After Plesk upgrade, check_mailq returns fatal: User nagios(110) is not allowed to view the mail queue

Written by - 0 comments

Published on April 18th 2020 - Listed in Monitoring Linux


After a recent Plesk upgrade on a customer server, one minor issue was seen in monitoring after the upgrade: The monitoring of the server's mail queue did not work anymore.

nagios@server ~ $ /usr/lib/nagios/plugins/check_mailq -w 200 -c 300 -M postfix
postqueue: fatal: User nagios(110) is not allowed to view the mail queue
CRITICAL: Error code 69 returned from /usr/bin/mailq

This could easily be verified by using the "nagios" user (under which NRPE runs) and trying to run the command by hand:

nagios@server ~ $ mailq
postqueue: fatal: User nagios(110) is not allowed to view the mail queue

mailq (in this case on a Plesk server) runs through a couple of symlinks:

root@server ~ # ll /usr/bin/mailq
lrwxrwxrwx 1 root root 16 Apr 29  2017 /usr/bin/mailq -> ../sbin/sendmail

root@server ~ # ll /usr/sbin/sendmail
lrwxrwxrwx 1 root root 43 Apr 16 20:25 /usr/sbin/sendmail -> /usr/lib/plesk-9.0/postfix-sendmail-wrapper

root@server ~ # ll /usr/lib/plesk-9.0/postfix-sendmail-wrapper
-r-sr-xr-x 1 root root 90648 Jul 16  2019 /usr/lib/plesk-9.0/postfix-sendmail-wrapper

The permissions on the symlinks and the final postfix-sendmail-wrapper seem correct - however they are not related to the postqueue error message.

First, it was suspected that nagios needs to be a member of some of the postfix groups to be able to see the mail queue. But as already mentioned, the permissions on the executables seemed to be correct and before the Plesk upgrade there was no need to adjust the nagios user. Postfix itself was not upgraded (as it's a system package, not an installation from Plesk). So what did change?

After reading an interesting question on serverfault, finally the important hint was found: Plesk upgraded Postfix's main.cf and added the following lines:

root@server ~ # diff /etc/postfix/main.cf /etc/postfix/main.cf.bkp88,91d87
< recipient_canonical_maps = tcp:127.0.0.1:12346
< recipient_canonical_classes = envelope_recipient,header_recipient
< authorized_flush_users =
< authorized_mailq_users =

In this case, authorized_mailq_users is set with an empty value. According to Postfix's documentation this means that only root and postfix itself is able to read the mail queue. All other users are not allowed (hence the error message from postqueue 'is not allowed').

By adding "nagios" to this list, the nagios user is granted to view the mail queue.

root@server ~ # grep authorized_mailq /etc/postfix/main.cf
authorized_mailq_users = nagios

root@server ~ # systemctl reload postfix

Verification:

root@server ~ # su - nagios
nagios@server ~ $ mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
1CF51EC00F1     1087 Tue Apr 14 20:57:04  web95@web95.example.com
[...]

And yes, monitoring of the mail queue back in place!

Looking for support in Confixx to Plesk migration or Plesk upgrade? Contact us at infiniroot.com.


Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.