diff --git a/conf.c b/conf.c
index 3e3c7d3..faf52a9 100644
--- a/conf.c
+++ b/conf.c
@@ -35,6 +35,7 @@
 
 #include <err.h>
 #include <errno.h>
+#include <fcntl.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -230,6 +231,12 @@ parse_conf(const char *config_path)
 			config.features |= FULLBOUNCE;
 		else if (strcmp(word, "NULLCLIENT") == 0 && data == NULL)
 			config.features |= NULLCLIENT;
+		else if (strcmp(word, "DEBUGLOG") == 0 && data != NULL) {
+			config.debugfd = open(data, O_APPEND|O_WRONLY);
+			if (config.debugfd == -1)
+				errlog(EX_CONFIG, "could not open debug log file");
+			syslog(LOG_NOTICE, "debug logging to `%s'", data);
+		}
 		else {
 			errlogx(EX_CONFIG, "syntax error in %s:%d", config_path, lineno);
 			/* NOTREACHED */
diff --git a/dma.c b/dma.c
index 4006bce..0ceeacc 100644
--- a/dma.c
+++ b/dma.c
@@ -85,6 +85,7 @@ struct config config = {
 	.mailname	= NULL,
 	.masquerade_host = NULL,
 	.masquerade_user = NULL,
+	.debugfd        = -1,
 };
 
 
diff --git a/dma.h b/dma.h
index ed0d0fc..764c972 100644
--- a/dma.h
+++ b/dma.h
@@ -141,6 +141,7 @@ struct config {
 
 	/* XXX does not belong into config */
 	SSL *ssl;
+	int debugfd;
 };
 
 
diff --git a/net.c b/net.c
index b388ce0..a3e6f32 100644
--- a/net.c
+++ b/net.c
@@ -41,6 +41,7 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <sys/uio.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
 
@@ -74,6 +75,29 @@ ssl_errstr(void)
 	return (ERR_error_string(oerr, NULL));
 }
 
+static void
+debug_log(const char *dir, const char *data, size_t len)
+{
+	if (config.debugfd == -1)
+		return;
+
+	char tag[20];
+	snprintf(tag, sizeof(tag), "%d\t %s: ", getpid(), dir);
+
+	struct iovec iov[2] = {
+		{ tag, strlen(tag) },
+		{ (void *)data, len },
+	};
+
+	ssize_t res = writev(config.debugfd, iov, sizeof(iov)/sizeof(*iov));
+
+	if (res < 0) {
+		syslog(LOG_ERR, "could not write to debug log: %m");
+		close(config.debugfd);
+		config.debugfd = -1;
+	}
+}
+
 ssize_t
 send_remote_command(int fd, const char* fmt, ...)
 {
@@ -95,6 +119,8 @@ send_remote_command(int fd, const char* fmt, ...)
 	strcat(cmd, "\r\n");
 	len = strlen(cmd);
 
+	debug_log("C", cmd, len);
+
 	if (((config.features & SECURETRANS) != 0) &&
 	    ((config.features & NOSSL) == 0)) {
 		while ((s = SSL_write(config.ssl, (const char*)cmd, len)) <= 0) {
@@ -160,6 +186,9 @@ read_remote(int fd, int extbufsize, char *extbuf)
 					goto error;
 				}
 			}
+
+			debug_log("S", buff + len, rlen);
+
 			len += rlen;
 
 			copysize = sizeof(neterr) - strlen(neterr) - 1;