NSX Network Detection and Response - Email Troubleshooting: Handling undelivered messages on a Sensor appliance


Article ID: 323931


Updated On:




The purpose of this article is to provide a manual process to re-inject undelivered messages into the sensor's mail pipeline so that they are sent to the next hop.

Storage of undelivered messages

Undelivered messages will be stored in /var/lib/llmail/undelivered-messages/ up to 2GB or 15 days (by default). These settings can be configured in /etc/appliance-config/override.yaml, if the default behavior needs to be changed.

If disk space becomes limited, the system will start to delete the oldest email until enough space is available, and then will store the new email.

Emails that were not successfully delivered to the next-hop server will be temporarily stored in a mail directory on each sensor's mailbox in /var/lib/llmail/undelivered-messages/.


The llmail_storage_manager command on the sensor appliance can be used to re-inject such emails into the sensor's mail pipeline. For example, to feed all emails in undelivered-messages back to the mail service for analysis, run the following on the sensor's console:

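    cd /var/lib/llmail/undelivered-messages/new/
    for k in *; do
        # <host> is a placeholder: the host value is not shown in this article.
        llmail_storage_manager send --host <host> --port 25 \
            /var/lib/llmail/undelivered-messages/ "$k"
        # Short pause between messages.
        sleep 0.2
    done
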

Additionally, you can adjust the --host and --port values to send these messages to the next hop or any other mail server.

Additional Information


  • The messages are NOT removed after they have been sent, so they need to be manually removed from the system after delivery is confirmed.
  • If such emails failed to be delivered because they were rejected by the next hop, it is likely that the next hop will reject them again and they will end up back in this folder. Make sure you understand why they were not delivered in the first place. If you want to forward such emails directly to the next hop instead of re-injecting them into the mail pipeline, you can adjust the --host and --port arguments in the example above.
  • For sensor appliances on versions older than version 718, change port 25 to 1025.
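
Before re-injecting or cleaning up, it helps to know how close the folder is to the default 2GB / 15 day limits described above. The following read-only inventory is an added example, not part of the original article or the product. The function names are hypothetical, and it assumes file modification time approximates message age and that new/ is a flat directory of message files.

```shell
#!/bin/sh
# Added example: read-only inventory of the undelivered-messages folder.
# Defaults mirror the article (2GB, 15 days); adjust them if
# /etc/appliance-config/override.yaml changes the limits.
UNDELIVERED_DIR="${UNDELIVERED_DIR:-/var/lib/llmail/undelivered-messages/new}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-15}"
MAX_BYTES="${MAX_BYTES:-2147483648}"
# Flag messages within 3 days of the retention limit (assumed warning margin).
WARN_DAYS="${WARN_DAYS:-$((MAX_AGE_DAYS - 3))}"

# Number of message files directly inside the directory.
count_messages() {
    find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# Sum of message sizes in bytes (prints 0 for an empty directory).
total_bytes() {
    find "$1" -maxdepth 1 -type f -exec wc -c {} \; |
        awk '{ s += $1 } END { print s + 0 }'
}

# Paths of messages whose mtime is more than $2 days old.
expiring_messages() {
    find "$1" -maxdepth 1 -type f -mtime +"$2" -print
}

# One-line summary: message count, bytes used, share of the size limit,
# and how many messages are approaching the age limit.
report() {
    dir=$1
    n=$(count_messages "$dir")
    bytes=$(total_bytes "$dir")
    old=$(expiring_messages "$dir" "$WARN_DAYS" | wc -l | tr -d ' ')
    pct=$((bytes * 100 / MAX_BYTES))
    echo "messages=$n bytes=$bytes quota_used=${pct}% older_than_${WARN_DAYS}d=$old"
}

# Only report when the folder exists (i.e. when run on a sensor).
if [ -d "$UNDELIVERED_DIR" ]; then
    report "$UNDELIVERED_DIR"
fi
```

Messages listed by expiring_messages are the ones most at risk of being deleted before they can be re-sent, so review those first.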

Note: This article is applicable to the standalone NSX Network Detection and Response product (formerly Lastline) and is not intended to be applied to the NSX NDR feature of NSX-T.