This document explains how H-Sphere collects and rotates mail traffic.
H-Sphere cron script responsible for analyzing mail traffic is
Here, dd.mm.YYYY is the current date timestamp.
dd.mm.YYYY.qml.txt log files contain lines of the following format:
where name is the domain name, xFer is the total traffic in kilobytes.
Then, H-Sphere TrafficLoader
utility is launched by cron to collect mail traffic from the statistics directory and to store it
into the system database. TrafficLoader also calls the
script to move the already loaded mail statistics files to the
directory as dd.mm.YYYY.qml.txt.gz archives.
Qmail Traffic Log
Before H-Sphere 2.4.3 Patch 1, H-Sphere collected mail statistics from the /var/log/maillog
qmail log file.
In H-Sphere 2.4.3 Patch 1 and up, qmail writes a more detailed mail traffic log to the
/var/hsphere/mail/logs/stats file. Log records have the following format:
date host msg_type[pid]: timestamp|sender|recipient|bytes|status|attempts
- host: mail server host, e.g., "mail.example.com"
- msg_type: in for incoming thread, and out for outgoing thread
- pid: PID of the process
- timestamp: UNIX timestamp of the date when the message is sent, e.g.,
- sender: message sender's e-mail address
- recipient: message recipient's e-mail address.
For multiple recipients, each one is written as a separate line in the log
- bytes: message size
- status: message status. It is different for incoming and outgoing mail:
  - success - message is received successfully
  - timeout - no response from the source host while receiving the message
  - rejclam - message is received completely but detected as infected
  - rejspam - message is received completely but detected as spam
  - manyhops - message is looping
  - bytestooverflow - message exceeds size limit
  - success - message is sent successfully
  - timeout - no response from destination host while sending the message
  - partial - malformed incoming message
  - readerr - internal server problems
- attempts (HS 2.4.3 Patch 4+): number of data transfers per one SMTP session
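The record format above can be parsed as follows. This is an added example, not H-Sphere code: the function names, the sample records and their date layout are constructed, and attributing incoming bytes to the recipient's domain and outgoing bytes to the sender's domain is an assumption.

```python
import re
from collections import Counter

# Prefix per the page: "date host msg_type[pid]: ..."; the date layout is not
# given there, so it is matched loosely.
PREFIX = re.compile(
    r"^(?P<date>.*?)\s+(?P<host>\S+)\s+(?P<msg_type>in|out)\[(?P<pid>\d+)\]:\s*(?P<body>.*)$")
REJECTED = {"rejclam", "rejspam"}  # incoming statuses listed on the page

def parse_line(line):
    """Return one stats record as a dict, or None if the line is malformed."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    fields = m.group("body").split("|")
    # 6 fields when "attempts" is present (HS 2.4.3 Patch 4+), 5 otherwise.
    # sender/recipient are supplied by remote parties: reject, never guess.
    if len(fields) not in (5, 6):
        return None
    ts, sender, recipient, size, status = fields[:5]
    attempts = fields[5] if len(fields) == 6 else None
    numeric = [ts, size] + ([attempts] if attempts is not None else [])
    if not all(n.isascii() and n.isdigit() for n in numeric):
        return None
    return {"host": m.group("host"), "msg_type": m.group("msg_type"),
            "timestamp": int(ts), "sender": sender, "recipient": recipient,
            "bytes": int(size), "status": status,
            "attempts": int(attempts) if attempts is not None else None}

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else "(none)"

def summarize(lines):
    """Bytes of successful mail per (msg_type, domain), rejections per sender domain."""
    traffic, rejected, bad = Counter(), Counter(), 0
    for rec in map(parse_line, lines):
        if rec is None:
            bad += 1
        elif rec["status"] in REJECTED:
            rejected[domain(rec["sender"])] += 1
        elif rec["status"] == "success":
            # Assumption: "in" counts for the recipient's domain, "out" for the sender's.
            local = rec["recipient"] if rec["msg_type"] == "in" else rec["sender"]
            traffic[(rec["msg_type"], domain(local))] += rec["bytes"]
    return traffic, rejected, bad

SAMPLE = [  # constructed records; the last one has an extra "|" in the sender
    "Jan 12 10:00:01 mail.example.com in[2101]: 1105524001|alice@remote.test|bob@example.com|2048|success|1",
    "Jan 12 10:00:05 mail.example.com in[2102]: 1105524005|x@spam.test|bob@example.com|5120|rejspam|1",
    "Jan 12 10:00:09 mail.example.com out[2103]: 1105524009|bob@example.com|carol@remote.test|1024|success",
    "Jan 12 10:00:15 mail.example.com in[2105]: 1105524015|y@spam.test|dave@example.com|300|rejclam|2",
    "Jan 12 10:00:12 mail.example.com in[2104]: 1105524012|a|b@evil.test|c@example.com|10|success|1",
]
```

A rising count of malformed lines or of rejclam/rejspam records from one sender domain is worth reviewing alongside the per-domain traffic totals.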