Prev: debian based network appliance
Next: Which disk is failing?
From: Stanisław Findeisen on 22 Jul 2010 05:50
Hi

I have several simple questions regarding Logwatch reporting on Postfix
logs with Mailman involved, too.

(1) How does Logwatch work? Suppose an attacker manages to break into
the machine and deletes/changes parts of the logs. Will Logwatch get
tricked by this or not?
I guess Logwatch is just run periodically from cron, so the answer is yes...

(2) This is what appeared in my logwatch today:

> ################### Logwatch 7.3.6+cvs20080702-debian (07/02/08) ####################
> Processing Initiated: Thu Jul 22 09:30:47 2010
> Date Range Processed: yesterday
> ( 2010-Jul-21 )
> Period is day.
> [...]
> --------------------- Postfix Begin ------------------------
>
> 1 *Warning: Queue file size limit exceeded
>
> 16.730M Bytes accepted 17,542,489
> 29.163M Bytes sent via SMTP 30,579,186
> 8.382M Bytes delivered 8,788,693
> ======== ================================================

I'd like to understand the numbers. :-)

First, the traffic yesterday was really low. With one exception: I have
a Mailman mailing list, and 1 subscriber (Ilona) sent to it an e-mail
with about 4 MB in size. So, the e-mail was delivered to:

1. a Mailman command
2. a local mailbox of list member (just 1)
3. 7 non-local mailing list members:
3x gmail.com
1x gazeta.pl relay=ASPMX.L.GOOGLE.COM
3 other servers (all diferent).

The question is, how does this sum up to the Logwatch/Postfix numbers above.

* Does delivery to the mailman command and delivery to a local mailbox
(after mailman command execution) count each on its own, so there should
be ca. 4 MB + 4 MB? Or only the submission to the mailman command
counts, so there should be just 4 MB?

* Does 29 MB ("sent via SMTP") comes from 7 * 4 MB? As I said there are
3 Gmail members, so that would mean that they all add up. How many times
is e-mail body physically transmitted over the network in such a case?

* I have no idea where does 16.7 MB accepted comes from, though. However
before successful 4 MB submission by Ilona someone tried to send in an
e-mail that was too big:

> Jul 21 12:11:26 smtpd[31280]: connect from mail-ww0-f46.google.com[74.125.82.46]
> Jul 21 12:11:26 smtpd[31280]: 2E..36: client=mail-ww0-f46.google.com[74.125.82.46]
> Jul 21 12:11:26 cleanup[31284]: 2E..36: message-id=<AANLk...Ux(a)mail.gmail.com>
> Jul 21 12:11:34 smtpd[31280]: warning: 2E..36: queue file size limit exceeded
> Jul 21 12:11:39 smtpd[31280]: disconnect from mail-ww0-f46.google.com[74.125.82.46]

Does this failed submission count as "bytes accepted"??

What was its size??

Thank you!

STF

http://eisenbits.homelinux.net/~stf/
OpenPGP: DFD9 0146 3794 9CF6 17EA D63F DBF5 8AA8 3B31 FE8A

 | 
Pages: 1
Prev: debian based network appliance
Next: Which disk is failing?