# Destroyed a logfile by mistake



## xy16644 (Feb 13, 2014)

I was trying to view the contents of my /var/log/maillog but instead of typing `ee /var/log/postfix/maillog` I typed:

`tee /var/log/maillog`

and now my logfile is not updating anymore!

What have I done wrong?


----------



## ljboiler (Feb 13, 2014)

I assume you typed ctrl-C to stop `tee`? Basically what you just did was to truncate that file to a length of 0, and most likely the program that uses that log file is very confused;  restarting the mail service (sendmail or is it postfix) will probably make it happy.


----------



## ljboiler (Feb 13, 2014)

P.S.   Never use an editor to view a live log file; either use something like `more`, or make a copy and open the copy in your favorite editor.


----------



## kpa (Feb 13, 2014)

Remove the file you created because it's most likely now owned by root and the process that tries to write to the file is running as a non-privileged user. The file should be recreated when you restart the mailer daemon.


----------



## gesperon (Feb 13, 2014)

kpa said:

> Remove the file you created because it's most likely now owned by root and the process that tries to write to the file is running as a non-privileged user. The file should be recreated when you restart the mailer daemon.



and for good measure do: ``kill -HUP `cat /var/run/syslog.pid` ``


----------



## xy16644 (Feb 13, 2014)

Thanks all, the log file is working again and I learnt a valuable lesson...don't use `ee` on a live logfile but use `more` rather!!


----------



## phoenix (Feb 13, 2014)

Or tail(1):

Look at the last 10 lines:
`# tail /var/log/maillog`

Look at the last 100 lines:
`# tail -100 /var/log/maillog`

Look at the last X (put in an actual number, not the letter X) lines:
`# tail -X /var/log/maillog`

Look at the last 10 lines, and watch updates live as they happen:
`# tail -f /var/log/maillog`

Look at the last 100 lines, and watch updates live as they happen:
`# tail -100f /var/log/maillog`

And so on.


----------



## xy16644 (Feb 13, 2014)

Thanks @phoenix, that's very helpful.

I am getting these in /var/log/maillog now:


```
Feb 13 20:38:32 mail postfix/master[64595]: warning: process /usr/local/libexec/postfix/smtpd pid 99785 killed by signal 11
Feb 13 20:50:06 mail postfix/master[64595]: warning: process /usr/local/libexec/postfix/smtpd pid 3525 killed by signal 11
Feb 13 20:58:52 mail postfix/master[64595]: warning: process /usr/local/libexec/postfix/smtpd pid 5478 killed by signal 11
Feb 13 21:13:54 mail postfix/master[5828]: warning: process /usr/local/libexec/postfix/smtpd pid 10118 killed by signal 11
Feb 13 21:27:11 mail postfix/master[5828]: warning: process /usr/local/libexec/postfix/smtpd pid 14008 killed by signal 11
Feb 13 21:28:37 mail postfix/master[5828]: warning: process /usr/local/libexec/postfix/smtpd pid 14469 killed by signal 11
```

Emails still flowing fine (I did a few send/receive tests) but this error is worrying?

I also have a few of these:


```
mail postfix/master[5828]: warning: /usr/local/libexec/postfix/smtpd: bad command startup -- throttling
```

Could these errors be due to me screwing up the maillog logfile?


----------



## phoenix (Feb 14, 2014)

Nope, those would be from screwing up the Postfix config.  

Look at your main.cf to make sure everything is set correctly. Do a restart of postfix and check the logs right away for messages. Consider re-mapping your database files:
`# postalias /path/to/aliases`
`# postmap /path/to/any/hash/map/files`


----------



## xy16644 (Feb 14, 2014)

phoenix said:

> Nope, those would be from screwing up the Postfix config.
> 
> Look at your main.cf to make sure everything is set correctly. Do a restart of postfix and check the logs right away for messages. Consider re-mapping your database files:
> `# postalias /path/to/aliases`
> `# postmap /path/to/any/hash/map/files`



I have had a read through the main.cf file but nothing looks out of place to me. I stopped and started postfix and immediately checked the maillog but there were no errors reported.

FYI: I use virtual users/domains/aliases.

I ran:

`postalias /etc/aliases`

and it ran fine.

When I ran:

`postmap /etc/aliases`

I get this error:



> maillog:Feb 14 08:34:49 mail postfix/postmap[86101]: warning: /etc/aliases, line 79: record is in "key: value" format; is this an alias file?



Is this the cause of the problem or could it be something else? There's no hint in the logs that I can see.

What else can I try to troubleshoot this?


----------



## ShelLuser (Feb 14, 2014)

xy16644 said:

> Thanks all, the log file is working again and I learnt a valuable lesson...don't use `ee` on a live logfile but use `more` rather!!


Actually I think there's a totally different lesson to be learned here, one which we all already know but which most of us often ignore:


```
$ tee /var/log/maillog
tee: /var/log/maillog: Permission denied
```
When I check up on my logfiles I make sure to be in a situation where I can only check and not do anything else. If I need more (I can understand that you need to check logfiles in order to perform other administrative tasks) I do so with the use of sysutils/tmux.

In other words; I always know that whenever I go to my first screen I basically enter a root session whereas my second screen is always under a regular user account. This literally helps me to divide my tasks but also minimizes potential dangers.

I know it sounds clichéd, but in my opinion you should never use root to check up on logfiles.

Edit: s/never\ should/should\ never/g


----------



## kpa (Feb 14, 2014)

I have two windows open in a sysutils/tmux session, one is with a normal user account and the other one is su(1)'ed to root. I can switch between the windows with a couple of keystrokes and there's never a danger of getting the windows mixed up because of the shell prompt that is the #-sign for root. I also make use of SSH key forwarding using ssh-agent(1) so that I don't have to type passwords to log into my machines and then I have security/pam_ssh_agent_auth that allows me to su(1) to root without a password.


----------



## xy16644 (Feb 14, 2014)

Thanks to you all for your replies. The irony in all this is I started to *not* use root on my new server and I started to use my own account with `sudo` but that day I was logged in with root (naughty naughty).

Does anyone have any ideas as to the errors I am experiencing in Postfix? Looks like I have been experiencing those errors a few days BEFORE I screwed up the maillog logfile.

From what I understand there is a problem with my main.cf but I can't see anything helpful in the logs.

Can someone assist please?


----------



## xy16644 (Feb 14, 2014)

Having had a good look through the maillog I have noticed that the "signal 11" error I am receiving occurs when I receive email from the following domains:


```
mxslcpool74.ebay.com
outmail034.prn2.facebook.com
...
outmail040.prn2.facebook.com
```

Why would receiving email from only these two domains cause Postfix to crash and restart?


----------



## ShelLuser (Feb 15, 2014)

Impossible to tell; it needs more context. Is said e-mail always addressed to the same recipient? Are there other similarities (attachments for example)?


----------



## xy16644 (Feb 15, 2014)

That's a good question but I don't know as it's not showing in the log. Here is what I can see in the log so far:


```
Feb 15 05:12:40 mail postfix/smtpd[40147]: connect from mxslcpool74.ebay.com[66.135.215.176]
Feb 15 05:12:41 mail postfix/master[88477]: warning: process /usr/local/libexec/postfix/smtpd pid 40147 killed by signal 11
Feb 15 05:12:41 mail postfix/master[88477]: warning: /usr/local/libexec/postfix/smtpd: bad command startup -- throttling
```

I don't think the connection gets far enough to see *who* the email is addressed to.
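
The correlation done by eye in the posts above (matching the PID in a `killed by signal` warning to the earlier `connect from` line for the same smtpd process), as an added example that is not part of the original thread. The log lines are constructed in the format quoted in the post, and the function names `sample_maillog` and `crashed_clients` are made up for illustration:

```shell
#!/bin/sh
# Added example: map each crashed smtpd PID back to the client it was serving.
# sample_maillog and crashed_clients are illustrative names, not Postfix tools.

# Constructed sample in the maillog format quoted in the thread.
sample_maillog() {
    cat <<'EOF'
Feb 15 05:12:40 mail postfix/smtpd[40147]: connect from mx1.example.net[192.0.2.10]
Feb 15 05:12:41 mail postfix/master[88477]: warning: process /usr/local/libexec/postfix/smtpd pid 40147 killed by signal 11
Feb 15 05:12:41 mail postfix/master[88477]: warning: /usr/local/libexec/postfix/smtpd: bad command startup -- throttling
Feb 15 05:20:02 mail postfix/smtpd[40210]: connect from mx2.example.org[198.51.100.7]
Feb 15 05:20:03 mail postfix/smtpd[40210]: disconnect from mx2.example.org[198.51.100.7]
Feb 15 05:31:15 mail postfix/smtpd[40388]: connect from mx1.example.net[192.0.2.10]
Feb 15 05:31:16 mail postfix/master[88477]: warning: process /usr/local/libexec/postfix/smtpd pid 40388 killed by signal 11
Feb 15 05:40:00 mail postfix/master[88477]: warning: process /usr/local/libexec/postfix/smtpd pid 40500 killed by signal 11
EOF
}

# Print "<count> <client> signal=<n>" per client, most crashes first.
# Reads the files given as arguments, or stdin when there are none.
crashed_clients() {
    awk '
    # smtpd[PID]: connect from host[ip] -> remember the client for that PID
    /postfix\/smtpd\[[0-9]+\]: connect from / {
        pid = $5
        sub(/^.*\[/, "", pid); sub(/\].*$/, "", pid)
        client[pid] = $NF
        next
    }
    # master warning: process .../smtpd pid N killed by signal S
    / killed by signal / {
        p = ""
        for (i = 1; i < NF; i++) if ($i == "pid") p = $(i + 1)
        who = (p in client) ? client[p] : "unknown"
        count[who " signal=" $NF]++
        delete client[p]    # PIDs get reused, so forget this one
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort -rn
}

sample_maillog | crashed_clients
```

On a live system, run it as `crashed_clients /var/log/maillog` from an account that can read but not write the log.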


----------



## mickey (Feb 16, 2014)

Did you try rebuilding a fresh postfix from ports? In no event (at least none I could think of) should an MTA crash with segmentation fault while receiving an E-Mail, even given the possibility that something might be slightly misconfigured.


----------



## xy16644 (Feb 16, 2014)

mickey said:

> Did you try rebuilding a fresh postfix from ports? In no event (at least none I could think of) should an MTA crash with segmentation fault while receiving an E-Mail, even given the possibility that something might be slightly misconfigured.



I'm glad you asked.

It turns out I had to disable zlib in OpenSSL to fix my issue (it wasn't an issue with my Postfix config files).

I've been running now for over 12 hours without any signal 11 errors and I can see email being received from Facebook fine now.


----------

