Postfix/mail.log

from HTYP, the free directory anyone can edit if they can prove to me that they're not a spambot

Notes

Not sure if there's any official documentation of the format, so this is reverse-engineered.

Sample lines (raw):

Feb 15 09:25:43 cloud2 dovecot: imap-login: Login: user=<harena>, method=PLAIN, rip=104.169.188.172, lip=45.55.148.146, mpid=32283, TLS, session=<PdnAys8r4QBoqbys>
Feb 15 09:25:46 cloud2 dovecot: imap-login: Login: user=<harena>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=32285, secured, session=<Ourpys8rIQB/AAAB>
Feb 15 09:25:46 cloud2 dovecot: imap(harena): Disconnected: Logged out in=402 out=1099

My interpretation:

Abbreviations:

  • rip: remote IP address (i.e. address of the email client)
  • lip: local IP address (i.e. address of the Postfix server)
  • mpid: not sure; "mail process ID"?

Breakdown of a line:

  • When: Feb 15 09:25:43
    • Server ID: cloud2
    • Daemon: dovecot
    • Action: imap-login
      • user: harena
      • auth method: plaintext via TLS
      • remote IP: 104.169.188.172
      • local IP: 45.55.148.146
      • mpid: 32283
      • session ID: PdnAys8r4QBoqbys
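
Added example (not part of the original page): a small Python parser that applies the breakdown above to the three sample lines and picks out logins from non-loopback addresses. The function names, the record keys (when, host, daemon, service, event, flags) and the handling of TLS/secured as bare flags are this example's assumptions, following the same reverse-engineered reading.

```python
import ipaddress
import re

# The three sample lines from the page, embedded so the example runs offline.
SAMPLE = """\
Feb 15 09:25:43 cloud2 dovecot: imap-login: Login: user=<harena>, method=PLAIN, rip=104.169.188.172, lip=45.55.148.146, mpid=32283, TLS, session=<PdnAys8r4QBoqbys>
Feb 15 09:25:46 cloud2 dovecot: imap-login: Login: user=<harena>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=32285, secured, session=<Ourpys8rIQB/AAAB>
Feb 15 09:25:46 cloud2 dovecot: imap(harena): Disconnected: Logged out in=402 out=1099
"""

# Layout assumed from the samples: "Mon DD HH:MM:SS host daemon: service: event: details"
LINE_RE = re.compile(
    r"^(?P<when>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<daemon>[^:\s]+): "
    r"(?P<service>[^:]+): (?P<event>[^:]+): (?P<details>.*)$")

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    details = rec.pop("details")
    rec["flags"] = []
    if rec["event"] != "Login":
        rec["details"] = details          # keep other events' text unparsed
        return rec
    for item in details.split(", "):
        key, sep, value = item.partition("=")
        if sep:
            rec[key] = value.strip("<>")  # user=<harena> -> harena
        else:
            rec["flags"].append(item)     # bare words such as TLS or secured
    return rec

def remote_logins(text):
    """List (when, user, rip, flags) for logins whose rip is not loopback."""
    found = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "Login" and "rip" in rec:
            if not ipaddress.ip_address(rec["rip"]).is_loopback:
                found.append((rec["when"], rec.get("user"), rec["rip"], rec["flags"]))
    return found

if __name__ == "__main__":
    for entry in remote_logins(SAMPLE):
        print(entry)
```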