Suspicious mail activity identified by Proxmox Mail Gateway’s tracking center.

In looking at the Proxmox Mail Gateway’s (PMG) Tracking Center I became alarmed that it appeared that emails were being exchanged between users (I thought the issue was from my Roundcube webmail, as each email addressee matched an entry in the contacts part of Roundcube). Those emails were not sent by me, nor were any received by me. I began looking for the cause and shut down webmail. I cloned the containers. I brought non-webmail back up and began more investigation. I also noted that the dates in PMG tracking were one day off.

I looked at the /var/log/maillog on both the mail gateway and my mail server. I could not find any lines matching those sent and received emails. I looked at /var/log/authlog too with no success.

I then looked up where PMG gets its tracking data (/var/log/syslog) and found each of the lines relating to what I was seeing in the Tracking Center by searching for the exact time (and only the time). I then continued the search and found more lines with that exact time, only they were for months like September. That seemed strange, as this is August, not September. I kept searching and found more in more months. This is not shocking. It was just a match on the time the line in the log file was created.

I then looked at the size of the syslog file. It was huge. It is supposed to only hold the past 7 days of data. What bothers me is that none of the lines in /var/log/syslog hold the year of the date. For example, it says “Aug 04 09:02:50” and lacks the year part of the date.

What this means is that the tracking center was reading the /var/log/syslog file from top to bottom every query and it was showing records from last year or before.

Mystery solved. Now I have to figure out why PMG isn’t log-rotating /var/log/syslog.
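As an added example (not part of the original post and not PMG's own code), the following script does what a year-blind reader of /var/log/syslog cannot: it assigns a year to each year-less timestamp by walking backwards from the newest line and stepping the year back whenever an earlier line would otherwise be later than the line after it, then flags entries older than the 7-day retention window, which is a quick check that rotation is actually happening. The sample log lines and the reference time are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Traditional syslog timestamp with no year, e.g. "Aug 04 09:02:50".
_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

def _stamp(year, mon, day, hh, mm, ss):
    """Build a datetime, stepping the year back if the date does not exist in it (Feb 29)."""
    for y in range(year, year - 8, -1):
        try:
            return datetime(y, mon, day, hh, mm, ss)
        except ValueError:
            continue
    raise ValueError(f"no valid year found for {mon:02d}-{day:02d}")

def assign_years(lines, now):
    """Return [(datetime, line)] in file order (oldest first) with inferred years.
    The newest line is assumed not to lie in the future; walking backwards, any
    line that would be later than the line after it belongs to an earlier year."""
    parsed = []
    for line in lines:
        m = _TS.match(line)
        if m:                                  # lines without a timestamp are skipped
            day, hh, mm, ss = map(int, m.groups()[1:])
            parsed.append((_MONTHS[m.group(1)], day, hh, mm, ss, line))
    out, upper, year = [], now, now.year
    for mon, day, hh, mm, ss, line in reversed(parsed):
        dt = _stamp(year, mon, day, hh, mm, ss)
        while dt > upper:                      # month/day wrapped: step back a year
            year -= 1
            dt = _stamp(year, mon, day, hh, mm, ss)
        out.append((dt, line))
        upper = dt
    out.reverse()
    return out

def stale_entries(lines, now, retention_days=7):
    """Entries older than the retention window: evidence that the file is not being rotated."""
    cutoff = now - timedelta(days=retention_days)
    return [(dt, line) for dt, line in assign_years(lines, now) if dt < cutoff]

# Constructed sample of a never-rotated syslog; hostnames/addresses are placeholders.
SAMPLE_NOW = datetime(2023, 8, 5, 12, 0, 0)
SAMPLE_LINES = [
    "Aug 04 09:02:50 pmg postfix/smtpd[2201]: connect from mail.example.test[192.0.2.10]",
    "Sep 12 09:02:50 pmg postfix/qmgr[911]: 1F2C3A: from=<alice@example.test>, size=1842",
    "Jan 20 09:02:50 pmg postfix/smtpd[3310]: connect from mail.example.test[192.0.2.10]",
    "Aug 04 09:02:50 pmg postfix/smtpd[4410]: connect from mail.example.test[192.0.2.10]",
    "Aug 05 08:30:00 pmg postfix/smtpd[4412]: disconnect from mail.example.test[192.0.2.10]",
]
```

Run against a real file with `stale_entries(open("/var/log/syslog").read().splitlines(), datetime.now())`; a non-empty result on a file that is supposed to hold 7 days means rotation has not run.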