Postfix (Email) - Logs

There are two kinds of Postfix logs:

  • Postfix server logs
  • Users' email logs (their mailboxes)

Typically, the Postfix server logs are logged to

  • /var/log/maillog

Typically, a user's new emails are stored in

  • /home/username/Maildir/new (non-root)
  • /root/Maildir/new (root)

If there are new emails in the new mail directory, each email is a file named with a string of pseudo-random data, for example 114879058.P856I6E4567229. This file contains the email itself, including its header metadata. The cat command can be used to view it.

  • cat /home/username/Maildir/new/114879058.P856I6E4567229
  • cat /root/Maildir/new/114879058.P856I6E4567229

Depending on the Linux distro you are using, one of the following commands will be used to view the mail log:

[root@mail ~]# tail -20 /var/log/maillog
[root@mail ~]# tail -20 /var/log/mail.log
[root@mail ~]# journalctl --since="today" | grep postfix


The -f option lets you view the mail log in real time, which can be very helpful in identifying the exact command that is causing some error in the log.

[root@mail ~]# tail -f /var/log/maillog
[root@mail ~]# tail -f /var/log/mail.log

SENT

If the mail log has dsn=2.0.0 and status=sent (250 2.0.0 OK), the relay server accepted the email. In this example, mail.isp.com accepted the email. Acceptance by the relay does not guarantee delivery: the ISP may still refuse to deliver the mail, for example if its spam filter has filtered the email. You will want to ensure your Postfix / Dovecot email server is configured to receive emails, because the ISP may send you an email that explains why the message was not delivered.

Aug 2 17:36:16 localhost postfix/smtp[4250]: 12A95860867: to=john.doe@example.com, relay=mail.isp.com, delay=xxx, delays=xxx, dsn=2.0.0, status=sent (250 2.0.0 OK)

BOUNCED

In the mail log, look for an event like the one shown below.

Aug 2 17:36:16 localhost postfix/smtp[4250]: 12A95860867: to=, relay=none, delay=68, delays=68/0.01/0.24/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=jeremy type=AAAA: Host not found)

For this error, follow the article on Host or domain name not found in the Postfix mail logs.

If the mail log has numerous events with the text unknown[ip address]: SASL LOGIN authentication failed: authentication failure, and you do not recognize the IP address, this could be hackers attempting to determine your Postfix user name. If there are numerous, repetitive attempts from the unknown IP address that look like guesses at your email server user name, you can be almost certain that hackers are attempting to guess your Postfix user name. This implies that you have not secured your Linux computer by setting up rules in the /etc/hosts.allow and /etc/hosts.deny files. Follow these directions to secure your Linux computer by setting up allow and deny rules.

  1. In Terminal, type nano /etc/hosts.allow and press Enter
  2. At the bottom of the file, type ALL: 192.168.0.0/24. Of course, if you are not on the 192.168 IP address range, enter your range.
  3. Press Ctrl O and Enter to save
  4. Press Ctrl X and Enter to exit the nano editor

Then do the same for the deny file:

  1. In Terminal, type nano /etc/hosts.deny and press Enter
  2. At the bottom of the file, type ALL: ALL
  3. Press Ctrl O and Enter to save
  4. Press Ctrl X and Enter to exit the nano editor

This should prevent the hackers from being able to connect to your computer and perform brute force username/password guessing attacks.
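As an added example that is not part of the original article, the following Python script ties the SENT, BOUNCED and SASL sections together: it parses maillog lines in the formats shown above, reports each delivery attempt's queue id, recipient, relay, DSN and status, and counts SASL authentication failures per client IP, flagging addresses outside a trusted range (192.168.0.0/24, matching the hosts.allow rule above) that exceed a threshold. The sample log lines, queue ids, the 203.0.113.x / 198.51.100.x addresses and the default threshold of 5 are constructed assumptions, not data from the page.

```python
"""Summarise a Postfix maillog: delivery outcomes (status/DSN per queue id) and
repeated SASL login failures per client IP.  Added example with constructed log
lines; the patterns follow the standard postfix/smtp and postfix/smtpd formats."""
import ipaddress
import re
import sys
from collections import Counter

# Syslog prefix shared by every Postfix line: "Mon dd HH:MM:SS host postfix/daemon[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"postfix/(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Delivery attempt: "QUEUEID: to=<rcpt>, relay=..., ..., dsn=x.y.z, status=word (detail)"
DELIVERY_RE = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+): to=<?(?P<to>[^>,]*)>?, .*?relay=(?P<relay>[^,]+), "
    r".*?dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+) \((?P<detail>.*)\)$"
)
# smtpd warning written for each failed SASL authentication attempt
SASL_FAIL_RE = re.compile(
    r"^warning: (?P<rdns>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]: SASL (?P<mech>\S+) authentication failed"
)

# Constructed sample log (not captured from a real server): one accepted delivery, one
# bounce, six LOGIN failures from an unknown external client, one failure from the LAN,
# one PLAIN failure from a second external client, and an unrelated connect line.
SAMPLE_LINES = [
    "Aug  2 17:36:16 mail postfix/smtp[4250]: 12A95860867: to=<john.doe@example.com>, "
    "relay=mail.isp.com[198.51.100.25]:25, delay=1.2, delays=0.05/0.01/0.6/0.5, "
    "dsn=2.0.0, status=sent (250 2.0.0 OK)",
    "Aug  2 17:36:16 mail postfix/smtp[4250]: 7B3C1860868: to=<jeremy>, relay=none, "
    "delay=68, delays=68/0.01/0.24/0, dsn=5.4.4, status=bounced (Host or domain name "
    "not found. Name service error for name=jeremy type=AAAA: Host not found)",
] + [
    f"Aug  2 17:40:0{i} mail postfix/smtpd[4301]: warning: unknown[203.0.113.77]: "
    "SASL LOGIN authentication failed: authentication failure"
    for i in range(6)
] + [
    "Aug  2 17:41:12 mail postfix/smtpd[4305]: warning: unknown[192.168.0.15]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Aug  2 17:42:30 mail postfix/smtpd[4310]: connect from unknown[203.0.113.77]",
    "Aug  2 17:43:00 mail postfix/smtpd[4310]: warning: unknown[198.51.100.9]: "
    "SASL PLAIN authentication failed: authentication failure, sasl_username=admin",
]


def parse_line(line):
    """Split one log line into its syslog prefix fields plus the Postfix message, or None."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def delivery_records(lines):
    """Return one dict per delivery attempt: qid, to, relay, dsn, status, detail, daemon."""
    records = []
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        m = DELIVERY_RE.match(entry["msg"])
        if m:
            rec = m.groupdict()
            rec["daemon"] = entry["daemon"]
            records.append(rec)
    return records


def status_counts(lines):
    """Count delivery attempts by status word (sent, bounced, deferred, ...)."""
    return Counter(rec["status"] for rec in delivery_records(lines))


def sasl_failures_by_ip(lines):
    """Count 'SASL ... authentication failed' warnings from smtpd per client IP."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and entry["daemon"] == "smtpd":
            m = SASL_FAIL_RE.match(entry["msg"])
            if m:
                counts[m.group("ip")] += 1
    return counts


def suspicious_sasl_clients(lines, threshold=5, trusted_nets=("192.168.0.0/24",)):
    """(ip, failures) for clients with >= threshold SASL failures that are not inside a
    trusted network, most failures first.  Threshold and trusted range are assumptions."""
    trusted = [ipaddress.ip_network(net) for net in trusted_nets]
    flagged = []
    for ip, n in sasl_failures_by_ip(lines).items():
        addr = ipaddress.ip_address(ip)
        if n >= threshold and not any(addr in net for net in trusted):
            flagged.append((ip, n))
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # With a path argument, read a real log (e.g. /var/log/maillog); otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LINES
    for rec in delivery_records(lines):
        print(f"{rec['qid']} {rec['status']:8} dsn={rec['dsn']} to={rec['to'] or '<empty>'} relay={rec['relay']}")
    print("status counts:", dict(status_counts(lines)))
    for ip, n in suspicious_sasl_clients(lines):
        print(f"{ip}: {n} failed SASL logins; candidate for a firewall rule or check_client_access REJECT")
```

Run it as python3 maillog_summary.py /var/log/maillog (or mail.log) to see the same summary for a live server. One caveat when acting on the flagged list: Postfix does not consult /etc/hosts.allow and /etc/hosts.deny itself, since those files are read only by services built with TCP wrappers, so the rules above protect wrapper-aware services such as sshd, while the SMTP listener is blocked by a host firewall rule or by a Postfix check_client_access map under smtpd_client_restrictions.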
