Tips
[root@mail ~]# useradd -m u1 -s /sbin/nologin
User delete: userdel -r u1
User lock:   passwd -l u1
# updatedb
[root@mail]# locate 2366F12080DE [ mail id ]
OR postcat -q 2366F12080DE
/var/spool/postfix/defer/2/2366F12080DE
/var/spool/postfix/deferred/2/2366F12080DE
[root@ho 5]# cd /var/spool/postfix/deferred/2/
# postsuper -d ALL [mail Q Delete]
# postsuper -d ALL deferred [remove all mails in the deferred queue ]
# mailq| grep '^[A-Z0-9]'|grep user@worldcm.net|cut -f1 -d' ' |tr -d \*|postsuper -d -
Perform actions on the queue
Remove all unsent mailer daemon notifications
mailq|awk ' /^[0-9A-F][0-9A-F]*[^*].*MAILER-DAEMON$/ {print $1}'|sudo xargs -rn1 postsuper -d
Delete based on the from address:
mailq|awk ' /^[0-9A-F][0-9A-F]*.*mail.ru$/ {print $1}'|tr -d '*'| xargs -rn1 postsuper -d
#tail -f /var/log/maillog
#cat /var/log/maillog
# grep worldcm.net /var/log/maillog
Find text in files using the Linux grep command
grep -R "content_to_search" /path/to/directory
# grep -r "mailbackup" /etc/postfix/
/etc/postfix/main.cf:always_bcc = mailbackup
Mail Box ownership
# cd /home [ if the mailbox was copied, fix its ownership ]
chown -R mamun:mamun mamun
/home/mamun/Maildir/cur [mail inbox ]
/home/mamun/Maildir/.Sent/cur [send mail]
To delete all files in the current directory that are older than 30 days (use find when a plain rm * fails with "-bash: /usr/bin/find: Argument list too long"):
# cd /home/accesstel/Maildir/cur/
find . -type f -mtime +30 -print0 | xargs -0 rm -f [-- best --]
Delete messages from Maildir/cur/ with a given subject [sub: lfd on mail]; -l lists only the matching file names and -Z/-0 keep names with spaces intact:
# grep -R -l -Z "lfd on mail" . | xargs -0 rm -f
[root@localhost ~]# openssl passwd -crypt dha@a9A34
VCX97jg6iZebc
useradd -m -p <hashed-password> -s /sbin/nologin <user>
# useradd -m -p Bay1cN04XNI0M -s /sbin/nologin u4
Note: -p expects the already hashed password, and -crypt produces a traditional DES crypt(3) hash, which only uses the first 8 characters of the password; current OpenSSL can also produce the SHA-512 hashes (-6) that modern Linux systems expect.
View the postfix version :
# postconf mail_version
mail_version = 2.3.3
Check the postfix installation :
# postfix check
Show default postfix values :
# postconf -d
To show non default postfix values :
# postconf -n
To restart postfix mail server :
# postfix reload
Flush the mail queue :
# postfix flush
Or you can use:
# postfix -f
To see mail queue :
# mailq
( the sendmail equivalent is sendmail -bp )
# mailq | grep -c '^[A-Z0-9]'
( gives the total number of mails in the queue; mailq | wc -l would count lines, not messages )
To remove all mail from the queue :
# postsuper -d ALL
To remove all mails in the deferred queue :
# postsuper -d ALL deferred
To see the mails in a tree structure :
# qshape
# mailq| grep '^[A-Z0-9]'|grep user|cut -f1 -d' ' |tr -d \*|postsuper -d -
View the mail content :
# postcat -q AFD4A22837C
You get the queue ID from mailq. You can also read the mails directly from the Postfix spool: Postfix normally keeps queued mail under /var/spool/postfix/ (for example /var/spool/postfix/active/ for messages being delivered), and the queue directory can be changed in the Postfix configuration (queue_directory in main.cf).
Sort by from address :
# mailq | awk '/^[0-9,A-F]/ {print $7}' | sort | uniq -c | sort -n
To remove all mails sent by user@adminlogs.info from the queue :
# mailq| grep '^[A-Z0-9]'|grep user@adminlogs.info|cut -f1 -d' ' |tr -d \*|postsuper -d -
To remove all mails being sent using the From address “user@adminlogs.info” :
# mailq | awk '/^[0-9,A-F].*user@adminlogs.info / {print $1}' | cut -d '!' -f 1 | postsuper -d -
To remove all mails sent by the domain adminlogs.info from the queue :
# mailq| grep '^[A-Z0-9]'|grep @adminlogs.info|cut -f1 -d' ' |tr -d \*|postsuper -d -
Test your own Mailserver against attacks :
-----------Mail Attachment size---------------
postconf | grep message_size_limit
message_size_limit = 10240000 [~10 MB]
message_size_limit = 20480000 [~20 MB]
postconf -e message_size_limit=52428800 [50 MB, then postfix reload]
-------------------------
postfix check
postconf -v
postconf -h
Count and sort success SMTP postfix logins (useful for tracking spammer)
# grep -i "sasl_username" /var/log/maillog | awk '{print $9}' | sort | uniq -c | sort -n
tail -f /var/log/maillog|grep postfix
tail -f /var/log/maillog|grep SASL
Delete root's mailbox (mbox) file in Linux
Install mailx if needed:
yum install mailx
OR
dnf install mailx
Then simply type the following command to read the mailbox:
mailx
Delete root user's mailbox/inbox file in Linux or Unix:
> /var/spool/mail/root
Verify it with the cat command or the ls command:
cat /var/spool/mail/root
ls -l /var/spool/mail/root
To empty root's mailbox every day using a cron job:
@daily > /var/spool/mail/root
Method 1:
Remove all emails of root or any other user on the Linux system using the following command.
echo 'd *' | mail -N
Method 2:
Empty the mailbox file for any user. Generally the Linux system keeps the email under /var/mail/root or /var/spool/mail/root (for root account).
# > /var/mail/root
# > /var/spool/mail/root
Or truncate it from cron every night:
0 0 * * * cat /dev/null > /var/spool/mail/root
--Dovecot----- Show the username behind "SASL LOGIN authentication failed: UGFzc3dvcmQ6" -----------------
(UGFzc3dvcmQ6 is just base64 for "Password:", the LOGIN prompt the server sent, so the Postfix line itself carries no username; Dovecot's verbose auth logging does.)
# vi /etc/dovecot/conf.d/10-logging.conf
auth_verbose = yes
mail_debug = yes
---x----
Edit the dovecot.conf file (normally /etc/dovecot/dovecot.conf) and add these two lines to enable verbose logging:
auth_verbose = yes
mail_debug = yes
then restart dovecot. If you get too much verbose output, try auth_verbose only. Note that "SASL LOGIN authentication failed" does not mean you have been hacked: it is a failed attempt.
Logging the user name is useful because it shows which email accounts are at high risk, so further steps can be taken before an attacker guesses the password.
Some useful postfix commands
To Check Postfix Queue
#mailq
To Check Sasl Auth
#tail -f /var/log/messages|grep sasl
To Check Postfix Logs
#tail -f /var/log/maillog|grep postfix
List of domains that are being deferred
#qshape-maia -s deferred
Checking Specific Mail From Queue
—————————————
To view the full mails
#postcat -q D5EB71AEA45
If you get the error "postcat: fatal: open queue file D5EB71AEA45: No such file or directory", the mail has already been delivered or was removed with postsuper.
If you want to remove specific mail from queue
#postsuper -d D5EB71AEA45
Sorting Queued Mails By From Address:
# mailq | awk '/^[0-9,A-F]/ {print $7}' | sort | uniq -c | sort -n
Removing Mails Based On Sender Address
# mailq| grep '^[A-Z0-9]'|grep peggysj@msn.com|cut -f1 -d' ' |tr -d \*|postsuper -d -
or, if you have put the queue on hold, use
# mailq | awk '/^[0-9,A-F].*capitalone@mailade.com/ {print $1}' | cut -d '!' -f 1 | postsuper -d -
to remove all mails being sent using the From address "capitalone@mailade.com".
If you want to remove all mails sent by the domain msn.com from the queue:
# mailq| grep '^[A-Z0-9]'|grep @msn.com|cut -f1 -d' ' |tr -d \*|postsuper -d -
Counting maillog entries [display how many messages were sent to each address from your mail server]
grep "status=sent" /var/log/maillog |cut -d "=" -f 2 |cut -d ">" -f 1 |cut -d "<" -f 2 |sort -n |uniq -c
Finding brute-force logins and blocking them
grep "dovecot" /var/log/maillog |grep "Aborted login" |cut -d "," -f 3 |cut -d ":" -f 4 |sort -n |uniq -c
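The two log greps above, generalised into a small script as an added example (not part of the original notes): it counts failed Postfix SASL and Dovecot logins per client IP, lists the IPs at or above a threshold, and counts successful sasl_username logins per account. The log formats assumed are those of Postfix smtpd and Dovecot imap/pop3-login; the sample lines and their RFC 5737 test addresses are constructed.

```shell
#!/bin/sh
# Added example: count failed logins per client IP from maillog lines.
# Assumes Postfix smtpd "SASL ... authentication failed" lines and Dovecot
# imap/pop3-login "Aborted login ... rip=" lines. The sample below is
# constructed (RFC 5737 test addresses), not a real log.
SAMPLE_LOG='Jan  8 10:05:01 mail postfix/smtpd[1234]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  8 10:05:03 mail postfix/smtpd[1234]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  8 10:05:05 mail postfix/smtpd[1234]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jan  8 10:06:00 mail postfix/smtpd[1240]: 2366F12080DE: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=mamun
Jan  8 10:07:00 mail dovecot: imap-login: Aborted login (auth failed, 3 attempts in 10 secs): user=<mamun>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, session=<abc123>
Jan  8 10:08:00 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<accesstel>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1, session=<def456>'

# failed_auth_by_ip [log-text]: prints "count ip", busiest client first.
# With no argument it reads the live /var/log/maillog.
failed_auth_by_ip() {
    printf '%s\n' "${1:-$(cat /var/log/maillog)}" | awk '
        /postfix\/smtpd.*: SASL [A-Z0-9-]+ authentication failed/ {
            ip = $0; sub(/.*\[/, "", ip); sub(/\].*/, "", ip); n[ip]++
        }
        /dovecot: .*Aborted login/ {
            ip = $0; sub(/.*rip=/, "", ip); sub(/,.*/, "", ip); n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# brute_force_ips MIN [log-text]: client IPs with at least MIN failures,
# i.e. the candidates for a firewall or fail2ban block.
brute_force_ips() {
    failed_auth_by_ip "$2" | awk -v min="$1" '$1 >= min { print $2 }'
}

# sasl_logins_by_user [log-text]: successful SMTP AUTH logins per account.
# A normally quiet account suddenly at the top of this list usually means a
# stolen password being used to relay spam.
sasl_logins_by_user() {
    printf '%s\n' "${1:-$(cat /var/log/maillog)}" | awk '
        /sasl_username=/ {
            u = $0; sub(/.*sasl_username=/, "", u); sub(/[ ,].*/, "", u); n[u]++
        }
        END { for (u in n) print n[u], u }' | sort -rn
}

failed_auth_by_ip "$SAMPLE_LOG"
brute_force_ips 3 "$SAMPLE_LOG"
```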
Check port 25 when the queue shows status=deferred (Connection timed out):
[root@mail ~]# traceroute -n -T -p 25 alt4.gmail-smtp-in.l.google.com
# telnet gmail-smtp-in.l.google.com 25
//postqueue -p is the same as mailq
List mail queue and MAIL_ID’s, list mail queue
postqueue -p
mailq
Reload config
service postfix reload
Restart postfix server
service postfix restart
View the postfix version
postconf mail_version
Show default postfix values
postconf -d
Show non default postfix values
postconf -n
Flush mail queue
postfix flush
Process the queue now
postqueue -f
Process all emails stuck in the queue
postsuper -r ALL && postqueue -f
Read email from mail queue
postcat -q MAIL_ID
To remove MAIL_ID mail from the queue
postsuper -d MAIL_ID
To remove all mail from the queue
postsuper -d ALL
To remove all from mail queue FAST
find /var/spool/postfix/deferred/ -type f | xargs -n1 basename | xargs -n1 postsuper -d
To remove all mails in the deferred queue
postsuper -d ALL deferred
Sort and count emails by “from address”
postqueue -p | awk '/^[0-9,A-F]/ {print $7}' | sort | uniq -c | sort -n
Removing all emails sent by user@adminlogs.info
postqueue -p|grep '^[A-Z0-9]'|grep user@adminlogs.info|cut -f1 -d' '|tr -d \*|postsuper -d -
Remove all email sent from user@admin.info
postqueue -p|awk '/^[0-9,A-F].*user@admin.info / {print $1}'|cut -d '!' -f 1|postsuper -d -
Remove all email sent by domain adminlogs.info
postqueue -p | grep '^[A-Z0-9]'|grep @adminlogs.info|cut -f1 -d' ' |tr -d \*|postsuper -d -
Mail queue stats short
postqueue -p | tail -n 1
Number of emails in Mail queue
postqueue -p | grep -c "^[A-Z0-9]"
Fast count of emails in mail queue
find /var/spool/postfix/deferred -type f | wc -l
Watch Log Live
tail -f /var/log/maillog
Checking Mail Queue and Identifying
2. To know the number of messages sitting in the deferred queue (The command will return the number of deferred emails):
# find /var/spool/postfix/deferred -type f | wc -l
~~~~~~
17
~~~~~~
3. To get a sorted list of the accounts that have the most mail in the queue. This usually means a maximum of 2 or 3 spammers at the end of the list:
# mailq|grep '^[A-F0-9]'|cut -c 42-80|sort |uniq -c|sort -n|tail
~~~~~~
17 info@virtualization.network
27 accounts@prithvilogistics.com
39 musarrat@1lotusmarketresearch.com
281 MAILER-DAEMON
~~~~~~
4. Removing all emails sent by user@adminlogs.info
~~~~~~
# postqueue -p|grep '^[A-Z0-9]'|grep user@adminlogs.info|cut -f1 -d' '|tr -d \*|postsuper -d -
~~~~~~
5. Remove all email sent from user@admin.info
~~~~~~
# postqueue -p|awk '/^[0-9,A-F].*user@admin.info / {print $1}'|cut -d '!' -f 1|postsuper -d -
~~~~~~
6. Remove all email sent by domain adminlogs.info
~~~~~~
# postqueue -p | grep '^[A-Z0-9]'|grep @adminlogs.info|cut -f1 -d' ' |tr -d \*|postsuper -d -
~~~~~~
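The remove-by-sender and remove-by-domain pipelines in items 4 to 6, and the same pipelines under "Removing Mails Based On Sender Address" earlier, as one added example that is not part of the original notes: it parses mailq/postqueue -p output, strips the "*" (active) and "!" (hold) markers, matches only the sender field, and defaults to a dry run before feeding postsuper -d -. The mailq sample is constructed; the functions take it as an argument so they run offline.

```shell
#!/bin/sh
# Added example: select queue IDs from `mailq` / `postqueue -p` output by
# sender or sender domain, with a dry run before `postsuper -d -`.
# Assumes the Postfix mailq format: an ID line starts with the hex queue ID,
# optionally followed by "*" (active) or "!" (on hold), and ends with the
# sender; recipient lines are indented. The sample is constructed, not real.
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
2366F12080DE     1243 Mon Jan  8 10:01:02  user@adminlogs.info
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         someone@example.net

E14BA10A986!     2210 Mon Jan  8 10:02:17  other@adminlogs.info
(host mx.example.org[192.0.2.20] said: 450 try again later)
                                         dest@example.org

E4C1610AB8C*      980 Mon Jan  8 10:03:40  bob@example.com
                                         carol@example.net

-- 4 Kbytes in 3 Requests.'

# queue_ids_for PATTERN [mailq-output]
# PATTERN is a fixed string matched against the sender field only, so
# "user@adminlogs.info" selects one sender and "@adminlogs.info" a domain.
# Prints bare queue IDs (markers stripped), one per line, for postsuper -d -.
# Without the second argument it reads the live queue via postqueue -p.
queue_ids_for() {
    printf '%s\n' "${2:-$(postqueue -p)}" | awk -v pat="$1" '
        /^[0-9A-F]+[*!]?[ \t]/ {
            id = $1; sub(/[*!]$/, "", id)
            if (index($NF, pat) > 0) print id
        }'
}

# remove_sender PATTERN [yes]: list the matching IDs; delete only when the
# second argument is "yes", so the default is a dry run.
remove_sender() {
    ids=$(queue_ids_for "$1")
    if [ -z "$ids" ]; then
        echo "nothing queued from $1"
    elif [ "${2:-no}" = "yes" ]; then
        printf '%s\n' "$ids" | postsuper -d -
    else
        printf '%s\n' "$ids"
        echo "(dry run: add \"yes\" to delete)"
    fi
}

queue_ids_for @adminlogs.info "$SAMPLE_MAILQ"
```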
7. To remove all from mail queue FAST
~~~~~~
# find /var/spool/postfix/deferred/ -type f | xargs -n1 basename | xargs -n1 postsuper -d
~~~~~~
8. To check headers of an email in postfix queue:
# postcat -vq XXXXXXXXXX
~~~~~~
root@:~# postcat -q 6761B21C519
*** ENVELOPE RECORDS active/6761B21C519 ***
message_size: 470 115
1 0
message_arrival_time: Sat Jul 15 14:56:33 2006
sender_fullname: www-data
sender: www-data@Webserver.local
*** MESSAGE CONTENTS active/6761B21C519 ***
Received: by Webserver (Postfix, from userid 33)
id 6761B21C519; Sat, 15 Jul 2006 14:56:33 -0700 (PDT)
Subject: Auto message allert for new user barbe !
From: beckie@bizhat.com
X-Mailer: MyCP add user auto mailer
Message-Id: <20060715215633.6761B21C519@Webserver>
Date: Sat, 15 Jul 2006 14:56:33 -0700 (PDT)
Hello barbe !
Test mail from BizHat.com
Good luck!
*** HEADER EXTRACTED active/6761B21C519 ***
original_recipient: info@bizhat.com
recipient: info@bizhat.com
*** MESSAGE FILE END active/6761B21C519 ***
~~~~~~
9. Get the mail IDs of all email currently in the queue:
# postqueue -p|egrep "[A-F0-9]{11}"|awk '{print $1}'
~~~~~~
E14BA10A986
E4C1610AB8C
EAA83105214
E868A10AB08
E295E10A58A
E59D410AB03
E182F10AB01
EF23110AA7B
~~~~~~
10. To flush the mail queue:
~~~~~~
# postfix flush OR postfix -f
~~~~~~
11. To remove all mails from the queue:
~~~~~~
# postsuper -d ALL
~~~~~~
12. To remove all mails in the deferred queue:
~~~~~~
# postsuper -d ALL deferred
~~~~~~
13. Display the deferred queue and hold queue
# qshape deferred
Running the following command will show you the number of deferred emails for each domain. If you see mails to one or more domain only being deferred, check if you can connect to those servers from the server.
Output:
~~~~~~
T 5 10 20 40 80 160 320 640 1280 1280+
TOTAL 0 0 0 0 0 0 0 0 0 0 0
-----------