We had an issue where one of our email accounts got hacked (this can happen from time to time).\u00a0 The password was relatively secure but it got hacked anyway.\u00a0 As it was an unmonitored email we were unaware that it was being used to send spam far and wide on a routine basis.<\/p>\n
Eventually our sender reputation with the larger providers ended up in the gutter and as a result we got blocked by google and every message to hotmail ended up in the user’s spam folder.<\/p>\n
Once we identified the offending account (which was done through the logs)<\/p>\n
tail -f \/var\/log\/mail.log<\/pre>\nwe simply deleted the email account, but that was not the end of it.<\/p>\n
Postfix maintains a queue of deferred emails that it will keep trying to send over and over again in perpetuity until it is flushed.\u00a0 Even if you have resolved the issue by deleting the account any of these deferred emails that are stuck in the loop will remain there and keep trying to send, giving the appearance that the issue has not been resolved (this took a while to find)<\/p>\n
Postfix has a couple of utilities to resolve the problem called postqueue<\/strong> and postsuper<\/strong>.\u00a0 First use postqueue to list the emails that are stuck in the queue.<\/p>\n
sudo postqueue -p<\/pre>\nand then postsuper to delete them.\u00a0 Our server only looks after a limited number of accounts so we just purged the queue completely however in larger organisations it may be necessary to be\u00a0 a little more careful.\u00a0 I would recommend reading the man pages for both postqueue and postsuper in such circumstances.\u00a0 If you just want to go ahead and purge the queue then it is simply a matter of:<\/p>\n
sudo postsuper -d ALL<\/pre>\nThat should clear the queue and leave you with a clean server however you will still need to regain your sender reputation, and this takes time.<\/p>\n
<\/p>\n
Monitoring<\/h3>\n
A useful utility to monitor your server statistics is pflogsumm.\u00a0 It does this by parsing the log file and is available in the Debian repository:<\/p>\n
apt install pflogsumm<\/pre>\nUsing it is not entirely intuitive as you need to tell it where the log file is so the command involves some piping:<\/p>\n
sudo cat \/var\/log\/mail.log | sudo pflogsumm | less<\/pre>\nwill get you the results you want.<\/p>\n
NOTE:<\/strong>\u00a0 If you want to reset the statistics then simply clear the log file (you will need to do this as root or a super user – sudo will not work<\/strong>),<\/p>\n
echo > \/var\/log\/mail.log<\/pre>\nWhen our server was hacked it delivered 22,000 emails before the log had recycled when ordinarily our organisation only sends out around 50 a day at the most so it is a useful monitor.<\/p>\n
<\/p>\n
Once Bitten<\/h3>\n
So as with most things monitoring is key, but often forgot so we decided it would be wise to create a cron job to mail us our email statistics for the previous day.<\/p>\n
Here is the command to send the email using mutt<\/p>\n
cat \/var\/log\/mail.log | pflogsumm -d yesterday | mutt -s \"Mail Statistics\" myemail@mydomain.com<\/pre>\nSo now we can email the statistics all we need to do is set up a job to do this automatically.\u00a0 This used to be done as a cron job but as systemd has pretty much taken over everything we are going to use that instead by first creating a service and then a timer.<\/p>\n
Navigate to \/etc\/systed\/system<\/strong> and create a file called mail-monitor.service<\/strong>.\u00a0 Next edit the file and add the following (Requires Mutt to be configured already – Instructions on how to do that are on the bacula configuration page)<\/p>\n
# This service is used to email mail statistics\r\n\r\n[Unit]\r\nDescription=Send an email statistics report to the assigned recipient\r\nWants=mail-monitor.timer\r\n\r\n[Service]\r\nExecStart=\/bin\/sh -c 'cat \/var\/log\/mail.log | pflogsumm -d yesterday | mutt -s \"Postfix mail statistics\" me@mydomain.com'\r\n\r\n[Install]\r\nWantedBy=multi-user.target\r\n<\/pre>\nSave the file and you should be able to test the service by using.<\/p>\n
systemctl start mail-monitor<\/pre>\nIf all is well you should have received an email of the report, if something is wrong then have a look at the systemd journal to see what the problem is:<\/p>\n
journalctl -f<\/pre>\nNow all you need to do is create the timer.\u00a0 In the same directory create a file called mail-monitor-timer<\/strong>.\u00a0 Now edit that file as follows<\/p>\n
# This timer unit is used for periodic sending of postfix email statistics\r\n\r\n[Unit]\r\nDescription=Periodically send postfix statistics to recipient\r\nRequires=mail-monitor.service\r\n\r\n[Timer]\r\nUnit=mail-monitor.service\r\nOnCalendar=*-*-* 23:00:00 \r\n\r\n[Install]\r\nWantedBy=timers.target\r\n<\/pre>\n