The sendmail program can keep the system administrator up-to-date about many aspects of mail delivery and forwarding. It does this by logging its activities using the syslog(3) facility. It can also gather (or aid in gathering) statistics about what it is doing. Information about things like total message volume and site connectivity, for example, can help the administrator to make sendmail more efficient. Information about the SMTP dialog that was used to send the message can help the administrator to solve delivery problems.
In this chapter we cover these three important aspects of sendmail. First, we explain the use of the syslog(3) facility and illustrate several ways to tune its logging. Second, we show the built-in means that sendmail has for recording statistics and other information and how scripts can be used to extend that information. Third, we explore ways to tune the performance of sendmail.
Logging is the process of issuing one-line warnings that will be either displayed to a human, archived to a file, or both. The mechanism that sendmail uses to produce these warnings is called syslog(3). The sendmail program is concerned only with issuing its warnings. Once they are issued, the syslog facility takes over and disposes of them in a manner described in the file /etc/syslog.conf. Statements in this file determine whether a warning is written to a device (such as /dev/console), appended to a file, forwarded to another host, or displayed on a logged-in user's screen.
In the following discussion of syslog and syslog.conf, we will describe the BSD 4.4 version. Some versions of UNIX, such as Ultrix, use the 4.2 version of syslog, but because syslog is public domain, we recommend upgrading and will not cover that old version here.
The syslog(3) facility uses two items of information in
determining how to handle messages: facility and level.
The facility is the category of program issuing a message.
The syslog facility can handle many categories, but
openlog("sendmail", LOG_PID, LOG_MAIL);
This tells syslog three things:
All messages should
be printed using
sendmail as the name of the
program doing the logging. This means that no matter what name is
used to run sendmail (such as newaliases or smtpd),
the name that is logged will always be
The LOG_PID tells syslog that the PID (process identification number) should be included when each message is written. This is necessary because sendmail forks often, and each parent and child will have a different PID. Because queue file identifiers are constructed from PIDs, this record helps to determine which invocation of sendmail created a particular queued file. The PID also allows messages from the daemon form of sendmail to be differentiated from others.
Just before sendmail issues a warning,
it looks at the logging level defined by its
L) option (see Section 34.8.33, LogLevel (L)).
If the severity of the warning is greater than the logging level,
nothing is output.
If the severity of the warning that it intends to issue is less than or equal to
the logging level (lower is more serious),
it issues that warning with a C language call like this:
pri is the syslog logging priority, and
is the text of the warning message. Note that
L) option (see Section 34.8.33) level
is different than the syslog priority.
The former is used internally by sendmail to decide
whether it should log a message. The latter is used by syslog
to determine how it will dispose of the message (if it gets one).
L) option sets a threshold at and below
which sendmail will issue warnings. When the
L) option has a
zero value, nothing is ever issued. When the
L) option has a low
value, only critical warnings are issued. At higher values,
less critical messages are also issued.
The syntax of the
L) option and the kinds of information
issued for each level are explained in Section 34.8.33.
For each level, all the information produced at lower levels is also
issued. That is, setting the
to 9 causes messages
for levels 1 through 8 also to be issued.
The relationship between the
option logging levels and
syslog priorities is shown in
|1||LOG_CRIT and LOG_ALERT|
The file syslog.conf (usually located in the /etc directory) contains routing commands for use by syslog. That file can be complex, because it is designed to handle messages from many programs other than sendmail, even messages from the kernel itself. Under SunOS the syslog.conf file is also complex because it is preprocessed by m4(1) when it is read by syslog.
The file syslog.conf is composed of lines of text that each have the form:
facility is the type of program that may be producing
level indicates the severity at or above which messages
should be handled. These levels correspond to the
option levels shown in
Table 26.1 of Section 26.1.1, "syslog(3)".
The complete list of syslog.conf levels used by sendmail is shown in
|Level||Meaning of Severity (Highest to Lowest)|
|Conditions requiring immediate correction|
|Critical conditions for which action may be deferred|
|Nonerrors that may require special handling|
|Statistical and informational messages|
|Messages used only in debugging a program|
target is one of the four possibilities shown in
It is the
target and the preceding
level that must be tuned for use by sendmail.
|@host||Forward message to named host|
|/file||Append message to named file|
|user,user,...||Write to users' screens, if logged in|
|Write to all logged-in users' screens|
For example, the following syslog.conf line causes messages from
facility) that are at or above severity "info"
level) to be appended to the file
facility target mail.info /var/log/syslog level
A typical (albeit much simplified) /etc/syslog.conf file might look like this:
*.err;kern.debug;user.none /dev/console *.err;kern.debug;user.none /var/adm/messages auth.notice @authhost mail.info /var/log/syslog *.emerg;user.none *
Notice that there may be multiple
on the left, each separated from the others by semicolons. The first
two lines handle messages for all facilities at level
all kernel messages (
kern) at level
above, and none of the levels (
none) for the
user. The first line sends those messages to
/dev/console, the computer's screen. The second
appends its messages to the file
The third line sends authorization messages (such as repeated login failures)
to the host named
The fourth line appends all messages printed by sendmail at
info and above (the
is level 10 and below)
to the file
The last line is an emergency broadcast facility. A message
to any facility (the
*) at the highest level (
for the facility
be written to the screen of all currently logged-in users (the target
Finally, note that facilities may be listed together by using a comma:
This causes the level
info to be the level for both
daemon. Only the facility
may be listed this way. The level may not, and (unfortunately)
the target may not.
L) option level
is 9 or above (see Section 34.8.33), sendmail logs one line of information for each
envelope sender and one line of information for each recipient delivery or
deferral. As sendmail has evolved, these lines of logging information
have grown more complex. Here, we discuss the lines produced by
Each line of information logged looks something like this:
Each line of output that syslog produces begins with five pieces
of information. The
date is the month, day, and time that the
line of information was logged (note that the year is absent).
host is the name of the host that produced this information
(note that this may differ from the name of the host on which the
log files are kept).
sendmail is literal. Because of the LOG_PID argument that is given
to openlog(3) by sendmail (see Section 26.1.1),
the process ID of the invocation of sendmail that produced
this information is included in square brackets.
Finally, each line includes the
qid queue identifier
(see Section 23.2.1, "The Queue Identifier") that uniquely identifies each message on
a given host.
This initial information is followed by a comma-separated list of
Which equate appears in which line depends on whether the line documents
the sender or the recipient and whether deliver succeed, failed, or was
we list the possibilities in alphabetical order. Then, in the sections
that follow, we describe the role that each plays.
|Section 22.214.171.124, "class= the queue class"||The queue class|
|Section 126.96.36.199, "delay= total time to deliver"||Total time to deliver|
|Section 188.8.131.52, "from= show envelope sender"||Show envelope sender|
|Section 184.108.40.206, "mailer= the delivery agent used"||The delivery agent used|
|Section 220.127.116.11, "msgid= the Message-ID: identifier"||The Message-ID: identifier|
|Section 18.104.22.168, "nrcpts= the number of recipients"||The number of recipients|
|Section 22.214.171.124, "pri= the initial priority"||The initial priority|
|Section 126.96.36.199, "proto= the protocol used in transmission"||The protocol used in transmission|
|Section 188.8.131.52, "relay= the host that sent or accepted the message"||The host that sent or accepted the message|
|Section 184.108.40.206, "size= the size of the message"||The size of the message|
|Section 220.127.116.11, "stat= status of delivery"||Status of delivery|
|Section 18.104.22.168, "to= show final recipient"||The final recipient|
|Section 22.214.171.124, "xdelay= transaction"||Transaction delay for this address only|
If the mail message contained a
(see Section 35.8, "Precedence"), the
reflects sendmail's interpretation of the keyword
that follows that header. For example, given the configuration command
The following header will yield a
class= value of
Precedence: header is present in the message, the value shown for
class= is zero.
class= is shown only for sender records.
A mail message can be delivered immediately, without ever having
been queued, or it can be queued and retried over and over
again until it either times out or succeeds.
delay= shows the total amount of time the message
took to be delivered. This period of time starts when sendmail
first receives the message and ends when the message is finally
delivered or bounced. This interval is displayed with the
delay= syslog line equate:
The time expression shows the time it took in hours (
HH), minutes (
and seconds (
SS) to handle delivery or rejection of the message.
If the delay exceeds 24 hours, the time expression is prefixed
with the number
of days and a plus character.
For example, the following message took 5 seconds to deliver or bounce:
The following message took 4 days, 2 hours, 16 minutes, and 2 seconds to deliver or bounce:
Note that the
delay= equate is shown only for recipient records.
addr is the address of the envelope sender with any
RFC822 commentary (see Section 35.3.4, "Comments in the Header Field") removed.
This will usually be the address of an actual person, but it can
postmaster or the value of the
in the case of a bounced message.
from= equate is shown only for sender records.
The sendmail program does not perform the actual delivery of mail.
Instead, it calls other programs (called mail delivery agents) to perform
mailer= equate shows the symbolic name (see Section 30.1, "Configuration File Syntax")
of the delivery agent that was used to perform delivery to the recipient"
A list of symbolic names assigned to delivery agents can be viewed
-d0.15 debugging switch (see Section 37.5.4, -d0.15).
mailer= equate is shown only for recipient records.
RFC822 requires that each email message have a unique worldwide
identifier associated with it. That identifier is listed with
Message-ID: header (see Section 35.10.19, Message-ID:)
and often looks something like this:
The information inside, and including,
the angle brackets is the message identifier.
That identifier is what is listed with the
If a mail message arrives without a
Message-ID: header, and
if your configuration file correctly includes a definition for
that header, a new identifier will be created and listed with
msgid=. If a
Message-ID: header is absent, and if
your configuration file incorrectly excludes a definition for
that header, the
msgid= equate will be excluded from
the syslog report.
msgid= equate is shown only for sender records.
root: bob, hans
and if bob's ~/.forward file contained this:
\bob |"/usr/ucb/vacation bob"
nrcpts= equate would show three recipients.
nrcpts= is included only with the sender record
and that record is emitted when the message is first processed.
Any later changes in aliasing that may happen while the message
is queued are not reported. Aliasing on remote machines
(as would be the case with exploder mailing lists)
is also not reported for obvious reasons.
pri= equate shows the initial priority assigned to
the message (see Section 35.8).
This value is calculated once when the message is first processed
and changed each time the queued file is tried. This
shows the initial value.
pri= syslog equate is displayed only for the
$r macro (see Section 31.10.31, $r) holds as its
value the protocol that was used when a mail message was first received.
That value is either SMTP, ESMTP, or internal
or is a protocol assigned with the
switch (see Section 36.7.32, -p). If
$r lacks a value,
proto= equate is omitted. If
$r has a value,
the first 20 characters of that value are printed following
proto= in the syslog line:
When running as a daemon and listening for incoming connections,
sendmail attempts to look up the true identity of
connecting users and hosts. When it can find that information, it
saves it in the
$_ macro (see Section 31.10.1, $-).
When transporting mail to other hosts, sendmail looks up the MX records for those hosts and connects to the MX records when they are available. If MX records are not available, sendmail connects to the hostname that is specified in the recipient address.
$_ information is available, that information
appears following the
If the sender is a local user, the login name and localhost will
appear in the
Otherwise, the canonical name of the host that actually accepted delivery will appear here:
In summary, the
relay= equate shows who really accepted
or sent the message. The
relay= syslog equate
is included with both sender and recipient records.
The size of an incoming SMTP message is the number of
bytes sent during the DATA phase (see Section 126.96.36.199, "Timeout.datainit"), including
The size of a message received via sendmail's standard input
is a count of the bytes received, including the newline characters.
In both instances the size is displayed with the
Note that this size is reported before sendmail adds or deletes any headers. Therefore for mail being relayed through a site, the size will usually be small coming in and somewhat larger going out.
size= syslog equate is produced only for sender
Whenever the delivery status of a mail message changes, sendmail
logs the event and includes the
status= to specify why
the change happened. For example, a mail message may initially
be queued because the recipient's host was down:
Later it might change again because it succeeded in being delivered:
stat=Sent (HAA03001 Message accepted for delivery)
In transmitting a mail message via SMTP the
will include the actual text that the other host printed
when it accepted the mail message, as shown above. But in delivering locally,
stat= is more succinct:
In the case of bounced mail the
stat= will show the reason
stat= syslog equate is included only in recipient
Each such address is that of a final recipient (from the point of the view of the local host) after all aliasing, list expansions, and processing of ~/.forward files.
xdelay= equate shows the total amount of time the message
took to be transmitted during final delivery.
This differs from
delay= in that
computed from when the message was originally received (and can be days),
xdelay= shows how fast the receiving host was
(and is usually seconds).
In the case of SMTP mail
xdelay= computation starts when sendmail successfully
connects to the remote host.
In the case of locally delivered mail the computation starts when
sendmail executes the delivery agent.
The computation ends when the dot is accepted at the close of the
DATA SMTP phase or when the local delivery agent exits.
The form of the
xdelay= looks like this:
The time expression shows the hours (
HH), minutes (
and seconds (
SS) it took to perform delivery via the
final delivery agent. In the case of networked mail that interval
can be long:
But in the case of locally delivered mail this interval can seem instantaneous:
The log files that syslog creates provide a wealth of information that can be used to examine and tune the performance of sendmail. To illustrate, we will present a simple shell script for printing daily total message volume.
In the following discussion
we will assume that sendmail logging is enabled
L) option, see Section 34.8.33,
is nonzero) and that
all syslog(8) messages for the facility
date host sendmail[pid]: quid: from=sender, size=bytes, ...
That is, for each
sender that is logged (the
also logs the total received size of the message
By summing all the
size= lines in a /var/log/syslog file,
we can generate the total volume of all messages received for the period
represented by that file. One way to generate such a total is
shown in the following Bourne shell script:
#!/bin/sh LOG=/var/log/syslog TOTAL=`(echo 0; sed -e '/size=/!d' -e 's/.*size=//' -e 's/,.*/+/' $LOG; echo p; ) | dc` echo Total characters sent: $TOTAL
The sed(1) selects only the lines in /var/log/syslog that
contain the expression
It then throws away all but
the number immediately following each
size= (the actual
number of bytes of each message), and appends a
 If other programs also put
size=expressions into the log file, you may also want to screen for "sendmail."
The entire sequence of processes is enclosed in parentheses. An echo
statement first prints a zero. Then the list of
sizes is printed. Finally, another echo
prints a character
p. The resulting combined output
might look like this:
123+ 456+ 7890+ p
+ suffixes, and the final
p are commands for the dc(1) program, which adds
up all the numbers (the
+ suffixes) and prints the
p). That total is saved in the variable
TOTAL for later use in the final echo statement.
The output of this simple script might look something like this:
Total characters sent: 8469
More sophisticated scripts are possible, but the Bourne shell's lack of arrays suggest that perl(1) would provide a more powerful scripting environment. Most of the scripts that are available publicly are written in the perl scripting language.