Re: [exim] How do you delete a large frozen queue?

Góra strony
Delete this message
Reply to this message
Autor: Steve Albin
Data:  
Dla: Jan Ingvoldstad, Odhiambo Washington, Exim-users@exim.org
Temat: Re: [exim] How do you delete a large frozen queue?

First, I would like to thank Odhiambo and Jan for their responses. They were helpful.

Second, in case someone else searches for an answer to this problem,
I would like to carefully describe the steps for its solution.

Here is how the problem was overcome:

The normal, straighforward way to delete a bunch of queued emails would be one of these forms.

To delete all frozen emails:
exipick -iz | xargs exim -Mrm

To delete all emails in the queue from a specific user:
exipick -i '\$sender_address eq username@???' | xargs exim -Mrm

Since my server only has the older "exiqgrep" command,
the straightforward command for me would have been:

exiqgrep -i -f username@??? | xargs exim -Mrm

In all of the above cases, the "-i" argument causes exipick/exiqgrep
to build a list of the relevant message ids

They would be sent through a unix pipe to the exim delete command "exim -Mrm"
with xargs managing small groups of ids at a time.

Once I had the proper command form the first error encountered
was that there were too many message ids so that the linux system
could not build a pipe

The way to get around that problem was to write the list of relevant
ids into a file. Of course if you are in the process of examining
the exim spool folder you might try to write to a file on the same
disk partition as the spool folder and hit the error message that
the disk is full and you cannot write to it.

So you must find a disk partition with space.

I successfully executed the command

exiqgrep -i -f username@??? > /root/eximids

Now that you have a file with a list of ids to be deleted, the
straightforward command to do that would be

xargs exim -Mrm < /root/eximids

But before doing that if you build a smaller list to test that command

tail -20l /root/eximids > /root/eximids-sample

and then try the deletion

xargs exim -Mrm < /root/eximids-sample

you will see the process and the next error messages indicating that
the attempt by exim to write the log entry failed because the disk
is full. exim cannot execute the delete command without disk space
to log the activity.

So you cannot proceed until you find some files (directories) on that
disk partition that could be moved to another disk partition.
Remember that once there is space available on the disk partition,
the frozen exim process will begin to send the queued emails again.

So you must be prepared to quickly give the delete command

xargs exim -Mrm < /root/eximids

as soon as disk space is available on the partition holding the exim spool
(/var/spool/exim)

It would have been nice to prevent exim from beginning to send those
frozen emails, because they were all spam, but I don't know how to do that.

The good news is that sending emails is a much slower process than deleting
them because it requires internet travel and waiting for confirmation that
an email was received. So I don't think too many spam emails actually were
sent before they were deleted.

A final thought ... it was very beneficial that the disk partition holding
the exim spool was not too large (in my case about 8 GB with 5 available
for a growing queue). The hacker who hacked one of my users' accounts
spooled more than 350,000 spam emails for sending. If the exim spool was
on a larger disk partition, many many more spam emails would have been sent
before the full disk caused exim to stop working.

+++++++++++++++++ ORIGINAL MESSAGE REQUESTING HELP +++++++++++

Hello.

I tried searching the docs and the mailing list, unsuccessfully.

One of the accounts on a linux server I run was hacked, and the hacker has
sent many and now queued several hundred thousand spam emails.

The disk holding exim … /var/spool/exim … is 100 percent full.

The exim and exiqgrep commands still function, but there are so many messages
that any attempt to form a pipe exits in error.

Since I don’t seem able to delete all messages from that sender, I am ready to
delete all messages in the queue (or queues if that is the case; I am new to this).

I can delete and re-create the directories /var/spool/exim/input and
/var/spool/exim/msglog
but I don’t know if there is anything needed inside those directories.

Any suggestions by someone knowledgeable?

Thank you.

Steve Albin