vendor_tls_cipher`	AECDH-AES256-SHA	keyword	The TLS cipher used.
`vendor_tls_cipher_size`	256/256	keyword	The TLS cipher size.
`vendor_tls_error`	self-signed certificate	keyword	The reason for a certificate verification failure.
Postscreen
`vendor_event_action`	PASS NEW	keyword	The action taken on incoming SMTP connections.
`vendor_server_ip`	10.1.2.3	keyword	IP address of the Postfix mail server.
`vendor_server_port`	25	long	Port on the Postfix mail server that received the request.
`vendor_ps_violation`	PREGREET	keyword	The reason the request was filtered, often due to being suspicious or non-compliant.
`vendor_ps_violation_time`	1.2	keyword	Duration in seconds that elapsed before a violation occurred.
`vendor_smtp_stage`	HELO	keyword	The stage of an SMTP connection during or after which a violation occurred.
`vendor_smtp_response_message`	<host@graylog.com>: Relay access denied	keyword	The explanation for why an SMTP transaction was rejected or failed.
`smtp_response_code`	550	keyword	SMTP basic status code.
`smtp_response_code_description`	Mailbox unavailable	keyword	SMTP basic status code description.
`smtp_response_enhanced_class_code`	5	keyword	SMTP enhanced status class code.
`smtp_response_enhanced_class_code_description`	Permanent Failure	keyword	SMTP enhanced status class code description.
`smtp_response_enhanced_subject_code`	5	keyword	SMTP enhanced status subject code.
`smtp_response_enhanced_subject_code_description`	Mail Delivery Protocol Status	keyword	SMTP enhanced status subject code description.
`smtp_response_enhanced_status_code`	5.3	keyword	SMTP enhanced status enumerated status code.
`email_from`	user@graylog.com	keyword	Email address of the sender.
`email_to`	user@graylog.com	keyword	Email address of the recipient.
`source_ip`	10.1.2.3	keyword	IP address of the client.
`source_hostname`	graylog.com	keyword	Hostname of the client, often present when no sender address is given.
`source_port`	25	long	Port from which the client sent the request.
`destination_hostname`	mta.graylog.com	keyword	Hostname of the server, often present when no recipient address is given.
`network_protocol`	smtp	keyword/loweronly	Network protocol used.
Cache
`vendor_cache_retained`	724	long	Number of result cache entries kept during cleanup.
`vendor_cache_dropped`	6	long	Number of result cache entries removed during cleanup.
Cleanup
`vendor_event_action`	header-redirect	keyword	The action taken in the event.
`vendor_email_header`	X-Spam-Status	keyword	An email header present in the message.
`vendor_email_header_content`	Yes, score=39.3 required=5.0 tests=ADVANCE_FE	keyword	The content of an email header.
`vendor_milter_data`	tom@example.com	keyword	Information pertaining to the mail filter protocol.
`email_message_id`	KIYjfnew6eh4nfj+reun0Kis-HIdHF714@mail.client.com	keyword	Email Message ID.
`email_subject`	This is a Subject	keyword	Email Subject.
`email_from`	user@graylog.com	keyword	Email address of the sender.
`email_to`	user@graylog.com	keyword	Email address of the recipient.
`source_ip`	10.1.2.3	keyword	IP address of the client.
`source_hostname`	graylog.com	keyword	Hostname of the client.
`network_protocol`	smtp	keyword/loweronly	Network protocol used.
Bounce
`vendor_event_outcome`	delay	keyword	The notification type indicating the outcome of an email delivery attempt.
`vendor_bounce_uid`	0A87A1A08	keyword	The queue ID unique to the email transaction the notification describes.
Queue Manager (qmgr)
`email_from`	user@graylog.com	keyword	Email address of the sender.
`email_size`	2522	long	Size of the email message in bytes.
`vendor_nrcpt`	2	long	Number of recipients for the email.
`vendor_qmgr_action`	removed	keyword	The status of the message within the mail queue.
General Parsing
`application_name`	postfix	keyword	This field is generated by the syslog input.
`process_id`	5222	keyword/loweronly	This field is generated by the syslog input.
`event_created`	6/12/2024 2:26	date
`event_source`	serverhost	keyword	This field is generated by the syslog input.
`vendor_event_severity`	warn	keyword	Not all Postfix logs have a severity, usually only error messages have one.
`vendor_daemon`	qmgr	keyword	The Postfix service that the message pertains to. Existence depends on the input format.
`email_uid`	2A123B456C	keyword	The queue ID unique to each Postfix message.
Scache
`vendor_event_action`	start interval	keyword	The action for this log type is always "start interval".
`vendor_scache_timestamp`	12/6/2024 21:20	keyword	The timestamp indicating when this statistic was recorded.
`vendor_scache_hits`	1	long	Indicates the number of successful cache hits.
`vendor_scache_miss`	1	long	Represents the number of cache misses.
`vendor_scache_success`	1	long	Shows the number of successful cache operations.
`vendor_scache_domains`	1	long	Indicates the number of unique domains for which connection information is cached.
`vendor_scache_addresses`	1	long	Shows the number of unique IP addresses for which connection information is cached.
`vendor_scache_connection`	1	long	Represents the number of active or open connections that are currently cached.
Anvil
`vendor_anvil_cache_size`	12	keyword	Represents the current size of the connection cache managed by the anvil daemon.
`vendor_anvil_timestamp`	12/6/2024 21:20	keyword	The timestamp indicating when this statistic was recorded.
`vendor_anvil_conn_count`	1	long	Refers to a specific metric tracked by the anvil daemon, which is responsible for rate limiting connections and command requests to prevent abuse or denial-of-service attacks.
`vendor_anvil_conn_rate`	1	long	Tracks the rate at which new connections are made to the server, providing a measure of connection activity over a specified time period.
`vendor_service`	smtpd	long	Specifies the context or service for which the statistic is relevant.
`source_ip`	10.1.2.3	keyword	IP address of the client.
`source_hostname`	graylog.com	keyword	Hostname of the client.
`source_port`	25	long	Port from which the client sent the request.

Postfix Legacy Timestamps

Postfix logs may include a legacy syslog-formatted timestamp, for example June 12 02:26:22, which are extracted and assigned the field event_created. The legacy format can be processed and indexed as a date value, but without a year defined, the date will be stored using the default year 1970.

The Illuminate Postfix processing pack will detect these timestamps and update them to a format that includes the current year. This will address the large majority of events, but it is possible that events occurring right before the end of the calendar year and being processed after the new calendar year starts could be indexed with the incorrect year, effectively making the event_created value appear in the future. Additionally, processing old events that did not occur in the current calendar year will be set to use the current year.

Graylog Illuminate:Postfix Spotlight Spotlight Content Pack

The Graylog "Illuminate:Postfix Spotlight" offers a dashboard with 4 tabs: Postfix Mail Server Overview, Postfix Email Overview, Postfix SMTP Overview, TLS Overview: