Tracking which processes send outbound email

Summary Question: Is there a way to tell what process is sending email on Red Hat?

I'm running a Red Hat 6.1 server.   I have to mail issues I'd like to track.
Every day, at the same time, I get a blank email from root.  I'd like to know what process is sending out that email.
Yes, I've checked cron and all the cron.d items, hourly, daily, weekly, monthly, etc.  No dice.  Ideally, I'd love something that, every time an email is sent, it would write to a log file what process generated that email (plus any info about that email, ideally).

I also see that a different email is generated and sent to a specific user daily, and I'd like to know what process generated that email, or at least what subject line that email had.

Thanks for your help.
indsupportAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

xtermCommented:
What I would do is replace the local mailer with a wrapper script to log who called it, and then let it launch mail as it normally would.

So rename /bin/mail to /bin/mail2, and then create a new /bin/mail as below (and don't forget to make executable with chmod 755).

This will write a date stamp and the parent process information to /var/log/binmail.log
#!/bin/sh

MYLOGFILE="/var/log/binmail.log"
PARENTPID=`ps -p $$ -o ppid=`
PARPIDINFO=`ps ax | grep "$PARENTPID "`

echo "`date`: I was called by $PARENTPID ($PARPIDINFO)" >> $MYLOGFILE

/bin/mail2 $*

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
indsupportAuthor Commented:
I'll give it a try and write back!
0
indsupportAuthor Commented:
Okay, I put it in place.  The mystery email usually comes in about 2 hours from now, so I'll let you know.
I made one change to your script above.

I changed
PARPIDINFO=`ps ax | grep "$PARENTPID "`

to

PARPIDINFO=`ps ax | grep "$PARENTPID " | grep -v grep`

because the grep line from the ps was showing up in the log file as well.

Thanks!
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

xtermCommented:
Good thinking... that should keep things clean.  Let me know how it goes and if you find the mystery process.

If it doesn't show up in a couple of hours, you may need to do a similar trick with /usr/sbin/sendmail.sendmail if that is being called directly (pretty rare though)
0
indsupportAuthor Commented:
This worked like a charm.  Thank you so much!
0
xtermCommented:
Glad to hear it!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Email Servers

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.