In response to Noel's followup, here is a proposal that can make
Postfix trouble shooting / anomaly detection easier. This would
reveal information that is currently available only by turning on
verbose logging.
Proposal:
The Postfix SMTP server maintains two counters for each known
command: one counter for the total number of times the command was
issued during an SMTP session, and one counter for the number of
normal completions (a 2XX reply status). These counters are reset
before the server accepts the next SMTP connection. Perhaps there
should also be a counter for unknown commands.
Upon disconnect. the Postfix SMTP server logs statistics for each
command that has a non-zero counter. The syntax is:
command-name=normal-completions/total
Example: a "normal" session with ESMTP handshake, one mail delivery
transaction with one recipient, and closed with "quit":
ehlo=1/1 mail=1/1 rcpt=1/1 data=1/1 quit=1/1
An "abnormal" session that drops after a rejected recipient:
helo=1/1 mail=1/1 rcpt=0/1
A "normal" ESMTP session with vrfy:
ehlo=1/1 vrfy=1/1 quit=1/1
An "abnormal" session that drops after 10 rejected AUTH commands:
ehlo=1/1 auth=0/10
The logging shows only counters for commands that were actually
issued. To save space we could replace "n/n" (two identical numbers)
with just "n". I don't know if this would actually simplify parsing.
As the examples show this is really a small amount of text, so there
is no reason to increase logging overhead by using a separate record.
Since the stats would be logged at the end of a session, they can
be logged in the "disconnect" record.
Wietse
