
Postfix

Manage Postfix on Plesk: Guide to commands, config, forwarders, queue mgmt, log analysis & troubleshooting mail issues.

Postfix is a free and open-source mail transfer agent that routes and delivers electronic mail. It is released under the IBM Public License 1.0, which is a free software license. Alternatively, starting with version 3.2.5, it is available under the Eclipse Public License 2.0 at the user’s option.

All information about Postfix here is in relation to Plesk.

Postfix is an MTA currently used by Plesk. Like exim on cPanel, postfix acts as a drop-in replacement for sendmail.

Am I Running Postfix?

Some older versions of Plesk ran qmail rather than postfix. To check which SMTP service your server is running, WebPros recommends the following one-liner:

 /usr/local/psa/admin/sbin/mailmng --features | grep SMTP_Server

The output will indicate which you are running.

I’m Not Running Postfix. How Can I Upgrade To Postfix?

The commands below will do the following things:

  • flush the qmail queue (yes, you have to run a kill command to flush the qmail queue)
  • stop qmail from running completely
  • install postfix

 kill -ALRM `pidof qmail-send`
 /usr/local/psa/admin/sbin/mailmng --stop-smtpd
 /usr/local/psa/admin/sbin/autoinstaller --select-release-current --install-component postfix

Warning

Running these commands could result in data loss if you have any email on the server. Only run these commands if you are sure your data is backed up.

Command-line Commands

The complete list of commands and functions can be found in the Postfix official documentation.

Postfix Start/Stop/Restart

postfix stop
postfix start
postfix restart

Stop, start, and restart do just what you think they would.

postfix abort

This command is like postfix stop, in that it stops postfix. It differs in that while postfix stop does a clean shutdown, postfix abort basically kills everything with a -9 flag. Due to the modular design of postfix, you can’t just kill -9 the postfix process; there are too many postfix processes for that.

You should only need to rely on postfix abort if the box is threatening to OOM and a postfix stop would either take too long or is currently hanging.

postfix status

`postfix status` is analogous to `exiwhat` in exim, except that it displays even less information. It merely states whether postfix is running, and if it is, the PID.

postfix check

This command ferrets out the following information regarding the way postfix is configured:

  • bad file/directory ownership
  • bad file/directory permissions
  • missing directories

postfix reload

This command reloads the main postfix configuration live, without a full restart of postfix. This must be run for any changes made in main.cf to take effect.

postfix flush

`postfix flush` flushes the postfix queue, attempting to deliver all mail.

postcat

This command displays the contents of mail queue files. It takes the path to the file as an argument.

postqueue -p

This prints the messages in the queue with message id.

postcat -q $messageid

This prints the email message so it can be read in the terminal.

qshape

This helps the administrator understand the Postfix queue message distribution in time and by sender domain or recipient domain.

Forwarders

Forwarders are stored in /var/qmail/mailnames/domain.com/user/.qmail and should be preceded by an ampersand (&).

[root@host /var/spool/postfix/plesk]# cat /var/qmail/mailnames/domain.com/user/.qmail 
| true
| /usr/bin/deliverquota ./Maildir
&user@gmail.com

So user@domain.com in this case is forwarding to user@gmail.com. The second line regarding deliverquota is used to tell Postfix to deliver mail to the mailbox as well.

The mailbox can be disabled within Plesk by going to Mail for the domain in question, clicking on the email address in question, and then unchecking Mailbox. This can also be changed via the command line.

[root@plesk10train test]# cat /var/qmail/mailnames/plesk10train.pleskalations.com/test/.qmail 
| true
&ckelley@liquidweb.com
| /usr/bin/deliverquota ./Maildir

[root@plesk10train test]# /usr/local/psa/bin/mail --update test@plesk10train.pleskalations.com -mailbox false

SUCCESS: Update of mailname 'test@plesk10train.pleskalations.com' complete

[root@plesk10train test]# !cat
cat /var/qmail/mailnames/plesk10train.pleskalations.com/test/.qmail 
| true
&ckelley@liquidweb.com

[root@plesk10train test]# /usr/local/psa/bin/mail --update test@plesk10train.pleskalations.com -mailbox true

SUCCESS: Update of mailname 'test@plesk10train.pleskalations.com' complete

With the mailbox disabled, email should only be forwarded. This also doesn’t remove the mail directory.

[root@plesk10train Maildir]# ls -lah
total 28K
drwx------ 6 popuser popuser 4.0K Sep 23 08:05 .
drwx------ 5 popuser popuser 4.0K Sep 23 16:16 ..
drwx------ 2 popuser popuser 4.0K Sep 23 08:05 cur
-rw-r--r-- 1 popuser popuser   31 Sep 23 08:05 maildirsize
drwx------ 2 popuser popuser 4.0K Sep 23 08:05 new
drwx------ 5 popuser popuser 4.0K Sep 23 08:05 .Spam
drwx------ 2 popuser popuser 4.0K Sep 23 08:05 tmp

[root@plesk10train Maildir]# /usr/local/psa/bin/mail --update test@plesk10train.pleskalations.com -mailbox false

SUCCESS: Update of mailname 'test@plesk10train.pleskalations.com' complete

[root@plesk10train Maildir]# ls -lah
total 28K
drwx------ 6 popuser popuser 4.0K Sep 23 08:05 .
drwx------ 5 popuser popuser 4.0K Sep 23 16:17 ..
drwx------ 2 popuser popuser 4.0K Sep 23 08:05 cur
-rw-r--r-- 1 popuser popuser   31 Sep 23 08:05 maildirsize
drwx------ 2 popuser popuser 4.0K Sep 23 08:05 new
drwx------ 5 popuser popuser 4.0K Sep 23 08:05 .Spam
drwx------ 2 popuser popuser 4.0K Sep 23 08:05 tmp

Aliases

Unlike with Exim, aliases cannot be edited in files, as postfix stores aliases in an SQLite database. If you want to edit them from the command line, you will need to use the postalias and newaliases commands. That said, it is easier to use the Plesk interface for aliases (provided the Plesk interface is working).

Configuration

Both of these files will (should) be found in /etc/postfix/ on Linux systems.

main.cf

This is the main postfix configuration file. Currently there aren’t any common configuration options that need changing in this section, but if you find one in the course of supporting postfix, please add it.

Any change that you make to this file must be followed by `postfix reload`.

master.cf

This file contains configurations specific to particular postfix components. This is the file used to add additional SMTP ports. After making a change here, Parallels recommends a full restart of postfix:

 /usr/local/psa/admin/sbin/mailmng --reload-service

Adding SMTP Ports

Add this one-liner to master.cf:

<IP_Address>:<port> inet n - - - - smtpd

I added it like this on Plesk 11 (for all IP addresses):

26 inet n - n - - smtpd

Then restart postfix:

/usr/local/psa/admin/sbin/mailmng --reload-service

To set postfix to listen to port 587 edit the /etc/postfix/master.cf file:

vim /etc/postfix/master.cf

Now uncomment this line:

#submission inet n - n - - smtpd

Save and exit the file. Now restart postfix:

/etc/init.d/postfix restart

To verify your work, run this command:

netstat -lpn | grep :587

You should see this:

[root@new ~]# netstat -lpn | grep :587
tcp        0      0 0.0.0.0:587                 0.0.0.0:*                   LISTEN      23117/master        
tcp        0      0 :::587                      :::*                        LISTEN      23117/master

Redirect the desired port to the existing, open port:

iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 25
# iptables-save prints the current rules to stdout; it does not write them to disk
iptables-save
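
To review what a change like this leaves listening, the following added example (not part of the original article or of Plesk's tooling) lists every inet smtpd service in a master.cf together with its -o overrides; a listener shown with "-" has no overrides and inherits everything from main.cf. The function name smtpd_listeners and the sample file are assumptions constructed for illustration.

```shell
# Added example: list the inet smtpd listeners that a master.cf defines.
smtpd_listeners() {
    # Reads master.cf text on stdin; prints "<service> <-o overrides, or ->".
    awk '
        function emit(   n, f, i, opts) {
            if (entry == "") return
            n = split(entry, f, /[ \t]+/)
            # fields: service type private unpriv chroot wakeup maxproc command
            if (n >= 8 && f[2] == "inet" && f[8] == "smtpd") {
                opts = ""
                for (i = 9; i < n; i++)
                    if (f[i] == "-o") opts = opts (opts == "" ? "" : ",") f[i + 1]
                print f[1], (opts == "" ? "-" : opts)
            }
            entry = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comments and blank lines are ignored
        /^[ \t]/ { sub(/^[ \t]+/, ""); entry = entry " " $0; next }  # continuation line
        { emit(); entry = $0 }                # a new logical line starts
        END { emit() }
    '
}

# Constructed sample, not taken from a real server.
sample_master_cf() {
    cat <<'EOF'
smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
26        inet  n       -       n       -       -       smtpd
192.0.2.5:2525 inet n   -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=encrypt
pickup    fifo  n       -       n       60      1       pickup
EOF
}

sample_master_cf | smtpd_listeners
```

Run it as smtpd_listeners < /etc/postfix/master.cf and compare the result with the netstat output to confirm that only the intended ports are open.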

Restore Default Configuration

Sometimes you may find that you want to just restore postfix to plesk’s default configuration. Simply run this command:

/usr/local/psa/admin/sbin/mchk

with one of three flags:

--without-spam      # restores just postfix defaults
--with-spam         # restores both postfix and spamassassin defaults
--spam-only         # restores just spamassassin defaults

Spool

The mail spool is located here:

/var/spool/mail

The spool is divvied up into mbox-type files, one per plesk user.

There is another spool for internal postfix usage:

/var/spool/postfix

Managing mail queue

You can log into Plesk, where there is a mail queue manager in which you can view, sort, and remove messages.

The `postsuper` utility can be used to manage the mail queue. There is no nukespam for postfix, only postsuper. postsuper lets the mail administrator perform the following actions:

  • postsuper -d <message-ID> deletes a specific message from the queue
  • postsuper -h moves messages to a Hold queue
  • postsuper -r <message-ID> requeues a specific message from Hold to an active queue

The Hold queue is a spot for messages to sit things out while you figure out just what you’re going to do with them. This can be useful for a box experiencing spam. If there is a lot of spam in the queue, try the following:

postsuper -h ALL

This will move everything in the queue to the Hold queue. Here you can start to triage.

mailq | less

Start eyeballing the queue for an address or hostname that looks to be spamming, either internally or externally.

mailq | grep "badActor" > spammyspams.txt

This will put all the bad actors in one easy-to-parse file. It does not hurt to eyeball this file in order to make sure that it grabbed what you hoped it would grab. “badActor” is either going to be an address, an IP, a hostname, or possibly a subject line from spam.

awk '{ print $1 }' spammyspams.txt | postsuper -d -

This deletes all of the messages specified in spammyspams.txt. Sometimes there are silly delimiters in the mailq ID that can throw off the awk – specifying the delimiter in the awk command should present a workaround:

# awk '{ print $1 }' spammyspams.txt | postsuper -d -
postsuper: warning: invalid mail queue id: 7CBC8904487!
# awk 'BEGIN { FS = "!" } ; { print $1 }' spammyspams.txt | postsuper -d -
postsuper: Deleted: 33992 messages

postsuper -r ALL

This puts the remaining mails back into the active queue.

If you get “command not found” with mailq above, check this out instead:

/usr/local/psa/admin/sbin/mailqueuemng --help
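
An added example, not from the original article: mailq prints the sender on an entry's first line and each recipient on its own indented line, so grepping for a recipient returns lines that carry no queue ID. This function reads whole entries, strips the * and ! status markers, and prints only the queue IDs of entries whose sender or recipients contain the given text; the function name queue_ids_matching and the sample listing are constructed for illustration.

```shell
# Added example: select queue IDs whose sender or any recipient contains a string.
queue_ids_matching() {
    # $1: literal text (not a regex); postqueue -p or mailq output on stdin
    NEEDLE="$1" awk '
        function emit() { if (id != "" && hit) print id; id = ""; hit = 0 }
        BEGIN { needle = tolower(ENVIRON["NEEDLE"]); if (needle == "") exit 2 }
        # entry header: <queue-id>[*|!] <size> <arrival time> <sender>
        /^[0-9A-Za-z]+[*!]?[ \t]+[0-9]+[ \t]/ {
            emit()
            id = $1
            sub(/[*!]$/, "", id)        # "*" marks active, "!" marks on hold
            if (index(tolower($NF), needle)) hit = 1
            next
        }
        /^[ \t]+[^ \t]/ {              # indented line: one recipient of the entry
            if (id != "" && index(tolower($1), needle)) hit = 1
            next
        }
        /^$/ { emit() }                # blank line ends the entry
        END { emit() }
    '
}

# Constructed sample of queue output, not taken from a real server.
sample_queue() {
    cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
7CBC8904487!    2210 Mon May  7 06:30:06  promo@bad.example
                                         alice@example.net
                                         bob@example.org

5BEAF35D812!    1068 Mon May  7 06:30:09  root@host.example.com
(connect to mx.example.org[192.0.2.10]:25: Connection timed out)
                                         carol@example.org

0B2A935D811*     918 Mon May  7 06:31:00  news@host.example.com
                                         victim@bad.example

-- 4 Kbytes in 3 Requests.
EOF
}

sample_queue | queue_ids_matching 'bad.example'
```

Review the printed IDs first; the list can then be piped to postsuper -d - in place of the awk step above.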

The Fast Way To Check Your Queue Size

 postqueue -p | grep -c '^[0-9A-Z]'

This will tell you how many emails are in the queue – useful when you just need a quick snapshot. This provides NO other information. If the above command is taking way too long or if the queue is massive, an alternative method is to check the file structure:

 find /var/spool/postfix/active -type f | wc -l

There is one file per email in the queue. Please bear in mind that the above command only counts emails in /var/spool/postfix/active, not deferred emails. So this may not be an accurate method 100% of the time.

PHP scripts sending mail?

If you’re looking for spam coming from PHP scripts, all you should need to do is check the php_maillog (/var/log/php_maillog):

Access and Error log:
/usr/local/psa/var/log/maillog
PHP Maillog:
/var/log/maillog

Here is a one-liner that should help find helpful information:

  egrep -o "/var/www/vhosts[^:]*" /var/log/maillog|sort|uniq -c|sort -rnk1|head

Obviously there are a number of ways to grep, sort, and awk for the info you need from this file and the above is just something to help get you started. Essentially all you need from the php_maillog is:

  • The cwd (Current Working Directory)
  • The file that is being used (usually provided to you at the end of the cwd)

Note

Remember to STAT the potentially compromised files before viewing them.


You can start digging further into the spamming domains by grepping for “POST” inside the domain logs & Apache access log.

/var/www/vhosts/$DOMAIN.EXT/logs/error_log
/var/www/vhosts/$DOMAIN.EXT/logs/access_log
/var/www/vhosts/$DOMAIN.EXT/logs/access_ssl_log

Again, be sure to STAT files that look like they may have been used to gain access to the account or may have been spamming at some point.

This should give you a solid foundation and make hunting for spam on a plesk server feel a bit more akin to the cPanel environment.

How do I find them?!

Even though Postfix generously offers next to nothing in the way of spam detection, queue handling, or log management, we can simply run this:

 mailq|grep '^[A-F0-9]'|cut -c 42-80|sort |uniq -c|sort -n|tail

If the mailq binary doesn’t exist, substitute it with sendmail -bp or postqueue -p.

This one-liner isn’t extremely elegant, but the output is, in a very basic way, similar to the output of the spamfu.sh script. This certainly requires additional research, as someone appearing on this report is not a “smoking gun” when dealing with spam. At the very least a maldet should be run (once for httpdocs and a second time for httpsdocs).

Spam tickets for Postfix need to be thoroughly noted and documented, as there is a high likelihood of false positives. Be absolutely certain before you remove content from the queue!

Checking for most email from authenticated users:

 egrep sasl_username /usr/local/psa/var/log/maillog |awk '{print $9}'|sort |uniq -c|sort -n|tail -n5

What is the shape of the mail queue?

The qshape program helps the administrator understand the Postfix queue message distribution in time and by sender domain or recipient domain. The program needs read access to the queue directories and queue files, so it must run as the superuser or the mail_owner specified in main.cf (typically postfix). By default the recipient distribution is displayed.

          T  5 10 20 40 80 160 320 640 1280 1280+
   TOTAL  0  0  0  0  0  0   0   0   0    0     0

Logs

The main maillog is here:

/usr/local/psa/var/log/maillog

This file is not as dense as Exim’s mail logs. However, it is informative.

May  7 06:30:06 plesk10train postfix/pickup[15193]: 0B2A935D811: uid=100 from=<root>
May  7 06:30:06 plesk10train postfix/cleanup[15608]: 0B2A935D811: message-id=<20120507103006.0B2A935D811@plesk10train.liquidweb.com>
May  7 06:30:06 plesk10train postfix/qmgr[30805]: 0B2A935D811: from=<root@plesk10train.liquidweb.com>, size=918, nrcpt=1 (queue active)
May  7 06:30:06 plesk10train postfix/cleanup[15608]: 5BEAF35D812: message-id=<20120507103006.0B2A935D811@plesk10train.liquidweb.com>
May  7 06:30:06 plesk10train postfix/qmgr[30805]: 5BEAF35D812: from=<root@plesk10train.liquidweb.com>, size=1068, nrcpt=1 (queue active)
May  7 06:30:06 plesk10train postfix/local[15610]: 0B2A935D811: to=<drweb@localhost.localdomain>, orig_to=<drweb>, relay=local, delay=0.5, delays=0.41/0.09/0/0.01, dsn=2.0.0, status=sent (forwarded as 5BEAF35D812)
May  7 06:30:06 plesk10train postfix/qmgr[30805]: 0B2A935D811: removed
May  7 06:30:06 plesk10train postfix/smtp[15611]: certificate verification failed for mxgate-03.liquidweb.com[209.59.139.131]:25: untrusted issuer /C=US/ST=Michigan/L=Lansing/O=Liquid Web LLC./OU=Secure Services/CN=swift.liquidweb.com/emailAddress=support@liquidweb.com
May  7 06:30:06 plesk10train postfix/smtp[15611]: 5BEAF35D812: to=<phawkins@liquidweb.com>, orig_to=<drweb>, relay=mxgate-03.liquidweb.com[209.59.139.131]:25, delay=0.14, delays=0/0.06/0.05/0.02, dsn=2.0.0, status=sent (250 OK id=1SRLCg-0000yS-G9)
May  7 06:30:06 plesk10train postfix/qmgr[30805]: 5BEAF35D812: removed

The format of the logfile is this:

 month day time:stamp hostname mailhandler/action [PID] id_code: actions

The Postfix log is very similar to the exim_mainlog format. It’s important to note, though, that not every installation of Postfix allows for the subject line to be recorded. Although this can make a spam investigation troublesome, we have other tools that we can employ for this purpose.
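
The sample log above shows one message changing queue ID when it is forwarded. As an added example (not part of the original article), this function follows a queue ID through such "forwarded as" hops and prints each delivery attempt with its relay and status. The function name trace_message and the log lines are constructed for illustration, and the field positions assume the classic syslog timestamp shown above.

```shell
# Added example: follow one message through the maillog, across "forwarded as" hops.
trace_message() {
    # $1: queue ID to start from; maillog text on stdin (classic syslog timestamps)
    START="$1" awk '
        $5 ~ /^postfix\// && $6 ~ /^[0-9A-Za-z]+:$/ {
            id = substr($6, 1, length($6) - 1)
            if (match($0, / from=<[^>]*>/))
                from[id] = substr($0, RSTART + 7, RLENGTH - 8)
            if (!match($0, / to=<[^>]*>/)) next
            line = "to=" substr($0, RSTART + 5, RLENGTH - 6)
            if (match($0, / relay=[^, ]+/))
                line = line " relay=" substr($0, RSTART + 7, RLENGTH - 7)
            if (match($0, / status=[a-z]+/))
                line = line " status=" substr($0, RSTART + 8, RLENGTH - 8)
            hops[id] = hops[id] line "\n"
            if (match($0, /forwarded as [0-9A-Za-z]+/))
                fwd[id] = substr($0, RSTART + 13, RLENGTH - 13)
        }
        END {
            for (id = ENVIRON["START"]; id != "" && !(id in seen); id = fwd[id]) {
                seen[id] = 1
                n = split(hops[id], h, "\n")
                for (i = 1; i < n; i++) print id, "from=" from[id], h[i]
            }
        }
    '
}

# Constructed log lines modelled on the format above, not taken from a real server.
sample_maillog() {
    cat <<'EOF'
May  7 06:30:06 host postfix/pickup[15193]: 0B2A935D811: uid=100 from=<root>
May  7 06:30:06 host postfix/qmgr[30805]: 0B2A935D811: from=<root@host.example.com>, size=918, nrcpt=1 (queue active)
May  7 06:30:06 host postfix/qmgr[30805]: 5BEAF35D812: from=<root@host.example.com>, size=1068, nrcpt=1 (queue active)
May  7 06:30:06 host postfix/local[15610]: 0B2A935D811: to=<drweb@localhost.localdomain>, orig_to=<drweb>, relay=local, delay=0.5, dsn=2.0.0, status=sent (forwarded as 5BEAF35D812)
May  7 06:30:06 host postfix/smtp[15611]: 5BEAF35D812: to=<admin@example.org>, orig_to=<drweb>, relay=mx.example.org[192.0.2.25]:25, delay=0.14, dsn=2.0.0, status=sent (250 OK queued)
May  7 06:30:07 host postfix/smtp[15612]: 9F3C235D813: to=<other@example.net>, relay=none, delay=30, dsn=4.4.1, status=deferred (connect to mx.example.net[192.0.2.40]:25: Connection timed out)
EOF
}

sample_maillog | trace_message 0B2A935D811
```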

Increase max attachment size

Confirm the current size first. This will be listed in bytes:

 postconf | grep message_size_limit

Edit main.cf:

 cp -a /etc/postfix/main.cf /etc/postfix/main.cf.lwbak$(date +%F)
 vim /etc/postfix/main.cf

Add or edit this line, then save & quit:

 message_size_limit = XXXXX  (insert appropriate size in bytes)

Be sure to “service postfix reload” and then run the postconf/grep as above to confirm the changes.

Enable soft bounces

Soft bounces will cause an NDR to not get queued on postfix.

postconf -e "soft_bounce=yes"

Messages that bounce to invalid users will not receive a non-delivery report; instead, this is logged in the mail log on postfix:

Oct  9 16:51:00 plesk11train postfix/smtpd[7232]: NOQUEUE: reject: RCPT from email.liquidweb.com[67.227.164.41]: 450 4.1.1 <steves@plesk11train.pleskalations.com>:  Recipient address rejected: User unknown in virtual mailbox table; from=<ssublett@liquidweb.com> to=<steves@plesk11train.pleskalations.com> proto=ESMTP helo=<email.liquidweb.com>

Notice the 450 4.1.1; normal bouncebacks get 550 5.1.1, and a bounceback notification is sent back to the sender.

Only try to deliver an NDR or bounce message one time (the default is 5 days of trying):

postconf -e "bounce_queue_lifetime=0"