After a recent Plesk upgrade on a customer server, one minor issue was seen in monitoring after the upgrade: The monitoring of the server's mail queue did not work anymore.
nagios@server ~ $ /usr/lib/nagios/plugins/check_mailq -w 200 -c 300 -M postfix
postqueue: fatal: User nagios(110) is not allowed to view the mail queue
CRITICAL: Error code 69 returned from /usr/bin/mailq
This could easily be verified by using the "nagios" user (under which NRPE runs) and trying to run the command by hand:
nagios@server ~ $ mailq
postqueue: fatal: User nagios(110) is not allowed to view the mail queue
mailq (in this case on a Plesk server) runs through a couple of symlinks:
root@server ~ # ll /usr/bin/mailq
lrwxrwxrwx 1 root root 16 Apr 29 2017 /usr/bin/mailq -> ../sbin/sendmail
root@server ~ # ll /usr/sbin/sendmail
lrwxrwxrwx 1 root root 43 Apr 16 20:25 /usr/sbin/sendmail -> /usr/lib/plesk-9.0/postfix-sendmail-wrapper
root@server ~ # ll /usr/lib/plesk-9.0/postfix-sendmail-wrapper
-r-sr-xr-x 1 root root 90648 Jul 16 2019 /usr/lib/plesk-9.0/postfix-sendmail-wrapper
The permissions on the symlinks and the final postfix-sendmail-wrapper seem correct - however they are not related to the postqueue error message.
First, it was suspected that nagios needs to be a member of some of the postfix groups to be able to see the mail queue. But as already mentioned, the permissions on the executables seemed to be correct and before the Plesk upgrade there was no need to adjust the nagios user. Postfix itself was not upgraded (as it's a system package, not an installation from Plesk). So what did change?
After reading an interesting question on serverfault, finally the important hint was found: Plesk upgraded Postfix's main.cf and added the following lines:
root@server ~ # diff /etc/postfix/main.cf /etc/postfix/main.cf.bkp88,91d87
< recipient_canonical_maps = tcp:127.0.0.1:12346
< recipient_canonical_classes = envelope_recipient,header_recipient
< authorized_flush_users =
< authorized_mailq_users =
In this case, authorized_mailq_users is set with an empty value. According to Postfix's documentation this means that only root and postfix itself is able to read the mail queue. All other users are not allowed (hence the error message from postqueue 'is not allowed').
By adding "nagios" to this list, the nagios user is granted to view the mail queue.
root@server ~ # grep authorized_mailq /etc/postfix/main.cf
authorized_mailq_users = nagios
root@server ~ # systemctl reload postfix
Verification:
root@server ~ # su - nagios
nagios@server ~ $ mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
1CF51EC00F1 1087 Tue Apr 14 20:57:04 web95@web95.example.com
[...]
And yes, monitoring of the mail queue back in place!
Looking for support in Confixx to Plesk migration or Plesk upgrade? Contact us at infiniroot.com.
No comments yet.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb Icingaweb2 Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder