Thanks for providing the details!  Unfortunately I still don't have a
good idea of what could be causing the broken/truncated mails you're
seeing.  I have a very similar setup and things are working fine here.


The way arpwatch creates and sends reports is roughly as follows:

* Create a temporary file in /tmp, immediately unlink it (but keep the
  file descriptor open).
* Write the report to that file descriptor.  The report has all the
  headers first, followed by two newlines and finally the body.
* Once finished writing the report, seek the file descriptor back to
  position 0, launch sendmail and pass the file descriptor to it as
  standard input.


Looking at the broken e-mails you attached, it appears that sendmail
doesn't receive the complete content of the report but it starts at
some offset (not always exactly the same).  I'm not yet sure how that
can happen.

Can you check that your filesystem in /tmp isn't (almost) full?  Also
make sure no other filesystem is (almost) full (I believe postfix
spools e-mails to somewhere in /var).


If that doesn't help, my best ideas are:

1. Launch arpwatch by hand using the `-d` flag but with otherwise the
   same parameters. That should print the reports to standard error so
   we can see if those are truncated as well.

2. Write a dummy sendmail replacement that just copies the reports
   somewhere, then direct arpwatch to use that instead. Then check if
   those reports are truncated as well.

I'm happy to help with (2) if we're still uncertain after all the other
steps.

Thanks & regards
Lukas
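
A possible stand-in for the dummy sendmail replacement suggested in (2), given here as an added example that is not part of the original message or of arpwatch. It saves whatever arrives on standard input and records the offset the descriptor had at launch, which shows whether the report file was rewound to position 0. The capture path is a hypothetical choice, and any command-line arguments are ignored.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical capture location (assumption); one file per report. */
#define CAPTURE_TEMPLATE "/var/tmp/arpwatch-report.XXXXXX"

struct capture { off_t start, size, copied; };

/* Copy everything readable from `in` to `out`. Records the offset `in`
 * had on entry, the size of the file behind it, and the bytes copied.
 * Returns 0 on success, -1 on an I/O error. */
int capture_report(int in, int out, struct capture *c)
{
    struct stat st;
    char buf[4096];
    ssize_t n;

    c->start = lseek(in, 0, SEEK_CUR);      /* -1 if `in` is a pipe */
    c->size = (fstat(in, &st) == 0) ? st.st_size : -1;
    c->copied = 0;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        if (write(out, buf, (size_t)n) != n)
            return -1;
        c->copied += n;
    }
    return n < 0 ? -1 : 0;
}

int main(void)
{
    char path[] = CAPTURE_TEMPLATE;
    struct capture c;
    int out = mkstemp(path);

    if (out < 0 || capture_report(STDIN_FILENO, out, &c) != 0) {
        perror("capture");
        return 1;
    }
    /* Trailer appended after the report. A start offset other than 0
     * means stdin was not at the beginning when this program started;
     * copied < size means part of the file was never delivered. */
    dprintf(out, "\n--- start offset %lld, file size %lld, copied %lld\n",
            (long long)c.start, (long long)c.size, (long long)c.copied);
    close(out);
    return 0;
}
```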
