In case your server gets listed on blacklists, mails will get refused by destination servers and stick in the deferred mail queue for some time until the sender finally gets a mailer daemon.
As it takes some time until the sender gets the mailer daemon and informs the server admin, it would be better if you could directly get notified by Icinga/Nagios when a mail is in the deferred queue because the destination server refused it.
Therefore I wrote a small shell script which I want to share with you here. I am assuming Debian Wheezy with Icinga and a postfix mailserver.
Create the shell script with the actual plugin in
/usr/lib/nagios/plugins/check_mailq_blacklist :
#!/bin/sh # detects if mails in mail queue were refused by destination server (because of blacklist?) # From https://blog.christosoft.de/2014/08/icinga-monitor-refused-mails-postfix-mailqueue/ # Version: 2017-03-07 if mailq | grep -qP "(refused to talk to me(?!(.*out of connection slots)))|(unsolicited mail originating from your IP)|(temporarily deferred due to user complaints)" then mails=`mailq | grep -oP "(refused to talk to me(?!(.*out of connection slots)))|(unsolicited mail originating from your IP)|(temporarily deferred due to user complai$ echo "$mails mail(s) were refused, check mailq!" if [ "$mails" -le 10 ] && [ "$mails" -gt 1 ]; then # 2-10 mails -> warning echo "\nWarning. | refused=$mails;2;11;0" return 1; fi if [ "$mails" -gt 10 ]; then # more than 10 mails -> critical echo "\nCriticial! | refused=$mails;2;11;0" return 2; fi return 1; else echo "Ok, there seems to be no refused mail in the mailq | refused=0;2;11;0" exit 0; fi
This will check for the texts “refused to talk to me” (not followed by “out of connection slots”) and “unsolicited mail originating from your IP” in the mailq output. These are the most common errors you get when the destination server has your server’s IP blacklisted. In case at least one mail was refused, this causes a warning state in icinga. If more than 10 mails were refused, it causes a critical state.
Now you need to make this script executable:
chmod +x /usr/lib/nagios/plugins/check_mailq_blacklist
Now create the config file for the plugin in
/etc/nagios-plugins/config/mailq_blacklist.cfg :
# 'check_mailq_blacklist' command definition define command{ command_name check_mailq_blacklist command_line /usr/lib/nagios/plugins/check_mailq_blacklist }
So now we have the command and need to define a service that uses it. Let’s say we use this locally for localhost. In
/etc/icinga/objects/localhost_icinga.cfg
add:
define service{ use generic-service host_name localhost service_description Mail Queue Refused Mail check_command check_mailq_blacklist }
This is it, just restart icinga and you are done:
service icinga restart
I hope this is of use to somebody.
Of course it is also useful to monitor in Icinga, if you are on some of the most used blacklists. A script to do this can be found here.