Huge mail queue
- Hi All,

Greetings!

Our mail server configured Postfix version 2.4.5 with mailmarshal as content filter, recently mail server not responding because of huge mail queue, content filter cpu usage is 100%, my investigation found more than 18k mails are in queue, sender email address is mail@...

I have manually deleted mails in content filter queue and deferred mails in mail server, now mail server functioning normally.

I wanted to investigate whether our mail server compromised or content filter (windows machine) infected.

Please suggest methods to investigate so that will take precautions in future the same will not repeat.

I would like to know how to load balancing mail server, due to above issue mail server was down for 24 hours, we have secondary mx which queues mails when primary mx is down. Is there any method where users can send or receive mails from secondary mx when primary is down?

Thanks for suggestions.

Regards,
Ramesh
- On Tue, May 28, 2013 at 02:30:29PM +0800, Ramesh wrote:
> Our mail server configured Postfix version 2.4.5 with mailmarshal

2.4.5 is very old. Is the rest of the system this old? Have you kept
up with all your OS distributor's security updates? Likewise, have
you kept up-to-date on any software you might have installed outside
the OS's packaging system?
> as content filter, recently mail server not responding because of
> huge mail queue, content filter cpu usage is 100%, my investigation
> found more than 18k mails are in queue, sender email address is
> I have manually deleted mails in content filter queue and deferred
> mails in mail server, now mail server functioning normally.

Did you save a spample (sample of the spams)?
> I wanted to investigate whether our mail server compromised or
> content filter (windows machine) infected.

Generally I would not suspect Postfix of compromise, but there are
numerous attack vectors which are being probed every day on every
Internet-connected machine. Does the Postfix machine also run a web
server? A name server? An [in]secure shell server?

There have been numerous known exploits of those services over the
years since Postfix 2.4.5 (2007-07-31, nearly six years ago.)
> Please suggest methods to investigate so that will take precautions
> in future the same will not repeat.

Specific suggestions would depend on knowing what happened. You would
need to share logs which show the *origin* of at least one of the
spams. An exploit on the Postfix machine itself would show logs from
"postfix/pickup" from the compromised account.

Of course, privilege escalation is a possibility as well, and you
must rule that out. If you do not, logs (and everything!) are of

Given the age of the Postfix, and the fact that 2.4.5 itself was 11
patchlevels behind the final update of Postfix 2.4 in 2011, I think
the best advice is to reinstall a recent release of your OS of
> I would like to know how to load balancing mail server, due to
> above issue mail server was down for 24 hours, we have secondary mx
> which queues mails when primary mx is down, Is there any method
> where users can send or receive mails from secondary mx when
> primary is down.

That is not trivial, and is a matter outside the purview of Postfix.
What you'd need is load balancing on your mail store, not your MTA.
When Postfix delivers a message, it is done with it. Postfix offers
the administrator the postsuper(1) and postcat(1) tools for dealing
with the queue and viewing queued mail, but these tools are not
suitable for end users (and I would absolutely not recommend trying
to work around that with a web frontend!)

Generally the best answer for people asking this is to improve the
security and reliability of the primary MX host, and do away with
your secondary MX spam magnet.
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
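The reply above says the key question is where the spam *entered* Postfix: a "postfix/pickup" line means local submission under some Unix account (a compromised account or web script), while a "postfix/smtpd" line names the network client and, if present, the SASL login used. The script below is an added example, not part of the thread or of Postfix itself; it classifies each queue ID by its first injection record and counts which origins produced the most messages. The log lines are constructed for illustration (queue IDs, hosts, addresses and uids are made up), and the threshold value is an assumption to tune per site.

```python
import re
from collections import Counter

# Constructed sample maillog excerpt (not from the thread). Queue IDs, host
# names, IP addresses and user names are invented for illustration.
SAMPLE_LOG = """\
May 28 02:30:01 mx postfix/pickup[1201]: 3A1B2C3D4E: uid=1001 from=<www-data>
May 28 02:30:01 mx postfix/cleanup[1202]: 3A1B2C3D4E: message-id=<a1@mx.example.test>
May 28 02:30:02 mx postfix/pickup[1201]: 3A1B2C3D4F: uid=1001 from=<www-data>
May 28 02:30:02 mx postfix/pickup[1201]: 3A1B2C3D50: uid=1001 from=<www-data>
May 28 02:30:05 mx postfix/smtpd[1310]: 4B2C3D4E5F: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.test
May 28 02:30:06 mx postfix/smtpd[1310]: 4B2C3D4E60: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.test
May 28 02:30:07 mx postfix/smtpd[1311]: 5C3D4E5F60: client=mail.partner.example[198.51.100.9]
May 28 02:30:09 mx postfix/pickup[1201]: 3A1B2C3D51: uid=0 from=<root>
"""

# Local submission via sendmail(1)/postdrop: the uid tells you which account.
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>"
)
# Network submission: client host[ip], optionally followed by SASL details.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=(?P<client>[^,\s]+)"
    r"(?:,.*sasl_username=(?P<sasl>\S+))?"
)


def classify_origins(log_text):
    """Return {queue_id: (kind, who)} for every message injection seen.

    kind is "local" (pickup), "sasl" (authenticated smtpd) or "network"
    (unauthenticated smtpd). Only the first record per queue ID is kept, so a
    message re-injected by a content filter is not counted twice.
    """
    origins = {}
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            origins.setdefault(m["qid"], ("local", f"uid={m['uid']} from=<{m['from']}>"))
            continue
        m = SMTPD_RE.search(line)
        if m:
            if m["sasl"]:
                origins.setdefault(m["qid"], ("sasl", f"{m['sasl']} via {m['client']}"))
            else:
                origins.setdefault(m["qid"], ("network", m["client"]))
    return origins


def top_origins(log_text, threshold=2):
    """List (kind, who, count) for origins that injected >= threshold messages,
    most prolific first. threshold is a per-site assumption; 18k messages from
    one account would stand out with any sane value."""
    counts = Counter(classify_origins(log_text).values())
    return [(kind, who, n) for (kind, who), n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for kind, who, n in top_origins(SAMPLE_LOG):
        print(f"{n:6d}  {kind:8s} {who}")
```

Run it against the real file (`python3 origins.py < /var/log/maillog` after swapping `SAMPLE_LOG` for `sys.stdin.read()`). A large count under `local` with a single uid is the pattern the reply describes for a compromised account or a writable web script; a large `sasl` count points at a stolen mailbox password instead. One caveat for a setup like the one in the thread: mail coming back from an external content filter re-enters through a second smtpd (typically `client=localhost[127.0.0.1]`) under a new queue ID, so treat localhost entries as re-injections and trace the original queue ID, not the origin.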