On 10/16/12 8:15 AM, Wietse Venema wrote:
Kaleb Hosie:
We host a mail server which runs Postfix and there have been a few
times where one of our clients' computers becomes infected with
malware and the password is compromised.

How this has come to my attention is because every once in a while,
I will log in to the mail server and see an unusually large mail
queue which is all being sent to one domain.

Is it possible to monitor the queue automatically and have it send
me an alert if the postfix queue reaches over a certain threshold?

To fight symptoms, run a cron job every 10 minutes or so:
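
    #!/bin/sh
    # The last line of "postqueue -p" looks like:
    #   -- 285 Kbytes in 20 Requests.
    # so field 5 is the number of queued requests.
    postqueue -p | awk '
    BEGIN { limit = 10240 }
    /^-- .+ Kbytes in .+ Request/ { queue_len = $5 }
    END { if (queue_len > limit)
            print "Queue size", queue_len | "mail -s \"Queue size problem\" root"
    }
    '
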
To throttle clients that send too much mail, see postfwd, policyd
and the like.
Wietse

Another method would be to use SNMP monitoring, which we have set up and
works quite nicely as our monitoring system will send email alerts, SMS
messages, and phone calls. On the mail server (CentOS 5/6) there is a
script that is grabbing the size of the mailq:

mon_queue.sh

    #!/bin/bash
    # assume queue length of zero
    count=0

    # Place the output of postqueue into the array variable
    # Output should look something like:
    # -- 285 Kbytes in 20 Requests.
    # (without the leading "# ")
    queuelength=( $(/usr/sbin/postqueue -p | tail -n 1) )

    # Make sure the array has six elements, we are interested in the
    # fifth element (index 4 because arrays in BASH are 0-based)
    if (( ${#queuelength[*]} == 6 ))
    then
        if (( queuelength[4] > 0 ))
        then
            count=${queuelength[4]}
        else
            count=0
        fi
    elif (( ${#queuelength[*]} == 4 )) && [[ "${queuelength[*]}" = "Mail queue is empty" ]]
    then
        count=0
    else
        # unknown output from postqueue
        count="0"
    fi

    echo "${count}"
    exit

Then inside snmpd.conf add the line:

    exec postqueue /usr/bin/sudo /path/to/script/mon_queue.sh

Now you should have an SNMP OID of something like
.1.3.6.1.4.1.2021.8.1.101.1 which can be used to query. Then set up your
SNMP monitoring server with thresholds for queue size, and enjoy having
a historical perspective on queues.
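
An added example, not part of any post in this thread: both scripts above alert on total queue length, while the symptom described in the question is one account flooding one domain. This sketch counts queued messages per envelope sender and queued recipients per domain from `postqueue -p` output; the function names, the thresholds and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `postqueue -p` text on stdin and
# prints "sender|domain count name" for every envelope sender (per message)
# or recipient domain (per recipient) with more than $1 queue entries.
queue_offenders() {
    awk -v limit="$1" '
    # Entry line: queue ID (optionally flagged * or !), size, four
    # arrival-time fields, then the envelope sender in field 7.
    /^[0-9A-Za-z]+[*!]?[ \t]+[0-9]+[ \t]/ { senders[$7]++; next }
    # Recipient lines are indented and hold one address; deferral
    # reasons contain spaces and never match.
    /^[ \t]+[^ \t]+@[^ \t]+$/ {
        dom = tolower($1); sub(/^.*@/, "", dom); domains[dom]++
    }
    END {
        for (s in senders) if (senders[s] > limit) print "sender", senders[s], s
        for (d in domains) if (domains[d] > limit) print "domain", domains[d], d
    }' | LC_ALL=C sort
}

# Cron wrapper (hypothetical name): mail the report to root if non-empty.
#   postqueue -p | queue_alert 200
queue_alert() {
    report=$(queue_offenders "$1")
    [ -z "$report" ] || printf '%s\n' "$report" | mail -s 'Queue offenders' root
}

# Constructed sample of `postqueue -p` output (not real data).
sample_queue() {
    cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
4A1B2C3D4E*    1843 Tue Oct 16 07:58:01  jdoe@client.example
                                         a1@target.example

4A1B2C3D4F     1850 Tue Oct 16 07:58:02  jdoe@client.example
(connect to mx.target.example[192.0.2.25]:25: Connection timed out)
                                         b2@target.example
                                         c3@Target.Example

4A1B2C3D50     2210 Tue Oct 16 07:59:40  info@other.example
                                         friend@elsewhere.example

-- 6 Kbytes in 3 Requests.
EOF
}

sample_queue | queue_offenders 1
```

A sender line in the report names the account whose password most likely needs resetting, which the total queue length alone does not show.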