On Tue, Aug 30, 2022 at 11:27:19AM +0000, Frank Brendel wrote:

> > Are you using MailScanner or other non-Postfix software that
> > reads or updates Postfix queue files?
> >
> >         Wietse
> 
> No, only Postfix and Dovecot with replication.  I've attached the
> postconf output.
> 
> But regarding 'queue files' I have about 265.000 deferred mails
> (recipients mailbox full).

You really should do something about that, build a table of over-quota
recipients, and tempfail new mail for such users when briefly over
quota, and ultimately reject if long-term over-quota.

If the users don't resolve this condition, you'll be sending over a
quarter million bounces.  This is likely a bigger issue than the
occasional corrupt message.

> Filesystem is UFS2.

To make progress, you'll need to detail the milters you're using, and share
complete logs and make available the raw binary queue file for at least
one corrupt spammy message with sufficiently non-sensitive content.
Please also report:

    $ postconf mail_version

and whether you're running Postfix from base or ports.  Also
the OS release and patch level, and if from ports the package
version.

> header_checks = pcre:/etc/postfix/header_checks.pcre
> milter_default_action = accept
> milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
> milter_protocol = 6
> smtpd_helo_restrictions = permit_mynetworks,
>   permit_sasl_authenticated, check_helo_access
>   pcre:/etc/postfix/helo_exceptions.pcre, reject_non_fqdn_hostname,
>   reject_invalid_helo_hostname, check_helo_access
>   pcre:/etc/postfix/helo_checks.pcre, permit
> smtpd_recipient_restrictions = reject_non_fqdn_recipient,
>   reject_unknown_recipient_domain, permit_mynetworks,
>   permit_sasl_authenticated, reject_unauth_destination,
>   reject_unlisted_recipient, check_recipient_access
>   pcre:/etc/postfix/whitelist_checks.pcre permit
> smtpd_sender_restrictions = permit_mynetworks,
>   permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access
>   pcre:/etc/postfix/sender_checks.pcre reject_unknown_sender_domain,
>   permit

Do the header_checks and/or restrictions affect which if any milters are
ultimately used?  Under what conditions?

> notify_classes = software

On high-volume mail servers, I recommend empty notify_classes, and
monitor your logs instead.

> smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter.map
> smtpd_milters = inet:aaaaaa.aaaaaaa.aaa:dddd

Which milters are expected to have been used with the corrupt messages?

-- 
    Viktor.
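
Added example, not part of the original message and not Postfix or Dovecot code: one way to build the over-quota recipient table suggested above, emitting access(5) entries that tempfail recently over-quota recipients and reject long-term ones. The input format (address plus the epoch time it was first seen over quota), the 7-day grace period and the reply texts are assumptions.

```python
"""Build a Postfix access(5) table from over-quota state (added example)."""
import time

GRACE_SECONDS = 7 * 24 * 3600  # assumption: grace period before a hard reject
TEMPFAIL = "450 4.2.2 Mailbox full, try again later"  # assumed reply text
REJECT = "552 5.2.2 Mailbox full"                     # assumed reply text


def parse_state(text):
    """Parse 'address first_over_quota_epoch' lines; skip blanks, comments, junk."""
    state = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or "@" not in parts[0] or not parts[1].isdigit():
            continue  # malformed line: never emit a table entry for it
        # Lowercase the key to match how Postfix folds lookup keys.
        addr, since = parts[0].lower(), int(parts[1])
        # Keep the earliest timestamp if an address is listed twice.
        state[addr] = min(since, state.get(addr, since))
    return state


def build_access_table(state, now=None, grace=GRACE_SECONDS):
    """Return access(5) lines: 4xx inside the grace period, 5xx after it."""
    now = time.time() if now is None else now
    lines = []
    for addr in sorted(state):
        action = REJECT if now - state[addr] >= grace else TEMPFAIL
        lines.append(f"{addr}\t{action}")
    return lines


# Constructed sample state, not data from the thread.
SAMPLE = """\
# address            first seen over quota (epoch)
alice@example.com    1661850000
Bob@Example.com      1660000000
bob@example.com      1660500000
broken-line
"""

if __name__ == "__main__":
    now = 1661860000  # fixed for a reproducible run; omit to use the clock
    print("\n".join(build_access_table(parse_state(SAMPLE), now)))
```

The output is in the form postmap(1) compiles for a check_recipient_access lookup; where that lookup sits in smtpd_recipient_restrictions is a site decision.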
