en3py's journal


So... 1 day of troubleshooting to get through this annoying problem...

Environment:
  1. Active Directory 2003 (Native) Forest and Domain
  2. 2x Domain Controllers, both GC, one site
  3. n Windows Server 2003 Servers
  4. Installation of GFI EventsManager to gather LOG information

Symptoms:
  1. The GFI EventsManager reports errors connecting to DC's event logs (all)
  2. The GFI EM downloads the logs from all member servers
After some further investigation:
  1. Accessing a DC's event log from any server with a Domain Admins member account returns an "Access Denied" error;
  2. Accessing member servers' event logs using the same credentials works fine;
  3. Accessing a DC's remote registry returns an "Access Denied" error.
After longer analysis and troubleshooting, including a cleanup of GPOs and permissions to make sure the Guest groups (and related ones) contained no reference to an administrative user (none was found, by the way), I found that this registry key:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
was missing the built-in security principal "LOCAL SERVICE" with Read permission.

To fix the problem:
  • Open regedit.exe
  • Navigate to the key above
  • Right click and choose "permissions"
  • Lookup for "LOCAL SERVICE" (or equivalent in your locale) "Built-in security principal"
  • Grant the "Read" permission
  • Click ok, close the registry
  • Restart the "Remote registry" service (no reboot required)
You should now be able to access the remote event log on the DC as well as the HKLM hive through Remote Registry. A note on why this works: the ACL on the winreg key is what decides who may open the registry remotely at all, and the Remote Registry service itself runs under LOCAL SERVICE, so that account needs Read on the key. Grant exactly that and nothing more; widening the key to Users or Everyone would also make the error disappear, but it would let any domain account read the DC's registry remotely.

There is a lot of talk about the Cloud, this new way of doing what has been done for a lifetime... outsourcing. Plenty of (fine) promises of services and cost savings. The same things that hosting and housing solutions promised in their day. The offers are many and interesting, but they raise questions. As a CTO, my thoughts turn, for once, to describing the Cloud as seen from below, from the IT and service-provider side, and not from above, from the end user's side. A bit like when, climbing through the clouds in an airplane, you pass from the stormy, rain-bearing ones to the white, enchanting ones seen from above, white and pure in the sun.

Implementing a Cloud-oriented service infrastructure is, in my opinion, a job for visionaries. I am leaving the school of thought according to which small providers are the ones who do the best work, because they pay more attention to the quality of the service than to quantity. It is easy to get confused and even easier to lose the Customer's trust: just look at what happened at home some time ago with Aruba or, on a larger scale, when Amazon's service went off-line or, unfortunately, RIM (BlackBerry). Incidents happen, and will keep happening. Perpetual machines do not exist and, let's face it, if they did we would have to change jobs.

Managing a Cloud service infrastructure involves a number of points of view, technical and organizational. From the bottom up:
  1. Power (environmental impact)
  2. Networking
  3. Server infrastructure
  4. Operating systems
  5. Applications
Then, horizontally across all of them, we find:
  1. Ordinary and extraordinary maintenance
  2. Security
  3. Ordinary system administration (patching, credential management, updates, backups, etc.)
  4. Extraordinary system administration
In every one of these aspects an overall vision, deeply rooted in the design of the systems, is needed. Any move on the chessboard formed by the two lists above drags important consequences along with it, consequences that can prejudice the success of a service provider. CTOs who take on the idea, or are asked to, of starting down the path of becoming a CSP (will the term catch on?), a Cloud Service Provider, must consider aspects that go well beyond ordinary skills, and the smaller the provider, the more adaptive capability is demanded of them.

Which partners to choose for one's solutions? How to proceed gradually so as to provide ever better service levels? Which technological solutions are the most suitable for reaching one's business objectives?

Here CTOs play an extremely important part in the future of a CSP. A wrong decision on their part can have very serious impacts on the success or failure of a provider. The foresight needed to design an infrastructure meant to serve a number of distinct entities (which must remain distinct) is far more complex and articulated to manage than that of a single company, or of a company offering co-location services.

The element, not as obvious as one would think, that becomes fundamental for getting a better idea of which roads to take is knowledge. Technical knowledge, which makes it possible to adopt technical measures to reach an objective, but also knowledge of the service offered and of the users who access the Cloud. A practical illustration of this idea follows. Suppose the Service Provider decides to deliver application publishing services through a XenApp or XenDesktop solution. The example refers to an analysis on the networking side.
  1. [technical] the growth in users requires more bandwidth
  2. [marketing] a large part of the user base uses tablets and mobile devices via Vodafone (40% of the total)
  3. [technical] decision to upgrade the bandwidth by adding a carrier in the datacenter (Vodafone)
  4. [service] more bandwidth at the datacenter
  5. [service] fewer single points of failure thanks to the introduction of new carriers
  6. [service] better service for all mobile users
Here a solution that is in fact managed, or rather steered, by the Technical Department makes use of (rather than fighting with) departments that are normally adversarial (marketing) to obtain ever greater advantages within its own infrastructure. Such decisions naturally also reflect on the entire service infrastructure.

[to be continued] Cloud... from behind the scenes (part two)

Checking file type in PHP


So, you give someone a way to upload a file, and you expect only certain file types. How do you prevent a user from uploading a file of a different kind? Checking the extension is not really the best way to do that. Expecting a PDF, you get someone uploading an .EXE file just by changing its extension. This can be annoying and, worse, dangerous.

The way I am going to describe is not really revolutionary, IMHO; the main idea came from working with WatchGuard's binary content-type extensions. So I changed most of my classes to adapt the "check file type" functions from "just check the file extension" to "well, what's inside?".

Let's assume I'm managing a resume upload section, and I only want candidates to upload PDF files, not DOC, RTF or anything else. As mentioned above, checking just the extension would be too easy to bypass, so here's the proof of concept.

The PDF file format has its own binary signature, placed in the first bytes of the file: the ASCII string "%PDF", which is 0x25504446 in hex (for convenience this proof only looks at those first 4 bytes). Note that neither the file name nor the MIME type in $_FILES comes from anywhere but the client's browser, so neither can be trusted. Once a file is uploaded, what I care about is opening the uploaded file, reading the first bytes and comparing them to that signature. My function looks something like this:

        public function op_checkPdf() {
                $pdf_sig  = '25504446';                                   // "%PDF" as hex
                $tmp_name = $_FILES[ 'candidate_resume' ][ 'tmp_name' ];

                // Only look at files PHP itself received through the upload mechanism
                if ( ! is_uploaded_file( $tmp_name ) ) return false;

                $h = fopen( $tmp_name, 'rb' );                            // binary mode: no newline translation on Windows
                if ( $h === false ) return false;
                $str = fread( $h, 4 );
                fclose( $h );

                // fread() returns fewer than 4 bytes on a short file; bin2hex() yields lowercase hex
                if ( $str === false || strlen( $str ) < 4 ) return false;

                return bin2hex( $str ) === $pdf_sig;
        }


Once this function is ready, before treating the uploaded file I check it with my op_checkPdf() function, before even moving it out of the tmp folder. Keep in mind what a signature match proves: only that the file starts like a PDF. A file that begins with %PDF and carries something else afterwards (an HTML page, a script) passes this check, so store uploads outside the web root under a name you generate yourself and serve them with a fixed Content-Type. Another good practice, whatever OS the webserver runs on, is to have an antivirus program scan the file (perhaps I will write about it in a future post)... you really can't believe what people upload using your forms.
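The same check from the shell, as an added example that is not part of the original post (say, for a cron job that re-validates the upload directory): it reads the first four bytes with dd and od, so a renamed executable or a truncated upload is caught, while the last constructed file shows the limit of a signature check, since a file that starts with %PDF and carries anything else afterwards still passes. File names and contents are constructed for the demo:

```shell
#!/bin/sh
# Added example (not the post's own code): "look inside, not at the extension"
# from the shell. Sample uploads are constructed below.

# First N bytes of a file as lowercase hex. dd and od are POSIX, xxd is not.
head_hex() {
    dd if="$1" bs=1 count="$2" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# 0 when the file starts with "%PDF" (0x25504446), 1 otherwise.
# A file shorter than four bytes gives a shorter hex string and fails too.
is_pdf() {
    [ "$(head_hex "$1" 4)" = "25504446" ]
}

# List every regular file in a directory that does not carry the PDF signature
find_fake_pdfs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        is_pdf "$f" || echo "$f"
    done
}

# --- constructed sample uploads (octal escapes keep this POSIX printf) ---
UPLOADS=$(mktemp -d)
printf '%%PDF-1.4\n%%\342\343\317\323\n'      > "$UPLOADS/resume.pdf"    # genuine PDF header
printf 'MZ\220\000\003\000\000\000'            > "$UPLOADS/resume.PDF"    # DOS/PE executable stub, renamed
printf '%%PD'                                  > "$UPLOADS/short.pdf"     # truncated upload
printf '%%PDF-1.7 <script>alert(1)</script>\n' > "$UPLOADS/polyglot.pdf"  # passes: only 4 bytes are inspected

# Dry run: report the files that only pretend to be PDFs
find_fake_pdfs "$UPLOADS"
```

On the sample directory this reports resume.PDF and short.pdf; polyglot.pdf is accepted, which is the reason the prose above insists on storing uploads outside the web root and serving them with a fixed Content-Type.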

Couple of months ago I had this argument with someone that said "IPS are a pain. Turn it off and the program will work, it's secure!"...

Keyword: secure

Now, if the world were secure, why should I even bother buying a firewall? So, I am still running a couple of FileZilla servers behind my firewall and, most importantly, behind an IPS.

While I am not going to prove much about IPS here, I just wanted to post a hint that made me lose a couple of hours the first time I argued with FileZilla Server. After some fighting (won at last with 5 minutes of Wireshark) I found a common set of commands to be added to the FTP Server Proxy policy in order to make it run in no time. You can find the XML file (built on an 11.3.5 version) on my site.

Cheers and do NOT turn off your IPS because someone says the product is secure :-)

The biggest pain about DPI of HTTPS traffic is the end-user experience. Whenever a user opens a site with Internet Explorer they get an error about an invalid certificate, because the firewall re-signs every server certificate with its own proxy CA, which the client does not trust. Here Internet Explorer and Group Policy come in handy to the sysadmin.

This short howto wants to be an easy handbook for building a custom CA certificate for the organization, importing it into the WatchGuard firewall and deploying the certificate via Group Policy, so that instead of an error users see a valid certificate in Internet Explorer.

To achieve this goal I've been using:
  1. OpenSSL in a Linux Box
  2. Watchguard Firebox Manager
  3. Group Policy Management Console
Creating the SSL Certificate
The XTM box uses a built-in private key to re-sign SSL traffic sent to the clients. If it is not present, the device creates a new one at the next reboot, self-signed by the device itself. So I'll create my own CA certificate with its private key (used to sign the traffic). On the Linux box I run:

[root@rhdev ~]# openssl genrsa -des3 -out myorg-ca.key 2048
Generating RSA private key, 2048 bit long modulus
..+++
...................+++
e is 65537 (0x10001)
Enter pass phrase for myorg-ca.key:
Verifying - Enter pass phrase for myorg-ca.key:


Once the private key is ready (store the passphrase somewhere safe, and keep the key file off any shared location: whoever holds this key can transparently impersonate any HTTPS site to every client that trusts the CA) you can build the certificate itself.

[root@rhdev ~]# openssl req -new -x509 -days 3650 -key myorg-ca.key -out myca-cert.cer
Enter pass phrase for myorg-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IT
State or Province Name (full name) []:MI
Locality Name (eg, city) [Default City]:Milan
Organization Name (eg, company) [Default Company Ltd]:En3pYlabs
Organizational Unit Name (eg, section) []:Security Dept.
Common Name (eg, your name or your server's hostname) []:En3pY CA
Email Address []:


With versions 11.5.1 and 11.5.2 of the FSM I ran into a little bug in the certificate import process; the procedure that works without issues is:
  1. Copy the content of the two files created above into a single text file on your windows box, select all and copy it into the clipboard
  2. Open Firebox System Manager of your XTM
  3. Click on View >> Certificates
  4. Click on the "Import Certificate / CRL" button at the bottom of the window. A new dialog box appears.
  5. Choose "Proxy Authority (for deep packet inspection)"
  6. Click on the "Paste" button: it has to ask you for the Private Key passphrase (if it doesn't, make sure the private key is in your clipboard)
  7. Click on the "Import Certificate" button
You should see your certificate in the list and marked as "Proxy Authority" certificate. Now I would suggest a reboot of the device, to make sure the certificate is correctly kept in the Certificate store on your Device. If it doesn't appear, just redo the above.

Now, if you create an HTTPS proxy policy you should be able to browse the Net, but still with a certificate error. If you open the certificate properties you should see your CA signing the SSL traffic.

Deploying the certificate
Now it's time to deploy your certificate in Active Directory. Open the Group Policy Management Console on any domain controller in your forest, domain or site, or on any server with the equivalent snap-in. In small organizations I tend to deploy the certificate using the Default Domain Policy, so open that Group Policy for editing. Navigate through Computer Configuration, Windows Settings, Security Settings, Public Key Policies and finally Trusted Root Certification Authorities.

Right click in the right pane, choose "Import" and browse to your "myca-cert.cer" file. You do not need the private key here, and it must not be distributed: only the public certificate goes into the GPO. (Also make sure the file has Windows end-of-line termination and not Unix.) Once imported you should see your certificate (trusted) in the right pane.

The best thing at this point is rebooting a PC to be sure the Group Policy is applied. Once done, in the Certificates snap-in you should see your own CA within the Trusted Root CAs, and when browsing you should have no more certificate errors while opening SSL websites.

Got a PFX CA and can't import it?
You may have a certificate set created and packed into one PFX file. Unlike some people I have met, who call it "another Microsoft crap", the PFX format is a well-known standard (PKCS#12). You can easily export your private key and certificate from it using OpenSSL. Say you have a yourcertificate.pfx file; you will use the following:
  • openssl pkcs12 -nokeys -in yourcertificate.pfx -out yourcacert.crt
  • openssl pkcs12 -nocerts -in yourcertificate.pfx -out yourcakey.pem
The first command writes the certificate in PEM form (despite the .crt name it is not DER), while the second writes the private key, again PEM and still encrypted: OpenSSL asks for the PFX import password and then for a new PEM passphrase. Copy both into one text file and paste it, with the procedure above, into your WatchGuard device to make it work correctly.
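As an added example (not the post's own commands), the CA build above done non-interactively with explicit CA extensions, a couple of checks worth running before handing the files to the firewall, and the PFX round trip from this last section. The DN, file names and passphrases are placeholders, and -addext needs OpenSSL 1.1.1 or later:

```shell
#!/bin/sh
# Added example, not the post's commands: non-interactive CA build with explicit
# CA extensions, sanity checks, the paste bundle for the FSM, and a PFX round trip.
# Placeholders: DN, file names, passphrases. Requires OpenSSL >= 1.1.1 (-addext).
set -e
WORK=$(mktemp -d)
CA_KEY="$WORK/myorg-ca.key"
CA_CERT="$WORK/myca-cert.cer"
CA_PASS=${CA_PASS:-correct-horse-battery}   # example only: this key can impersonate any HTTPS site to your users

make_ca() {
    # Encrypted 2048-bit RSA key (AES-256 rather than the post's legacy 3DES)
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$CA_KEY" 2048 2>/dev/null
    # Self-signed, ten years, SHA-256, explicitly a CA: without CA:TRUE some clients
    # refuse to build a chain through it even when it sits in the trusted roots
    openssl req -new -x509 -sha256 -days 3650 \
        -key "$CA_KEY" -passin "pass:$CA_PASS" \
        -subj "/C=IT/ST=MI/L=Milan/O=En3pYlabs/OU=Security Dept./CN=En3pY CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -out "$CA_CERT"
}

# Does the certificate carry CA:TRUE?
ca_is_ca() {
    openssl x509 -in "$CA_CERT" -noout -text | grep -q 'CA:TRUE'
}

# Does the private key belong to the certificate? Compare public key digests.
key_matches_cert() {
    k=$(openssl pkey -in "$CA_KEY" -passin "pass:$CA_PASS" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$CA_CERT" -noout -pubkey | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Both PEM blocks in one text file with CRLF endings, as the FSM paste procedure wants
make_firebox_bundle() {
    cr=$(printf '\r')
    cat "$CA_CERT" "$CA_KEY" | sed "s/\$/$cr/" > "$WORK/firebox-paste.txt"
}

# Pack the pair into a PFX (PKCS#12), the way another tool would hand it to you ($1 = export password)
make_pfx() {
    openssl pkcs12 -export -in "$CA_CERT" -inkey "$CA_KEY" -passin "pass:$CA_PASS" \
        -passout "pass:$1" -out "$WORK/yourcertificate.pfx"
}

# Split the PFX back into the two PEM files; the key stays passphrase-protected
split_pfx() {
    openssl pkcs12 -in "$WORK/yourcertificate.pfx" -passin "pass:$1" -nokeys  -out "$WORK/yourcacert.crt"
    openssl pkcs12 -in "$WORK/yourcertificate.pfx" -passin "pass:$1" -nocerts -passout "pass:$1" -out "$WORK/yourcakey.pem"
}

# The certificate that came out of the PFX must be the same DER bytes we started from
pfx_roundtrip_ok() {
    a=$(openssl x509 -in "$CA_CERT" -outform DER | openssl sha256)
    b=$(openssl x509 -in "$WORK/yourcacert.crt" -outform DER | openssl sha256)
    [ "$a" = "$b" ]
}

make_ca
ca_is_ca         || { echo "certificate is not a CA" >&2; exit 1; }
key_matches_cert || { echo "key/certificate mismatch" >&2; exit 1; }
make_firebox_bundle
make_pfx "pfx-export-pass"
split_pfx "pfx-export-pass"
pfx_roundtrip_ok || { echo "PFX round trip failed" >&2; exit 1; }
echo "CA, paste bundle and PFX ready in $WORK"
```

Only myca-cert.cer goes into the GPO; firebox-paste.txt contains the private key and should be deleted once the import has succeeded.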

Disclaimer
Working with HTTPS DPI may raise privacy issues in your country: be aware of the legal side of DPI and of monitoring your users' browsing before enabling these functions. Follow best practices for certificate management to keep your information secure and confidential; in particular the CA private key belongs on the firewall and in an offline backup, never in the GPO. This entry is a proof of concept for a quick deployment of certificates within a WatchGuard protected environment and Active Directory. Browsers other than Internet Explorer that keep their own certificate store (Firefox, for one) will not pick up the GPO-deployed root and need the CA imported separately (or a script not covered here).

My opinion about the copyrights...


Well, this thought came across my mind not long ago, after the whole SOPA, ACTA and similar mess that has been raised around the Internet lately. It came up while I was watching some TV shows I picked up over time, actually one of the best (canceled) Sci-Fi TV series I could get, Firefly. And it was canceled. Like some other good shows around.

The Firefly story hit me quite a lot after seeing how much moved after its cancellation. Once it was canceled, fans came out calling for its return, and the crew came up with a solution, the Serenity movie. What happened was impressive. Not as impressive as the economics, though. The movie itself (Serenity) barely covered its production costs. Which leads to a thought. We (mostly) are killing our chance to have a choice in movies. Especially those "geeks" (sorry, no offense to the kind itself) so in love with series that they hunt for them on-line and download them from the Net, avoiding the fees for seeing them live on TV. Which could make some sense if the fees are too high. Perhaps it keeps the production from getting paid. Therefore our favorite shows get canceled. Thanks. To ourselves.

I agree some networks ask too much for their services, and this might be an issue to be discussed elsewhere. But avoiding original media for music, videos or books will kill our chance to get those. Did you ever see how many people work behind a movie or a video game? Plenty. If you were one of them, would you like your job to go unpaid? Try paying the bills by saying "I have hundreds of copies of my book downloaded... for free". Unless you're an author writing for charity and/or freedom of speech, well, you won't live long on that. So while most of the people around the globe are now complaining about the "censorship" of the Internet and freedom of speech, I'm expecting to see a GNU/GPL licensed version of Star Wars or Star Trek. Even the (great!) Browncoats, who did a majestic job with their movement and came up with a fan-made movie, asked fans around the world for tributes (as in cash) to cover their production costs.

So what's the natural consequence? Distributors raise the rates for media as fewer and fewer are sold. TV series get canceled and filled with crap commercials (well, if you live in Italy you can't imagine how frustrating local commercials can be!) and we run to the Net for... what? Are there alternatives? Not really.

The effects are devastating, and they can be observed nowadays. Google is killing knowledge, which is quite different from "reading". Geek as I may consider myself, tech people are getting dumber (yeah, no mercy about that). You have freedom of speech, you avoid books because they are expensive, you go look in Wikipedia (people-contributed knowledge) or Google for knowledge, and you get none. Mostly copy/paste jobs of stuff taken from the Net and gathered in forums and wikis that actually bring no knowledge, just some kind of solution. Is it better to download a movie from the Net than to spend 10 bucks for a brand new copy of it, with the crappy result of watching the movie with (this happened in the past, but it seems to be getting better) the voice out of sync with the image or blocks of uncompressed video, perhaps without the chance to change language or get some extra content? What about having a collection of movies, books or CDs on the shelf, rather than quite a load of folders on your hard drive (which is doomed anyway and will die sooner or later)? I can't really approve of that, not from my perspective.

Copyrights are a good thing. They need to exist, and should be enforced. Not the way the politicians see it; that's no way to reach the goal, and anyway it wouldn't work. But it's not freedom of information we're talking about. It's not a way to censor knowledge, but it's not going to help the legitimate copyright owners either. I support the main concept behind the laws above, not the way they are intended at the moment, and not the way they are considered now.

If I'm wrong, we're going to have not much entertainment in a few years, which would bring us into a future world filled with commercials like in some movies, washing our brains with mess... the only way the TV and cable networks will have to fund themselves. Anyway, we will not tear down the economics of such big networks or corporations.

As for myself, I am a collector of movies, music, books and comics. I am patient; I don't have to get the movie or the game as soon as it hits the market, I can wait some time to have it at a cheaper price. That's not a big deal. In the meantime it gets on TV and I can have a look at it in HD perhaps, without waiting for it to download, with the risk of getting a porn movie instead of the title I was looking for. And with the idea of supporting the production industry in my mind. Like many people around, I need some entertainment; I am a big fan of the Sci-Fi genre and will sustain it as much as I can, with my little contributions. If hundreds of people did the same, it would make our minds easier and life brighter, IMHO, without a big effort.

Perhaps my thoughts might be wrong or badly expressed, but as of now, that's something I had in my mind for some time and I liked the idea of dropping an entry in my blog about it. I never posted anything (unlike others) about SOPA/ACTA/whatever else; I thought this could be a good time.

So, if you share my thought, I'm glad I'm not the only one thinking this way.

Keep Flying (cit. Firefly - Capt. Malcolm Reynolds)

Coding ache: underlying systems upgrade...


Well yeah... I do like coding. Really. It helps me with many itches.

Today I was going to deploy some major changes to our Technical Management Application (formerly "Alice", as in "Alice in Wonderland", but that's another story). It's about 5 years of work so far. It runs on Windows, PHP and IIS (I know, some may not like it, though it's a business need of my own), and a MySQL database.

Since it is a major deployment, I decided to do some system upgrades as well. Consider that the Windows OS runs Windows Update every week with no issue; we never had downtime because of an incompatible update or security fix. Update runs, the server reboots on Sunday night, on Monday morning it's waiting for users to log on. Plain and simple.

The application framework is a bit more complex, as many changes tend to come with deployments, so changelog review is a must.

After months (sadly) I decided to do some serious updates. Therefore, I've started the process in a straight forward way:
  1. Snapshot of the virtual machine, just in case
  2. Application and database backup
  3. MySQL Database schema ALTER and massive UPDATE statements (the DB is actually ~1Gb)
  4. PHP Code upgrade via SVN
  5. PHP Binary Tree upgrade
  6. IIS Reconfiguration
  7. VMware Snapshot commitment
And that would be it... about 2 hours in all. The process is straightforward and really consolidated within our company; at every single step there's a rollback point to the previous steps. So, if I had problems with the PHP binary tree I could recover it from backup, if the code was too buggy we could roll back via SVN, if the database schema gave issues we could restore it from the backup, and so on.

The whole thing went really smoothly, there was no real issue with deprecated code in the PHP source (actually about 50,000 lines of code) and it still performs well (I have set a 5 second time limit on page execution, so it has to be fast).

Knowing the code is really useful; changelogs are vital friends of your deployment strategy. Knowing both coding and system administration is really important when you need to do major upgrades. What often leaves me speechless is hearing developers whining because sysadmins upgrade platforms and their code stops working, or vice versa, sysadmins stating that the programs have security holes or cause "unpredictable" errors within the system. Pointing fingers is really useless. Both sides need to work together.

And updating opens a couple of new thoughts.

First of all is heading to the Cloud. Usually the biggest deal is: users don't like changes. Well. They don't like changes as far as you (the sysadmin) allow them to get too lazy. Or you don't allow them to play with their gadgets, say their iPads. Anyway, first things first (this might be a new reflection for the next days).

What will happen in the Cloud? Would a Cloud provider really allow software houses to deploy applications on potentially insecure infrastructures? I wouldn't. Seriously. If I can't upgrade an operating system because your application will "possibly" stop working, there must be something wrong with your idea of real life. You need to know what you're typing in your RAD (if you're using one; if you are using Emacs as your editor, you perfectly know what you're doing). So, is your application breached? Give us (the Cloud providers) a way to help you seal it.

"Please, could you allow all the traffic of this virtual server?"

Seriously, is this help? You really don't know the difference between incoming and outgoing traffic? What does your application run on? Which registry keys do you need?

Let's face it. Software development is getting insane. "Make the user administrator", "grant ALL PRIVILEGES on this folder to everyone", "open all the ports on the firewall" are just some of the requests that usually come to our Service Desk. This is really insane. I can understand laziness of my own, scripting something to be done automagically every day to avoid doing it myself. But if I am going to develop something, I tend to study most aspects of it. Solutions are easier than they seem, you just need to know them. Perhaps the main reason is that I've been "raised" in an era where "RTFM" was the most frequent answer I got to most "stupid" questions. And that is true.

Keep your mind in shape, never allow laziness on important things to get the better of you. The world turns without your help, it evolves and won't stop waiting for you, nor will a bot stop looking for holes in your application because you're begging for mercy and running a platform 2 major releases old. Grow up. Evolve. Learn. Apply. Look for help and find a solution.

Have fun and enjoy coding!

Gotta love these days...


While going on with my new blog post, wandering around the Net makes me think about how hard our job is and how we can NOT leave anything unplanned or unpredicted.

(I wonder if posting screenshot might issue SOPA actions...)

Happy new Year to all!!!!

Mantis and Active Directory


I'm feeling very Zend today.

Installing open source applications is always odd when speaking of authentication. I am an aggregator, I know, but I really need a single point of control for authentication in my organization.

This time Mantis was in my sights. As a bug tracking system, I need my colleagues to access it and, once they are no longer colleagues, to prevent them from accessing the system. I looked quickly on the Internet for a plugin that works with AD, but I didn't find one in a reasonable time. I did find some useful hints, though.

In the end, I got this result on version 1.2.4 (I know, I will have to update it as of today).

The steps to make Mantis authenticate correctly against Active Directory are the following.

Edit the config_inc.php file and add the following variables to it. Make sure your Linux box (this doesn't apply, of course, if you run Mantis on a Windows server) has the Active Directory DNS servers configured as nameservers in /etc/resolv.conf, so that name resolution of the domain controllers works correctly.

$g_login_method = LDAP;
$g_ldap_server = 'ldap://contoso.com';   # a single domain controller, or the domain name to reach any DC
$g_ldap_port = 389;                      # 389 is clear text; use 'ldaps://contoso.com' and 636 where the DCs have certificates
$g_ldap_root_dn = 'dc=contoso,dc=com';
$g_ldap_domain_fqdn = 'contoso.com';
$g_allow_signup = OFF;
$g_lost_password_feature = OFF;

Once this is done, it's only necessary to edit core/ldap_api.php. Locate the ldap_authenticate function in the file and comment out its body to keep it, just in case. The new function should be as follows (keep in mind that the simple bind sends the user's password to the DC: over ldap:// on port 389 it travels in clear, so use ldaps:// or at least a trusted network segment):

function ldap_authenticate( $p_user_id, $p_password ) {
    # AD treats an empty password as an anonymous bind, which would "succeed"
    if ( is_blank( $p_password ) ) return false;

    $t_ldap_host        = config_get( 'ldap_server' );
    $t_ldap_port        = config_get( 'ldap_port' );
    $t_ldap_domain_fqdn = config_get( 'ldap_domain_fqdn' );

    $t_ds = ldap_connect( $t_ldap_host, $t_ldap_port );
    ldap_set_option( $t_ds, LDAP_OPT_PROTOCOL_VERSION, 3 );  # AD requires LDAPv3
    ldap_set_option( $t_ds, LDAP_OPT_REFERRALS, 0 );         # do not chase AD referrals during the bind

    # Simple bind as user@domain (UPN) with the user's own password
    $t_uname         = user_get_field( $p_user_id, 'username' );
    $t_bind_username = sprintf( '%s@%s', $t_uname, $t_ldap_domain_fqdn );

    $t_authenticated = @ldap_bind( $t_ds, $t_bind_username, $p_password );
    ldap_unbind( $t_ds );

    return (bool) $t_authenticated;
}


The only thing that is still an annoyance to me is that for every sAMAccountName in my Active Directory I need an entry in the Mantis database. Probably I will patch another function for automatic record creation in the database, but for now I have achieved my goal.

Perhaps this might be helpful for someone else.

Postfix and the MAILER-DAEMON deferred queue


Ok, so I had hundreds of messages pending in my queue, for whatever reason. It is not a problem, since Postfix takes care of it pretty well, but I tend to keep things neater. So I decided to clean up the MAILER-DAEMON messages stuck in the queue more often than Postfix itself would expire them.

After some searching I started writing a simple shell script to take care of it, and here it comes.



#!/bin/sh
# Purge yesterday's MAILER-DAEMON (bounce) messages from the Postfix queue and mail a report

BIN_POSTQUEUE=/usr/sbin/postqueue
BIN_POSTSUPER=/usr/sbin/postsuper
EMAIL_REPORT=postmaster@yourdomain.com
EMAIL_SUBJECT="Postfix Queue Management Report for $HOSTNAME"

# postqueue -p prints arrival times asctime-style ("Tue Jan  3 23:45:12"): the day of
# month is space padded, so %e, not %d. GNU date; LC_ALL=C keeps day/month names English.
GREPDATE=$(LC_ALL=C date --date="yesterday" '+%a %b %e')

# Private temp file rather than a fixed, predictable name in /tmp
LOGFILE=$(mktemp /tmp/queue-cleanup.XXXXXX) || exit 1
trap 'rm -f "$LOGFILE"' EXIT

# Build a report file to send to the Postmaster
echo "Queue status as of $(date) on server $HOSTNAME" > "$LOGFILE"
echo >> "$LOGFILE"

# Summary line looks like "-- 123 Kbytes in 45 Requests."
C_MSGS_QUEUE=$( $BIN_POSTQUEUE -p | awk '/Requests/ { print $5 " - length " $2 " " $3 }' )
C_MSGS_STUCK=$( $BIN_POSTQUEUE -p | grep -c MAILER-DAEMON )

echo "Queue status before execution: $C_MSGS_QUEUE" >> "$LOGFILE"
echo "MAILER-DAEMON messages in queue: $C_MSGS_STUCK" >> "$LOGFILE"

# Queue IDs of yesterday's bounces; strip the * (active) / ! (hold) status flag that
# postsuper does not accept, and feed the IDs to one postsuper on stdin
$BIN_POSTQUEUE -p | grep MAILER-DAEMON | grep "$GREPDATE" \
    | awk '{ sub(/[*!]$/, "", $1); print $1 }' | $BIN_POSTSUPER -d -

echo >> "$LOGFILE"
$BIN_POSTQUEUE -p >> "$LOGFILE"

mutt -s "$EMAIL_SUBJECT" "$EMAIL_REPORT" < "$LOGFILE"



The script could be neater and much nicer to look at, yet at the moment it serves its purpose and it works quickly, so my goal is achieved. At 23:45 every day, from cron, it checks whether there are any MAILER-DAEMON messages stuck in the queue from the day before and purges them, leaving the other deferred messages and the current day's intact.

This workaround (perhaps not really polite) cleaned up the hundreds of messages cluttering my queue and slowing down the regular queue management.

I am running this script on a Fedora installation as well as on a couple of CentOS servers, and I only had to install the "mutt" package for sending the email report.
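As an added example (not the post's script), here is the selection step done in one awk pass over a constructed postqueue -p listing, so it can be dry-run without a mail server: it matches the sender field rather than the whole line and skips entries flagged with * because those are in the active queue and being delivered. The queue IDs and addresses are made up for the demo:

```shell
#!/bin/sh
# Added example, not the post's script: pick the queue IDs to delete out of
# `postqueue -p` output with one awk pass, then try it on a constructed listing.

# Queue IDs of MAILER-DAEMON (bounce) messages that arrived on the given day.
# $1 is the day exactly as postqueue prints it, asctime style with a space-padded
# day of month, e.g. "Tue Jan  3". The queue listing is read from stdin.
# Status flags on the ID: "*" = active queue (being delivered, leave it alone),
# "!" = on hold. The flag is stripped because postsuper wants the bare ID.
stale_bounce_ids() {
    awk -v day="$1" '
        # entry header line: queue ID + optional flag, size, arrival time, sender
        /^[0-9A-F]+[*!]? / && $NF == "MAILER-DAEMON" && index($0, day) && $1 !~ /\*$/ {
            id = $1; sub(/!$/, "", id); print id
        }'
}

# Yesterday in the same format (GNU date; LC_ALL=C keeps English day/month names)
yesterday_asctime() {
    LC_ALL=C date --date=yesterday '+%a %b %e'
}

# Constructed sample of what `postqueue -p` prints; not taken from a real server
SAMPLE_QUEUE=$(cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
1A2B3C4D5E     2345 Tue Jan  3 09:12:01  MAILER-DAEMON
     (connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         bob@example.net
6F7E8D9C0B     1024 Tue Jan  3 11:30:45  alice@yourdomain.com
                                         carol@example.org
AB12CD34EF      512 Wed Jan  4 23:40:00  MAILER-DAEMON
                                         dave@example.com
DEADBEEF01!     777 Tue Jan  3 08:00:00  MAILER-DAEMON
                                         erin@example.net
0C0FFEE123*     640 Tue Jan  3 07:15:10  MAILER-DAEMON
                                         frank@example.org

-- 5 Kbytes in 5 Requests.
EOF
)

# Dry run: show what would be handed to `postsuper -d -` for Jan 3
printf '%s\n' "$SAMPLE_QUEUE" | stale_bounce_ids "Tue Jan  3"
# On a live server the same pipeline ends in the delete:
#   postqueue -p | stale_bounce_ids "$(yesterday_asctime)" | postsuper -d -
```

For the sample listing the dry run prints 1A2B3C4D5E and DEADBEEF01: the hold flag is stripped, the active entry 0C0FFEE123 and the non-bounce 6F7E8D9C0B are left alone, and the Jan 4 bounce waits for the next night.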