Thanks for providing the details! Unfortunately I still don't have a
good idea of what could be causing the broken/truncated mails you're
seeing. I have a very similar setup and things are working fine here.

The way arpwatch creates and sends reports is roughly as follows:
* Create a temporary file in /tmp, immediately unlink it (but keep the
file descriptor open).
* Write the report to that file descriptor. The report has all the
headers first, followed by two newlines and finally the body.
* Once finished writing the report, seek the file descriptor back to
position 0, launch sendmail and pass the file descriptor to it as
standard input.

Looking at the broken e-mails you attached, it appears that sendmail
doesn't receive the complete content of the report but it starts at
some offset (not always exactly the same). I'm not yet sure how that
can happen.

Can you check that your filesystem in /tmp isn't (almost) full? Also
make sure no other filesystem is (almost) full (I believe postfix
spools e-mails to somewhere in /var).

If that doesn't help, my best ideas are:
1. Launch arpwatch by hand using the `-d` flag but with otherwise the same
parameters. That should print the reports to standard error so we
can see if those are truncated as well.
2. Write a dummy sendmail replacement that just copies the reports
somewhere, then direct arpwatch to use that instead. Then check if
those reports are truncated as well.

I'm happy to help with (2) if we're still uncertain after all the other
steps.

Thanks & regards
Lukas
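
Added example (not arpwatch's code and not part of the original message): a minimal C reproduction of the hand-off described in the list above, with a forked child standing in for sendmail. The `deliver` function, the sample report and the temp-file template are assumptions; it shows that the reader receives the file only from the descriptor's current offset onward.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed sample report: headers, blank line, body. */
static const char REPORT[] =
    "From: arpwatch\nTo: root\nSubject: new station\n\n"
    "hostname: <unknown>\nip address: 192.0.2.10\n";

/* Hypothetical helper: writes REPORT to an unlinked temp file, positions
 * the descriptor at `start`, and hands it to a child as stdin. Returns the
 * number of bytes the child (stand-in for sendmail) read, or -1 on error. */
long deliver(off_t start)
{
    char path[] = "/tmp/report.XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                       /* name gone, descriptor still valid */
    size_t len = strlen(REPORT);
    if (write(fd, REPORT, len) != (ssize_t)len) { close(fd); return -1; }
    if (lseek(fd, start, SEEK_SET) < 0) { close(fd); return -1; }
    int p[2];
    if (pipe(p) < 0) { close(fd); return -1; }
    pid_t pid = fork();
    if (pid < 0) { close(fd); close(p[0]); close(p[1]); return -1; }
    if (pid == 0) {                     /* child: inherits fd and its offset */
        char buf[256]; ssize_t n;
        close(p[0]);
        dup2(fd, STDIN_FILENO);
        while ((n = read(STDIN_FILENO, buf, sizeof buf)) > 0)
            if (write(p[1], buf, (size_t)n) != n) _exit(1);
        _exit(0);
    }
    close(p[1]); close(fd);
    char buf[256]; ssize_t n; long total = 0;
    while ((n = read(p[0], buf, sizeof buf)) > 0) total += n;
    close(p[0]);
    waitpid(pid, NULL, 0);
    return total;                       /* bytes the child actually saw */
}

int main(void)
{
    printf("rewound: %ld bytes, offset 20: %ld bytes, report: %zu bytes\n",
           deliver(0), deliver(20), strlen(REPORT));
    return 0;
}
```

Comparing the byte count the child reports against the size of the written report gives a quick check for whether a delivery started at position 0 or somewhere later in the file.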