> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:owner-postfix-
> [EMAIL PROTECTED] On Behalf Of Noel Jones
> Sent: Friday, August 01, 2008 2:23 PM
> To: Tait Grove
> Cc: 'postfix users list'
> Subject: Re: Delayed Email Issues
>
> Tait Grove wrote:
> > My queue is horribly backed up with over 4,000 messages and I can not
> > figure out how to shrink the queue. I do not have a bunch of
> > MAILER-DAEMON notices, I do have strange domain names in the mailq list
> > and handful of temporary failure messages. The issue is getting worse by
> > the minute. I followed the article here:
> > http://www.postfix.org/LOCAL_RECIPIENT_README.html and I think that we
> > are good as far as those settings. Any insight would be great as email
> > is severely delayed. Here is some data on our postfix setup:
>
> OK. Pick a couple messages and see how they entered your
> system (examine the log) and where they are going. Examine
> the contents and see if they appear to be spam.
>
> Today's wild guess:
> Your webserver has been hacked and is being used to spam the
> world. Turn off the webserver software until you get the
> problem fixed.
>
> > *postconf -n:*
> > bounce_queue_lifetime = 8h
>
> That's pretty short. 3-5 days is typical.
>
> > inet_interfaces = 127.0.0.1, localhost, $myhostname
>
> "127.0.0.1, localhost" is redundant. Remove the "localhost" part.
>
> > invalid_hostname_reject_code = 450
>
> This should probably be set to 550 unless you have a good
> reason to use 450.
>
> > maps_rbl_reject_code = 450
>
> This should be 554 unless you have a good reason to change it.
>
> > maximal_queue_lifetime = 8h
>
> That's pretty short. Normal is 3-5 days.
>
> > non_fqdn_reject_code = 450
>
> This should be 504 unless you have a good reason to change it.
>
> > relay_domains = $mydestination
>
> This should probably be set empty. i.e.
> relay_domains =
>
> > smtpd_data_restrictions = reject_unauth_pipelining,
> > reject_multi_recipient_bounce, permit
>
> OK.
>
> > smtpd_recipient_restrictions = permit_mynetworks,
> > check_policy_service inet:127.0.0.1:10031,
> > permit_sasl_authenticated, permit_tls_clientcerts,
> > reject_unauth_destination, reject_invalid_helo_hostname,
> > reject_non_fqdn_sender, reject_unknown_recipient_domain,
>
> Note that reject_unknown_recipient_domain can only reject your
> own domain when it's after reject_unauth_destination. Best to
> just remove it.
>
> > reject_non_fqdn_recipient, warn_if_reject
> > reject_non_fqdn_helo_hostname, warn_if_reject
> > reject_unknown_helo_hostname, warn_if_reject
> > reject_unknown_client, reject_unverified_recipient,
> > reject_unknown_sender_domain, reject_unverified_sender,
>
> reject_unverified_sender shouldn't be used against every
> connection; many admins consider it abusive and will blacklist
> you for excessive probes.
> If you feel you must use it, use it for selected domains from
> an access map. Examples in the archives.
>
> > check_recipient_access hash:$config_directory/recipient.list,
> > reject_rbl_client cbl.abuseat.org, reject_rbl_client
> > list.dsbl.org, reject_rbl_client sbl.spamhaus.org,
>
> list.dsbl.org is (temporarily?) dead. Remove it.
> Most folks prefer zen.spamhaus.org rather than sbl.spamhaus.org.
>
> > reject_rbl_client bl.spamcop.net, reject_rbl_client
> > dnsbl.sorbs.net=127.0.0.2, reject_rbl_client
> > dnsbl.sorbs.net=127.0.0.3, reject_rbl_client
> > dnsbl.sorbs.net=127.0.0.4, reject_rbl_client
> > dnsbl.sorbs.net=127.0.0.5, reject_rbl_client
> > dnsbl.sorbs.net=127.0.0.7, reject_rbl_client
> > dnsbl.sorbs.net=127.0.0.9, reject_rbl_client
> > dnsbl.sorbs.net=127.0.0.11, reject_rbl_client
> > dnsbl.sorbs.net=127.0.0.12, permit
>
> OK.
>
> > smtpd_sender_restrictions = permit_mynetworks,
> > reject_non_fqdn_sender, reject_unknown_sender_domain, permit
>
> All these checks are duplicated in
> smtpd_recipient_restrictions. You can remove all these.
>
> > smtpd_tls_ask_ccert = yes
>
> Some client may choke if you ask for a certificate. Usually
> this parameter is best used only on the "submission" port or
> other non-public interface.
>
> > *Qshape:*
> >
> >                           T    5   10   20   40   80  160  320  640 1280 1280+
> >                  TOTAL 4573  273  341  146  669 1451 1653    9    5    7    19
> >              yahoo.com  164    7    5    7   34   50   61    0    0    0     0
> >              gmail.com  118   15    9    3   14   30   47    0    0    0     0
> >         agentimage.com   64    0    5    3    8   20   28    0    0    0     0
> >       onclearcreek.com   59    3    0    9    2   12   10    4    3    4    12
> >            alfonso.com   52    3    2    2    8   19   18    0    0    0     0
> >        jones-healy.com   52    1   14    1    6   15   15    0    0    0     0
> >                aol.com   51    1    2    2    5   23   18    0    0    0     0
> >            hotmail.com   51    3    3    1    7   21   16    0    0    0     0
> >            arbotco.com   46    6    4    2    5    2   27    0    0    0     0
> >             traikos.us   41    3   30    0    1    6    1    0    0    0     0
> >        thesaadteam.com   39    1    0    1   14   10   13    0    0    0     0
> >     nostalgichomes.com   39    4    8    1    8   10    8    0    0    0     0
> >       hiltonhyland.com   36    3    8    0    5   13    7    0    0    0     0
> >  tetonvalleyrealty.com   35    0    1    5    2   13   14    0    0    0     0
> > carolinaproperties.com   35    4    0    1    4   12   14    0    0    0     0
> >            comcast.net   34    2    7    2    2   11   10    0    0    0     0
> >      georgetraikos.com   33    3   30    0    0    0    0    0    0    0     0
>
> --
> Noel Jones
============================================================================

Wow Noel,

I am not sure how you know all of this but this is awesome information!
Thanks for all of the great advice. I am not sure about hacking, 95% of the
domains look pretty legitimate. And I should have that type of traffic. We
have over thirteen thousand email accounts sending email by the second. Our
clients receive even more. I have been watching the multi-RBLs and nothing
yet. I have also run every type of open relay program checker and I am
watching the traffic on the server and it looks normal too. Usually this
happens after my SAN reboots and then the backup happens for a few days.

Can you tell me if I am making the same types of mistakes in my master.cf
too?

MASTER.CF:

smtp            inet  n  -  n  -      -    smtpd
  -o content_filter=smtp-amavis:[127.0.0.1]:10024
pickup          fifo  n  -  n  60     1    pickup
cleanup         unix  n  -  n  -      0    cleanup
qmgr            fifo  n  -  n  300    1    qmgr
tlsmgr          unix  -  -  n  1000?  1    tlsmgr
rewrite         unix  -  -  n  -      -    trivial-rewrite
bounce          unix  -  -  n  -      0    bounce
defer           unix  -  -  n  -      0    bounce
trace           unix  -  -  n  -      0    bounce
verify          unix  -  -  n  -      1    verify
flush           unix  n  -  n  1000?  0    flush
proxymap        unix  -  -  n  -      -    proxymap
smtp            unix  -  -  n  -      500  smtp
relay           unix  -  -  n  -      275  smtp
  -o fallback_relay=
  -o smtp_helo_timeout=5
  -o smtp_connect_timeout=5
showq           unix  n  -  n  -      -    showq
error           unix  -  -  n  -      -    error
retry           unix  -  -  n  -      -    error
discard         unix  -  -  n  -      -    discard
local           unix  -  n  n  -      -    local
virtual         unix  -  n  n  -      -    virtual
lmtp            unix  -  -  n  -      -    lmtp
anvil           unix  -  -  n  -      1    anvil
scache          unix  -  -  n  -      1    scache
dovecot         unix  -  n  n  -      -    pipe
  flags=DRhu user=dovecot:dovecot argv=/usr/local/libexec/dovecot/deliver -d ${recipient}
vacation        unix  -  n  n  -      -    pipe
  flags=DRhu user=vacation argv=/var/spool/vacation/vacation.pl
8080            inet  n  -  n  -      -    smtpd
smtp-amavis     unix  -  -  n  -      30   smtp
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes
127.0.0.1:10025 inet  n  -  n  -      30   smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o mynetworks=127.0.0.0/8,10.0.0.0/8,38.119.86.0/25
  -o smtpd_recipient_restrictions=permit_mynetworks, $transport_maps,reject
  -o strict_rfc821_envelopes=yes
proxywrite      unix  -  -  n  -      -    proxymap

Thanks a billion,

Tait
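
Added example, not part of the original thread: one way to act on the suggestion above to pick messages and see how they entered the system is to group Postfix log lines by queue ID and tally the entry points; many "pickup" (local sendmail) submissions from a single uid point at a local script such as a web application rather than at SMTP clients. The log lines, hostnames, uids and queue IDs are constructed, and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in Postfix's usual format; hosts, uids and
# queue IDs are made up for this example and do not come from the thread.
SAMPLE_LOG = """\
Aug  1 14:01:02 mx postfix/smtpd[2101]: 4A1B2C3D4E: client=mail.example.net[192.0.2.10]
Aug  1 14:01:03 mx postfix/qmgr[900]: 4A1B2C3D4E: from=<alice@example.net>, size=2310, nrcpt=1 (queue active)
Aug  1 14:01:05 mx postfix/smtp[2110]: 4A1B2C3D4E: to=<bob@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=3, status=sent (250 ok)
Aug  1 14:02:10 mx postfix/pickup[2000]: 5F6A7B8C9D: uid=80 from=<www>
Aug  1 14:02:10 mx postfix/qmgr[900]: 5F6A7B8C9D: from=<www@mx.example.com>, size=901, nrcpt=1 (queue active)
Aug  1 14:02:40 mx postfix/smtp[2111]: 5F6A7B8C9D: to=<x1@example.org>, relay=none, delay=30, status=deferred (connect timed out)
Aug  1 14:02:11 mx postfix/pickup[2000]: 6E7F8A9B0C: uid=80 from=<www>
Aug  1 14:02:41 mx postfix/smtp[2112]: 6E7F8A9B0C: to=<x2@example.org>, relay=none, delay=30, status=deferred (connect timed out)
"""

# daemon name, queue ID, remainder of the log line
LINE = re.compile(r"postfix/([\w-]+)\[\d+\]: ([0-9A-F]{6,}): (.*)")

def trace(log_text):
    """Group log lines by queue ID; record entry point, sender and statuses."""
    msgs = defaultdict(lambda: {"entry": None, "sender": None, "status": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        msg = msgs[qid]
        if daemon == "smtpd" and rest.startswith("client="):
            # Arrived over SMTP; keep host[ip] of the connecting client.
            msg["entry"] = "smtp " + rest.split("=", 1)[1].split(",")[0]
        elif daemon == "pickup" and rest.startswith("uid="):
            # Submitted locally via the sendmail command by this system uid.
            msg["entry"] = "local uid=" + rest.split()[0][4:]
        elif daemon == "qmgr" and rest.startswith("from=<"):
            msg["sender"] = rest[6:rest.index(">")]
        status = re.search(r"status=(\w+)", rest)
        if status:
            msg["status"].append(status.group(1))
    return dict(msgs)

def entry_counts(msgs):
    """Count messages per entry point, busiest first."""
    return Counter(m["entry"] for m in msgs.values()).most_common()

if __name__ == "__main__":
    for entry, count in entry_counts(trace(SAMPLE_LOG)):
        print(count, entry)
```

With a content filter configured as in the master.cf above, filtered mail re-enters through the 127.0.0.1:10025 listener under a new queue ID, so the original entry point is on the earlier queue ID.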