
Does anyone know of a good Postfix log file analysis program to find problems with particular users?

In this instance I'm not interested in general statistics or anything. I just want to do searches such as "all attempts for @gmail.com accounts to send mail to user@example.com" where example.com is a local domain.

The native Postfix logging has one line with a sender address and queue ID and later lines with the queue ID and the recipient(s) which may contain delivery errors. So I can't just grep for the data I want.

My problem is when I get complaints like "user@example.com can't receive mail from friend@gmail.com". In many cases it's trivial problems that can be difficult to diagnose, such as friend@gmail.com sending mail to user2@example.com where user2 has just added the sender to the spam list and not told anyone. So all parts of the server are working correctly but the users aren't getting what they want.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

On Thu, Oct 31, 2013 at 04:15:19PM +1100, Russell Coker wrote:
> The native Postfix logging has one line with a sender address and queue ID and later lines with the queue ID and the recipient(s) which may contain delivery errors. So I can't just grep for the data I want.

i've found that a two-pass search works well here - first pass to extract the queue ID (based on your search criteria), 2nd pass to grep for all log entries containing that queue ID.

i wrote a perl script back in 2001 to do this - i haven't actually used it in years, but i expect it still works.

http://taz.net.au/postfix/scripts/mailgrep.pl

    $ ./mailgrep.pl -h
    Usage:
        mailgrep.pl [options] [file ...]

        mailgrep.pl will scan the input file(s) and display matching log entries.

        if the --queue-id option is used, the program will just display all lines matching the --search string.

        if --queue-id is not used, the program will first scan the log file(s) and build up a list of QUEUE-IDs to search for, then it will display all log file lines matching those QUEUE-IDs.

        If no filenames are provided, it will default to /var/log/mail.log

        If any of the log files are compressed, the program will invoke the appropriate decompressor programs to open them (zcat, gzcat, and bzcat are supported).

        Examples:

        to search for all log entries related to "foobar@example.com":

            mailgrep.pl -s foobar@example.com

        to search for all log entries with two known queue-IDs:

            mailgrep.pl -q -s 503991407CA -s 9F2391407CA

        (C) Copyright Craig Sanders <cas@taz.net.au>, 2001

        This program is licensed under the terms of the GNU GPL

    Options:
        --help, -h, -?
            Print a brief help message and exit.

        --search, -s
            String(s) to search for. This option may be repeated multiple times on the command line. The strings can be plain text or any valid perl regular expression.

        --queue-id, -q
            search string is a queue-id, not a pattern.

craig

--
craig sanders <cas@taz.net.au>

On Thu, Oct 31, 2013 at 06:52:09PM +1100, Craig Sanders wrote:
> i wrote a perl script back in 2001 to do this - i haven't actually used it in years, but i expect it still works.

i forgot that this script also needs openlogfile.pl to be downloaded and saved in the same directory. it contains a subroutine to open logfiles whether they are compressed or not.

http://taz.net.au/postfix/scripts/openlogfile.pl

craig

--
craig sanders <cas@taz.net.au>

On 31/10/13 18:15, Russell Coker wrote:
> Does anyone know of a good Postfix log file analysis program to find problems with particular users?
>
> In this instance I'm not interested in general statistics or anything. I just want to do searches such as "all attempts for @gmail.com accounts to send mail to user@example.com" where example.com is a local domain.
>
> The native Postfix logging has one line with a sender address and queue ID and later lines with the queue ID and the recipient(s) which may contain delivery errors. So I can't just grep for the data I want.
>
> My problem is when I get complaints like "user@example.com can't receive mail from friend@gmail.com". In many cases it's trivial problems that can be difficult to diagnose, such as friend@gmail.com sending mail to user2@example.com where user2 has just added the sender to the spam list and not told anyone. So all parts of the server are working correctly but the users aren't getting what they want.

You can extract details from different log lines and put them on lines which represent a single email like so:

    #!/bin/bash
    LOG="$1"    # log file to search
    # grep patterns for the sender, recipient and message-id lines
    FROM='postfix/qmgr.*from='
    TO='postfix/smtp.*to='
    MSGID='postfix/cleanup.*message-id='
    # print "queue-id: key=value" ($6 $7) for matching lines, sorted for join
    fields() { grep "$1" "$LOG" | awk '{print $6,$7}' | sort; }
    join <(join <(fields "$FROM") <(fields "$TO")) <(fields "$MSGID")

Run the example script with the name of your log file as an argument.

No doubt this could be done much more efficiently with a single pass over the log, but this approach is fine for many purposes.

As formulated above, you may get multiple lines relating to the same email if there are multiple recipients, and also if there are multiple delivery attempts. Not too hard to work around if it's an issue.

Andrew
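
The single-pass correlation discussed in this thread, as an added example that is not part of any poster's message: it remembers the sender per queue ID, prints one line (queue ID, sender, recipient, status) per delivery attempt that matches both regexes, and also reports SMTP-time rejections, which Postfix logs as NOQUEUE lines with no queue ID. It assumes the traditional syslog layout with the queue ID in field 6; `mailpairs` and `sample_log` are names made up here, and the log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): one pass over a Postfix log, pairing
# each recipient line with the sender seen earlier for the same queue ID.
# Usage: mailpairs SENDER_REGEX RCPT_REGEX [logfile ...]   (stdin if no file)
mailpairs() {
    sre=$1; rre=$2; shift 2
    # Regexes travel via the environment, so awk -v escape handling is avoided.
    SRE=$sre RRE=$rre awk '
    function addr(line, key,    s, e) {     # text between key=< and >
        s = index(line, key "=<"); if (!s) return ""
        line = substr(line, s + length(key) + 2)
        e = index(line, ">")
        return e ? substr(line, 1, e - 1) : ""
    }
    BEGIN { sre = ENVIRON["SRE"]; rre = ENVIRON["RRE"] }
    $5 !~ /^postfix\// { next }
    # Rejected at SMTP time: no queue ID, sender and recipient on one line.
    $6 == "NOQUEUE:" {
        f = addr($0, "from"); t = addr($0, "to")
        if (f ~ sre && t ~ rre) print "NOQUEUE", f, t, "rejected"
        next
    }
    $7 ~ /^from=</ { from[$6] = addr($0, "from"); next }
    $7 ~ /^to=</ && ($6 in from) {
        t = addr($0, "to"); st = "unknown"
        if (match($0, /status=[a-z]+/)) st = substr($0, RSTART + 7, RLENGTH - 7)
        q = $6; sub(/:$/, "", q)
        if (from[$6] ~ sre && t ~ rre) print q, from[$6], t, st
        next
    }
    # A queue ID can be reused after removal, so forget its sender.
    $7 == "removed" { delete from[$6] }
    ' "$@"
}

# Constructed sample log (traditional syslog layout, queue ID in field 6).
sample_log() { cat <<'EOF'
Oct 31 10:00:01 mx postfix/cleanup[1236]: 3A1B2C4D5E: message-id=<m1@mail.gmail.com>
Oct 31 10:00:01 mx postfix/qmgr[999]: 3A1B2C4D5E: from=<friend@gmail.com>, size=2048, nrcpt=1 (queue active)
Oct 31 10:00:02 mx postfix/local[1240]: 3A1B2C4D5E: to=<user2@example.com>, relay=local, delay=0.5, dsn=2.0.0, status=sent (delivered to mailbox)
Oct 31 10:00:02 mx postfix/qmgr[999]: 3A1B2C4D5E: removed
Oct 31 10:05:00 mx postfix/smtpd[1250]: NOQUEUE: reject: RCPT from unknown[192.0.2.20]: 554 5.7.1 <user@example.com>: Recipient address rejected: Access denied; from=<friend@gmail.com> to=<user@example.com> proto=ESMTP helo=<mail-y.google.com>
Oct 31 10:06:00 mx postfix/qmgr[999]: 3A1B2C4D5E: from=<other@example.org>, size=100, nrcpt=1 (queue active)
Oct 31 10:06:01 mx postfix/local[1260]: 3A1B2C4D5E: to=<user@example.com>, relay=local, delay=0.1, dsn=2.0.0, status=sent (delivered to mailbox)
EOF
}
sample_log | mailpairs '@gmail\.com$' '@example\.com$'
```

On the sample, the gmail sender shows up once delivered to user2 and once rejected for user, while the later message that reuses the same queue ID is attributed to its own sender.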
participants (3)
- Andrew McNaughton
- Craig Sanders
- Russell Coker