Tait Grove wrote:
> My queue is horribly backed up with over 4,000 messages and I cannot
> figure out how to shrink the queue. I do not have a bunch of
> MAILER-DAEMON notices, I do have strange domain names in the mailq list
> and a handful of temporary failure messages. The issue is getting worse by
> the minute. I followed the article here:
> http://www.postfix.org/LOCAL_RECIPIENT_README.html and I think that we
> are good as far as those settings. Any insight would be great as email
> is severely delayed. Here is some data on our postfix setup:

OK. Pick a couple messages and see how they entered your
system (examine the log) and where they are going. Examine
the contents and see if they appear to be spam.

Today's wild guess:
Your webserver has been hacked and is being used to spam the
world. Turn off the webserver software until you get the
problem fixed.

> *postconf -n:*
> bounce_queue_lifetime = 8h

That's pretty short. 3-5 days is typical.

> inet_interfaces = 127.0.0.1, localhost, $myhostname

"127.0.0.1, localhost" is redundant. Remove the "localhost" part.

> invalid_hostname_reject_code = 450

This should probably be set to 550 unless you have a good
reason to use 450.

> maps_rbl_reject_code = 450

This should be 554 unless you have a good reason to change it.

> maximal_queue_lifetime = 8h

That's pretty short. Normal is 3-5 days.

> non_fqdn_reject_code = 450

This should be 504 unless you have a good reason to change it.

> relay_domains = $mydestination

This should probably be set empty, i.e.
relay_domains =

> smtpd_data_restrictions = reject_unauth_pipelining,
> reject_multi_recipient_bounce, permit

OK.

> smtpd_recipient_restrictions = permit_mynetworks,
> check_policy_service inet:127.0.0.1:10031,
> permit_sasl_authenticated, permit_tls_clientcerts,
> reject_unauth_destination, reject_invalid_helo_hostname,
> reject_non_fqdn_sender, reject_unknown_recipient_domain,

Note that reject_unknown_recipient_domain can only reject your
own domain when it's after reject_unauth_destination. Best to
just remove it.

> reject_non_fqdn_recipient, warn_if_reject
> reject_non_fqdn_helo_hostname, warn_if_reject
> reject_unknown_helo_hostname, warn_if_reject
> reject_unknown_client, reject_unverified_recipient,
> reject_unknown_sender_domain, reject_unverified_sender,

reject_unverified_sender shouldn't be used against every
connection; many admins consider it abusive and will blacklist
you for excessive probes.
If you feel you must use it, use it for selected domains from
an access map. Examples in the archives.

> check_recipient_access hash:$config_directory/recipient.list,
> reject_rbl_client cbl.abuseat.org, reject_rbl_client
> list.dsbl.org, reject_rbl_client sbl.spamhaus.org,

list.dsbl.org is (temporarily?) dead. Remove it.
Most folks prefer zen.spamhaus.org rather than sbl.spamhaus.org.

> reject_rbl_client bl.spamcop.net, reject_rbl_client
> dnsbl.sorbs.net=127.0.0.2, reject_rbl_client
> dnsbl.sorbs.net=127.0.0.3, reject_rbl_client
> dnsbl.sorbs.net=127.0.0.4, reject_rbl_client
> dnsbl.sorbs.net=127.0.0.5, reject_rbl_client
> dnsbl.sorbs.net=127.0.0.7, reject_rbl_client
> dnsbl.sorbs.net=127.0.0.9, reject_rbl_client
> dnsbl.sorbs.net=127.0.0.11, reject_rbl_client
> dnsbl.sorbs.net=127.0.0.12, permit

OK.

> smtpd_sender_restrictions = permit_mynetworks,
> reject_non_fqdn_sender, reject_unknown_sender_domain, permit

All these checks are duplicated in
smtpd_recipient_restrictions. You can remove all these.

> smtpd_tls_ask_ccert = yes

Some clients may choke if you ask for a certificate. Usually
this parameter is best used only on the "submission" port or
other non-public interface.

> *Qshape:*
>                           T    5   10   20   40   80  160  320  640 1280 1280+
>                  TOTAL 4573  273  341  146  669 1451 1653    9    5    7    19
>              yahoo.com  164    7    5    7   34   50   61    0    0    0     0
>              gmail.com  118   15    9    3   14   30   47    0    0    0     0
>         agentimage.com   64    0    5    3    8   20   28    0    0    0     0
>       onclearcreek.com   59    3    0    9    2   12   10    4    3    4    12
>            alfonso.com   52    3    2    2    8   19   18    0    0    0     0
>        jones-healy.com   52    1   14    1    6   15   15    0    0    0     0
>                aol.com   51    1    2    2    5   23   18    0    0    0     0
>            hotmail.com   51    3    3    1    7   21   16    0    0    0     0
>            arbotco.com   46    6    4    2    5    2   27    0    0    0     0
>             traikos.us   41    3   30    0    1    6    1    0    0    0     0
>        thesaadteam.com   39    1    0    1   14   10   13    0    0    0     0
>     nostalgichomes.com   39    4    8    1    8   10    8    0    0    0     0
>       hiltonhyland.com   36    3    8    0    5   13    7    0    0    0     0
>  tetonvalleyrealty.com   35    0    1    5    2   13   14    0    0    0     0
> carolinaproperties.com   35    4    0    1    4   12   14    0    0    0     0
>            comcast.net   34    2    7    2    2   11   10    0    0    0     0
>      georgetraikos.com   33    3   30    0    0    0    0    0    0    0     0

--
Noel Jones
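
The log check suggested in the reply above (see how messages entered the system), sketched as an added example that is not part of the original thread. It groups deferred queue IDs by entry point, so a backlog dominated by one local uid or one SMTP client stands out. The log lines, host names, queue IDs and uid 33 are constructed sample data in the usual Postfix syslog layout.

```python
import re
from collections import Counter

# Constructed sample in the usual Postfix syslog layout; hosts, queue IDs and
# uid 33 (a web server account on some systems) are made up for illustration.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix/pickup[2101]: A1B2C3D4E5: uid=33 from=<www-data>
Mar  3 10:00:04 mx postfix/smtp[2150]: A1B2C3D4E5: to=<a@yahoo.com>, relay=none, delay=3, status=deferred (connect timed out)
Mar  3 10:00:02 mx postfix/pickup[2101]: B2C3D4E5F6: uid=33 from=<www-data>
Mar  3 10:00:06 mx postfix/smtp[2151]: B2C3D4E5F6: to=<b@gmail.com>, relay=none, delay=4, status=deferred (connect timed out)
Mar  3 10:00:05 mx postfix/smtpd[2170]: C3D4E5F6A7: client=mail.example.net[192.0.2.10]
Mar  3 10:00:07 mx postfix/smtp[2152]: C3D4E5F6A7: to=<c@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=1, status=sent (250 ok)
"""

# pickup logs "uid=N" for mail handed in locally via sendmail(1);
# smtpd logs "client=host[ip]" for mail that arrived over SMTP.
ENTRY = re.compile(r"postfix/(?:pickup|smtpd)\[\d+\]: (\w+): (uid=\d+|client=[^\s,]+)")
# Delivery agents log one "to=<...>, ... status=..." line per attempt.
DELIVERY = re.compile(r"postfix/\w+\[\d+\]: (\w+): to=<[^>]*>,.*\bstatus=(\w+)")


def trace_entries(log_text):
    """Map each queue ID to how the message entered Postfix."""
    return {m.group(1): m.group(2)
            for m in map(ENTRY.search, log_text.splitlines()) if m}


def deferred_by_origin(log_text):
    """Count deferred queue IDs per entry point, most common first."""
    origins = trace_entries(log_text)
    deferred = {m.group(1)
                for m in map(DELIVERY.search, log_text.splitlines())
                if m and m.group(2) == "deferred"}
    return Counter(origins.get(qid, "unknown") for qid in deferred).most_common()


if __name__ == "__main__":
    for origin, count in deferred_by_origin(SAMPLE_LOG):
        print(f"{count:5d} deferred  {origin}")
```

On a real system the input would be the mail log file rather than the embedded sample; queue IDs whose entry line has already rotated out of the log are counted as "unknown".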