Mail Logs Format
There are three types of log files used on our mail servers: SMTP logs, delivery logs, and Spamdyke logs.
Each type has a different format. This page provides an explanation of the most common lines you will see in the logs.
The SMTP logs contain information about messages that are delivered to our mail server for local delivery or relay to other mail servers.
Information about each message is logged on multiple lines, and the lines pertaining to the same message are grouped together.
SMTP logs are split by the incoming port. Our servers accept SMTP connections on ports 25, 465, and 587. Email is almost always delivered between servers on port 25. Ports 465 and 587 are mostly used by email programs (such as Outlook) to connect to the mail server and relay email through it.
If you are looking for messages that have been delivered from the Internet to your mailboxes, they will be recorded in the SMTP log for port 25.
Here are a couple of examples:
For these examples, we assume that our server handles email for example.com, and email for all other domains is hosted elsewhere.
In the first group, a message was sent from firstname.lastname@example.org. Our server initially responded with an "OK" (response codes in the 200-299 range mean "request was accepted").
The sending server then indicated that the message was addressed to email@example.com. Again, our server responded with "OK".
However, when our server was done examining the sender and the message, it responded that the delivery was rejected (response codes 500-599 mean "request was denied"). The reason for the failure is given after the response code. In this case, the message was rejected because it was most likely coming from a spam source.
The second message was sent from firstname.lastname@example.org (our server responded "OK") to email@example.com, a local mailbox. Our server checked the mailbox and responded "OK" again. The message had a size of 23533 bytes and our server finally responded that it had been accepted for delivery. The "ok 1615286631 qp 15309" part contains information about the mail server process that took over the delivery.
On ports 465 and 587, you are most likely going to see outgoing messages. The following log entries describe a message that was sent from firstname.lastname@example.org and delivered to email@example.com:
Note that the firstname.lastname@example.org email address points to a local mailbox on the server. This means that the message never left our server.
However, the message is still considered to be "outgoing" from the point of view of the sending mailbox, email@example.com.
The delivery logs contain information about the actions taken by our mail server after accepting a message for delivery.
The message from firstname.lastname@example.org would appear here as well:
Here, our server initiated the delivery of the message from email@example.com by trying to deliver it to the local mailbox firstname.lastname@example.org. The result was that the message was delivered successfully.
There are three possible delivery outcomes:
The delivery log of the message from email@example.com to firstname.lastname@example.org tells a similar story. The message was successfully delivered to the local mailbox email@example.com:
Note that the sender (firstname.lastname@example.org) authenticated to the mail server before sending (the smtp_auth part). This is required when relaying email through our servers.
Spamdyke is an anti-spam system running on our servers. Each line in the Spamdyke log corresponds to one handled message.
Here are two examples:
Delivery of the first message was denied because the reverse DNS (RDNS) record of the source IP address was missing. This is the same message as the very first example above (from email@example.com).
The second message was OK, and it was allowed to be delivered.
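Because each Spamdyke line is one handled message, the log can be tallied directly to see how much mail was allowed or denied, and which source IPs were denied and why. The script below is an added example, not part of the original page or the host's tooling. It assumes the line layout that stock Spamdyke writes to syslog (a result code followed by "key: value" fields), and its sample lines, addresses and IPs are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the layout stock Spamdyke writes to syslog
# (assumption: this host's log uses the same layout; addresses and IPs are made up).
SAMPLE_LOG = """\
Mar  9 10:43:49 mail spamdyke[15301]: DENIED_RDNS_MISSING from: sender@example.org to: user@example.com origin_ip: 203.0.113.7 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: (empty)
Mar  9 10:43:51 mail spamdyke[15309]: ALLOWED from: friend@example.org to: user@example.com origin_ip: 198.51.100.20 origin_rdns: mx.example.org auth: (unknown) encryption: TLS reason: 250_ok_1615286631_qp_15309
Mar  9 10:44:02 mail spamdyke[15322]: DENIED_RDNS_MISSING from: other@example.net to: info@example.com origin_ip: 203.0.113.7 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: (empty)
Mar  9 10:44:10 mail qmail: unrelated line that must be skipped
"""

# Result code first, then "key: value" fields; a value runs to the next " key: " or end of line.
HEAD = re.compile(r"spamdyke\[\d+\]: (?P<result>[A-Z_]+) (?P<rest>.*)$")
FIELD = re.compile(r"(\w+): (.*?)(?= \w+: |$)")

def parse_line(line):
    """Return a dict for one Spamdyke line, or None if the line is not one."""
    m = HEAD.search(line)
    if not m:
        return None
    rec = dict(FIELD.findall(m.group("rest")))
    rec["result"] = m.group("result")
    return rec

def summarize(text):
    """Count outcomes, and denials per (result, origin_ip). One line = one message."""
    outcomes, denials = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a Spamdyke line
        outcomes[rec["result"]] += 1
        if rec["result"].startswith("DENIED"):
            denials[(rec["result"], rec.get("origin_ip", "?"))] += 1
    return outcomes, denials

if __name__ == "__main__":
    outcomes, denials = summarize(SAMPLE_LOG)
    print(dict(outcomes))
    for (result, ip), n in denials.most_common():
        print(f"{n:4d}  {result}  {ip}")
```

A source IP that is repeatedly denied for a missing RDNS record is a candidate for follow-up with the sending party if it turns out to be a legitimate mail server.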