After Plesk upgrade, check_mailq returns fatal: User nagios(110) is not allowed to view the mail queue

Written by - 0 comments

Published on - Listed in Monitoring Linux


After a recent Plesk upgrade on a customer server, one minor issue was seen in monitoring after the upgrade: The monitoring of the server's mail queue did not work anymore.

nagios@server ~ $ /usr/lib/nagios/plugins/check_mailq -w 200 -c 300 -M postfix
postqueue: fatal: User nagios(110) is not allowed to view the mail queue
CRITICAL: Error code 69 returned from /usr/bin/mailq

This could easily be verified by using the "nagios" user (under which NRPE runs) and trying to run the command by hand:

nagios@server ~ $ mailq
postqueue: fatal: User nagios(110) is not allowed to view the mail queue

mailq (in this case on a Plesk server) runs through a couple of symlinks:

root@server ~ # ll /usr/bin/mailq
lrwxrwxrwx 1 root root 16 Apr 29  2017 /usr/bin/mailq -> ../sbin/sendmail

root@server ~ # ll /usr/sbin/sendmail
lrwxrwxrwx 1 root root 43 Apr 16 20:25 /usr/sbin/sendmail -> /usr/lib/plesk-9.0/postfix-sendmail-wrapper

root@server ~ # ll /usr/lib/plesk-9.0/postfix-sendmail-wrapper
-r-sr-xr-x 1 root root 90648 Jul 16  2019 /usr/lib/plesk-9.0/postfix-sendmail-wrapper

The permissions on the symlinks and the final postfix-sendmail-wrapper seem correct - however they are not related to the postqueue error message.

First, it was suspected that nagios needs to be a member of some of the postfix groups to be able to see the mail queue. But as already mentioned, the permissions on the executables seemed to be correct and before the Plesk upgrade there was no need to adjust the nagios user. Postfix itself was not upgraded (as it's a system package, not an installation from Plesk). So what did change?

After reading an interesting question on serverfault, finally the important hint was found: Plesk upgraded Postfix's main.cf and added the following lines:

root@server ~ # diff /etc/postfix/main.cf /etc/postfix/main.cf.bkp88,91d87
< recipient_canonical_maps = tcp:127.0.0.1:12346
< recipient_canonical_classes = envelope_recipient,header_recipient
< authorized_flush_users =
< authorized_mailq_users =

In this case, authorized_mailq_users is set with an empty value. According to Postfix's documentation this means that only root and postfix itself is able to read the mail queue. All other users are not allowed (hence the error message from postqueue 'is not allowed').

By adding "nagios" to this list, the nagios user is granted to view the mail queue.

root@server ~ # grep authorized_mailq /etc/postfix/main.cf
authorized_mailq_users = nagios

root@server ~ # systemctl reload postfix

Verification:

root@server ~ # su - nagios
nagios@server ~ $ mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
1CF51EC00F1     1087 Tue Apr 14 20:57:04  web95@web95.example.com
[...]

And yes, monitoring of the mail queue back in place!

Looking for support in Confixx to Plesk migration or Plesk upgrade? Contact us at infiniroot.com.


Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.

RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Office   OpenSearch   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder