What is flooding my postfix mail queue?

#1 Thu, 10/13/2016 - 10:23
marceld202

I searched my butt off trying to find a straightforward answer on how to debug the source of e-mails in the Postfix mail queue.

The thing is, my Postfix mail queue is flooded. Like 10k messages are in the queue. I just cannot detect the source.

What I did was change the php.ini configuration to do PHP mail logging:

    mail.add_x_header = On
    mail.log = /var/log/phpmail.log

However, phpmail.log never changes. Does this mean it is not being flooded by a PHP script?

I also checked all the configs like a thousand times. I did an open relay test, and all seems very solid.

So what is actually flooding my Postfix queue? Any tips, directions or commands I can run to get more info from the logs?

Thu, 10/13/2016 - 11:44
andreychek

Howdy,

My best guess would be that either someone guessed an email user's password, or that a malicious user or bot broke into a website on your server.

You may want to review the headers of some of the emails in the queue there for clues as to which user is generating them. You should be able to use that to determine whether it's an email user, or whether it's coming from the Virtual Server owner (which would likely indicate that a website was broken into).

-Eric

Thu, 10/13/2016 - 12:34
marceld202

Thanks a bunch, Eric! I did look at the headers, but at that moment I did not see anything special in them. And I emptied the entire queue because I thought I'd just let a couple of messages come in and then stop Postfix to do some debugging; however, since I emptied the queue and restarted Postfix, no new spam mails are coming in :S So I have nothing to look at anymore.

As soon as new spam comes in I'll make sure to take a look at the header. What fields should give me a clue?

Thu, 10/13/2016 - 12:40
marceld202

Do you, btw, have an example Postfix main.cf that should be really safe and works with the Virtualmin user setup?

Because I modified the config a couple of times to optimize security, and I do understand that the rules should be different for every setup. However, for a simple Virtualmin setup with a WordPress website on it, do you have a simple example config?
