Tait Grove wrote:
My queue is horribly backed up with over 4,000 messages and I cannot figure out how to shrink the queue. I do not have a bunch of MAILER-DAEMON notices, I do have strange domain names in the mailq list and a handful of temporary failure messages. The issue is getting worse by the minute. I followed the article here: http://www.postfix.org/LOCAL_RECIPIENT_README.html and I think that we are good as far as those settings. Any insight would be great as email is severely delayed. Here is some data on our postfix setup:

OK. Pick a couple messages and see how they entered your system (examine the log) and where they are going. Examine the contents and see if they appear to be spam.

Today's wild guess:
Your webserver has been hacked and is being used to spam the world. Turn off the webserver software until you get the problem fixed.

*postconf -n:*
bounce_queue_lifetime = 8h

That's pretty short.  3-5 days is typical.

inet_interfaces = 127.0.0.1, localhost, $myhostname

"127.0.0.1, localhost" is redundant.  Remove the "localhost" part.

invalid_hostname_reject_code = 450

This should probably be set to 550 unless you have a good reason to use 450.

maps_rbl_reject_code = 450

This should be 554 unless you have a good reason to change it.

maximal_queue_lifetime = 8h

That's pretty short.  Normal is 3-5 days.

non_fqdn_reject_code = 450

This should be 504 unless you have a good reason to change it.

relay_domains = $mydestination

This should probably be set empty, i.e.
relay_domains =


smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit

OK.

smtpd_recipient_restrictions = permit_mynetworks, check_policy_service inet:127.0.0.1:10031, permit_sasl_authenticated, permit_tls_clientcerts, reject_unauth_destination, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_unknown_recipient_domain,

Note that reject_unknown_recipient_domain can only reject your own domain when it's after reject_unauth_destination. Best to just remove it.

reject_non_fqdn_recipient, warn_if_reject reject_non_fqdn_helo_hostname, warn_if_reject reject_unknown_helo_hostname, warn_if_reject reject_unknown_client, reject_unverified_recipient, reject_unknown_sender_domain, reject_unverified_sender,

reject_unverified_sender shouldn't be used against every connection; many admins consider it abusive and will blacklist you for excessive probes. If you feel you must use it, use it for selected domains from an access map. Examples in the archives.

check_recipient_access hash:$config_directory/recipient.list, reject_rbl_client cbl.abuseat.org, reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org,

list.dsbl.org is (temporarily?) dead.  Remove it.
Most folks prefer zen.spamhaus.org rather than sbl.spamhaus.org.

reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net=127.0.0.2, reject_rbl_client dnsbl.sorbs.net=127.0.0.3, reject_rbl_client dnsbl.sorbs.net=127.0.0.4, reject_rbl_client dnsbl.sorbs.net=127.0.0.5, reject_rbl_client dnsbl.sorbs.net=127.0.0.7, reject_rbl_client dnsbl.sorbs.net=127.0.0.9, reject_rbl_client dnsbl.sorbs.net=127.0.0.11, reject_rbl_client dnsbl.sorbs.net=127.0.0.12, permit

OK.

smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit

All these checks are duplicated in smtpd_recipient_restrictions. You can remove all these.

smtpd_tls_ask_ccert = yes

Some clients may choke if you ask for a certificate. Usually this parameter is best used only on the "submission" port or other non-public interface.


*Qshape:*

                          T   5  10  20  40   80  160 320 640 1280 1280+
                 TOTAL 4573 273 341 146 669 1451 1653   9   5    7    19
             yahoo.com  164   7   5   7  34   50   61   0   0    0     0
             gmail.com  118  15   9   3  14   30   47   0   0    0     0
        agentimage.com   64   0   5   3   8   20   28   0   0    0     0
      onclearcreek.com   59   3   0   9   2   12   10   4   3    4    12
           alfonso.com   52   3   2   2   8   19   18   0   0    0     0
       jones-healy.com   52   1  14   1   6   15   15   0   0    0     0
               aol.com   51   1   2   2   5   23   18   0   0    0     0
           hotmail.com   51   3   3   1   7   21   16   0   0    0     0
           arbotco.com   46   6   4   2   5    2   27   0   0    0     0
            traikos.us   41   3  30   0   1    6    1   0   0    0     0
       thesaadteam.com   39   1   0   1  14   10   13   0   0    0     0
    nostalgichomes.com   39   4   8   1   8   10    8   0   0    0     0
      hiltonhyland.com   36   3   8   0   5   13    7   0   0    0     0
 tetonvalleyrealty.com   35   0   1   5   2   13   14   0   0    0     0
carolinaproperties.com   35   4   0   1   4   12   14   0   0    0     0
           comcast.net   34   2   7   2   2   11   10   0   0    0     0
     georgetraikos.com   33   3  30   0   0    0    0   0   0    0     0


--
Noel Jones
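
The log check suggested at the top of the reply ("see how they entered your system"), as an added example that is not part of the original thread: it maps each queue ID to its entry point, either the pickup service (local sendmail submission, logged with the submitting uid) or smtpd (network client, with the SASL user if any), and counts accepted and deferred messages per source. The log lines, hostnames, addresses and uid are constructed samples in the standard Postfix syslog format; a dominant "local uid=" source means the mail is being generated on the box itself.

```python
import re
from collections import Counter

# Constructed sample log lines in Postfix syslog format (not from the thread).
SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix/pickup[2101]: 4F1A2C0011: uid=48 from=<apache>
Mar  3 10:00:02 mx postfix/qmgr[900]: 4F1A2C0011: from=<apache@mx.example.com>, size=2210, nrcpt=1 (queue active)
Mar  3 10:00:03 mx postfix/pickup[2101]: 4F1A2C0012: uid=48 from=<apache>
Mar  3 10:00:04 mx postfix/smtpd[2200]: 4F1A2C0013: client=mail.example.net[192.0.2.10]
Mar  3 10:00:05 mx postfix/smtpd[2201]: 4F1A2C0014: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=jdoe
Mar  3 10:00:06 mx postfix/smtpd[2201]: 4F1A2C0015: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=jdoe
Mar  3 10:00:07 mx postfix/pickup[2101]: 4F1A2C0016: uid=48 from=<apache>
Mar  3 10:00:08 mx postfix/smtp[2300]: 4F1A2C0011: to=<a@example.org>, relay=none, delay=5, status=deferred (connection timed out)
Mar  3 10:00:09 mx postfix/smtp[2300]: 4F1A2C0012: to=<b@example.org>, relay=none, delay=6, status=deferred (connection timed out)
Mar  3 10:00:10 mx postfix/smtp[2301]: 4F1A2C0013: to=<c@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=1, status=sent (250 ok)
"""

QID = r"([0-9A-Za-z]+)"  # matches short (hex) and long queue IDs
PICKUP = re.compile(r"postfix/pickup\[\d+\]: " + QID + r": uid=(\d+) from=<([^>]*)>")
SMTPD = re.compile(r"postfix/smtpd\[\d+\]: " + QID + r": client=(\S+?\[[^\]]+\])"
                   r"(?:, sasl_method=\S+, sasl_username=(\S+))?")
DEFERRED = re.compile(r"postfix/\w+\[\d+\]: " + QID + r": to=<[^>]*>.*status=deferred")

def entry_points(log_text):
    """Map queue ID -> how the message entered Postfix."""
    origin = {}
    for line in log_text.splitlines():
        if m := PICKUP.search(line):      # local submission via sendmail(1)
            origin[m.group(1)] = f"local uid={m.group(2)}"
        elif m := SMTPD.search(line):     # network submission over SMTP
            who = f"sasl user {m.group(3)}" if m.group(3) else "no SASL login"
            origin[m.group(1)] = f"smtp {m.group(2)} ({who})"
    return origin

def sources(log_text):
    """Return (messages accepted per source, deferred messages per source)."""
    origin = entry_points(log_text)
    accepted = Counter(origin.values())
    deferred_ids = {m.group(1) for line in log_text.splitlines()
                    if (m := DEFERRED.search(line))}
    deferred = Counter(origin[q] for q in deferred_ids if q in origin)
    return accepted, deferred

if __name__ == "__main__":
    accepted, deferred = sources(SAMPLE_LOG)
    for src, n in accepted.most_common():
        print(f"{n:5d} accepted  {deferred[src]:5d} deferred  {src}")
```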
