Deciphering Log Files

Please contact us if you want us to add to this page :-)

Firstly, it should be noted that, in general, the log files are there for when things go wrong. As such, they need to contain enough specific information that DMail support staff can track down what has gone wrong. This is unfortunately what tends to make them unreadable :-)

This page has a few pointers and a few strings that are useful for working your way through a DMail server's log file, looking to see if a message has been delivered, etc.

The daily summary logs which DSMTP creates (named dmddmm.log, e.g. dm0304.log) are far more useful for finding out this sort of information, but we appreciate that at times the information in the log file is very useful to System Administrators as well.

The other useful tools are the status commands for both tellsmtp and tellpop. Probably the biggest thing to watch is the pending count. As a rough guide, expect it to be in the 10s on a small system, in the 100s on a medium system, and maybe into the thousands on a large system. A better guide is to take note of what is normal for your system, and if it increases by an order of magnitude . . . panic :-)

Searching for:

Searching for failed deliveries

Search dsmtp.log (or dsmtp1.log, etc. for older messages) for the string '(failed)'.

It will be at the end of a line like:
** Could not deliver message from <> to <> (failed)

This will only have been logged if you were running DSMTP at the info log level.

You will need to search upwards in the log from this line to find out the reason for the failed delivery.

Example 1 - TCPIP or Socket error

> 18/03 10:36:45 *** Warning *** sock: (Error on channel) The virtual
> circuit was reset by the remote side.

This is a normal glitch in the TCP/IP protocol.

> 18/03 10:36:45 *** Error *** In tcp_write (error) cant write 220
> DSMTP ESMTP Server v2.4f

This is the consequence of the warning above.

> 18/03 10:38:16 ** Lookup domain for channel 0 is
> 18/03 10:38:24 *** Error *** tcp: Channel closed or didn't open [2] 156

This means that the other end of the TCP/IP channel did not respond; the server may be temporarily down. The line above it is probably not related. Again, it is almost certainly nothing to worry about.

> 12/01 13:39:37 *** Warning *** socket: EINPROGRESS The open is pending

This is just TCP/IP-level socket information which we accidentally made into a warning message. It is nothing to worry about, and in later versions (2.7n I think) it becomes a debug level only message.

The socket is marked as non-blocking and the requested operation would block.

This message was mistakenly set as an ERROR: message in the past, but more recently has been put back to a Debug: level message.

It is a normal TCP/IP socket operation message which basically means that the program cannot write the next chunk of data to the socket (out to the user's email client) when it wants to.

It can be an indicator of a slow link, but is not proof of any problem on its own. For example, even a very fast link may not be as fast as the disk access and processing speed on your machine.

x failed logins from (ip_address username) in the last 10 minute

This message indicates that a person has tried to log in but failed too many times in the last 10 minutes. The message that the user sees is:

-ERR too many guesses - wait 10 minutes then try again

This may indicate that someone is trying to guess passwords on your system, or it may be that a user is having a problem remembering their password.

This is a fairly new feature in DPOP that was added to its other 'password guessing' mechanisms in order to help make password guessing difficult. The log line shows the IP address which the user making the guess was connecting from, as well as the username whose password they were trying to guess.
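To help tell the two cases above apart (one address trying many usernames versus one user repeatedly failing on their own account), the following added example groups the failed-login lines by source IP address. It is not part of DMail; the exact line layout (a date/time prefix followed by the message template shown above), the sample lines and the `user_threshold` value are assumptions.

```python
import re
from collections import defaultdict

# Assumed layout, built from the template on this page:
#   "<x> failed logins from (<ip_address> <username>) in the last 10 minute"
LOCKOUT = re.compile(r"(\d+) failed logins from \((\S+) (\S+)\) in the last 10 minute")

# Constructed sample lines (documentation IP ranges, invented usernames).
SAMPLE_LOG = """\
18/03 10:36:45 6 failed logins from (192.0.2.10 alice) in the last 10 minute
18/03 10:37:02 5 failed logins from (198.51.100.7 bob) in the last 10 minute
18/03 10:39:11 5 failed logins from (192.0.2.10 carol) in the last 10 minute
18/03 10:41:30 7 failed logins from (192.0.2.10 dave) in the last 10 minute
18/03 10:52:45 5 failed logins from (198.51.100.7 bob) in the last 10 minute
18/03 10:53:00 *** Warning *** socket: EINPROGRESS The open is pending
"""

def summarise(lines):
    """Group failed-login lines by source IP address."""
    by_ip = defaultdict(lambda: {"users": set(), "events": 0, "max_count": 0})
    for line in lines:
        m = LOCKOUT.search(line)
        if not m:
            continue  # unrelated log line (socket warnings, deliveries, ...)
        count, ip, user = int(m.group(1)), m.group(2), m.group(3)
        entry = by_ip[ip]
        entry["users"].add(user)
        entry["events"] += 1
        # The reported count may already be cumulative, so keep the maximum
        # rather than summing it across lines.
        entry["max_count"] = max(entry["max_count"], count)
    return dict(by_ip)

def triage(by_ip, user_threshold=3):
    """Label each IP by how many distinct usernames it failed against."""
    labels = {}
    for ip, entry in by_ip.items():
        if len(entry["users"]) >= user_threshold:
            labels[ip] = "many usernames: review as password guessing"
        else:
            labels[ip] = "few usernames: possibly a forgotten password"
    return labels

if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines())
    for ip, label in sorted(triage(summary).items()):
        users = ", ".join(sorted(summary[ip]["users"]))
        print(f"{ip}: {summary[ip]['events']} log lines, users [{users}] -> {label}")
```

A single username that keeps appearing from one address can still be a targeted guess, so the second label is a prompt to check with the user rather than a verdict.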