Adding RFC5322.From to Sendmail logs

Sendmail, by default, logs only the envelope "From" address (AKA RFC5321.From). I wanted to add the "From:" headers of outgoing messages (AKA RFC5322.From).1) So, in sendmail.mc I added the following at the bottom:

Klog syslog
HFrom: $>+LogFrom
SLogFrom
R$*        $: $(log From: $&{currHeader} $)

(Note that the block of spaces in the last line has to consist of TABs. For details of the syntax see e.g. "The whole scoop of the configuration file".)

Basically, this defines a map "log" and a ruleset "LogFrom", looks for "From:" and "rewrites" (R) any content via "log" to syslog, prepending "From:". The results in mail.log should look similar to

Sep 21 22:03:34 localhost sm-mta[1364]: u8LK3Y6P001364: From: "Full Name" <sender@example.net>
Sep 21 22:03:35 localhost sm-mta[1364]: u8LK3Y6P001364: from=<sender@mail.example.net.net>, size=724389, class=0, nrcpts=1, msgid=<005c01d21443$2bf4e600$83deb200$@example.net>, proto=ESMTP, daemon=MTA, relay=mail.example.net []
Sep 21 22:03:38 localhost sm-mta[1365]: u8LK3Y6P001364: to=<receiver@example.org>, delay=00:00:04, xdelay=00:00:03, mailer=local, pri=754801, dsn=2.0.0, stat=Sent

These sendmail.cf instructions make Sendmail log "From:" headers of both incoming and outgoing mail. Only the latter was my original intention; however, I appreciate the additional log data for incoming mail, too. It helps with debugging and answering user queries, since users often, and understandably enough, only mention RFC5322.From addresses.

2 From:s

However, much to my surprise, I found that Sendmail sometimes logged 2 "From:" headers even though the messages definitely had only 1. It turned out that Sendmail indeed inspects the contents of attachments if their "Content-type" is message/rfc822.

My colleague Johann Klasek, a true Sendmail aficionado, even dug into the source code to confirm my empirical findings. He also came up with the following rules to skip "From:" headers of attachments by means of a macro {InMessage} and an if-then type rewriting:

Klog syslog
HFrom: $>+LogFrom
HContent-Type: $>+CheckMessage
SLogFrom
R$*           $: <$&{InMessage}> $1                      are we in a message/rfc822 part?
R<> $*        $: $(log From: $&{currHeader} $) $1        if not then log the From: header
SCheckMessage
Rmessage/$*   $: $(macro {InMessage} $@ YES $) $1        set mark if Content-Type is message/*

In order to log "From:" headers of attached messages with e.g. the keyword "MIME-From:" instead of "From:", add the following line before SCheckMessage (i.e. at the end of ruleset SLogFrom):

R<YES> $*     $: $(log MIME-From: $&{currHeader} $) $1   embedded MIME part From: header

(Again, the aligned whitespace consists of TAB characters.)

Many thanks to Johann Klasek for his great help!

1) Since the world of eMail is unstoppably moving towards aligned and authenticated eMail (SPF, DKIM, DMARC, …), and since our mail server's volume is low and we don't need and don't do mail archiving, I was looking for ways to evaluate outgoing eMail by analyzing mail.log. After all, most information was already there. However, I needed the RFC5322.From headers to check domain alignment and make sure we send only eMail we are authorized to send.
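An added example (not from the original post) of the mail.log evaluation described above: it pairs each queue ID's logged "From:" header with its envelope from= entry and flags header domains that are unauthorized or not aligned with the envelope domain. The AUTHORIZED set, the sample log lines and the subdomain-based alignment test are assumptions made for illustration, and the log is assumed to contain only outgoing mail.

```python
import re
from collections import defaultdict
from email.utils import parseaddr

# Constructed sample in the log format shown above (not real log data).
SAMPLE_LOG = """\
Sep 21 22:03:34 localhost sm-mta[1364]: u8LK3Y6P001364: From: "Full Name" <sender@example.net>
Sep 21 22:03:35 localhost sm-mta[1364]: u8LK3Y6P001364: from=<sender@mail.example.net>, size=724389, class=0, nrcpts=1
Sep 21 22:04:10 localhost sm-mta[1370]: u8LK4A7Q001370: From: Billing <billing@example.com>
Sep 21 22:04:10 localhost sm-mta[1370]: u8LK4A7Q001370: MIME-From: someone@elsewhere.example
Sep 21 22:04:11 localhost sm-mta[1370]: u8LK4A7Q001370: from=<bounce@example.net>, size=1024, class=0, nrcpts=1
"""
AUTHORIZED = {"example.net"}  # assumption: domains this server may send for
LINE = re.compile(r"sm-mta\[\d+\]: (\w+): (.*)$", re.M)  # queue ID, message text
ENVELOPE = re.compile(r"from=<([^>]*)>")

def domain(addr):
    return addr.rpartition("@")[2].lower()

def covered(dom, parents):
    """True if dom equals, or is a subdomain of, one of parents."""
    return any(dom == p or dom.endswith("." + p) for p in parents)

def collect(log_text):
    """Group header From: and envelope from= domains by queue ID."""
    msgs = defaultdict(lambda: {"header": [], "envelope": None})
    for qid, rest in LINE.findall(log_text):
        if rest.startswith("From: "):  # "MIME-From:" lines never match here
            msgs[qid]["header"].append(domain(parseaddr(rest[6:])[1]))
        elif (env := ENVELOPE.match(rest)):
            msgs[qid]["envelope"] = domain(env[1])
    return msgs

def audit(log_text, authorized=AUTHORIZED):
    """Return {queue ID: [problems]} for messages that need a closer look."""
    findings = {}
    for qid, msg in collect(log_text).items():
        env, problems = msg["envelope"], []
        if len(msg["header"]) != 1:
            problems.append(f"{len(msg['header'])} From: headers logged")
        for hdr in msg["header"]:
            if not covered(hdr, authorized):
                problems.append(f"header domain {hdr} not authorized")
            # Approximation of relaxed alignment; an exact check needs the Public Suffix List.
            if env and not (covered(hdr, {env}) or covered(env, {hdr})):
                problems.append(f"header {hdr} not aligned with envelope {env}")
        if problems:
            findings[qid] = problems
    return findings
```

Calling audit(SAMPLE_LOG) reports only the second constructed message; the attachment's "MIME-From:" line is ignored, so it does not count as a second "From:" header.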

blog/160921_adding_rfc5322.from_to_sendmail_logs.txt · Last modified: 2016-09-23 15:27 by andreas