Storage of undelivered messages

Undelivered messages will be stored in /var/lib/llmail/undelivered-messages/  up to 2GB or 15 days (by default). These settings can be configured in /etc/appliance-config/override.yaml, if the default behavior needs to be changed.

llmail::undelivered_maildir_max_days_old
llmail::undelivered_maildir_max_bytes

If disk space becomes limited, the system will start to delete the oldest email until enough space is
available, and then will store the new email.

The llmail_storage_manager command on the sensor appliance can be used to re-inject such emails in Sensor's mail pipeline. For example, to feed all emails in undelivered-messages back to the mail service for analysis, run the following on the sensors console:
 

cd /var/lib/llmail/undelivered-messages/new/

for k in *; do

llmail_storage_manager send --host 127.0.0.1 --port 25 \

/var/lib/llmail/undelivered-messages/ $k

sleep 0.2

done

Additionally, you can adjust the --host and --port values to send these messages to the next hop or any other mail server.

Notes:

• The messages are NOT removed after they've been sent, so they need to be manually removed from the system after delivery is confirmed
• if such emails failed delivered because they were rejected by the next hop, it is likely that the next-hop will reject them again and they will end up back in this folder. Make sure you understand why they have not been delivered in the first place. If you want to forward such emails directly to the next hop instead of re-injecting them in the mail pipeline, you can adjust the --host and --port arguments in the example above.
• for sensor appliances on versions older than version 718, change port 25 to 1025