Logwatch without an MTA like Postfix

Logwatch is a log analysis tool for Linux based servers with the general gist being you get emailed reports when suspicious activity occurs. It does this by parsing your log files and looking for patterns that you can configure.

By default Logwatch will install Postfix MTA which is a little more heavy duty than I want on a web server, I would rather use a service like Mailgun as a smarthost. This essentially means all outgoing email from your app will be routed through Mailgun, giving you the ability to easily view logs and data on opens, bounces etc. We will configure it in such a way that it will only send email for localhost, it will not deliver anything locally and certainly wont be able to be used as a relay from a third party. To do this we will install and configure Exim as a simple relay.

These steps have only been tested with Ubuntu 12.04.

Install Exim

aptitude install exim4-daemon-light mailutils

Configure Exim

dpkg-reconfigure exim4-config

You’ll be presented with a welcome screen, followed by a screen asking what type mail delivery you’d like to support. Choose the option for “mail sent by smarthost; no local mail” and select “Ok” to continue


Enter your system’s FQDN (fully qualified domain name) in the “mail name” configuration screen.


Enter “” when asked which IP address to listen on for SMTP connections. The ::1 is for ipv6 so you may not need it.


List your FQDN, hostname, and localhost entries when you’re asked which destinations mail should be accepted for.


Since we are hiding the local mail name we must specify the domain name for local users.


Specify the smart host we are sending through.


As the server is not on a dial-up account we select No to keeping DNS queries minimal.


Don’t split configuration files.


We will authenticate to Mailgun SMTP servers so we need to add those details to “passwd.client”. Instead of the asterisk we could add the hostname of the SMTP server.

sudo nano /etc/exim4/passwd.client

Add a line like this.


Generate the certificate for Exim to use by running this and answering the prompts. This is so we can configure the server for TLS.

sudo /usr/share/doc/exim4-base/examples/exim-gencert

Add the following file so we can enable TLS.

sudo touch /etc/exim4/exim4.conf.localmacros
sudo nano /etc/exim4/exim4.conf.localmacros

Add this line to the “localmacros” file. Restart Exim.

sudo /etc/init.d/exim4 restart

Test your configuration

echo "This is a test." | mail -s Testing someone@example.com sudo cat /var/log/exim4/mainlog

Install Logwatch

To see what packages Logwatch depends on we can run the following.

aptitude show logwatch

Notice how in the “Depends” line it says “Depends: perl, postfix | mail-transport-agent”.

Well because Exim ‘implements’ mail-transport-agent it wont install postfix as a dependency.

Install Logwatch and edit its config.

sudo aptitude install logwatch
sudo nano /usr/share/logwatch/default.conf/logwatch.conf

Update the config with these values.

Output = mail
Format = html
Mailto = someone@example.com
MailFrom = server@example.com
Range = Yesterday
Detail = 4 or Med (get long kernel messages)

By default the logwatch process will run as part of cron.daily which in Ubuntu 12.04 is 06:26AM.