Postfix

LogZilla App Store application: Postfix

Overview

Postfix is a popular open-source Mail Transfer Agent (MTA) that routes and delivers electronic mail. Designed as a faster, more secure, and easier-to-administer alternative to Sendmail, it is widely deployed on Unix-like systems.

App Function

  • Parse Postfix syslog messages for delivery status and connection events
  • Extract recipient/sender email addresses, relay servers, and client IPs
  • Categorize events (delivery, delivery_failure, connection, reject, queue)
  • Provide dashboards for monitoring mail flow and delivery issues
  • Alert on bounced emails and relay access denials

Vendor Documentation

Device Configuration

Postfix logs to syslog by default. Configure the syslog daemon to forward mail facility logs to LogZilla:

  1. Edit /etc/rsyslog.conf or create /etc/rsyslog.d/logzilla.conf

  2. Add a forwarding rule (a single @ forwards over UDP; use @@logzilla-server:514 for TCP):

    ```text
    mail.*    @logzilla-server:514
    ```

  3. Restart rsyslog:

    ```bash
    systemctl restart rsyslog
    ```

Verification

Send a test email and verify events appear in LogZilla with program name Postfix.

Incoming Log Format

```text
<date> <hostname> postfix/<service>[<pid>]: <queue_id>: <details> status=<status>
```

  • date - Timestamp of the log entry
  • hostname - Server generating the log
  • service - Postfix component (smtp, smtpd, qmgr, local, bounce)
  • queue_id - Unique message identifier
  • status - Delivery status (sent, bounced, deferred, expired)

Parsed Metadata Fields

| Field | Tag Name | Description |
|---|---|---|
| (auto) | Event Class | Cross-vendor classification (network or security) |
| Event type | Postfix Event | Event category (delivery, delivery_failure, etc.) |
| Status | Postfix Status | Delivery status (sent, bounced, deferred, etc.) |
| Recipient | Postfix To | Recipient email address |
| Sender | Postfix From | Sender email address |
| Relay | Postfix Relay | Relay server used for delivery |
| Client IP | SrcIP | Source IP from connection/reject events |

Dashboards

| Dashboard | Purpose |
|---|---|
| Postfix: Overview | Bounced/deferred/rejected counts, top failed recipients, relay servers |

Triggers

| Trigger | Condition | Actions |
|---|---|---|
| Postfix: Email bounced | status=bounced | mark_known, mark_actionable |
| Postfix: Email deferred | status=deferred | mark_known |
| Postfix: Relay access denied | reject event | mark_known, mark_actionable, notify |

Log Examples

Successful Delivery

```text
Jan  1 00:00:00 host1 postfix/smtp[1234]: 1234ABCD: to=<[email protected]>, relay=smtp.example.com[192.168.1.1]:25, status=sent (250 OK)
```

Bounced Email

```text
Feb 28 12:34:56 server-01 postfix/smtp[5678]: 9876ZYXW: to=<[email protected]>, status=bounced (User unknown)
```

Connection Event

```text
Apr 10 08:15:30 mx1 postfix/smtpd[1111]: connect from mail.sender.com[10.0.0.50]
```

Relay Denied

```text
May 20 14:22:45 mx1 postfix/smtpd[2222]: NOQUEUE: reject: RCPT from spammer.bad.com[192.168.100.99]: 554 5.7.1 Relay access denied
```
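The following Python script is an added example, not LogZilla's own parser, showing how the Incoming Log Format above can be broken into the Parsed Metadata Fields and how the resulting events map onto the categories and trigger actions listed earlier on this page. The regular expressions, the rule order in `classify()`, the mapping of rejects to the "security" Event Class, and the sample log lines (addresses invented, following the page's examples) are all assumptions made here.

```python
"""Parse Postfix syslog lines into the metadata fields and event categories
described on this page. Added example, not LogZilla's own code: the regexes,
the classify() rule order and the event-class mapping are assumptions."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# "<date> <hostname> postfix/<service>[<pid>]: <rest>"
HEADER_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"postfix/(?P<service>[\w-]+)\[(?P<pid>\d+)\]: (?P<rest>.*)$"
)
# Leading "<queue_id>: ": short (uppercase hex) or long-format ids, or NOQUEUE for
# rejects issued before a queue file exists. connect/disconnect lines have none.
QUEUE_RE = re.compile(r"^(?P<queue_id>NOQUEUE|[0-9A-Z]{6,}|[0-9A-Za-z]{12,}): (?P<details>.*)$")
# key=value pairs: a <bracketed address>, or a token with an optional "(text)" suffix.
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+(?: \([^)]*\))?)")
# "connect from host[ip]" / "RCPT from host[ip]": the SMTP client, not the relay.
CLIENT_RE = re.compile(r"from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]")

FAILURE_STATUSES = {"bounced", "deferred", "expired"}


@dataclass
class PostfixEvent:
    date: str
    hostname: str
    service: str
    pid: int
    queue_id: Optional[str]
    event_type: str
    event_class: str
    status: Optional[str] = None
    recipient: Optional[str] = None
    sender: Optional[str] = None
    relay: Optional[str] = None
    client_ip: Optional[str] = None


def classify(service: str, details: str, status: Optional[str]) -> str:
    """Map a line to the page's event categories (assumed rule order)."""
    if details.startswith("reject:"):
        return "reject"
    if status == "sent":
        return "delivery"
    if status in FAILURE_STATUSES:
        return "delivery_failure"
    if re.match(r"(dis)?connect from ", details):
        return "connection"
    if service == "qmgr":
        return "queue"
    return "other"


def parse_line(line: str) -> Optional[PostfixEvent]:
    """Return a PostfixEvent, or None for syslog lines not written by Postfix."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    q = QUEUE_RE.match(rest)
    queue_id, details = (q.group("queue_id"), q.group("details")) if q else (None, rest)

    kv = {k: v.strip("<>") for k, v in KV_RE.findall(details)}
    # "sent (250 OK)" -> "sent": the SMTP reply text is not kept as a field.
    status = kv["status"].split(" ", 1)[0] if "status" in kv else None
    client = CLIENT_RE.search(details)
    event_type = classify(m.group("service"), details, status)
    return PostfixEvent(
        date=m.group("date"), hostname=m.group("hostname"),
        service=m.group("service"), pid=int(m.group("pid")), queue_id=queue_id,
        event_type=event_type,
        # Assumed mapping of the page's "network or security" Event Class.
        event_class="security" if event_type == "reject" else "network",
        status=status, recipient=kv.get("to"), sender=kv.get("from"),
        relay=kv.get("relay"), client_ip=client.group("ip") if client else None,
    )


def trigger_actions(ev: PostfixEvent) -> List[str]:
    """Actions for an event, following the page's Triggers table."""
    if ev.status == "bounced":
        return ["mark_known", "mark_actionable"]
    if ev.status == "deferred":
        return ["mark_known"]
    if ev.event_type == "reject":
        return ["mark_known", "mark_actionable", "notify"]
    return []


def count_by_type(lines: List[str]) -> Counter:
    """Per-category counts of the kind the Overview dashboard charts."""
    return Counter(e.event_type for e in map(parse_line, lines) if e)


# Constructed sample lines following the page's format (addresses invented).
SAMPLE_LINES = [
    "Jan  1 00:00:00 host1 postfix/smtp[1234]: 1234ABCD: to=<user@example.com>, "
    "relay=smtp.example.com[192.168.1.1]:25, status=sent (250 OK)",
    "Feb 28 12:34:56 server-01 postfix/smtp[5678]: 9876ZYXW: to=<nobody@example.net>, "
    "status=bounced (User unknown)",
    "Apr 10 08:15:30 mx1 postfix/smtpd[1111]: connect from mail.sender.com[10.0.0.50]",
    "May 20 14:22:45 mx1 postfix/smtpd[2222]: NOQUEUE: reject: RCPT from "
    "spammer.bad.com[192.168.100.99]: 554 5.7.1 Relay access denied",
    "Jun  3 09:00:01 mx1 postfix/qmgr[3333]: ABCDEF0123: from=<sender@example.org>, "
    "size=2048, nrcpt=1 (queue active)",
    "Jun  3 09:00:02 mx1 sshd[4444]: Accepted publickey for admin",  # not Postfix
]

if __name__ == "__main__":
    for ev in filter(None, map(parse_line, SAMPLE_LINES)):
        print(ev.event_type, ev.event_class, ev.status, ev.recipient, ev.client_ip, trigger_actions(ev))
    print(count_by_type(SAMPLE_LINES))
```

Note that the client IP is taken only from `connect from` and `reject: ... from` text, so the relay's bracketed address in a delivery line is kept in the Relay field and never mistaken for a source IP, matching the "Source IP from connection/reject events" description of SrcIP.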