
Postfix queue management bash scripts

Couple of scripts I used while cleaning up a mail server. I’m sure they can be improved, and the last one is quite specific to my own requirements, but I’ll put them here anyway.

Move emails with a particular subject from the hold queue to the deferred queue:

# change directory to postfix's hold queue directory
cd "$(postconf -h queue_directory)/hold" || exit 1
# loop over queue files
for i in * ; do
    # postcat the file, grep for subject "test" and if found
    # run postsuper -H to release the message from hold (it moves to the deferred queue)
    postcat "$i" | grep -q '^Subject: test' && postsuper -H "$i"
done

Delete emails in the hold queue that are being sent to a recipient that has already received an email (is in the mail log) or duplicate emails (with the same email/subject):

cd "$(postconf -h queue_directory)/hold" || exit 1
NUM=0
#loop over queue files
for i in * ; do
   if [ -f "$i" ]; then
       # To: header plus the line after it, used to spot duplicates
       IDENT=$(postcat "$i" | grep -m 1 -A 1 "^To:")
       RECIPIENT=$(postcat "$i" | grep -m 1 "^To:" | cut -c 5- )
       # skip messages with no To: header; an empty pattern would match every log line
       if [ -n "$RECIPIENT" ] && grep -qF -- "$RECIPIENT" /root/postfixtmp/logs/mailsent.log; then
           echo "* already sent to $RECIPIENT, deleting $i " | tee -a /root/postfixtmp/queueclean.log
           echo $IDENT | tee -a /root/postfixtmp/queueclean.log
           NUM=$((NUM + 1))
           postsuper -d "$i"
           echo "----" | tee -a /root/postfixtmp/queueclean.log
           # remove any other held message with the same To:/following line
           for o in * ; do
              if [ -f "$o" ]; then
                  if [ "$o" != "$i" ]; then
                     CURRENT=$(postcat "$o" | grep -m 1 -A 1 "^To:")
                     if [ "$CURRENT" = "$IDENT" ]; then
                        echo " duplicate email, deleting $o *" | tee -a /root/postfixtmp/queueclean.log
                        echo $CURRENT | tee -a /root/postfixtmp/queueclean.log
                        NUM=$((NUM + 1))
                        postsuper -d "$o"
                        echo "----" | tee -a /root/postfixtmp/queueclean.log
                     fi
                  fi
              fi
           done
       fi
   fi
done
echo "Deleted $NUM emails" | tee -a /root/postfixtmp/queueclean.log

Installing DKIM and DomainKeys for postfix on Ubuntu 10.04

Servername: web1.domain.com
From address: noreply@example.com

Aim: validate DKIM and DomainKeys for this email address sending from this server.

Requirements: access to enter TXT DNS records for domain.com and example.com, and root access to web1.domain.com server.

  1. apt-get install dkim-filter; apt-get install dk-filter
  2. vi /etc/dkim-filter.conf
    Uncomment UMask
    Uncomment Domain, and set to “*” (without quotation marks)
    Underneath Domain, create the following “KeyList    /etc/mail/dkim_domains.key”
    Uncomment Selector and set to “mail”
    You can also uncomment AutoRestart if you want and set to “yes”, and Statistics
    Do not uncomment Version – it’s not a valid setting
    Save and close
  3. vi /etc/postfix/main.cf
    Append the following:
    # DKIM & DomainKeys
    milter_default_action = accept
    milter_protocol = 2
    smtpd_milters = inet:localhost:8891,inet:localhost:8892
    non_smtpd_milters = inet:localhost:8891,inet:localhost:8892
  4. cd /etc/mail
  5. dkim-genkey -t -s mail -d web1.domain.com (dkim key)
  6. openssl genrsa -out domainkey.key 1024 (domainkeys private key)
  7. openssl rsa -in domainkey.key -out domainkey.pub -pubout -outform pem (domainkeys public key)
  8. mv mail.private mail
  9. vi /etc/default/dk-filter
    Uncomment DAEMON_OPTS and SOCKET and set them like so:
    DAEMON_OPTS="$DAEMON_OPTS -d example.com t -s /etc/mail/domainkey.key -S web1" (the selector here is web1; this is because the DNS record has to go on example.com for DomainKeys, so for every server you want to send example.com mail for you’ll need a separate record)
  10. Open up mail.txt; you need to create the DNS record for DKIM for web1.domain.com from this.  I use a managed DNS service for domain.com, so I put “mail._domainkey.web1” in the subdomain/selector, and paste the bit in quotes as the record content.  Notice the mail.txt file does not have the domain appended, but I’ve added my subdomain web1 in my record.
  11. Make two more DNS records, this time on example.com:
    _domainkey IN TXT "t=y; o=~;"
    web1._domainkey IN TXT "k=rsa; t=y; p=<INSERT KEY FROM DOMAINKEYS.PUB HERE>"
  12. vi /etc/mail/dkim_domains.key  (new file)
    Paste in the following:
  13. Start/restart services; service dkim-filter restart; service dk-filter restart; service postfix restart (dkim went a bit funny for me here; may be better for dkim-filter and dk-filter to stop, then start them)
  14. To check the DNS is set up properly, go to http://domainkeys.sourceforge.net/selectorcheck.html and put in web1._domainkey.example.com, then go to http://dkimcore.org/tools/dkimrecordcheck.html and put in mail for the selector, and web1.domain.com for the domain name.
  15. To check it works, send an email to a Yahoo address and check View Full Header (under the cog button); you should find a line:
    Authentication-Results: mta1066.mail.ird.yahoo.com  from=example.com; domainkeys=pass (ok);  from=web1.domain.com; dkim=pass (ok)
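
Step 11 needs the contents of domainkey.pub as a single-line p= value, and the private key from step 6 must never be pasted into DNS by mistake. The following is an added example, not part of the original post: the helper name domainkey_txt_record and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example: build the DomainKeys TXT record from a PEM public key.
# domainkey_txt_record is a hypothetical helper name, not part of dk-filter.

# Usage: domainkey_txt_record <selector> <pem-file>
# Prints: <selector>._domainkey IN TXT "k=rsa; t=y; p=<base64>"
domainkey_txt_record() {
    selector=$1
    pem=$2
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    # Refuse private keys: only the public half may be published in DNS.
    if grep -q 'PRIVATE KEY' "$pem"; then
        echo "$pem looks like a private key, refusing" >&2
        return 1
    fi
    # Drop the BEGIN/END armor lines and join the base64 body onto one line.
    key=$(grep -v '^-----' "$pem" | tr -d ' \r\n\t')
    [ -n "$key" ] || { echo "no key material in $pem" >&2; return 1; }
    printf '%s._domainkey IN TXT "k=rsa; t=y; p=%s"\n' "$selector" "$key"
}

# Constructed sample (not a real key) so the example runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-----BEGIN PUBLIC KEY-----
Q09OU1RSVUNURUQtU0FNUExFLUtFWS1MSU5FLTE=
Q09OU1RSVUNURUQtU0FNUExFLUtFWS1MSU5FLTI=
-----END PUBLIC KEY-----
EOF
domainkey_txt_record web1 "$sample"
rm -f "$sample"
```

On the server from the steps above, the call would be domainkey_txt_record web1 /etc/mail/domainkey.pub.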


You’ll notice that DKIM and DomainKeys use different parts of the header for validation.  DKIM is looking at the server name given by postfix, and DomainKeys is looking at the domain of the From address.

With the solution above, for every additional server sending emails from example.com, you’ll need to set up a DKIM record for the server hostname, and a DomainKeys record for example.com (with a separate selector).