
Thread: /var/spool/postfix/ full

  1. #1

    /var/spool/postfix/ full

    I have been running this SUSE server for over a year with no issues till a few days ago; VNC locked down, as did my web server. Thanks to your members here we found out what was happening.
    Code:
    412M    /var/spool/postfix/deferred/8
    425M    /var/spool/postfix/deferred/A
    543M    /var/spool/postfix/deferred/D
    586M    /var/spool/postfix/deferred/6
    584M    /var/spool/postfix/deferred/B
    584M    /var/spool/postfix/deferred/2
    du: cannot access `/var/spool/postfix/deferred/3/36BDC1D3A2': No such file or directory
    du: cannot access `/var/spool/postfix/deferred/3/34E6344C36': No such file or directory
    555M    /var/spool/postfix/deferred/3
    562M    /var/spool/postfix/deferred/E
    557M    /var/spool/postfix/deferred/9
    482M    /var/spool/postfix/deferred/7
    494M    /var/spool/postfix/deferred/C
    573M    /var/spool/postfix/deferred/4
    548M    /var/spool/postfix/deferred/0
    153M    /var/spool/postfix/deferred/F
    7.8G    /var/spool/postfix/deferred
    4.0K    /var/spool/postfix/trace
    These big files filling up, no it took over a year for it to fill up, and after I ran the code below it deleted almost 63k messages.
    Code:
    ws-19476:/home/administrator # postsuper -d ALL deferred
    postsuper: Deleted: 62925 messages
    That freed up 14 gigs of space for me. In less than 24 hrs the exact same folders have filled up and locked the server down. What can I do to disable these messages or find out why it's happening? Should I disable them? Can it be limited to only important things?

  2. #2

    Re: /var/spool/postfix/ full

    On 2013-09-29 04:26, originalhandy wrote:

    > That freed up 14 gigs of space for me. In less than 24 hrs the exact same
    > folders have filled up and locked the server down. What can I do to
    > disable these messages or find out why it's happening? Should I disable
    > them? Can it be limited to only important things?


    They will also be listed in the log with the exact reason for each one.
    The output of the command "mailq" can be useful.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)

  3. #3

    Re: /var/spool/postfix/ full

    On 2013-09-29 04:26, originalhandy wrote:

    > That freed up 14 gigs of space for me. In less than 24 hrs the exact same
    > folders have filled up and locked the server down. What can I do to
    > disable these messages or find out why it's happening? Should I disable
    > them? Can it be limited to only important things?


    You can post the output of "mailq" here, or part of it. If there is
    private information, obfuscate it, but say so.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)

  4. #4

    Re: /var/spool/postfix/ full

    This is the end of the file. It went by fast but that seemed to be it.

    Code:
    3869918566*   70184 Sat Sep 28 06:18:35  administrator@ws-19476.site
                                             guera52912@gmail.com
    
    B7D9575910*   21269 Sat Sep 28 17:13:07  administrator@ws-19476.site
                                             jfz1959@gmail.com
    
    3293278FB9*   61937 Sat Sep 28 17:51:45  administrator@ws-19476.site
                                             darkstartr@gmail.com
    
    B0D062EE25*   21441 Sat Sep 28 19:07:41  administrator@ws-19476.site
                                             jamessutphin14@gmail.com
    
    342B748986*   30821 Sat Sep 28 06:50:43  administrator@ws-19476.site
                                             andreadave1988@gmail.com
    
    D76C256E46*   39032 Sat Sep 28 14:28:17  administrator@ws-19476.site
                                             cawbjosh@gmail.com
    
    012CA8BBF9*   21437 Sat Sep 28 19:06:57  administrator@ws-19476.site
                                             pinkangels00@gmail.com
    
    DC39E75A3E*   21273 Sat Sep 28 17:13:00  administrator@ws-19476.site
                                             jonesmd47@gmail.com
    
    992A871B8F*   21269 Sat Sep 28 16:30:23  administrator@ws-19476.site
                                             dave098@gmail.com
    
    32D11491BA*   30819 Sat Sep 28 06:56:06  administrator@ws-19476.site
                                             partyfriendza@gmail.com
    
    9CCB68AFF*    21323 Sat Sep 28 04:15:27  administrator@ws-19476.site
                                             surajghosi@gmail.com
    
    316016D5EE*  147601 Sat Sep 28 08:48:46  administrator@ws-19476.site
                                             cheri.dowd@gmail.com
    
    227A955D8F*   39044 Sat Sep 28 14:11:35  administrator@ws-19476.site
                                             phillip.e.hand@gmail.com
    
    CA5F056009*   39046 Sat Sep 28 14:10:50  administrator@ws-19476.site
                                             dragondroid2416@gmail.com
    
    841618B949*   21437 Sat Sep 28 19:00:56  administrator@ws-19476.site
                                             dannyjsworld@gmail.com
    
    AC3924EC95*   39040 Sat Sep 28 13:23:51  administrator@ws-19476.site
                                             rodricusrich@gmail.com
    
    6084F5525F*   39036 Sat Sep 28 13:59:34  administrator@ws-19476.site
                                             timbug6.tb@gmail.com
    
    647E04F98C*   39032 Sat Sep 28 13:24:29  administrator@ws-19476.site
                                             rjadberg@gmail.com
    
    C032557DBA*   39050 Sat Sep 28 14:35:14  administrator@ws-19476.site
                                             derek.eichholz243@gmail.com
    
    56B1B1E890*   25391 Sat Sep 28 12:14:17  administrator@ws-19476.site
                                             phillmcmurtrie@gmail.com
    -- 497636 Kbytes in 12735 Requests.

  5. #5

    Re: /var/spool/postfix/ full

    On 2013-09-29 07:16, originalhandy wrote:
    >
    > This is the end of the file. It went by fast but that seemed to be it.
    >


    (it is best to obfuscate real emails)

    > Code:
    > --------------------
    >
    > 3869918566* 70184 Sat Sep 28 06:18:35 administrator@ws-19476.site
    > NAME_1@gmail.com
    >
    > B7D9575910* 21269 Sat Sep 28 17:13:07 administrator@ws-19476.site
    > NAME_2@gmail.com


    ....

    > -- 497636 Kbytes in 12735 Requests.
    > --------------------


    There is some information missing: the status of each mail. Maybe it is
    just trying to send, or waiting.

    I expected things like this:


    Code:
    -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
    2CE978241CE      984 Thu Dec 13 17:25:42  name@domain.com
    (host c.mx.mail.yahoo.com[68.142.237.182] refused to talk to me: 421
    Message from (165.98.138.52) temporarily deferred - 4.16.50. Please
    refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html)
    othername@yahoo.com


    Ok, what it seems is that your system is trying to send emails with a
    from address that DOES NOT EXIST to gmail, and gmail will reject them.
    This may take time to be rejected, and in that time more are generated.

    And each email is sent to a different gmail user. By the hundreds. So...
    the question is, either you are sending spam, you have been hacked, or
    you have a mail list badly configured. Or, if you act as server for some
    people, someone is abusing.

    I would consider taking your machine off the internet, or your IP will
    be blacklisted and blocked soon, if it is not already. And worse.


    Then pick any one of those emails, by the "Queue ID". Find log entries
    for it in the log, track it back and forth. The string to search for may
    change on each line.

    Or, try to read one of those emails.

    Code:
    postcat -q queue_id | less
    Find the message ID in the text and track it in the log.

    What you have to find out is who is sending those emails on your system.


    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)
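
Added example, not part of the original posts: one way to do the log tracking suggested in post #5 for every queue ID at once, grouping messages by how they entered the queue (local submission recorded by `pickup` with a Unix uid, or a remote client recorded by `smtpd`). It assumes syslog-style Postfix log lines with short hexadecimal queue IDs; the function names `sample_log` and `queue_origins` are hypothetical, and every log line, queue ID, uid and address below is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Groups queue IDs in a Postfix log by
# how each message entered the queue. All log lines below are constructed.
sample_log() {
cat <<'EOF'
Sep 28 17:13:07 host postfix/pickup[2101]: A1B2C3D4E5: uid=30 from=<wwwrun>
Sep 28 17:13:07 host postfix/cleanup[2102]: A1B2C3D4E5: message-id=<1@host.example>
Sep 28 17:13:07 host postfix/qmgr[900]: A1B2C3D4E5: from=<administrator@host.example>, size=21269, nrcpt=1 (queue active)
Sep 28 17:13:09 host postfix/smtp[2103]: A1B2C3D4E5: to=<u1@mail.example>, relay=none, delay=2, dsn=4.4.1, status=deferred (connect to mx.mail.example[192.0.2.10]:25: Connection timed out)
Sep 28 17:13:20 host postfix/pickup[2101]: F6A7B8C9D0: uid=30 from=<wwwrun>
Sep 28 17:13:22 host postfix/smtp[2104]: F6A7B8C9D0: to=<u2@mail.example>, relay=none, delay=2, dsn=4.4.1, status=deferred (connect to mx.mail.example[192.0.2.10]:25: Connection timed out)
Sep 28 17:43:22 host postfix/smtp[2110]: F6A7B8C9D0: to=<u2@mail.example>, relay=none, delay=1802, dsn=4.4.1, status=deferred (connect to mx.mail.example[192.0.2.10]:25: Connection timed out)
Sep 28 17:44:00 host postfix/smtpd[2200]: 0123456789: client=unknown[192.0.2.55]
Sep 28 17:44:01 host postfix/smtp[2201]: 0123456789: to=<u3@other.example>, relay=mx.other.example[192.0.2.20]:25, delay=1, dsn=2.0.0, status=sent (250 OK)
EOF
}

# Reads a mail log on stdin; prints "<messages> <deferred attempts> <origin>",
# busiest origin first.
queue_origins() {
    awk '
    # The queue ID is the token right after "postfix/<daemon>[pid]: ".
    # Lines without one (connect/disconnect, NOQUEUE rejects) are skipped.
    !match($0, /\]: [0-9A-F]+: /) { next }
    { id = substr($0, RSTART + 3, RLENGTH - 5) }
    # pickup logs the Unix uid of a local submitter (sendmail command, cron, web app)
    /postfix\/pickup\[/ && match($0, /uid=[0-9]+/) {
        origin[id] = "local " substr($0, RSTART, RLENGTH)
    }
    # smtpd logs the remote client that handed the message in over SMTP
    /postfix\/smtpd\[/ && match($0, /client=[^, ]+/) {
        origin[id] = "smtp " substr($0, RSTART, RLENGTH)
    }
    /status=deferred/ { deferred[id]++ }
    END {
        for (id in origin) { msgs[origin[id]]++; tries[origin[id]] += deferred[id] }
        for (o in msgs) printf "%d %d %s\n", msgs[o], tries[o], o
    }' | sort -rn
}

sample_log | queue_origins
```

On a real system, feed the mail log to `queue_origins` on stdin; a single local uid owning nearly all queued messages points at the account (for example the web server's) whose processes are generating the mail.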

  6. #6

    Re: /var/spool/postfix/ full

    Code:
    postcat: fatal: open queue file queue_id: No such file or directory
    The server is only used to host Joomla and Teamspeak. I don't have any mailing lists at all, and I can't find any suspicious files in Joomla either. I am the only one that hosts on that server.
    Is there a way to disable mail sending to stop it shooting out? I do use Joomla to send mail to users, but I use SMTP from a different host. Would I be able to disable my server's mail sending and still use Joomla with my other host's SMTP?

    Any other ideas on finding out the source to stop it?

  7. #7

    Re: /var/spool/postfix/ full

    Google Webmaster and AVG both spot no spyware, as does Sucuri.

  8. #8

    Re: /var/spool/postfix/ full

    On 2013-09-29 17:46, originalhandy wrote:
    >
    > Code:
    > --------------------
    >
    > postcat: fatal: open queue file queue_id: No such file or directory
    >
    >
    > --------------------


    Well, you have to replace queue_id with the queue id number. It was not
    supposed you would type that verbatim.



    > Is there a way to disable mail sending to stop it shooting out ?


    They would still be queued.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)

  9. #9

    Re: /var/spool/postfix/ full

    I replaced queue_id with 32D11491BA* and got an error message; I never did write it down. My cron cleared the mail queue so I have none to check now.

  10. #10

    Re: /var/spool/postfix/ full

    I ran rkhunter -c

    Code:
    [14:17:50]   /usr/bin/ldd                                    [ Warning ]
    Checking for passwd file changes                         [ Warning ]
    Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text
    [14:17:53]   /sbin/chkconfig                                 [ Warning ]
    [14:17:53] Warning: The command '/sbin/chkconfig' has been replaced by a script: /sbin/chkconfig: a /usr/bin/perl script text
    [14:17:54]   /sbin/ifup                                      [ Warning ]
    [14:17:54] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text
    [14:19:19]   Checking if SSH root access is allowed          [ Warning ]
    [14:19:19] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
               The default value may be 'yes', to allow root access.
    [14:19:19]   Checking if SSH protocol v1 is allowed          [ Warning ]
    [14:19:19] Warning: The SSH configuration option 'Protocol' has not been set.
               The default value may be '2,1', to allow the use of protocol version 1.
    [14:19:19]   Checking for running syslog daemon              [ Found ]
    [14:19:19] Info: Found rsyslog configuration file: /etc/rsyslog.conf
    [14:19:19]   Checking for syslog configuration file          [ Found ]
    
    
    [14:20:08] System checks summary
    [14:20:08] =====================
    [14:20:08]
    [14:20:08] File properties checks...
    [14:20:08] Required commands check failed
    [14:20:08] Files checked: 149
    [14:20:08] Suspect files: 3
    [14:20:08]
    [14:20:08] Rootkit checks...
    [14:20:08] Rootkits checked : 245
    [14:20:08] Possible rootkits: 0
    [14:20:08]
    [14:20:08] Applications checks...
    [14:20:08] Applications checked: 4
    [14:20:08] Suspect applications: 0
    [14:20:08]
    [14:20:08] The system checks took: 2 minutes and 24 seconds
    [14:20:08]
    [14:20:08] Info: End date is Sun Sep 29 14:20:08 CDT 2013
    /usr/bin/ldd
    /sbin/chkconfig
    /sbin/ifup

    I guess the three above are the suspicious files. I looked at them and didn't see anything in there.
