Script to check mailq, go above limit, send telegram chat.

Discussion in 'ISPConfig 3 Priority Support' started by pvanthony, Dec 8, 2020.

  1. pvanthony

    pvanthony Member HowtoForge Supporter

    Anyone know of a ready made solution that would do the following?
    1. check mailq periodically. like every five minutes.
    2. if mailq goes above, say about 200.
    3. using the firewall, close port 25.
    4. then send a telegram chat to the sysadmin.
    I choose telegram because I think it allows to receive from an api. Not like whatsapp.
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  3. pvanthony

    pvanthony Member HowtoForge Supporter

  4. pvanthony

    pvanthony Member HowtoForge Supporter

    Here is a link to a posible solution using monit.
    https://serverfault.com/questions/697670/how-to-monitor-the-postfix-mail-queue-using-monit
    While searching the net, came across netdata. It has telegram integration along with other chats.
    https://www.netdata.cloud/integrations/#notifications
    Checkout what netdata is all about. Looks really impressive.
    https://www.netdata.cloud/agent/
    Open source and we do not have to use the cloud part.
    Now need some advice on what to use with ispconfig. Monit or Netdata?
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    It doesn't really matter, you can currently add monit to the panel but we might have to remove this as it is not working right now.
     
  6. pvanthony

    pvanthony Member HowtoForge Supporter

    Thank you for the advice. I will try netdata then.
     
  7. pvanthony

    pvanthony Member HowtoForge Supporter

    Installed netdata following this link. Really is an easy one line installation.
    https://learn.netdata.cloud/docs/get
    Then configure the alarm for postfix mail queue using the following config.
    /etc/netdata/health.d/postfix.conf
    Code:
    template: postfix_local_queue
          on: postfix.qemails
       every: 10s
        calc: $emails
        warn: $this > 10
        crit: $this > 100
          to: sysadmin
        info: number of emails in the postfix queue
    
    Got the config from the following link.
    https://jpmrblood.github.io/notes/netdata-postfix/
    Next configured netdata notifications following this link. By the way email notifications is already default. I wanted telegram notifications.
    https://learn.netdata.cloud/docs/agent/health/notifications/
    For telegram.
    https://learn.netdata.cloud/docs/agent/health/notifications/telegram
    Happy to say it works.
    Now have to figure out how to close port 25 when the postfix queue critical alarm is triggered.
     
  8. pvanthony

    pvanthony Member HowtoForge Supporter

  9. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I must have misunderstood the problem you were trying to solve, I thought you wanted to close incoming port 25, but you intend to catch larger batches of outgoing mail (eg. from an abused account I presume) and prevent it from going out, and alert the admin to look at it? There may be better long-term solutions to that, but it's an interesting approach.

    As for example commands, the letsencrypt pre hook and post hook perform a very similar task.
     
  10. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    One custom solution that comes to mind is to identify the sender address of the messages and if an individual sender is over some threshold, "disable" their mail account (set mail_user.postfix='n' for the matching email), then move all the mail from that user into postfix's hold queue. Your other mail will still continue as normal (no port 25 blocks).

    Those are based on queue size though, and what you probably want is to trigger on the number of messages sent in some timeframe, as quite a bit of mail can process through a mail server without pushing the queue up terribly high. High volume spam runs used to be more common a few years ago, and they do still happen occasionally, but most of them now-a-days are lower volume to avoid obvious detection.
     
    Th0m likes this.
  11. pvanthony

    pvanthony Member HowtoForge Supporter

    I want to allow incoming port 25 so that emails from outsite can be received. Rspamd's rate limit will stop an abused email account that can only send by port 587. So when there is some form of attack through a website or something, netdata will be monitoring the postfix queue every 10secs. The moment postfix queue goes above 10, the admin will receive an email and a telegram message.
    Upto here it is working great. Telegram and emails are coming in.
    When the postfix queue goes above 100, netdata will still send the email and telegram message plus will close the outgoing port 25. I do not know what command to run to close outgoing port 25 and open outgoing port 25. Can help with the commands?
    Cool.
    If something like this is builtin ispconfig, that would be great.
     
  12. pvanthony

    pvanthony Member HowtoForge Supporter

    Unfortunately, it was not a user account that was sending the emails. It was a php script using sendmail binary. So no account to stop.
     
  13. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    The letsencrypt pre hook opens port 80 (so you would use very similar code with a different chain name and port number in your "unblock port 25" commands), and the post script closes port 80 (so corresponds to your "block port 25" commands).
     

Share This Page