CloudInsidr

Cyber security, infotech

Join us on Twitter: @CloudInsidr

Home Uncategorized Set up logrotate for Postfix
Set up logrotate for Postfix

Leave a Comment

Set up logrotate for Postfix

Finding errors in a postfix log file is tedious work. The job gets even more complicated if you have to dig through old postfix log files which might no longer be relevant. logrotate comes to the rescue, but only if you configure it correctly.  Here is how you can do it on Fedora.

Step 1. Create your logrotate configuration file for Postfix

Create a new configuration file for Postfix logs in the logrotate directory at:

/etc/logrotate.d

To create the file, feel free to use any text editor of your choice. We are naming the file

postfix

Make sure it contains roughly these directives (adjust as needed):

/var/log/maillog {
monthly
rotate 24
compress
delaycompress
extension log
create 0644 root root
      postrotate
          systemctl restart rsyslog
          systemctl restart postfix
      endscript
}

Each time Postfix gets to use a new log file, rsyslog will still hang onto the old one. This is why you have to restart it an then restart Postfix using a postrotate script in the file above.

An alternative would be to use

copytruncate

It tell logrotate to make a copy of the log file, which will be the rotated, renamed file, and then truncate the log file to a size of zero.

Step 2. Run logrotate manually

Execute logrotate on Postfix manually:

logrotate --force postfix

If you are using SElinux, this will most likely fail. To tempararily deactivate SElinux:

setenforce 0

Step 3. Set up SElinux labels for logrotate

Verify permissions using the command:

ls- laZ

You will see something like this:

-rw-r–r–. 1 root root system_u:object_r:etc_t:s0 130 Oct 14 2019 btmp
-rw-r–r–. 1 root root system_u:object_r:etc_t:s0 160 Oct 7 08:27 chrony
-rw-r–r–. 1 root root system_u:object_r:etc_t:s0 103 Nov 9 06:58 dnf
-rw-r–r–. 1 root root unconfined_u:object_r:etc_t:s0 128 Dec 6 08:47 postfix

Adjust SElinux labels:

semanage fcontext -a -t etc_t -s system_u "/etc/logrotate.d/*"

Apply new SElinux labels on the logrotate configuration file for Postfix:

restorecon -RFv postfix

Now is the time to run audit2allow.

Step 4. Permit logrotate in SElinux

With setenforce set to zero, execute logrotate:

logrotate --force postfix

and see what happens:

grep logrotate /var/log/audit/audit.log | audit2allow -w -a logrotate-module

Follow the instructions. This usually involves

semodule -i logrotate-module.pp

If there is nothing to be done, you will see:

<no matches>

in the command line.

Now you should be good to go.

Step 5. Activate SElinux

Enable SElinux enforcing:

setenforce 1

Leave a Reply

Your email address will not be published. Required fields are marked *

©2022 CybrAnalytiqa OÜ