My mail server was accessed by an attacker who used it to send spam. I have changed the passwords and can see no new successful logins. However the system is still sending mails. I think these are re-tries rather than new mails. I want to clear them. I have tried postsuper -d ALL deferred but I still see them and the ./deferred folders still have messages in them.
After I do postsuper -d ALL deferred, if I wait a few minutes and then do it again it says "3 messages", i.e. more messages are being added to the defer queue all the time. Does this mean that new messages are being sent?
How can I definitely get rid of all pending messages?
With thanks
--Justin Wyllie
Last edit: Justin Wyllie 2014-07-07
My mail server was accessed by an attacker who used it to send spam. I
have changed the passwords and can see no new successful logins. However
the system is still sending mails. I /think/ these are re-tries rather
than new mails. I want to clear them. I have tried postsuper -d ALL
deferred but I still see them and the ./deferred folders still have
messages in them.
How can I definitely get rid of all pending messages?
man postsuper
postsuper -d ALL
This is not a general Postfix help forum - this is for the separate package Postfix Admin which configures/maintains virtual domains & mailboxes using Postfix (plus MySQL, optionally maildrop, and Courier or Dovecot).
For Postfix help you should head over to postfix.org and check out the Postfix mailing lists.
However, this is something I can offer some advice on - been there, done that :( Usually it's a customer who's had a machine compromised and they use my server as a relay host. Resetting the password will stop further traffic - then you leave it to the customer to clean up their own systems (or pay you to do it). Then I usually do "postsuper -h ALL" which puts all mail on hold.
Normally there will be "real" mail that needs to be processed normally. So I wrote a script which basically does :
for a in $( mailq | grep '^[0-9A-F]*!' | cut -c1-11 )   # '!' after the queue ID marks a held message; cut keeps the 11-char ID
do
    something    # the per-message action, e.g. postcat -q "${a}" to inspect or postsuper -d "${a}" to delete
done
The something is the hard part - typically I look at the mail sender, recipient, or something in the message to work out if it's spam or not. You can get at the contents of the mail with "postcat -q ${a}".
If you really want to delete ALL held mail, then you can use "postsuper -d ${a}" for something and let rip ...
Thanks Simon especially since this is not quite the right forum. Can I just check one thing? postsuper -d ${a} will delete all messages (with an 'a' in them?) and is thus in effect the same as doing postsuper -d ALL?
No, if you use the code snippet above (Bash script), then it'll iterate through all messages that are held and perform something for each message. Because I used "a" in the for loop, "${a}" will be the message ID each time through the loop.
Also, you may have to edit the command a bit. Earlier versions of Postfix use 11 character message IDs, IIRC later versions use a variable length - so you may have to use (in place of "cut -c 1-11") :
sed -re "s/^([0-9A-F]*)!.*$/\1/"
which translates to : match the string that starts with any number of hex digits (remembering the string) followed by an !, any number of any character and the line end - and replace the whole lot with the remembered digits from the first set of ( ).
That's typed from memory, so it might be worth reading the man pages to check !
As I say, my requirements have been somewhat different from your stated ones (delete everything) as I've specifically needed to keep a lot of mail on what is normally a fairly busy server.
Last edit: Simon Hobson 2014-07-07
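Simon's loop and his follow-up about variable-length queue IDs, carried through to a complete hold-queue triage script. This is an added example, not Simon's script and not part of Postfix Admin: the mailq output, the queue IDs and the compromised address are constructed, and the only things assumed about the real tools are the mailq (postqueue -p) line format, where a "!" after the queue ID marks a held message, and postsuper's -d (delete) and -H (release from hold) options. Instead of cutting a fixed 11 characters, the ID is taken from everything before the "!", so the long queue IDs of newer Postfix releases work too.

```shell
#!/bin/sh
# Triage of a Postfix hold queue after a compromised account was used to relay spam.
# Added example; mailq text, queue IDs and addresses below are constructed.

# Constructed mailq output. '!' after the ID = on hold, '*' = being delivered.
# The second ID is in the variable-length long-queue-ID format.
SAMPLE_MAILQ='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3F2A1B2C3D!      4123 Mon Jul  7 10:01:02  compromised@example.com
                                          victim1@example.net
3hJq2M1Zp4z7Vt!  3876 Mon Jul  7 10:02:11  compromised@example.com
                                          victim2@example.org
7E8F9A0B1C*      2210 Mon Jul  7 10:03:45  customer@example.com
                                          partner@example.net
0BCD12EF34!      1990 Mon Jul  7 10:04:00  accounts@example.com
                                          supplier@example.org

-- 12 Kbytes in 4 Requests.'

# The account the attacker was logging in as (constructed value).
COMPROMISED_SENDER='compromised@example.com'

# Read mailq output on stdin and print "queue-id sender" for every held
# message. The ID is whatever precedes the '!', so short hex IDs and long
# alphanumeric IDs are both handled; the envelope sender is the last field.
held_entries() {
    awk '$1 ~ /^[0-9A-Za-z]+!$/ { sub(/!$/, "", $1); print $1, $NF }'
}

# Decide what to do with one held message from its envelope sender:
# "delete" if it came from the compromised account, "release" otherwise.
triage_decision() {
    if [ "$1" = "$COMPROMISED_SENDER" ]; then
        echo delete
    else
        echo release
    fi
}

# Number of held messages in the given mailq text that would be deleted.
count_to_delete() {
    printf '%s\n' "$1" | held_entries | while read -r id sender; do
        if [ "$(triage_decision "$sender")" = delete ]; then
            echo "$id"
        fi
    done | wc -l | tr -d ' '
}

# Apply the decision to the live queue. Set DRY_RUN=1 to only print the plan.
# postsuper -d deletes the message, postsuper -H releases it from hold.
triage_live_queue() {
    mailq | held_entries | while read -r id sender; do
        case "$(triage_decision "$sender")" in
            delete)  echo "delete  $id ($sender)"
                     [ -n "$DRY_RUN" ] || postsuper -d "$id" ;;
            release) echo "release $id ($sender)"
                     [ -n "$DRY_RUN" ] || postsuper -H "$id" ;;
        esac
    done
}

# Stand-alone demonstration on the constructed sample (no queue is touched).
printf '%s\n' "$SAMPLE_MAILQ" | held_entries | while read -r id sender; do
    echo "$(triage_decision "$sender") $id ($sender)"
done
```

On the sample this plans to delete the two held messages from compromised@example.com and release the one from accounts@example.com; the message being delivered (marked "*") is left alone. Run triage_live_queue with DRY_RUN=1 first and widen triage_decision (for example with postcat -q on the message body, as Simon does) before letting it loose on a busy server.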
Thanks Simon. I see now what this does. For my purposes the simple postsuper -d ALL will do the trick.