How to definitely clear the mail queue

2014-07-07
  • Justin Wyllie
    2014-07-07

    My mail server was accessed by an attacker who used it to send spam. I have changed the passwords and can see no new successful logins. However the system is still sending mails. I think these are re-tries rather than new mails. I want to clear them. I have tried postsuper -d ALL deferred but I still see them and the ./deferred folders still have messages in them.

    After I do postsuper -d ALL deferred, if I wait a few minutes and then do it again it says "3 messages", i.e. more messages are being added to the deferred queue all the time. Does this mean that new messages are being sent?

    How can I definitely get rid of all pending messages?

    With thanks

    --Justin Wyllie

    Last edit: Justin Wyllie 2014-07-07
    • Charles
      2014-07-07

      On 7/7/2014 10:21 AM, Justin Wyllie justinwyllie@users.sf.net wrote:

      My mail server was accessed by an attacker who used it to send spam. I
      have changed the passwords and can see no new successful logins. However
      the system is still sending mails. I /think/ these are re-tries rather
      than new mails. I want to clear them. I have tried postsuper -d ALL
      deferred but I still see them and the ./deferred folders still have
      messages in them.

      How can I definitely get rid of all pending messages?

      man postsuper

      postsuper -d ALL

  • Simon Hobson
    2014-07-07

    This is not a general Postfix help forum - this is for the separate package Postfix Admin which configures/maintains virtual domains & mailboxes using Postfix (plus MySQL, optionally maildrop, and Courier or Dovecot).
    For Postfix help you should head over to postfix.org and check out the Postfix mailing lists.

    However, this is something I can offer some advice on - been there, done that :( Usually it's a customer who's had a machine compromised and they use my server as a relay host. Resetting the password will stop further traffic - then you leave it to the customer to clean up their own systems (or pay you to do it). Then I usually do "postsuper -h ALL" which puts all mail on hold.

    Normally there will be "real" mail that needs to be processed normally. So I wrote a script which basically does:

    # held messages show up in mailq with a '!' right after the queue ID
    for a in $( mailq | grep '^[0-9A-F]*!' | cut -c1-11 )
    do
        something    # placeholder: ${a} is one held queue ID each time round
    done

    The something is the hard part - typically I look at the mail sender, recipient, or something in the message to work out if it's spam or not. You can get at the contents of the mail with "postcat -q ${a}".

    If you really want to delete ALL held mail, then you can use "postsuper -d ${a}" for something and let rip ...

  • Justin Wyllie
    2014-07-07

    Thanks Simon especially since this is not quite the right forum. Can I just check one thing? postsuper -d ${a} will delete all messages (with an 'a' in them?) and is thus in effect the same as doing postsuper -d ALL?

  • Simon Hobson
    2014-07-07

    No, if you use the code snippet above (Bash script), then it'll iterate through all messages that are held and perform something for each message. Because I used "a" in the for loop, "${a}" will be the message ID each time through the loop.

    Also, you may have to edit the command a bit. Earlier versions of Postfix use 11 character message IDs, IIRC later versions use a variable length - so you may have to use (in place of "cut -c 1-11") :

    sed -re 's/^([0-9A-F]+)!.*$/\1/'

    which translates to : match the string that starts with any number of hex digits (remembering the string) followed by an !, any number of any character and the line end - and replace the whole lot with the remembered digits from the first set of ( ).
    That's typed from memory, so it might be worth reading the man pages to check !

    As I say, my requirements have been somewhat different from your stated ones (delete everything) as I've specifically needed to keep a lot of mail on what is normally a fairly busy server.

    Last edit: Simon Hobson 2014-07-07
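One way to fill in the "something" of Simon's loop, and to handle the variable-length queue IDs he mentions, written as an added example for this thread; it is not Simon's script and not anything shipped with Postfix or Postfix Admin. The mailq output it parses is constructed for the example and includes a long queue ID of the kind Postfix 2.9 and later generate with enable_long_queue_ids=yes. Long queue IDs are not hex: they use digits plus upper- and lower-case letters, so a pattern like [0-9A-F] from the short-ID days silently drops them, while [0-9A-Za-z]+ covers both. The spam test on the envelope sender is an assumption made for illustration; mailq, postcat -q, postsuper -d and postsuper -H are the real Postfix commands.

```shell
#!/bin/sh
# Added example, not Simon's script or anything shipped with Postfix or
# Postfix Admin. Triages mail that "postsuper -h ALL" put on hold: list the
# held queue IDs, inspect each with "postcat -q", delete the ones that look
# like the attacker's spam and leave the rest on hold. Assumes a Postfix host
# with mailq, postcat and postsuper in PATH; nothing is deleted unless
# DRY_RUN=0 is set.
set -eu

# Constructed sample of mailq output (not captured from a real server). A
# trailing '!' on the queue ID marks a held message, '*' one being delivered.
# It mixes an 11-character hex (short) queue ID with a long queue ID as
# produced by Postfix 2.9+ with enable_long_queue_ids=yes.
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3A7F6D1C3B!     2345 Mon Jul  7 10:21:00  bulk@spam-sender.invalid
                                         victim1@example.net
                                         victim2@example.net
4B8E7E2D4C*     1210 Mon Jul  7 10:22:13  alice@example.com
                                         bob@example.org
3hsqRV1xgyzHZ9t!  9876 Mon Jul  7 10:23:45  bulk@spam-sender.invalid
                                         victim3@example.net

-- 13 Kbytes in 3 Requests.'

# held_queue_ids: filter mailq-formatted input on stdin down to the queue IDs
# of held messages, one per line. Matching [0-9A-Za-z]+ instead of 11 hex
# characters works for both short and long queue IDs.
held_queue_ids() {
    sed -nE 's/^([0-9A-Za-z]+)!.*$/\1/p'
}

# queue_is_empty: true when mailq output on stdin reports an empty queue,
# which is the check to run after the cleanup.
queue_is_empty() {
    grep -q '^Mail queue is empty$'
}

# looks_like_spam: reads "postcat -q" output on stdin and returns true if the
# envelope sender is in the abused sender domain. The domain is an assumption
# taken from the constructed sample; the thread decides this case by case
# from sender, recipient or message contents.
looks_like_spam() {
    grep -qi '^sender: .*@spam-sender\.invalid$'
}

# triage_held_mail: the "something" of the loop in the thread. Deletes held
# messages judged spam with "postsuper -d <id>", keeps the others on hold so
# they can be released later with "postsuper -H <id>".
triage_held_mail() {
    mailq | held_queue_ids | while IFS= read -r id; do
        if postcat -q "$id" | looks_like_spam; then
            if [ "${DRY_RUN:-1}" = 1 ]; then
                echo "would delete $id"
            else
                postsuper -d "$id"
            fi
        else
            echo "keeping $id on hold (release with: postsuper -H $id)"
        fi
    done
}

# Offline demonstration on the constructed sample: prints the two queue IDs
# the loop would visit. On a real server run triage_held_mail instead, after
# postsuper -h ALL.
printf '%s\n' "$SAMPLE_MAILQ" | held_queue_ids
```

On a live server, run triage_held_mail once with the default dry run to see what it would delete, then again with DRY_RUN=0, and finish with mailq (or pipe it through queue_is_empty) to confirm the queue really is empty.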
  • Justin Wyllie
    2014-07-07

    Thanks Simon. I see now what this does. For my purposes the simple postsuper -d ALL will do the trick.