Welcome to the Linux Foundation Forum!

Logging outgoing message content

Hey team,

This feels like a question that's been answered before, but Google has turned up nothing, so here I am.

I have a RHEL server running sendmail that sends out a variety of notifications to a huge user base. Today, my manager got an email from that server, with no subject or body in it. Naturally, he's concerned that some of our users might've received similar messages and he wants me to investigate.

I can see that messages are being sent out if I review /var/log/maillog, but it doesn't show me any of the message content. What I want to do is log all outbound messages' contents, including the subject and body.

I realize this can generate a LOT of data very quickly, so naturally I would set up logrotate to clear it out on a pretty frequent basis.

Also, I'm not opposed to changing my mailer daemon (to postfix, for example).

Cheers,

- Rick

Comments

  • I have never used sendmail. Though I am saw there are good documentation that further explained the use of this package. I would first read the man page for sendmail and find any commands that will you do what you are requesting.

    Sendmail should have a configuration file that allows you to manipulate the the way the program works.

    I'll get back to you letting you know what can and cannot be done in regards to your request.

  • I can see that messages are being sent out if I review /var/log/maillog, but it doesn't show me any of the message content. What I want to do is log all outbound messages' contents, including the subject and body.
    - Rick



    When you say outbound messages are you referring to messages being sent to the hosts that your mail server serves are messages coming in to the server from the hosts? Is this server by any chance accepting email transfers from the Internet or only from in-house hosts?
  • I was reading how sendmail works through redhat's online documentation. I found a section that highlights stopping spam. However, I have yet to come across anything related to configuring what sendmail logs. Have a look at this section and see what you can find.

    18.3.2.5. Stopping Spam
    Email spam can be defined as unnecessary and unwanted email received by a user who never requested the communication. It is a disruptive, costly, and widespread abuse of Internet communication standards.

    Sendmail makes it relatively easy to block new spamming techniques being employed to send junk email. It even blocks many of the more usual spamming methods by default. Main anti-spam features available in sendmail are header checks, relaying denial (default from version 8.9), access database and sender information checks.

    For example, forwarding of SMTP messages, also called relaying, has been disabled by default since Sendmail version 8.9. Before this change occurred, Sendmail directed the mail host (x.edu) to accept messages from one party (y.com) and sent them to a different party (z.net). Now, however, Sendmail must be configured to permit any domain to relay mail through the server. To configure relay domains, edit the /etc/mail/relay-domains file and restart Sendmail
    
    
    ~]# service sendmail restart
    

    However users can also be sent spam from from servers on the Internet. In these instances, Sendmail's access control features available through the /etc/mail/access file can be used to prevent connections from unwanted hosts. The following example illustrates how this file can be used to both block and specifically allow access to the Sendmail server:
    badspammer.com ERROR:550 "Go away and do not spam us anymore" tux.badspammer.com OK 10.0 RELAY
    

    This example shows that any email sent from badspammer.com is blocked with a 550 RFC-821 compliant error code, with a message sent back. Email sent from the tux.badspammer.com sub-domain, is accepted. The last line shows that any email sent from the 10.0.*.* network can be relayed through the mail server.

    Because the /etc/mail/access.db file is a database, use the makemap command to update any changes. Do this using the following command as root:
    ~]# makemap hash /etc/mail/access < /etc/mail/access
    

    Message header analysis allows you to reject mail based on header contents. SMTP servers store information about an email's journey in the message header. As the message travels from one MTA to another, each puts in a Received header above all the other Received headers. It is important to note that this information may be altered by spammers.
    The above examples only represent a small part of what Sendmail can do in terms of allowing or blocking access. See the /usr/share/sendmail-cf/README file for more information and examples.

    Since Sendmail calls the Procmail MDA when delivering mail, it is also possible to use a spam filtering program, such as SpamAssassin, to identify and file spam for users. See Section 18.4.2.6, “Spam Filters” for more information about using SpamAssassin.

    https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-email-mta-sendmail.html#s3-email-mta-sendmail-changes

Categories

Upcoming Training