Read Email Queue

Puma1337
Posts: 13
Joined: Sat Sep 13, 2014 12:54 am

Post by Puma1337 »

Hi,
There is a message in my email queue from "mailer-daemon" to "info@brochureweeklyj.com" that is failing to send. I am trying to figure out where this email came from.
Here is what the mail.log says:
Dec 7 00:41:13 mail postfix/smtpd[29973]: connect from localhost[127.0.0.1]
Dec 7 00:41:13 mail postfix/smtpd[29973]: 694C62686A9: client=localhost[127.0.0.1]
Dec 7 00:41:13 mail postfix/cleanup[29397]: 694C62686A9: message-id=
Dec 7 00:41:13 mail postfix/smtpd[29973]: disconnect from localhost[127.0.0.1]
Dec 7 00:41:13 mail postfix/qmgr[10668]: 694C62686A9: from=<>, size=1316, nrcpt=1 (queue active)
Dec 7 00:41:15 mail postfix/smtp[29398]: 31F7C26869E: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=48, delays=2.6/0/6.7/39, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=11261-20, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 694C62686A9)
Dec 7 00:41:15 mail postfix/qmgr[10668]: 31F7C26869E: removed
Dec 7 00:41:43 mail postfix/smtp[30008]: connect to smtprcvr.brochureweeklyj.com[208.86.250.82]:25: Connection timed out
Dec 7 00:41:44 mail postfix/smtp[30008]: 694C62686A9: to=, relay=none, delay=30, delays=0.38/0.05/30/0, dsn=4.4.1, status=deferred (connect to smtprcvr.brochureweeklyj.com[208.86.250.82]:25: Connection timed out)
Dec 7 00:41:46 mail postfix/smtpd[29973]: connect from localhost[127.0.0.1]
Is there any way for me to read this message or get any more information about it?
Thanks.
ArcaneMagus
Elite member
Posts: 1138
Joined: Fri Sep 12, 2014 10:25 pm

Post by ArcaneMagus »

Well it came from the web client, you might look into /opt/zimbra/log/audit.log, as for the contents if it is still in the queue you should just be able to go to the queue directory and view the contents of the message there...

Post by Puma1337 »

[quote user="ArcaneMagus"]Well it came from the web client, you might look into /opt/zimbra/log/audit.log, as for the contents if it is still in the queue you should just be able to go to the queue directory and view the contents of the message there...[/QUOTE]
Thanks for the response. Do you by chance know where the queue directory is located? I have tried searching, but can't seem to find it.
Thanks.

Post by ArcaneMagus »

/opt/zimbra/data/postfix/spool ;)

Post by Puma1337 »

Thanks for the location. Here is what is contained in the email:
CO 1316 600 1 0 1316T?1260164473 415301A?create_time=1260164473A?rewrite_context=localS
Anyone have any idea what this means?

Post by Puma1337 »

Just wanted to follow up on this in case anyone else experiences anything similar.
I went to /opt/zimbra/data/postfix/spool/deferred/[beginning number or letter of ID in queue]/[ID NUMBER]
The first time I tried to open the message, I did it in Notepad, and I got the result in the last post. Then I tried in WordPad and I could see the full message.
It turns out the email was a spam email that was received into someone's email and they had a Vacation Auto Responder turned on, so it was trying to send an email back to the spam sender, which obviously failed.
Hope this helps if someone needs it in the future.
sb0373
Posts: 22
Joined: Tue Sep 15, 2015 9:59 am

Post by sb0373 »

I doubt this is still relevant but wanted to share my experience as I had something similar today (but probably not 100% the same) and this was the first post showing up on Google.

My case: I spotted a deferred mail coming from localhost with "mailer-daemon" going to a spammy looking/unusual recipient.
Headers of the mail all point to localhost/127.0.0.1 and no real signs of external access.

Content then gave it away: This was an auto-reply that had been set up. Spammer sent us a mail. Auto reply tried to reply.
So from a security perspective, all is still good.
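
Added example, not part of the original thread or of Zimbra: a Python triage helper that correlates mail.log lines by queue ID and reports deferred messages whose envelope sender is `<>`, which is how both auto-replies described above appeared in the queue. The sample log is constructed from the excerpt in the first post; the recipient addresses, the second message and the function name are assumptions, and only short hexadecimal queue IDs are handled.

```python
import re

# Constructed sample modelled on the mail.log excerpt in the thread; the
# recipient addresses are placeholders (the thread's copy lost them).
SAMPLE_LOG = """\
Dec 7 00:41:13 mail postfix/smtpd[29973]: 694C62686A9: client=localhost[127.0.0.1]
Dec 7 00:41:13 mail postfix/qmgr[10668]: 694C62686A9: from=<>, size=1316, nrcpt=1 (queue active)
Dec 7 00:41:15 mail postfix/smtp[29398]: 31F7C26869E: to=<rcpt@spam.example>, relay=127.0.0.1[127.0.0.1]:10024, delay=48, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=11261-20, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 694C62686A9)
Dec 7 00:41:44 mail postfix/smtp[30008]: 694C62686A9: to=<rcpt@spam.example>, relay=none, delay=30, dsn=4.4.1, status=deferred (connect to mx.spam.example[192.0.2.25]:25: Connection timed out)
Dec 7 00:42:01 mail postfix/qmgr[10668]: 7A1B2C3D4E5: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Dec 7 00:42:31 mail postfix/smtp[30010]: 7A1B2C3D4E5: to=<bob@example.com>, relay=none, delay=30, dsn=4.4.1, status=deferred (connect to mx.example.com[192.0.2.80]:25: Connection timed out)
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)")

def null_sender_deferrals(log_text):
    """Return deferred messages whose envelope sender is <> (bounces, auto-replies)."""
    sender, client, parent, deferred = {}, {}, {}, {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "qmgr" and (f := re.match(r"from=<([^>]*)>", rest)):
            sender[qid] = f.group(1)
        elif daemon == "smtpd" and (c := re.match(r"client=(\S+)", rest)):
            client[qid] = c.group(1)
        elif daemon == "smtp":
            to = re.match(r"to=<([^>]*)>", rest)
            if (q := re.search(r"status=sent .*queued as ([0-9A-F]+)\)", rest)):
                parent[q.group(1)] = qid  # re-injected after the content filter
            elif to and "status=deferred" in rest:
                reason = rest[rest.index("status=deferred") + 16:].strip("()")
                deferred[qid] = (to.group(1), reason)
    return [
        {"qid": q, "to": to, "reason": why, "client": client.get(q),
         "pre_filter_qid": parent.get(q)}
        for q, (to, why) in deferred.items() if sender.get(q) == ""
    ]

if __name__ == "__main__":
    for hit in null_sender_deferrals(SAMPLE_LOG):
        print(hit)
```

The queue file under the spool directory is a Postfix record format rather than plain text, which is why Notepad showed only fragments; Postfix's `postcat -q` followed by the queue ID prints the envelope and message in readable form.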