Email Not Sending/Receiving: Log Analysis
Introduction
Email delivery issues can severely impact business operations, communication, and customer satisfaction. When emails fail to send or receive, identifying the root cause quickly is critical. Unlike web services where errors are immediately visible, email problems often require deep analysis of logs, SMTP transactions, and DNS records to diagnose.
This comprehensive guide teaches system administrators how to troubleshoot email issues through systematic log analysis and diagnostic procedures. You'll learn to read mail server logs, understand SMTP error codes, trace email delivery paths, and identify common issues affecting mail flow in both sending and receiving scenarios.
Email systems involve multiple components - mail transfer agents (MTAs), DNS records, authentication mechanisms, and spam filters - making troubleshooting complex. This guide provides a structured approach to analyzing these components and quickly identifying where email delivery breaks down.
Understanding Email Flow
Email Sending Process
- Client submits: Email client sends to SMTP server (port 587/465)
- Authentication: Server verifies sender credentials
- DNS lookup: Query MX records for recipient domain
- Connection: Connect to recipient's mail server (port 25)
- Handshake: SMTP conversation between servers
- Delivery: Email transferred to recipient server
- Queue/Deliver: Recipient server queues or delivers to mailbox
Email Receiving Process
- Connection: Remote server connects (port 25)
- SMTP dialogue: Commands exchanged (HELO, MAIL FROM, RCPT TO)
- Spam check: SPF, DKIM, DMARC validation
- Content filtering: Antivirus and spam filtering
- Delivery: To mailbox or forward to another server
Common Email Problems
Sending Issues:
- SMTP authentication failures
- Relay access denied
- Blacklisted IP addresses
- DNS/MX record problems
- TLS/SSL certificate errors
- Attachment size limits exceeded
Receiving Issues:
- Spam filter blocking legitimate mail
- Disk quota exceeded
- Invalid recipient addresses
- Greylisting delays
- DNS reverse lookup failures
- Port 25 blocked by ISP
Initial Email Diagnostics
Quick Email Status Check
# Check mail server is running
systemctl status postfix
systemctl status exim4
systemctl status sendmail
# Check listening ports
ss -tlnp | grep -E ":25|:587|:465"
netstat -tlnp | grep -E ":25|:587|:465"
# Check mail queue
mailq
postqueue -p # Postfix
exim -bp # Exim
# Check recent mail log
tail -100 /var/log/mail.log
tail -100 /var/log/maillog
# Test local mail delivery
echo "Test" | mail -s "Test" user@localhost
# Check DNS records
dig example.com MX +short
dig -x your-server-ip +short
Quick interpretation:
# If no service listening on port 25
# THEN mail server not running
# If mailq shows many messages
# THEN delivery problems or queue backup
# If MX records missing/incorrect
# THEN receiving mail won't work
# If reverse DNS missing
# THEN mail may be rejected as spam
Step 1: Analyzing Mail Logs
Log File Locations
# Common log file locations
tail -f /var/log/mail.log # Debian/Ubuntu
tail -f /var/log/maillog # CentOS/RHEL
tail -f /var/log/mail.info # General info
tail -f /var/log/mail.err # Errors only
tail -f /var/log/mail.warn # Warnings
# Postfix logs
tail -f /var/log/postfix.log
journalctl -u postfix -f
# Exim logs
tail -f /var/log/exim4/mainlog
exim -bP log_file_path
Reading Postfix Logs
Postfix log anatomy:
Jan 11 10:30:45 mail postfix/smtp[12345]: 1A2B3C4D5E: to=<user@example.com>,
relay=mx.example.com[93.184.216.34]:25, delay=2.1, delays=0.01/0.01/1.5/0.6,
dsn=2.0.0, status=sent (250 2.0.0 OK)
Key components:
- Timestamp: When event occurred
- Queue ID: 1A2B3C4D5E (unique message identifier)
- to: Recipient address
- relay: Destination server and IP
- delay: Total delivery time
- dsn: Delivery Status Notification code
- status: sent (success), deferred (retry), bounced (failed)
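The fields listed above can be pulled apart mechanically. The following is an added example, not code from the original guide: it parses delivery lines, maps the first digit of dsn= to success, temporary or permanent failure, and names the slowest stage of the delays=a/b/c/d breakdown (time before the queue manager, time in the queue manager, connection setup, transmission). The function names and the sample log lines are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original guide. Reads a Postfix log on stdin and
# prints: queue-id status dsn-class relay total-delay slowest-stage
parse_deliveries() {
    awk '
    # Value of key=... in the line, cut at the next comma or space
    function field(line, key,    s) {
        if (!match(line, key "=[^, ]*")) return "-"
        s = substr(line, RSTART, RLENGTH)
        return substr(s, length(key) + 2)
    }
    BEGIN {
        # Stage names for delays=a/b/c/d (Postfix documentation)
        stage[1] = "before-qmgr"; stage[2] = "in-qmgr"
        stage[3] = "conn-setup";  stage[4] = "transmission"
        class["2"] = "success"; class["4"] = "temporary"; class["5"] = "permanent"
    }
    / status=(sent|deferred|bounced)/ {
        # The queue ID sits between "]: " and ": " whatever the timestamp format
        if (!match($0, /\]: [0-9A-Za-z]+: /)) next
        qid = substr($0, RSTART + 3, RLENGTH - 5)
        relay = field($0, "relay"); sub(/\[.*/, "", relay)
        n = split(field($0, "delays"), d, "/")
        worst = 1
        for (i = 2; i <= n; i++) if (d[i] + 0 > d[worst] + 0) worst = i
        c = substr(field($0, "dsn"), 1, 1)
        print qid, field($0, "status"), ((c in class) ? class[c] : "unknown"),
              relay, field($0, "delay"), (n == 4 ? stage[worst] : "-")
    }'
}

# Constructed sample lines in the format shown above
sample_log() {
    cat <<'EOF'
Jan 11 10:30:45 mail postfix/smtp[12345]: 1A2B3C4D5E: to=<user@example.com>, relay=mx.example.com[93.184.216.34]:25, delay=2.1, delays=0.01/0.01/1.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 11 10:31:02 mail postfix/smtp[12346]: 2B3C4D5E6F: to=<bob@example.net>, relay=none, delay=3600, delays=3570/0.02/30/0, dsn=4.4.1, status=deferred (connect to mx.example.net[198.51.100.7]:25: Connection timed out)
Jan 11 10:31:10 mail postfix/smtp[12347]: 3C4D5E6F70: to=<nobody@example.org>, relay=mx.example.org[203.0.113.9]:25, delay=0.8, delays=0.02/0.01/0.3/0.47, dsn=5.1.1, status=bounced (host mx.example.org[203.0.113.9] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
EOF
}

sample_log | parse_deliveries
```

On a live server, feed it the real log instead: parse_deliveries < /var/log/mail.log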
Common Postfix Log Patterns
# Find all bounced messages
grep "status=bounced" /var/log/mail.log
# Find deferred deliveries
grep "status=deferred" /var/log/mail.log | tail -50
# Find rejected messages
grep "reject:" /var/log/mail.log
# Search by queue ID
grep "1A2B3C4D5E" /var/log/mail.log
# Search by sender email
grep "from=<sender@example.com>" /var/log/mail.log
# Search by recipient
grep "to=<recipient@example.com>" /var/log/mail.log
# Authentication failures
grep "authentication failed" /var/log/mail.log
# Connection attempts
grep "connect from" /var/log/mail.log
# SASL authentication
grep "sasl" /var/log/mail.log
# Relay denied
grep "Relay access denied" /var/log/mail.log
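Grepping for "authentication failed" shows individual failures, not which clients are guessing passwords or whether a guess eventually worked. This added example (not from the original guide) counts failed SASL attempts per client IP and flags any client that logged in successfully after reaching the threshold. The names sasl_report and sample_auth_log and the sample lines are constructed, and the log formats assumed are Postfix's standard smtpd messages.

```bash
#!/bin/bash
# Added example, not from the original guide.
# Usage: sasl_report MIN_FAILURES < mail.log
# Prints "failures client-ip verdict", most failures first.
sasl_report() {
    awk -v min="$1" '
    # Failed attempt: "warning: host[ip]: SASL LOGIN authentication failed: ..."
    /SASL [A-Za-z0-9-]+ authentication failed/ {
        if (match($0, /\[[0-9A-Fa-f:.]+\]: SASL /))
            fails[substr($0, RSTART + 1, RLENGTH - 9)]++
        next
    }
    # Accepted login: "client=host[ip], sasl_method=..., sasl_username=..."
    match($0, /\[[0-9A-Fa-f:.]+\], sasl_method=/) {
        ip = substr($0, RSTART + 1, RLENGTH - 16)
        # Only a success that follows enough failures is interesting
        if (fails[ip] + 0 >= min + 0 && match($0, /sasl_username=[^, ]+/))
            hit[ip] = substr($0, RSTART + 14, RLENGTH - 14)
    }
    END {
        for (ip in fails)
            if (fails[ip] + 0 >= min + 0)
                print fails[ip], ip, ((ip in hit) ? "login-after-failures user=" hit[ip] : "failures-only")
    }' | sort -k1,1nr -k2,2
}

# Constructed sample log lines (documentation IP ranges, made-up users)
sample_auth_log() {
    cat <<'EOF'
Jan 11 10:32:01 mail postfix/smtpd[2201]: warning: unknown[203.0.113.50]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 11 10:32:03 mail postfix/smtpd[2201]: warning: unknown[203.0.113.50]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 11 10:32:05 mail postfix/smtpd[2201]: warning: unknown[203.0.113.50]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 11 10:32:08 mail postfix/smtpd[2201]: warning: unknown[203.0.113.50]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 11 10:32:11 mail postfix/smtpd[2201]: 4D5E6F7081: client=unknown[203.0.113.50], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 11 10:40:12 mail postfix/smtpd[2310]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Jan 11 10:40:15 mail postfix/smtpd[2310]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Jan 11 10:40:19 mail postfix/smtpd[2310]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Jan 11 11:02:30 mail postfix/smtpd[2404]: warning: host.example.net[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Jan 11 11:02:41 mail postfix/smtpd[2404]: 5E6F708192: client=host.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
EOF
}

sample_auth_log | sasl_report 3
```

A login-after-failures line names an account whose password should be reset and whose recent sent mail should be reviewed; the single mistyped password from 192.0.2.10 stays below the threshold and is not reported.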
Analyzing Exim Logs
# View main log
tail -100 /var/log/exim4/mainlog
# Search by message ID
exigrep "1A2B3C-4D5E6F-GH" /var/log/exim4/mainlog
# Show message headers
exim -Mvh message-id
# Show message body
exim -Mvb message-id
# List messages in queue
exim -bp
# View frozen messages
exim -bp | grep frozen
# Count messages by status
exim -bp | awk '{print $4}' | sort | uniq -c
# Find delivery attempts
grep "=>" /var/log/exim4/mainlog | tail -50
# Find failures
grep "==" /var/log/exim4/mainlog | tail -50
# Find rejects
grep "rejected" /var/log/exim4/mainlog | tail -50
Step 2: Understanding SMTP Error Codes
Common SMTP Response Codes
2xx - Success:
- 250: Requested mail action okay, completed
- 251: User not local; will forward
- 252: Cannot verify user, but will attempt delivery
4xx - Temporary Failure (retry later):
- 421: Service not available, closing connection
- 450: Mailbox unavailable (busy)
- 451: Local error in processing
- 452: Insufficient system storage
- 454: TLS not available
5xx - Permanent Failure:
- 550: Mailbox unavailable (doesn't exist)
- 551: User not local
- 552: Exceeded storage allocation
- 553: Mailbox name not allowed
- 554: Transaction failed
Interpreting Error Messages
# Find specific error codes
grep "550 5.1.1" /var/log/mail.log # User unknown
grep "550 5.7.1" /var/log/mail.log # Relay denied
grep "554 5.7.1" /var/log/mail.log # Rejected as spam
grep "451 4.7.1" /var/log/mail.log # Greylisting
grep "452 4.2.2" /var/log/mail.log # Mailbox full
# Common error patterns
grep -i "relay access denied" /var/log/mail.log
grep -i "user unknown" /var/log/mail.log
grep -i "quota exceeded" /var/log/mail.log
grep -i "rejected" /var/log/mail.log | grep -v "spam"
Error Code Analysis Script
cat > /tmp/analyze-errors.sh << 'EOF'
#!/bin/bash
LOG="/var/log/mail.log"
echo "Email Error Analysis"
echo "===================="
echo -e "\nMost Common Errors:"
grep "status=bounced\|status=deferred" "$LOG" | \
sed 's/.*dsn=\([^,]*\).*/\1/' | \
sort | uniq -c | sort -rn | head -10
echo -e "\nRejection Reasons:"
grep "reject:" "$LOG" | \
sed 's/.*reject: //' | \
cut -d';' -f1 | \
sort | uniq -c | sort -rn | head -10
echo -e "\nTop Bounced Recipients:"
grep "status=bounced" "$LOG" | \
grep -o "to=<[^>]*>" | \
sort | uniq -c | sort -rn | head -10
EOF
chmod +x /tmp/analyze-errors.sh
/tmp/analyze-errors.sh
Step 3: Diagnosing Sending Issues
Testing SMTP Sending
# Test SMTP connection manually
telnet localhost 25
# or
openssl s_client -connect localhost:587 -starttls smtp
# In the SMTP session:
EHLO example.com
MAIL FROM:<sender@example.com>
RCPT TO:<recipient@example.com>
DATA
Subject: Test

This is a test message.
.
QUIT
# Test with swaks (Swiss Army Knife SMTP)
apt install swaks
# Basic test
swaks --to recipient@example.com --from sender@example.com
# With authentication
# (a password passed on the command line is visible in shell history and the process list)
swaks --to recipient@example.com \
--from sender@example.com \
--auth-user username \
--auth-password password \
--server smtp.example.com:587 \
--tls
# Test to specific server
swaks --to recipient@example.com --server smtp.gmail.com:587 --tls
Checking Mail Queue
# Postfix queue
postqueue -p
mailq
# Count queued messages
postqueue -p | grep -c "^[A-F0-9]"
# View specific message
postcat -q queue-id
# Show message headers
postcat -qh queue-id
# Delete specific message
postsuper -d queue-id
# Delete all queued messages (irreversible: removes every message in every queue)
postsuper -d ALL
# Flush queue (attempt delivery)
postqueue -f
# Hold queue
postsuper -h queue-id
# Release held message
postsuper -H queue-id
Analyzing Delivery Delays
# Find messages with long delays
grep "status=deferred" /var/log/mail.log | \
awk -F'delay=' '{print $2}' | \
cut -d',' -f1 | \
sort -rn | \
head -20
# Find slow connections
grep "smtp.*delay=" /var/log/mail.log | \
awk '{for(i=1;i<=NF;i++) if($i~/delay=/) print $i}' | \
cut -d'=' -f2 | \
cut -d',' -f1 | \
awk '$1 > 10 {print}' | \
sort -rn
# Delays by destination (average delay per relay host)
grep "status=sent\|status=deferred" /var/log/mail.log | \
sed -n 's/.*relay=\([^[,]*\).*delay=\([^,]*\).*/\1 \2/p' | \
awk '{sum[$1]+=$2; count[$1]++} END {for(i in sum) print i, sum[i]/count[i]}' | \
sort -k2 -rn
Step 4: Diagnosing Receiving Issues
Testing Mail Reception
# Send test email from external service
# Use mail-tester.com or mxtoolbox.com
# Check if port 25 is accessible
telnet your-server-ip 25
# Test from remote server
swaks --to recipient@example.com \
--from sender@example.com \
--server your-server-ip
# Check MX records
dig your-domain.com MX +short
# Verify reverse DNS
dig -x your-server-ip +short
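# Check if IP is blacklisted (DNSBL queries use the IP with its octets reversed,
# e.g. 192.0.2.25 is looked up as 25.2.0.192.zen.spamhaus.org)
host reversed-server-ip.zen.spamhaus.org
host reversed-server-ip.bl.spamcop.net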
Spam Filter Analysis
# SpamAssassin logs
tail -100 /var/log/mail.log | grep spamd
# Check spam scores
grep "X-Spam-Status" /var/mail/username
# SpamAssassin test
spamassassin -D < email-sample.eml
# Amavis logs
grep amavis /var/log/mail.log | tail -50
# Check rejected as spam
grep "Rejected by.*spam" /var/log/mail.log
# Spam statistics
grep -c "identified spam" /var/log/mail.log
Greylisting Issues
# Check for greylisting
grep "Greylisted" /var/log/mail.log
# Postgrey status
systemctl status postgrey
# Postgrey whitelist
cat /etc/postgrey/whitelist_clients
# Add to whitelist
echo "example.com" >> /etc/postgrey/whitelist_clients
systemctl reload postgrey
# Check greylisting delays
grep "Greylisted" /var/log/mail.log | \
awk '{print $1, $2, $3, $NF}'
Step 5: DNS and Authentication Issues
Checking Email DNS Records
# MX records
dig your-domain.com MX +short
# SPF record
dig your-domain.com TXT +short | grep "v=spf1"
host -t TXT your-domain.com | grep spf
# DKIM record (replace selector)
dig default._domainkey.your-domain.com TXT +short
# DMARC record
dig _dmarc.your-domain.com TXT +short
# Reverse DNS
dig -x your-server-ip +short
# Verify DNS propagation
for ns in 8.8.8.8 1.1.1.1 208.67.222.222; do
echo "DNS: $ns"
dig @$ns your-domain.com MX +short
done
SPF/DKIM/DMARC Validation
# Check SPF in logs
grep "SPF" /var/log/mail.log | tail -20
# DKIM verification
grep "DKIM" /var/log/mail.log | tail -20
# DMARC reports
grep "DMARC" /var/log/mail.log
# Test SPF manually
# Use mxtoolbox.com/spf.aspx
# Validate DKIM signature
opendkim-testkey -d your-domain.com -s default -vvv
Step 6: Blacklist and Reputation Issues
Checking IP Blacklists
# Check major blacklists
cat > /tmp/check-blacklist.sh << 'EOF'
#!/bin/bash
IP=$1
BLACKLISTS="
zen.spamhaus.org
bl.spamcop.net
dnsbl.sorbs.net
b.barracudacentral.org
bl.spameatingmonkey.net
psbl.surriel.com
"
echo "Checking $IP against blacklists..."
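REVERSED=$(echo "$IP" | awk -F. '{print $4"."$3"."$2"."$1}')
for bl in $BLACKLISTS; do
# Any DNS answer counts as listed here. Some lists also answer with status codes
# (for example when queried through a public resolver), so confirm a hit by hand.
if host "${REVERSED}.${bl}" > /dev/null 2>&1; then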
echo "LISTED on $bl"
else
echo "OK on $bl"
fi
done
EOF
chmod +x /tmp/check-blacklist.sh
/tmp/check-blacklist.sh your-server-ip
# Check blacklist in logs
grep "blocked using" /var/log/mail.log
grep "RBL" /var/log/mail.log
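The script above treats any DNS answer as a listing. This added example (not part of the original guide) validates and reverses the IPv4 address once and interprets the answer: DNSBLs return 127.0.0.0/8 addresses for listed hosts, and the 127.255.255.x values handled here are the status codes Spamhaus documents, so other lists may use them differently. The function names are illustrative, and check_dnsbl needs dig and network access.

```bash
#!/bin/bash
# Added example, not from the original guide.

# Reverse a dotted quad for a DNSBL query; fails on anything that is not IPv4
reverse_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
          print $4 "." $3 "." $2 "." $1 }'
}

# Interpret the first A record returned by a DNSBL (empty string = NXDOMAIN)
classify_dnsbl_answer() {
    case "$1" in
        "")              echo "not-listed" ;;
        127.255.255.252) echo "error: typo in DNSBL zone name" ;;
        127.255.255.254) echo "error: query came through a public/open resolver" ;;
        127.255.255.255) echo "error: query rate limit exceeded" ;;
        127.255.255.*)   echo "error: unrecognised status code" ;;
        127.*)           echo "listed" ;;
        *)               echo "error: unexpected answer" ;;
    esac
}

# Usage: check_dnsbl IP ZONE
check_dnsbl() {
    rev=$(reverse_ipv4 "$1") || { echo "invalid IPv4 address: $1" >&2; return 2; }
    answer=$(dig +short "$rev.$2" A | head -n 1)
    echo "$2: $(classify_dnsbl_answer "$answer")"
}

# Example call (performs a real DNS lookup):
# check_dnsbl 192.0.2.25 zen.spamhaus.org
```

An "error:" result means the lookup itself was refused or malformed, so the server's status on that list is still unknown and should be rechecked through a resolver the list accepts.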
Sender Reputation
# Check rejection due to reputation
grep "450 4.7.1" /var/log/mail.log
grep "554 5.7.1" /var/log/mail.log
# Analyze rejection patterns
grep "reject:" /var/log/mail.log | \
grep -o "reject: [^;]*" | \
sort | uniq -c | sort -rn
Step 7: Performance and Resource Issues
Mail Server Performance
# Connection count
ss -tan | grep :25 | wc -l
# Queue size
postqueue -p | grep -c "^[A-F0-9]"
# Process resources
ps aux | grep -E "postfix|exim|dovecot" | \
awk '{sum+=$4} END {print "Memory: " sum "%"}'
# Disk usage
df -h /var/mail
du -sh /var/spool/postfix/*
# I/O wait
iostat -x 1 3 | grep -A1 sda
Resource Exhaustion
# Check disk space
df -h /var
# Check inodes
df -i /var
# Large mailboxes
du -sh /var/mail/* | sort -rh | head -10
# Queue directory size
du -sh /var/spool/postfix/deferred
# Connection limits
grep "too many connections" /var/log/mail.log
# Memory issues
grep "Cannot allocate memory" /var/log/mail.log
Solutions and Remediation
Immediate Fixes
Flush stuck queue:
postqueue -f
postsuper -r ALL
Clear deferred and bounced messages (postsuper -d deletes them permanently, so review the queue first):
postsuper -d ALL deferred
postsuper -d ALL bounce
Restart mail services:
systemctl restart postfix
systemctl restart dovecot
Increase connection limits:
# Edit /etc/postfix/main.cf
default_process_limit = 200
smtpd_client_connection_count_limit = 50
Configuration Improvements
Postfix optimization:
# /etc/postfix/main.cf
queue_run_delay = 300s
maximal_queue_lifetime = 5d
bounce_queue_lifetime = 5d
maximal_backoff_time = 4000s
minimal_backoff_time = 300s
Enable detailed logging:
# Postfix debug
postconf -e "debug_peer_list = example.com"
postconf -e "debug_peer_level = 2"
postfix reload
# Watch debug output
tail -f /var/log/mail.log
Monitoring and Alerting
cat > /usr/local/bin/mail-monitor.sh << 'EOF'
#!/bin/bash
QUEUE_THRESHOLD=100
LOG_FILE="/var/log/mail-monitor.log"
ALERT_EMAIL="admin@example.com"
# Check queue size
QUEUE_SIZE=$(postqueue -p | grep -c "^[A-F0-9]")
if [ $QUEUE_SIZE -gt $QUEUE_THRESHOLD ]; then
echo "$(date): High queue: $QUEUE_SIZE messages" >> "$LOG_FILE"
echo "Mail queue has $QUEUE_SIZE messages on $(hostname)" | \
mail -s "Mail Queue Alert" "$ALERT_EMAIL"
fi
# Check for errors
ERRORS=$(grep -c "status=bounced" /var/log/mail.log)
if [ $ERRORS -gt 10 ]; then
echo "$(date): High bounce rate: $ERRORS" >> "$LOG_FILE"
fi
# Check service
if ! systemctl is-active --quiet postfix; then
echo "$(date): Postfix not running!" >> "$LOG_FILE"
systemctl start postfix
fi
EOF
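chmod +x /usr/local/bin/mail-monitor.sh
# Append to the existing crontab (piping only the new line into "crontab -" would replace every existing entry)
(crontab -l 2>/dev/null; echo "*/15 * * * * /usr/local/bin/mail-monitor.sh") | crontab -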
Conclusion
Email troubleshooting requires systematic log analysis and understanding of the email delivery process. Key takeaways:
- Read logs carefully: Most problems are revealed in mail logs
- Understand SMTP codes: Know what 4xx vs 5xx means
- Check DNS records: MX, SPF, DKIM, DMARC, and rDNS are all critical
- Monitor queues: Large queues indicate delivery problems
- Test thoroughly: Use swaks and manual SMTP for testing
- Watch blacklists: IP reputation affects deliverability
- Implement monitoring: Catch issues before users complain
Regular log review, proper DNS configuration, and proactive monitoring ensure reliable email delivery. Master these log analysis techniques to quickly diagnose and resolve email issues when they occur.


