QMail - log analysis

CoXeY · 6th December 2006

Hi all,

This is a copy of a post i have on the Psoft forum but thought i'd put on here too to see if anyone has anythoughts...

We're having serious problems with our mailserver and I need help understading the qmail logs to determine the cause of the problem.

It appears we are experiencing an abnormal amount of email activity and the recent maillogs are exceeding 2GB in size!

I am not too linux savvy so i'm struggling to know where to turn but thought i'd first start by trying to understand why these logs are so large. Especially as before we started having problems these logs were only around 60MB in size.

At the moment i am not sure if qmail has its knickers in a twist or whether someone is trying to compromise our server so i need to ascertain some kind of behavioural pattern for our emails.

From what i can see there are a huge number of emails that seem to be destined for the same account, here's an example from the maillog:

Quote:

Nov 24 09:18:43 web qmail: 1164359923.602551 new msg 184487

Nov 24 09:18:43 web qmail: 1164359923.603869 info msg 184487: bytes 12616 from qp 7279 uid 399

Nov 24 09:33:17 web qmail: 1164360797.575379 starting delivery 3349641: msg 184487 to local duckworth-and-kent.com-wildcard@localdomain.com

Nov 24 09:33:18 web qmail: 1164360798.909860 end msg 184487

Now from what i can tell this is a log for an inbound message that is destined for one of our local domains. That's fine. But what's really puzzling me is that the wildcard / catchall feature for this domain was turned off a few days ago so why would qmail be trying to deliver the message to the wildcard address?

Is there anyway i can check whether the catchall is really turned off, from with HSphere it says so but i'm assuming there must be an underlying parameter to correspond to this.

Any help on the matter is going to be really appreciated here guys. This has fallen in my hand and i am by no means the best man for the job but i have customers who are experiencing huge delays on emails and need to get the problem sorted asap!

Dan.

dch · 6th December 2006

Hi Dan,

I didn't notice the post over at PSoft yet - I will go and take a look and add some more details if possible...

But with volumes like that is is probably a dictionary attack on a catchall - the /var/hsphere/mail/logs/stats file is a live log for mail accepted (or rejected sue to Clam/SA) - maybe just do a

Code:

tail -f /var/hsphere/mail/logs/stats

on it to see if you can quickly see the pattern.

May also be worth checking to see how many of your accounts have catch all enabled.

Cheers,
Sean

othellotech · 7th December 2006

Quote:

Originally Posted by CoXeY

Is there anyway i can check whether the catchall is really turned off

Restart qmail, in case its just not re-read the settings
You should be able to see the catchall in the valiases/virtusers files

CoXeY · 7th December 2006

Restarting Qmail has no affect and I am unable to find the valiases/virtusers files - any ideas where these are?

Also, have a look at the logs below, what do you make of them:

Quote:

Dec 7 11:56:57 web named[1754]: MAXQUERIES exceeded, possible data loop in resolving (externaldomain.com)

and

Dec 7 11:56:58 web named[1754]: Lame server on 'externaldomain.com' (in 'externaldomain.com'?): [66.218.xx.xxx].53 'yns1.yahoo.com': learnt (A=194.203.xx.xx,NS=194.203.xx.xx)

The 194.203.xx.xx entry in the second log a DNS forwarder server that we use to resove DNS on our network.

CoXeY · 8th December 2006

Problem solved!

Needed to delete the queue in order to the clear the backlog and now everything seems to be ticking along just fine.

Thanks again guys

Dan.