// Services · Postfix
Postfix / Mail Server Logs
Postfix logs to syslog: /var/log/mail.log (Debian) or /var/log/maillog (RHEL). Each email produces multiple log lines as it passes through different Postfix daemons. The queue ID is the key to tracing a message end-to-end.
Tracing a Single Email End-to-End
Every log line for one email shares the same queue ID (e.g., 3AB1C2D3E4). Use grep "3AB1C2D3E4" /var/log/mail.log to trace its complete lifecycle.
# 1. Incoming SMTP connection accepted by smtpd Apr 10 19:00:01 mail postfix/smtpd[6001]: connect from mail.sender.com[198.51.100.10] Apr 10 19:00:01 mail postfix/smtpd[6001]: 3AB1C2D3E4: client=mail.sender.com[198.51.100.10] # 2. Message accepted, headers processed by cleanup Apr 10 19:00:01 mail postfix/cleanup[6002]: 3AB1C2D3E4: message-id=<unique@sender.com> # 3. Queue manager receives it Apr 10 19:00:01 mail postfix/qmgr[1234]: 3AB1C2D3E4: from=<sender@example.com>, size=4096, nrcpt=1 (queue active) # 4. smtp daemon delivers to remote server Apr 10 19:00:02 mail postfix/smtp[6003]: 3AB1C2D3E4: to=<recipient@dest.com>, relay=mail.dest.com[10.10.10.1]:25, delay=1.2, delays=0.1/0/0.8/0.3, dsn=2.0.0, status=sent (250 OK) # 5. Queue entry removed Apr 10 19:00:02 mail postfix/qmgr[1234]: 3AB1C2D3E4: removed # --- Deferred delivery (temporary failure) --- Apr 10 19:05:00 mail postfix/smtp[6010]: F1A2B3C4D5: to=<user@baddomain.xyz>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mail.baddomain.xyz:25: Connection refused) # --- RBL / spam policy rejection --- Apr 10 19:10:00 mail postfix/smtpd[6020]: NOQUEUE: reject: RCPT from unknown[91.200.12.5]: 554 5.7.1 Service unavailable; Client host [91.200.12.5] blocked using zen.spamhaus.org; from=<spam@example.net>, to=<user@ourdomain.com>
The delays= Field Explained
The delays=a/b/c/d field breaks total delay into four components:
| Position | Meaning |
|---|---|
| a | Time before queue manager (message acceptance, cleanup) |
| b | Time in queue manager (waiting to be dispatched) |
| c | Connection setup time to remote server |
| d | Actual message transmission time |
Postfix Daemon Reference
| Daemon | Role | What to Look For in Logs |
|---|---|---|
| smtpd | Receives incoming SMTP from other servers and clients | Authentication failures, rejected connections, SASL auth, RBL blocks, NOQUEUE entries |
| smtp | Outgoing SMTP delivery to remote servers | Delivery status (sent/deferred/bounced), relay address, DSN codes, TLS negotiation |
| submission | Authenticated client submission (port 587) | SASL login events, authenticated client IPs, outbound relay |
| cleanup | Normalizes headers, assigns queue ID, runs header checks | Message-ID assignment, header check rule violations |
| qmgr | Queue manager — dispatches messages to delivery agents | "queue active" = processing; "queue full" = backlog; removed = delivered |
| pickup | Picks up locally-submitted messages from maildrop queue | Messages from local programs (cron, PHP mail(), scripts) |
| local | Delivers to local Unix mailboxes | Local delivery success/failure, .forward file processing |
| lmtp | Delivers to LMTP server (e.g. Dovecot) | IMAP store delivery — critical for webmail setups |
| bounce | Generates non-delivery notifications (NDRs) | Bounce messages generated = delivery failures requiring attention |
| anvil | Connection rate and concurrency limiting | Connection rate statistics, max connection counts |
DSN Status Code Reference
DSN (Delivery Status Notification) codes follow the format X.Y.Z where X = status class (2=success, 4=transient failure, 5=permanent failure), Y = subject, Z = detail.
| Code | Category | Meaning |
|---|---|---|
| 2.0.0 | Success | Message delivered successfully. Final. Queue entry will be removed. |
| 4.x.x | Transient failure | Temporary error — Postfix will retry on schedule. Resolve within the retry window or message bounces. |
| 4.4.1 | No answer from host | Remote server not responding. Network issue or server down. Will retry per retry schedule. |
| 4.4.2 | Bad connection | Connection dropped mid-session. Network instability or remote server restart. |
| 4.7.1 | Delivery not authorized (temp) | Greylisting in effect. Remote will retry and delivery should succeed on second attempt. |
| 5.x.x | Permanent failure | Fatal error — message will bounce. Investigate and resolve. No further retries. |
| 5.1.1 | Bad destination mailbox | Recipient address doesn't exist. Typo or deleted account. |
| 5.1.2 | Bad destination system | Domain has no MX record or unresolvable hostname. |
| 5.7.1 | Delivery not authorized (perm) | Blacklisted, spam policy rejection, or SPF failure at remote server. |
| 5.7.26 | SPF/DMARC failure | Message failed SPF/DMARC authentication at recipient. Check SPF records and DKIM signing. |
💡 Find Any Email
By queue ID: grep "3AB1C2D3E4" /var/log/mail.logBy recipient:
grep "to=<user@domain.com>" /var/log/mail.log | tail -50By sender:
grep "from=<sender@domain.com>" /var/log/mail.log | tail -50Show current queue:
mailq | head -40 or postqueue -p | head -40