
Managing Your Postfix Outbound Queue

How many of you closely examine mail logs daily? “Nope, not me” I hear you say! Well, perhaps you should glance at your messages & maillog occasionally because you might find something unexpected, as I did. Do the right thing and start managing your postfix outbound queue.

I take a serious look at logs once a month, maybe twice a month if I’m truly bored. Let’s face facts, the contents are as boring as bat shit and can’t get you hooked into the story line at all no matter how hard we try. Same old crap day-in & day-out.

But then a scary entry appears

When I say ‘scary’ I’m referring to scary for me. Perhaps you have a better understanding of the gibberish Postfix writes in logs than I do. I understand ‘success’ & ‘fail’ but everything in the middle is a mystery for my tiny, non-multitasking brain.

The following log entry appeared over & over again and had been appearing for many days.

Apr 25 06:40:28 moist postfix/smtp[3821]: \
0A961606B9E2: to=someones-email-address, relay=extmail.optusnet.com.au[211.29.133.14]:25,\
delay=336859, delays=336858/0.07/0.63/0.14, dsn=4.2.2,\
status=deferred (host extmail.optusnet.com.au[211.29.133.14]\
said: 452 4.2.2 someones-email-address: Recipient address \
rejected: Mailbox full (in reply to RCPT TO command)) 

My eye was immediately drawn to the word ‘relay’ and it raised alarm bells and sent me into panic-mode. I’ve worked hard ensuring I was not an open relay. I had implemented as many security features as I could muster. If I could have installed fingerprint, rectal scans & DNA tests I would have done it.

My reasonably happy & secure life came tumbling down because I saw the word ‘relay’. Remember the old days when every SMTP server was an open relay? Those days are gone thanks to scumbags, fraudsters & morons abusing what was an efficient and trusting method of communication.

What I eventually discovered was I was not an open relay. Days earlier an email had arrived for a non-existent user and Postfix did exactly what it should. It sent a reply to the sender informing them their precious communication could not be delivered. I could see from the log entries the guy’s mailbox was full so I can only assume he or she has some malicious activity going on.

Postfix commands which helped me

First I needed to know what the outgoing message said. At this point I had not realised the message was legitimate and figured I had some malicious code running somewhere. But I needed to check the outbound mail queue just in case there were others waiting for delivery.

$ sudo mailq

or

$ sudo mailq > mailqueue.txt

The following output, or similar, will appear. Obviously if you have more items in the queue you will see more output.

-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
0A961606B9E2 3653 Tue Apr 21 09:06:09 MAILER-DAEMON (host extmail.optusnet.com.au[211.29.133.14] said: 452 4.2.2 someones-email-address: Recipient address rejected: Mailbox full (in reply to RCPT TO command))

Note the first item (0A961606B9E2) is the queue ID (what I call the message-id below) which we will use next. The output shows one entry for each item in your queue, hence, if you have hundreds you should use mailq > mailqueue.txt for easier viewing.

Display contents of message

Because you like snooping you will probably want to read some of the messages. Use the following command:

$ sudo postcat -vq message-id

or

$ sudo postcat -vq message-id > msg-message-id.txt

The entire message, including headers, will be displayed for you to examine and determine its legitimacy. It was at this point I realised the message was nothing more than Postfix doing its job.

Despite the fact all was well and I wasn’t an open relay I wanted to delete the message. There was no point sending it to the guy because I’d imagine he has bigger problems right now.

The following commands delete either all queued mail or only the deferred mail. Choose whichever method suits your needs:

Delete all queued mail
$ sudo postsuper -d ALL

Remove deferred only
$ sudo postsuper -d ALL deferred

Deleting individual messages doesn’t seem to be something the folks at Postfix thought about. If it is, I haven’t figured it out yet.
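As an added example (not from the original post): a small POSIX shell helper that picks queue IDs out of mailq output by their deferral reason and hands only those to postsuper, which does accept individual queue IDs and, given `-`, a list of them on standard input. The sample mailq output is constructed (the first entry is the post's own, the other two are made up), and the DRY_RUN switch is my own assumption.

```shell
# Added example: select queue IDs from `mailq` output by deferral reason and
# feed only those to postsuper. Not part of the original post.

# Constructed sample of mailq output in its usual multi-line layout (the post's
# one-line rendering is handled too). First entry is the one from the post;
# the other two are made up. "!" after an ID marks a message on hold.
SAMPLE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
0A961606B9E2     3653 Tue Apr 21 09:06:09  MAILER-DAEMON
(host extmail.optusnet.com.au[211.29.133.14] said: 452 4.2.2 someones-email-address: Recipient address rejected: Mailbox full (in reply to RCPT TO command))
                                         someones-email-address

B2C4D6E8F0A1!    2048 Wed Apr 22 11:15:02  sender@example.com
(host mx.example.net[192.0.2.10] said: 452 4.2.2 other@example.net: Mailbox full (in reply to RCPT TO command))
                                         other@example.net

C3D5E7F9A1B2     1200 Wed Apr 22 12:00:00  sender@example.com
(connect to mx.example.org[192.0.2.20]:25: Connection timed out)
                                         third@example.org

-- 7 Kbytes in 3 Requests.'

# Print the queue ID of every deferred entry whose reason matches the awk
# regex in $1. Active ("*") and held ("!") entries are skipped on purpose.
deferred_ids_matching() {
  awk -v pat="$1" '
    $1 ~ /^[0-9A-Za-z]+[*!]?$/ {       # a queue-ID line starts a new entry
      id = $1
      skip = (id ~ /[*!]$/)
      sub(/[*!]$/, "", id)
    }
    id != "" && !skip && $0 ~ pat { print id; id = "" }
  '
}

# Delete matching entries. postsuper reads queue IDs from stdin when given
# "-". DRY_RUN=1 (the default) only lists them; run with DRY_RUN=0 to act.
purge_deferred_matching() {
  ids=$(mailq | deferred_ids_matching "$1")
  [ -n "$ids" ] || { echo "nothing in the queue matches: $1"; return 0; }
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf 'would delete:\n%s\n' "$ids"
  else
    printf '%s\n' "$ids" | sudo postsuper -d -
  fi
}

# Offline demonstration on the sample: prints 0A961606B9E2 only.
printf '%s\n' "$SAMPLE" | deferred_ids_matching 'Mailbox full'
```

Run `DRY_RUN=0 purge_deferred_matching 'Mailbox full'` on the live server once the dry-run listing shows only the entries you expect.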

If you want to test your mail server check out MX Toolbox, which offers extensive free tests for websites, name servers and mail servers.

The moral to this story is “DON’T PANIC”, think McFly, think!