MTA transaction log entry format

The format of message transaction log entries and connection transaction log entries is subject to change. By default, message transaction log entries and connection transaction log entries all  appear in the same message log files (  files);  however, if the MTA option     is set, then the connection transaction log entries will  instead appear in the connection transaction log files  (  files).

Currently, by default, each message transaction log entry contains eight or nine fields, e.g.,

    19-Jan-1998 19:16:57.64 tcp_intranet tcp_local   E 1 adam@domain.com rfc822;mark@innosoft.com mark@innosoft.com
    (1)                     (2)          (3)         (4)(5) (6)          (7)                      (8)               (9)

These fields are:

 * (1) The date and time when the entry was made.
 * (2) The channel name for the source channel.
 * (3) The channel name for the destination channel.
 * (4) The type of entry; see Message logging entry action type codes.
 * (5) The size of the message.[1] This is expressed in kilobytes by default, although this default can be changed by using the     MTA option. If message size is not an exact  multiple, then the size is rounded up to the next block for logging purposes. (Note that in "Q" records, the size is not necessarily the size of the message as a whole, but rather indicates the amount of message processed before the delivery attempt failed: in particular, the size field in a "Q" record may be 0 such as in cases where the MTA's SMTP client encounters a connection failure, or the size field may correspond to the full size of the message such as in cases where the MTA's SMTP client encounters message rejection after the final ".", or in cases such as a network disconnect part way through message transfer the size field will indicate roughly at what point in message transfer the disconnect occurred.)
 * (6) The envelope From address. Note that for messages with an empty envelope From address, such as notification messages, this field will be blank.
 * (7) The original form of the envelope To address. (Note that this is the ORCPT value, and hence follows ORCPT syntax; see RFC 3461. Also note that the semantics of ORCPT are neither "originally submitted address", nor "address originally given to this MTA", and hence ORCPT only sometimes corresponds to one or the other or both. For the "address originally given to this MTA", see instead the    MTA option.)
 * (8) The active (current) form of the envelope To address.
 * (9) The delivery status (SMTP channels only).

In addition to the default message transaction fields (shown above), the MTA may optionally be configured to log additional information to the message transaction log file; see the   MTA options  described in  Transaction logging MTA options. With,   ,   ,   ,   ,   ,   ,   ,   , and    all  enabled, the format becomes as follows. (Note that the sample transaction log entry line has been wrapped for typographic reasons; the actual message transaction log entry would appear on one physical line.)

    19-Jan-1998 13:13:27.10 hosta  2e2d.5.1 tcp_local   tcp_intranet E 1 service@innosoft.com
    (1)                     (10)   (11)     (2)         (3)          (4)(5) (6)
    rfc822;adam@domain.com adam 276
    (7)                    (8)  (12)
    /opt/sun/comms/messaging64/data/queue/tcp_intranet/ZZi0D4d9f5mwC.00
    (13)
    <01IWFVYLGTS499EC9W@innosoft.com> <01IWFVYLGTS499EC9Y@innosoft.com>
    (14)                              (15)
    mailsrv innosoft.com (innosoft.com [192.160.253.66]) 0 3
    (16)    (17)                                         (18) (19) (9)

Here the additional fields, beyond those already discussed above, are:

 * (10) The name of the node on which the channel process is running.
 * (11) The process id (expressed in hexadecimal), followed by a period (dot) character, if it is a multithreaded channel entry   a process id and another period (dot), and finally a count.
 * (12) The NOTARY (delivery receipt request) flags for the message, expressed as an integer.
 * (13) The file name in the MTA queue area.
 * (14) The envelope id.
 * (new in MS 8.0 and not shown in the above example) Tracking ID.
 * (new in MS 8.0 and not shown in the above example) Deferred delivery time and expiry time.
 * (15) The message id.
 * (16) The username of the executing process. Note that in the case of Dispatcher services such as the SMTP server, this will be the username of the user who most recently did a startup of the Dispatcher.
 * (new in MS 7.0.5 and not shown in the above example) The SMTP MAIL FROM's AUTH parameter value.
 * (17) The exact connection information shown varies according to whether a message is incoming (E record) or outgoing (e.g., D record), whether or not the channel is an SMTP (or LMTP) channel, and for SMTP/LMTP channels for incoming messages, the specific bits set for the      MTA option. For incoming messages, the connection information consists of the sending system or channel name, such as the name presented by the sending system on the HELO/EHLO line (for incoming SMTP messages), or the enqueuing channel's official host name (for other sorts of channels). In the case of TCP/IP channels, the sending system's real name, that is, the symbolic name as reported by a DNS reverse lookup and/or the IP address, can also be reported within parentheses as controlled by the      channel options. This sample assumes use of one of these options, for instance use of the default      channel option, that selects display of both the name found from the DNS and IP address. This example also assumes that     is set, but that higher bits of      are not set. If bit 5 (value 32) of     were set, then the incoming connection information for a message incoming over TCP/IP would also include the entire transport information string,            . If bit 6 (value 64) of     were set, then the incoming connection information would also include the application information string,    just   for the case of incoming SMTP messages. For outgoing messages, e.g., D records, the connection information (due to  's bit 0/value 1 being set) is present only for SMTP/LMTP channels, and in such cases consists of the remote host name and the remote name as found in the DNS, the transport information string (see above), and the remote SMTP banner line. And this information is included at the start of the SMTP diagnostic field.
 * (18) The sensitivity for the message.
 * (new in MS 8.0 and not shown in the above example) The SMTP MT-PRIORITY associated with the transaction.
 * (19) The effective processing priority for the message; 3 corresponds to "normal" priority. Note that the effective processing priority may not be the same as the message's Priority: header value (if any); for instance, the        channel options can cause lowering of effective message processing priority.
 * (not shown in the above example) The intermediate form of the recipient address.
 * (not shown in the above example) The original (RCPT TO) form of the recipient address.
 * (new in MS 8.0 and not shown in the above example) LDAP attribute for local users.
 * (new in MS 7.0.5 and not shown in the above example) For messages delivered to the MS Message Store, the UID and UIDVALIDITY.
 * (new in MS 8.0 and not shown in the above example) SMTP FUTURERELEASE value.
 * (not shown in the above example) The Sieve filter actions applying to the message, including effects from verdicts from spam/virus package "plug-ins".
 * (new in MS 6.3 and not shown in the above example) The reason field (due to setting     ). It would appear in a message transaction log entry corresponding to a message rejection (for instance, an "R" or "K" entry), appearing just before the SMTP delivery status (SMTP diagnostic) field.
 * (not shown in the above example) The SMTP delivery status/SMTP diagnostic field (due to having the default of     set).
 * (new in MS 6.3 and not shown in the above example) The "time in queue" field (due to setting     ).
 * (new in MS 7.0.5 and not shown in the above example) Any conversion tags on the message.
 * (new in MS 7.0.5 and not shown in the above example) Any IMAP flags that have been set on the message by the MTA.
 * (new in MS 7.0.5 and not shown in the above example) Delivery flags.
 * (new in MS 8.0 and not shown in the above example) Callout delay timer values.
 * (new in MS 8.0 and not shown in the above example) String(s) logged due to the Sieve   " " action.

The maximum line length for message transaction records is 4096 characters.

Currently, each connection transaction log entry contains at least six fields, with the presence of up to five additional optional fields controlled by the MTA options  ,   ,   ,   , and   , e.g.,

    04-Sep-2002 01:00:04.23 host.domain.com 1f625.d.0 tcp_local   +            O TCP|129.153.12.42|25|123.4.5.67|65228 SMTP
    04-Sep-2002 01:00:05.21 host.domain.com 1f625.d.3 tcp_local   +            C TCP|129.153.12.42|25|123.4.5.67|65228 SMTP/TLS-192-DES-CBC3-SHA
    04-Sep-2002 01:00:06.23 host.domain.com 1f627.3.0 tcp_local   -            O TCP|129.153.12.42|4303|123.45.6.7|25 SMTP/domain.com/mail.domain.com
    04-Sep-2002 01:00:06.49 host.domain.com 1f627.3.3 tcp_local   -            C TCP|129.153.12.42|4303|123.45.6.7|25 SMTP/domain.com/mail.domain.com/TLS-192-DES-CBC3-SHA
    (1)                     (2)             (3)       (4)         (5)          (6) (7)                                 (8)

 * (1) The date and time when the entry was made.
 * (2) [Optional---only present when     is set.] (New in MS 6.3) The host name of the MTA system.
 * (3) [Optional---only present when        is set.] The process id (expressed in hexadecimal), followed by a period (dot) character and then a thread id, followed by a period (dot) character and a count.
 * (4) The channel name for the source channel. In the case of " " entries (outgoing messages), this is the name of the channel acting as SMTP client or LMTP client. Note, however, that in the case of " " entries (incoming messages), the name shown is that of the default channel for the Dispatcher service listening on the port and interface address for the incoming connection, so is typically merely one of      (for the SMTP server on port 25) or      (for the SMTP SUBMIT server on port 587) or      (for the LMTP server); in particular, channel "switching" due to      channel option based effects (such as switching to a   channel due to   or switching to a      channel due to  ) is not reflected in such entries. (In the case of "I" records, that is, ETRN records, this "source" channel field instead is used to display the name of the channel which the ETRN command would cause to run.)
 * (5) A plus,, or minus,     , indicating whether this is an inbound or outbound connection, respectively. That is, a  indicates a connection inbound to an SMTP, SMTP SUBMIT, or LMTP server; a      indicates a connection outbound by a channel acting as an SMTP (or LMTP) client.
 * (6) A code indicating the type of entry; see Connection logging entry action type codes.
 * (7) The transport information. This takes the form: TCP|local-IP|local-port|remote-IP|remote-port
 * (8) The application information. For inbound connections (to the SMTP server), the "O" (that is, open) records will just show " " in this field; the "C" (that is, close) records will just show " " unless TLS was used, in which case this field will show " ". The     string consists of "    ". (Note that the   field may not be present, and if present may be unreliable in the MTA, especially as of MS 6.0 and later, as the cipher information is not reliably reported back by the underlying NSS library in use.) For outbound connections, the field has some additional information, showing the initial host name (prior to DNS lookup) to which to connect, and the host name found from doing a DNS lookup, that is, the host name to which the connection was really made/attempted. In the case of outbound connections where TLS was used, the TLS information will also be shown in the C (that is, close) record. So for outbound connections, the field takes the form SMTP/initial-host/DNS-host or when TLS was used, the C records will take the form SMTP/initial-host/DNS-host/TLS-info. For instance,   might be a name used for e-mail addresses which merely has MX records, and then    will be the actual host name to which the connection was made (the name pointed to by an MX record).
 * (9) [Optional---only present if    .] In "I" records, the host name presented on the ETRN command line. In "U" records, the MTA AUTH error, if there was one.
 * (10) [Optional---only present if    .] In "U" records, the authenticated user.
 * (11) (New in MS 6.2) "C" records may include additional information about the reason for the close, if the close was due to an error. For instance, "Error reading SMTP packet" (in cases where the connection was dropped, for instance due to a network problem or the remote system aborting the connection), or "Timeout after x minutes trying to read SMTP packet" (in cases where the MTA times out the connection due to remote system inactivity).
 * (12) [Optional---only present if    .] (New in MS 6.3) "O" records may include the "time to open the connection", "Y" records may include the "time attempting to open a connection for an attempt that failed", and "C" records may include the total time the connection was open as a final field. This appears as a  attribute in XML format logs.
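The following Python code is an added example, not part of the product or its documentation: it parses connection transaction log entries in the layout shown above and returns the close ("C") records whose application information carries no TLS string. It assumes optional fields (2) and (3) are both logged, as in the page's samples; the function names and the last sample line are constructed for illustration.

```python
import re
from datetime import datetime

# Assumed layout: optional fields (2) host and (3) process id are both present,
# as in the page's samples. Anything after field (8) is kept as free text.
ENTRY = re.compile(
    r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<pid>[0-9a-f]+)\.(?P<tid>\w+)\.(?P<count>\w+)\s+"
    r"(?P<channel>\S+)\s+(?P<dir>[+-])\s+(?P<action>\S+)\s+"
    r"TCP\|(?P<lip>[^|\s]+)\|(?P<lport>\d+)\|(?P<rip>[^|\s]+)\|(?P<rport>\d+)\s+"
    r"(?P<app>\S+)(?:\s+(?P<rest>.+))?$"
)

def parse_connection_entry(line):
    """Return a dict for one connection transaction log line, or None."""
    m = ENTRY.match(line.strip())
    if m is None:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e.pop("ts"), "%d-%b-%Y %H:%M:%S.%f")
    e["pid"] = int(e["pid"], 16)  # the process id is logged in hexadecimal
    e["local"] = (e.pop("lip"), int(e.pop("lport")))
    e["remote"] = (e.pop("rip"), int(e.pop("rport")))
    e["inbound"] = e.pop("dir") == "+"
    app = e.pop("app").split("/")
    # Outbound: SMTP/initial-host/DNS-host[/TLS-info]; inbound: SMTP[/TLS-info]
    hosts = [] if e["inbound"] else app[1:3]
    tls = app[1 + len(hosts):]
    e["protocol"] = app[0]
    e["initial_host"], e["dns_host"] = (hosts + [None, None])[:2]
    e["tls"] = tls[0] if tls else None
    return e

def closes_without_tls(lines):
    """Close ("C") records whose application field shows no TLS information."""
    entries = filter(None, map(parse_connection_entry, lines))
    return [e for e in entries if e["action"] == "C" and e["tls"] is None]

# The first four lines are the page's samples; the last line is constructed.
SAMPLE = """\
04-Sep-2002 01:00:04.23 host.domain.com 1f625.d.0 tcp_local   +            O TCP|129.153.12.42|25|123.4.5.67|65228 SMTP
04-Sep-2002 01:00:05.21 host.domain.com 1f625.d.3 tcp_local   +            C TCP|129.153.12.42|25|123.4.5.67|65228 SMTP/TLS-192-DES-CBC3-SHA
04-Sep-2002 01:00:06.23 host.domain.com 1f627.3.0 tcp_local   -            O TCP|129.153.12.42|4303|123.45.6.7|25 SMTP/domain.com/mail.domain.com
04-Sep-2002 01:00:06.49 host.domain.com 1f627.3.3 tcp_local   -            C TCP|129.153.12.42|4303|123.45.6.7|25 SMTP/domain.com/mail.domain.com/TLS-192-DES-CBC3-SHA
04-Sep-2002 01:00:07.10 host.domain.com 1f625.e.2 tcp_local   +            C TCP|129.153.12.42|25|123.4.5.68|65301 SMTP Error reading SMTP packet
""".splitlines()

if __name__ == "__main__":
    for e in closes_without_tls(SAMPLE):
        print(e["time"], e["remote"], e["rest"])
```

Because the page notes that the cipher part of the TLS string may be missing or unreliable, treat the `tls` value as an indication that TLS was used rather than as evidence of the negotiated cipher.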

The maximum line length for connection transaction records is 4096 characters.

[1] The mechanism for computing size values in enqueue entries in the MTA transaction logs was revised for MS 7.0 update 2. Previously message sizes were computed based on counting octets in the input, which did not take various things, including charset-conversion, into account. It was done this way in order to facilitate certain calculations needed for performing message fragmentation. Now that message fragmentation has become a rarity, this approach is no longer appropriate, and the code has been changed to work directly with the output message.

See also:
 * separate_connection_log MTA Option
 * acceptalladdresses Option
 * binaryserver Option
 * chunkingclient Option
 * chunkingserver Option
 * error_text MTA options
 * MTA transaction logging
 * Transaction logging MTA options