Huge mail queue

  • Ramesh
    Message 1 of 2 , May 27, 2013


      Hi All,

      Greetings!

      Our mail server is configured with Postfix version 2.4.5 with MailMarshal as content filter. Recently the mail server was not responding because of a huge mail queue; content filter CPU usage was 100%, and my investigation found more than 18k mails in the queue. The sender email address is mail@...

      I have manually deleted the mails in the content filter queue and the deferred mails on the mail server; now the mail server is functioning normally.

      I wanted to investigate whether our mail server was compromised or the content filter (Windows machine) is infected.
      Please suggest methods to investigate so that we can take precautions so the same will not repeat in future.

      I would like to know how to load balance the mail server; due to the above issue the mail server was down for 24 hours. We have a secondary MX which queues mails when the primary MX is down. Is there any method where users can send or receive mails from the secondary MX when the primary is down?

      Thanks for suggestions.

      Regards,
      Ramesh
    • /dev/rob0
      Message 2 of 2 , May 28, 2013
        On Tue, May 28, 2013 at 02:30:29PM +0800, Ramesh wrote:
        > Our mail server configured Postfix version 2.4.5 with mailmarshal

        2.4.5 is very old. Is the rest of the system this old? Have you kept
        up with all your OS distributor's security updates? Likewise, have
        you kept up-to-date on any software you might have installed outside
        the OS's packaging system?

        > as content filter, recently mail server not responding because of
        > huge mail queue, content filter cpu usage is 100%, my investigation
        > found more than 18k mails are in queue, sender email address is
        > mail@...
        >
        > I have manually deleted mails in content filter queue and deferred
        > mails in mail server, now mail server functioning normally.

        Did you save a spample (sample of the spams)?

        > I wanted to investigate whether our mail server compromised  or
        > content filter (windows machine) infected.

        Generally I would not suspect Postfix of compromise, but there are
        numerous attack vectors which are being probed every day on every
        Internet-connected machine. Does the Postfix machine also run a web
        server? A name server? An [in]secure shell server?

        There have been numerous known exploits of those services over the
        years since Postfix 2.4.5 (2007-07-31, nearly six years ago.)

        > Please suggest methods to investigate so that will take precautions
        > in future the same will not repeat.

        Specific suggestions would depend on knowing what happened. You would
        need to share logs which show the *origin* of at least one of the
        spams. An exploit on the Postfix machine itself would show logs from
        "postfix/pickup" from the compromised account.

        Of course, privilege escalation is a possibility as well, and you
        must rule that out. If you do not, logs (and everything!) are of
        dubious value.

        Given the age of the Postfix, and the fact that 2.4.5 itself was 11
        patchlevels behind the final update of Postfix 2.4 in 2011, I think
        the best advice is to reinstall a recent release of your OS of
        choice.

        > I would like to know how to load balancing  mail server, due to
        > above issue mail server was down for 24 hours, we have secondary mx
        > which queues mails when primary mx is down, Is there any method
        > where users can send or receive mails from secondary mx when
        > primary is down.

        That is not trivial, and is a matter outside the purview of Postfix.
        What you'd need is load balancing on your mail store, not your MTA.
        When Postfix delivers a message, it is done with it. Postfix offers
        the administrator the postsuper(1) and postcat(1) tools for dealing
        with the queue and viewing queued mail, but these tools are not
        suitable for end users (and I would absolutely not recommend trying
        to work around that with a web frontend!)

        Generally the best answer for people asking this is to improve the
        security and reliability of the primary MX host, and do away with
        your secondary MX spam magnet.
        --
        http://rob0.nodns4.us/ -- system administration and consulting
        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
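As an added example that is not part of the thread: a small Python triage script over constructed Postfix log lines (the example.com addresses, hostnames and documentation-range IPs are assumptions) that records, for each queue ID, whether the message entered via postfix/pickup (local submission, with the Unix uid) or postfix/smtpd (network client, with any SASL username), then counts messages and recipients per sender so the busiest submission path, the origin evidence the reply asks for, stands out.

```python
import re
from collections import Counter

# Constructed sample Postfix log lines (not from the thread); example.com
# addresses, hostnames and documentation-range IPs are assumptions.
SAMPLE_LOG = """\
May 27 10:01:02 mx postfix/pickup[1234]: 3A1B2C3D4E: uid=1001 from=<mail@example.com>
May 27 10:01:02 mx postfix/qmgr[999]: 3A1B2C3D4E: from=<mail@example.com>, size=1240, nrcpt=1 (queue active)
May 27 10:01:05 mx postfix/pickup[1234]: 5C6D7E8F90: uid=1001 from=<mail@example.com>
May 27 10:01:05 mx postfix/qmgr[999]: 5C6D7E8F90: from=<mail@example.com>, size=1251, nrcpt=1 (queue active)
May 27 10:02:11 mx postfix/smtpd[2345]: 9A8B7C6D5E: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=mail@example.com
May 27 10:02:11 mx postfix/qmgr[999]: 9A8B7C6D5E: from=<mail@example.com>, size=980, nrcpt=50 (queue active)
May 27 10:03:40 mx postfix/smtpd[2346]: 1F2E3D4C5B: client=mail.partner.example[198.51.100.7]
May 27 10:03:40 mx postfix/qmgr[999]: 1F2E3D4C5B: from=<alice@partner.example>, size=2200, nrcpt=1 (queue active)
"""

# pickup = local submission tagged with the Unix uid; smtpd = network client,
# possibly SASL-authenticated; qmgr = envelope sender and recipient count.
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<([^>]*)>")
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=([^,\s]+)(?:.*?sasl_username=(\S+))?")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")

def parse_origins(log_text):
    """Map each queue ID to its entry point, submitter, sender and recipient count."""
    origins = {}
    for line in log_text.splitlines():
        if m := PICKUP_RE.search(line):
            origins[m[1]] = {"origin": "pickup", "who": "uid=" + m[2], "from": m[3], "nrcpt": 0}
        elif m := SMTPD_RE.search(line):
            who = m[2] + (" sasl=" + m[3] if m[3] else "")
            origins[m[1]] = {"origin": "smtpd", "who": who, "from": "", "nrcpt": 0}
        elif (m := QMGR_RE.search(line)) and m[1] in origins:
            origins[m[1]]["from"] = m[2]
            origins[m[1]]["nrcpt"] = int(m[3])
    return origins

def summarize(origins):
    """Count messages and total recipients per (origin, submitter, sender)."""
    msgs, rcpts = Counter(), Counter()
    for rec in origins.values():
        key = (rec["origin"], rec["who"], rec["from"])
        msgs[key] += 1
        rcpts[key] += rec["nrcpt"]
    return msgs, rcpts

if __name__ == "__main__":
    msgs, rcpts = summarize(parse_origins(SAMPLE_LOG))
    for key, n in msgs.most_common():  # busiest submission path first
        print(f"{n:4d} msgs {rcpts[key]:5d} rcpts  {key[0]:6s} {key[1]} from=<{key[2]}>")
```

A pickup entry with a fixed uid points at a local account or web application on the Postfix host, while an smtpd entry with a SASL username points at stolen mailbox credentials; each calls for a different cleanup.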