
I'm using logwatch to monitor the logs on my server and I'm trying to make sense out of the postfix report. (See the report below.)

By looking at /var/log/mail.log I saw that this mail seems to be bouncing for a long time.

How can I stop this? Also, I would like to know how to lock down this mail server so it can only send mails to one specific mail (e.g. mine, for logwatch reports, crontabs etc.).

```
--------------------- Postfix Begin ------------------------

 ****** Summary ******************************************

   68.397K  Bytes accepted                              70,039
   67.161K  Bytes sent via SMTP                         68,773
    1.236K  Bytes delivered                              1,266
 ========   ==================================================

        2   Accepted                                   100.00%
 --------   --------------------------------------------------
        2   Total                                      100.00%
 ========   ==================================================

        2   Removed from queue
        1   Delivered
        1   Sent via SMTP
        1   Deferred
       20   Deferrals

 ****** Detail (1) *******************************************

        1   Delivered ------------------------------------
        1      12345.myserver.net

        1   Sent via SMTP --------------------------------
        1      example.de

       20   Deferrals ------------------------------------
       20      4.1.7: Transient failure: Addressing status: Bad sender's mailbox address syntax
       20      450 4.1.7 <www-data@12345.myserver.net>: Sender address rejected...
       20      unknown-domain.de
       20           unkownname
       20               85.13.135.56     mail.unknown-domain.de

 === Delivery Delays Percentiles ============================================================
                     0%       25%       50%       75%       90%       95%       98%      100%
 --------------------------------------------------------------------------------------------
 Before qmgr       0.11 329151.25 351203.50 373258.50 386491.90 390902.00 393548.00 395312.00
 In qmgr           0.01      0.02      0.02      0.02      0.03      0.03      0.03      0.03
 Conn setup        0.00      0.09      0.21      0.31      0.37      0.94      0.98      0.99
 Transmission      0.02      0.07      0.10      0.39      0.49      0.55      0.60      0.63
 Total             0.15 329152.25 351204.00 373258.50 386491.90 390902.95 393549.00 395313.00
 ============================================================================================

 ---------------------- Postfix End -------------------------
```

  • Related: [What does “Mail Deferred:” mean in Linux Logwatch](https://serverfault.com/questions/339662/what-does-mail-deferred-mean-in-linux-logwatch) – sebix Jul 23 '15 at 10:13

1 Answer

> Can anyone explain what this means or point me to some documentation that a server-admin noob understands?

A server-admin noob should not run a public facing mail server!

> Does that mean somebody is misusing our mailserver?

Can't be answered with this amount of information.

Deferring is a temporary delivery failure, e.g. unreachable destinations, temporary failures on the next hop or with local delivery. You can also summarize this as a temporary reject.

Citing the manpage of postfix-logwatch:

> Deferrals
> Deferred
> Message delivery deferrals. A single deferred message will have
> one or more deferrals many times.

So one message has been deferred 20 times. The one message was undeliverable and as postfix got a temporary error code, the delivery is retried, resulting in 20 deferrals.

Have a look at the log files at /var/log/mail.log* to find out where the message is coming from and why it is rejected in detail. You can also look at the message itself using mailq (show message id) and postcat (show message).

sebix
  • I took a look into the logs. This is an example log entry: `Jul 21 09:01:57 12345 postfix/smtp[27816]: 42B5E17FD9E: to=, relay=mail.example.de[98.76.543.21]:25, delay=344903, delays=344903/0.02/0.32/0.07, dsn=4.1.7, status=deferred (host mail.example.de[98.76.543.21] said: 450 4.1.7 : Sender address rejected: unverified address: connect to 12345.myserver.net[1.23.456.789]:25: Connection timed out (in reply to RCPT TO command))` `mailq` responds with `Mail queue is empty` – fabianmoronzirfas Jul 23 '15 at 11:13
  • About that noob thing: I know but it came with the job ;-) That's why I'm asking here to make it safe. I would love to shut it down completely or better to just be able to send mails to my address. – fabianmoronzirfas Jul 23 '15 at 11:13
  • `postcat 42B5E17FD9E` gives the content of the email if still in delivery queue. Grepping for the same string in `/var/log/mail.log*` should give you the origin of the mail if it came via SMTP. Otherwise have a look at `/var/mail/root` (www-data should be an alias of root, see `/etc/aliases`). – sebix Jul 23 '15 at 12:19
  • postcat gives me `postcat: fatal: open 42B5E17FD9E: No such file or directory`. The latest entries in /var/log/mail.log indicate that the mail was removed: `42B5E17FD9E: sender non-delivery notification` and `postfix/qmgr[3256]: 42B5E17FD9E: removed`. Anyway, I'm still wondering where this mail came from. I'm trying to close down that mailserver. It's not needed. Thanks for your help. – fabianmoronzirfas Jul 23 '15 at 12:50
  • As I said, look in the mailbox of the sender, www-data or root as alias. – sebix Jul 23 '15 at 13:29
  • hm. There are no mailboxes. `/var/mail/root` sends me to the home directory of root and `/var/mail/www-data` to `/var/www/` also `/var/spool/mail/*` does the same thing. I'm pretty confused. – fabianmoronzirfas Jul 23 '15 at 13:34
  • For now I closed down all outgoing mail except mails that are directed to myself. We will see how this turns out (using postfix transport http://www.postfix.org/transport.5.html). Thanks a lot for helping me out. – fabianmoronzirfas Jul 23 '15 at 15:26
  • What's the content of `/etc/aliases`? The output of `echo $MAIL` as root should give its mail destination. And what is `postconf home_mailbox` (or the `mailbox_*` values)? – sebix Jul 23 '15 at 15:49
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/26154/discussion-between-fabiantheblind-and-sebix). – fabianmoronzirfas Jul 23 '15 at 17:21
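
The log search suggested in the answer and comments, as an added example (not code from the original posts): it groups `/var/log/mail.log` records by queue ID and reports whether each message was submitted locally (`pickup`, with the submitting uid) or received over SMTP (`smtpd`), together with its sender, deferral count and whether it was removed. The sample lines are constructed with placeholder addresses and IPs; `uid=33` is assumed to be `www-data`, as on Debian-based systems, and classic hexadecimal queue IDs are assumed.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix syslog format; addresses and IPs are placeholders.
SAMPLE_LOG = """\
Jul 17 09:13:34 12345 postfix/pickup[2101]: 42B5E17FD9E: uid=33 from=<www-data>
Jul 17 09:13:34 12345 postfix/qmgr[3256]: 42B5E17FD9E: from=<www-data@12345.myserver.net>, size=1266, nrcpt=1 (queue active)
Jul 17 09:13:35 12345 postfix/smtp[2110]: 42B5E17FD9E: to=<user@example.de>, relay=mail.example.de[192.0.2.25]:25, delay=0.52, dsn=4.1.7, status=deferred (host mail.example.de[192.0.2.25] said: 450 4.1.7 Sender address rejected)
Jul 21 09:01:57 12345 postfix/smtp[27816]: 42B5E17FD9E: to=<user@example.de>, relay=mail.example.de[192.0.2.25]:25, delay=344903, dsn=4.1.7, status=deferred (host mail.example.de[192.0.2.25] said: 450 4.1.7 Sender address rejected)
Jul 22 09:05:01 12345 postfix/bounce[2790]: 42B5E17FD9E: sender non-delivery notification: 7C1A217FDA2
Jul 22 09:05:01 12345 postfix/qmgr[3256]: 42B5E17FD9E: removed
Jul 22 10:00:00 12345 postfix/smtpd[2800]: 9D0C417FDA3: client=unknown[198.51.100.7]
"""

# Captures: daemon name, queue ID (classic hex form assumed), rest of the record.
RECORD = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)")

def trace(log_text):
    """Group log records by queue ID and note origin, sender and deferrals."""
    msgs = defaultdict(lambda: {"origin": None, "sender": None,
                                "deferrals": 0, "dsn": None, "removed": False})
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        rec = msgs[qid]
        if daemon == "pickup" and rest.startswith("uid="):
            # Submitted on this host via sendmail(1): cron, a web app, ...
            rec["origin"] = "local " + rest.split()[0]
        elif daemon == "smtpd" and rest.startswith("client="):
            rec["origin"] = "smtp " + rest.split(",")[0]
        elif daemon == "qmgr" and rest.startswith("from=<"):
            rec["sender"] = rest[len("from=<"):rest.index(">")]
        elif daemon == "qmgr" and rest == "removed":
            rec["removed"] = True
        elif "status=deferred" in rest:
            rec["deferrals"] += 1
            rec["dsn"] = re.search(r"dsn=([\d.]+)", rest).group(1)
    return dict(msgs)

def deferred(log_text):
    """Queue IDs with at least one deferral, most-deferred first."""
    msgs = trace(log_text)
    return sorted((q for q in msgs if msgs[q]["deferrals"]),
                  key=lambda q: -msgs[q]["deferrals"])

if __name__ == "__main__":
    print({q: trace(SAMPLE_LOG)[q] for q in deferred(SAMPLE_LOG)})
```

To run it on a real host, pass the concatenated contents of `/var/log/mail.log*` to `trace()`; the pickup or smtpd record is still in the log after the queue file is gone and `postcat` can no longer open it.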