Introduction
For a mail server to run smoothly and for incoming and outgoing email to be delivered reliably, it is critical to monitor its log files in real time. On Linux systems, these log files are usually located in /var/log/maillog. The most common command used to monitor this log file in real time is tail -f /var/log/maillog.
What Does tail -f /var/log/maillog Do?
This command allows you to monitor the last lines of the mail server's log file in real-time. When a new email is sent, received, or an error occurs, you will instantly see the information logged on the screen.
tail -f /var/log/maillog
With this command, the following situations can be monitored instantly:
- Email connection errors
- Authentication problems
- DNS/SMTP errors
- RBL blacklist status
- SpamAssassin scanning information
- DKIM, SPF, DMARC log entries
Which Mail Servers Use /var/log/maillog?
- Postfix: One of the most common MTAs, and its default log path is /var/log/maillog.
- Exim: Used in systems like WHM/cPanel, and the log path may be /var/log/exim_mainlog, but it can also write to maillog via a symbolic link.
- Sendmail: Used in older systems and can also use /var/log/maillog.
What Can Be Observed Through Logs?
When an email is sent, the log may produce an output like this:
May 13 14:00:21 server postfix/smtp[12345]: 9A1C812345: to=<[email protected]>, relay=mx1.domain.com[192.0.2.1]:25, delay=2.1, delays=0.1/0.02/0.5/1.5, dsn=2.0.0, status=sent (250 OK id=1hGzV4-0006Xz-JN)
Similarly, a failed mail attempt may look like this:
May 13 14:05:22 server postfix/smtp[23456]: 7B2D912345: to=<[email protected]>, relay=none, delay=10, status=bounced (host not found)
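As an added example (not part of the original article), the shell function below reads Postfix delivery lines like the two above and prints only the attempts that did not end in status=sent. The function names mail_failures and sample_maillog and the sample log lines are constructed for illustration, and the Postfix line format shown above is assumed.

```shell
#!/bin/sh
# Added example: list Postfix delivery attempts that did not end in status=sent.
# Output (tab-separated): queue ID, status, relay, reason from the trailing (...).
mail_failures() {
    awk '
    / postfix\/(smtp|lmtp|local|virtual|error)\[[0-9]+\]: / && / status=/ {
        qid = ""; status = ""; relay = "-"; reason = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^postfix\//) {            # next field is "QUEUEID:"
                qid = $(i + 1); sub(/:$/, "", qid)
            } else if ($i ~ /^relay=/) {
                relay = $i; sub(/^relay=/, "", relay); sub(/,$/, "", relay)
            } else if ($i ~ /^status=/) {
                status = $i; sub(/^status=/, "", status)
                break                           # ignore key=value text inside the reason
            }
        }
        if (status == "sent") next
        if (match($0, /status=[a-z]+ \(.*\)$/)) {
            reason = substr($0, RSTART, RLENGTH)
            sub(/^status=[a-z]+ \(/, "", reason); sub(/\)$/, "", reason)
        }
        printf "%s\t%s\t%s\t%s\n", qid, status, relay, reason
    }'
}

# Constructed sample lines in the format shown above (addresses and hosts are placeholders).
sample_maillog() {
    cat <<'EOF'
May 13 14:00:21 server postfix/smtp[12345]: 9A1C812345: to=<user@example.com>, relay=mx1.example.com[192.0.2.1]:25, delay=2.1, delays=0.1/0.02/0.5/1.5, dsn=2.0.0, status=sent (250 OK)
May 13 14:05:22 server postfix/smtp[23456]: 7B2D912345: to=<user@example.net>, relay=none, delay=10, dsn=5.4.4, status=bounced (host not found)
May 13 14:06:02 server postfix/smtp[23457]: 3C4E512345: to=<user@example.org>, relay=none, delay=30, dsn=4.4.1, status=deferred (connect to mx.example.org[192.0.2.9]:25: Connection timed out)
May 13 14:06:05 server postfix/smtpd[23460]: connect from unknown[198.51.100.7]
EOF
}

# Offline demo; on a live server use: tail -F /var/log/maillog | mail_failures
# (-F, unlike -f, keeps following the path after logrotate replaces the file).
sample_maillog | mail_failures
```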
How to Use the tail -f Command More Efficiently?
- Filtering with grep:
  tail -f /var/log/maillog | grep [email protected]
- Use ccze or multitail for colored and readable logs:
  tail -f /var/log/maillog | ccze -A
  or
  multitail /var/log/maillog
Tracking /var/log/maillog Logs on WHM
To examine Exim logs via WHM:
- WHM > Mail Delivery Reports
- WHM > Mail Queue Manager
- WHM > View Sent Summary
However, the tail -f /var/log/maillog command via SSH allows for more detailed and real-time monitoring.
If the Log File Is Full or Has Been Redirected
On some systems, the log file's location or rotation settings may have been changed. You can check this with:
grep maillog /etc/rsyslog.conf
or
grep -i mail /etc/logrotate.d/*
These commands show where the log file is located and how it is rotated.
Conclusion
The tail -f /var/log/maillog command is an indispensable command for system administrators who want to analyze problems in mail servers instantly. It allows you to easily analyze email delivery problems, authentication errors, and spam filtering. Its usability can be increased by supporting it with effective filtering and colored display commands.