Server 5.3: still no postfix logging to /var/log/mail.log?

Am I correct to conclude that Apple hasn't fixed the missing postfix logs which are supposed to end up in /var/log/mail.log? Or is there now some setting that gets my postfix logging in there and not only the greylisting logging?

Mac mini, macOS Sierra (10.12.4), Server 5.3

Posted on Apr 20, 2017 4:13 PM


Jun 15, 2017 6:16 AM in response to Gerben Wierda

Sorry, contained errors. Here is a fixed version.


#!/bin/bash

LOGDIR=/tmp # For testing
#LOGDIR=/var/log
LOGFILE="$LOGDIR/mail.log"
LOGDATEFILE="$LOGDIR/maillog.lastrun"
LOCKDIR="$LOGDIR/maillog.lock"


if mkdir "$LOCKDIR"
then
    # Lock acquired
    # Remove LOCKDIR when the script finishes, or when it receives a signal
    trap 'rm -rf "$LOCKDIR"' 0    # remove directory when script finishes


    ENDDATE=$(date -v-1S +"%Y-%m-%d %T")
    if [ ! -f "$LOGDATEFILE" ]
    then
        /usr/bin/log show --end "$ENDDATE" --predicate '(process == "smtp") || (process == "smtpd") || (process == "postscreen") || (process == "qmgr")' -info >> "$LOGFILE"
    else
        STARTDATE=`cat "$LOGDATEFILE"`
        /usr/bin/log show --start "$STARTDATE" --end "$ENDDATE" --predicate '(process == "smtp") || (process == "smtpd") || (process == "postscreen") || (process == "qmgr")' -info >> "$LOGFILE"
    fi
    /bin/echo -n "$ENDDATE" >"$LOGDATEFILE"


else
    # Another one is already running or the lock was not cleaned up
    echo >&2 "Cannot acquire lock on $LOCKDIR. Giving up"
    exit 0
fi

Jun 15, 2017 5:01 AM in response to Gerben Wierda

Hello,


In the Apple discussions I found another thread regarding Server 5.2/macOS Sierra, which describes the problem and provides a workaround based on the log command and cron.


Server 5.2 missing SMTP Logs


This was not really a solution for me, because I want to use fail2ban with postfix and the workaround suggested by the user "mac mini dabbler" always replaces the entire mail.log file and then completely reads the entire content again. So I made some changes to his concept and perhaps this also helps you and other users.


My workaround consists of two steps:

1. Add a script to get the log entries of the last minute of several SMTP processes and append them to the file /var/log/mail.log

2. Add a cron job to launch this script every minute


Step 1:


Open Terminal.


Add a directory called scripts in /usr/local and go to that directory:


#sudo mkdir /usr/local/scripts && cd /usr/local/scripts


Then use nano to edit and save a file called maillog.sh in that directory:


#sudo nano maillog.sh


Please paste the following code into that file:


---- copy below that line ----

#!/bin/bash

THEN=$(date -v-1M +"%Y-%m-%d %T")
NOW=$(date +"%Y-%m-%d %T")

if [ ! -f /var/log/mail.log ]
then
    touch /var/log/mail.log
fi

/usr/bin/log show --start "$THEN" --end "$NOW" --predicate '(process == "smtp") || (process == "smtpd") || (process == "postscreen") || (process == "qmgr")' -info >> /var/log/mail.log

---- copy above that line ----


Then press "ctrl-o" to save the file and after that "ctrl-x" to quit nano.


To make the file executable you need to enter


#sudo chmod a+x maillog.sh


Step 2:


#sudo env EDITOR=nano crontab -e


Paste the following text into the nano editor:


---- copy below that line ----

MAILTO=""
*/1 * * * * /usr/local/scripts/maillog.sh

---- copy above that line ----


Then press "ctrl-o" to save the file and after that "ctrl-x" to quit nano.


Enter


#sudo crontab -l


to check if the crontab exists.


Then open the Console app, go to /var/log, and check whether the mail.log file is present and is being filled.


It might not be a perfect solution for everyone, but for me it works OK.

Jun 15, 2017 5:31 AM in response to MacPro_de

This is very nice. It seems to me there is a small risk that between the previous NOW and the new THEN you will miss something. The same is maybe true if you end up exactly within a second. So, safest is to set NOW to now minus one second and make the start depend on the previous call (no previous call: forever). The state could be preserved by storing NOW in a file and using that instead. It would then even be possible to do intermediary calls (though to make that safe, you need to make sure that no two calls to the script overlap).


Something along the lines:

if [ ! -f /var/log/maillog.last ]
then
    FROM=''
else
    LAST=`cat /var/log/maillog.last`
    FROM="--start '$LAST'"
fi

NOW=$(date -v-1S +"%Y-%m-%d %T")
/bin/echo -n "$NOW" >/var/log/maillog.last
UNTIL="--end '$NOW'"

/usr/bin/log show "$FROM" "$UNTIL" --predicate '(process == "smtp") || (process == "smtpd") || (process == "postscreen") || (process == "qmgr")' -info >> /var/log/mail.log

I'm going to try this.

Jun 17, 2017 4:14 AM in response to Gerben Wierda

After reading your notes, I changed my script so that it appends the log entries of the last 62 seconds to mail.log.


#!/bin/bash

THEN=$(date -v-1M -v-2S +"%Y-%m-%d %T")
NOW=$(date +"%Y-%m-%d %T")

if [ ! -f /var/log/mail.log ]
then
    touch /var/log/mail.log
fi

/usr/bin/log show --start "$THEN" --end "$NOW" --predicate '(process == "smtp") || (process == "smtpd") || (process == "postscreen") || (process == "qmgr")' -info >> /var/log/mail.log


This should make sure that nothing gets lost. The worst thing that might happen is that some log entries will be loaded twice, but this is not important for my fail2ban filters. According to the system.log, this method works fine. Thanks again for your help.


If I want to check the realtime log, then I don't use my script, but the "stream" function of the log binary in Terminal:


sudo /usr/bin/log stream --predicate  '(process == "smtpd") || (process == "smtp") || (process == "postscreen") || (process == "qmgr")' -info


Unfortunately, I have not yet found a way to write/append the stream to a file.
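
Added example, not part of any post in this thread: one way to append overlapping `log show` windows (such as the 62-second window above) to mail.log without writing an entry twice, since a repeated failure line is counted again by a fail2ban retry counter. The function names `append_new` and `demo` and the sample log lines are constructed for illustration; the approach assumes that a full log line, timestamp included, identifies one entry.

```shell
#!/bin/bash
# append_new BATCH LOGFILE [TAIL_LINES]
# Appends to LOGFILE every line of BATCH that is not already among the last
# TAIL_LINES lines of LOGFILE, and prints how many lines were appended.
append_new() {
    local batch="$1" logfile="$2" tail_lines="${3:-5000}"
    local recent fresh count
    [ -f "$logfile" ] || : > "$logfile"
    recent=$(mktemp) || return 1
    fresh=$(mktemp) || { rm -f "$recent"; return 1; }
    tail -n "$tail_lines" "$logfile" > "$recent"
    # phase is unset (0) while awk reads $recent and 1 while it reads $batch,
    # so an empty $recent is never mistaken for the batch (the NR==FNR pitfall).
    awk 'phase == 0 { seen[$0] = 1; next } !seen[$0]++' \
        "$recent" phase=1 "$batch" > "$fresh"
    count=$(wc -l < "$fresh" | tr -d ' ')
    cat "$fresh" >> "$logfile"
    rm -f "$recent" "$fresh"
    echo "$count"
}

# Constructed sample run: two windows that overlap by one entry.
demo() {
    local dir
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
      '2017-06-17 04:00:01.120 smtpd[311]: connect from unknown[192.0.2.10]' \
      '2017-06-17 04:00:59.870 smtpd[311]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed' \
      > "$dir/window1"
    printf '%s\n' \
      '2017-06-17 04:00:59.870 smtpd[311]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed' \
      '2017-06-17 04:01:30.004 smtpd[311]: disconnect from unknown[192.0.2.10]' \
      > "$dir/window2"
    append_new "$dir/window1" "$dir/mail.log"   # prints 2
    append_new "$dir/window2" "$dir/mail.log"   # prints 1 (overlap skipped)
    wc -l < "$dir/mail.log" | tr -d ' '         # prints 3
    rm -rf "$dir"
}
```

In the cron script, the `log show` output would be redirected to a temporary batch file and passed to `append_new` together with /var/log/mail.log instead of being appended with `>>`.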
