Lab 141: Postfix Queue & Time/Journal Workflow

Forward root mail by updating /etc/aliases and rebuilding the aliases database, then verify Postfix state and inspect the queue by ID. Capture time and journald signals you would include in incident evidence.

postfix mail journald

Scenario

Ops wants all root mail forwarded to two addresses. There is also a queued message that needs inspection to confirm what is being sent and why it is stuck.

Operator context

Root mail often contains cron output, service alerts, and local security notices. If it is not forwarded correctly, incidents get missed. Queue inspection is a core workflow for diagnosing outbound mail failures.

Objective

  • Edit /etc/aliases to forward root to two recipients.
  • Rebuild the aliases database with newaliases.
  • Confirm Postfix is active.
  • Inspect the queue with mailq (or postqueue -p).
  • View a queued message with postcat -q.
  • Confirm time zone state using timedatectl.
  • Confirm the chrony config path exists.
  • Pull kernel messages from journald with journalctl -k.
  • Verify the alias line exists after edits.

Concepts

  • Local alias rewriting with /etc/aliases and the compiled database used by Postfix.
  • Service state triage with systemctl is-active before queue work.
  • Queue inspection and message IDs using mailq / postqueue -p.
  • Safe message inspection with postcat -q (read-only view of queued content).
  • Time and timezone evidence collection using timedatectl and configuration path confirmation.
  • Kernel and service context via journalctl -k output.

Walkthrough

Step 1 : Update the aliases file.
Command
sudo vim /etc/aliases

Add or update the root alias so messages are forwarded to both recipients.

root: admin@example.com, webmaster@example.com

Note

Editing the file alone does not apply the change. Postfix uses the compiled aliases database.

Step 2 : Rebuild the aliases database.
Command
sudo newaliases

This compiles /etc/aliases into the database file Postfix actually reads.

/etc/aliases: 86 aliases, longest 52 bytes, 948 bytes total

Step 3 : Confirm Postfix is active.
Command
systemctl is-active postfix

You want a clean active signal before spending time on queue analysis.

active

Step 4 : Inspect the mail queue and capture the queue ID.
Command
mailq

Identify stuck messages, note the queue ID, and capture sender and recipient fields for evidence.

-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     1468 Sun Jan 25 07:10:41  root@lab141
                                         admin@example.com
-- 2 Kbytes in 1 Request.

Optional

If you prefer the native Postfix view, use postqueue -p. The queue ID is what matters for the next step.

Step 5 : View the queued message contents by ID.
Command
sudo postcat -q A1B2C3D4E5

postcat -q lets you inspect what is in the queue without attempting delivery. This is useful for confirming headers, recipients, and subject line during triage.

*** ENVELOPE RECORDS active ***
message_size:           1468
message_arrival_time:   Sun Jan 25 07:10:41 2026
sender:                 root@lab141
recipient:              admin@example.com
*** MESSAGE CONTENTS active ***
Subject: RHCSA-LAB141 queued test

This is a queued test message.

Step 6 : Confirm current time and time zone state.
Command
timedatectl

Capture the time zone and sync state as incident context, especially when mail timestamps and logs must correlate with external systems.

Time zone: America/New_York (EST, -0500)
System clock synchronized: yes
NTP service: active

Step 7 : Confirm the chrony configuration file path.
Command
ls -l /etc/chrony.conf

Confirming the active config path is a standard evidence step before making changes or escalating to time sync issues.

-rw-r--r--. 1 root root 1247 Jan 25 06:58 /etc/chrony.conf

Step 8 : Pull kernel messages from the journal.
Command
journalctl -k -n 5

Kernel messages can provide context such as link state, driver resets, and audit signals that explain service behavior.

Jan 25 06:58:31 lab141 kernel: e1000e 0000:00:03.0 eth0: Link is Up 1000 Mbps Full Duplex
Jan 25 07:12:03 lab141 kernel: audit: type=1100 audit(...): pid=1 uid=0 ... unit=postfix ...

Step 9 : Verify the root alias line exists after edits.
Command
grep '^root:' /etc/aliases

This is a quick confirmation that the correct alias line is present.

root: admin@example.com, webmaster@example.com
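
Added example (not part of the original lab): a parser that turns the mailq / postqueue -p listing from Step 4 into one record per message, so the queue ID, sender and recipients can be copied into evidence notes and the ID passed to postcat -q without the trailing status marker (* for the active queue, ! for hold). It goes beyond the single message shown above by also handling reason lines, multiple recipients and an empty queue. The function names parse_mailq, queue_ids and sample_mailq are hypothetical, and the second message in the sample is constructed.

```shell
#!/bin/sh
# Added example: parse mailq / postqueue -p text into one tab-separated record
# per message: queue_id, marker_state, size, sender, recipients.

# Constructed sample: the listing from Step 4 plus one made-up deferred message.
sample_mailq() {
cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     1468 Sun Jan 25 07:10:41  root@lab141
                                         admin@example.com

F6A7B8C9D0       912 Sun Jan 25 07:11:02  root@lab141
(constructed reason text)
                                         admin@example.com
                                         webmaster@example.com
-- 3 Kbytes in 2 Requests.
EOF
}

parse_mailq() {
    awk '
    function emit() {
        if (id != "") printf "%s\t%s\t%s\t%s\t%s\n", id, state, size, sender, rcpts
        id = ""; rcpts = ""
    }
    /^-Queue ID-/ || /^-- / || /^Mail queue is empty/ { next }  # header, footer, empty queue
    /^[0-9A-Za-z]/ {                       # entry line starts in column 1
        emit()
        id = $1; state = "none"            # none: no status marker on the ID
        if (id ~ /\*$/) state = "active"
        if (id ~ /!$/)  state = "hold"
        sub(/[^0-9A-Za-z]$/, "", id)       # the marker is not part of the queue ID
        size = $2; sender = $NF
        next
    }
    /^[ \t]*\(/ { next }                   # "(reason)" line, skipped here
    /^[ \t]+[^ \t]/ { rcpts = (rcpts == "") ? $1 : rcpts "," $1; next }  # recipient
    /^[ \t]*$/ { emit() }                  # blank line ends an entry
    END { emit() }
    '
}

# Queue IDs only, in the form postcat -q accepts.
queue_ids() { parse_mailq | cut -f1; }

# On a live host, replace sample_mailq with mailq (or postqueue -p).
sample_mailq | parse_mailq
```
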

Common breakpoints

Alias change does not take effect

You edited /etc/aliases but did not run newaliases. Rebuild the database and verify again.

mailq shows “Mail queue is empty”

That is not an error. It means there is nothing queued on this host at the moment.

postcat fails: “No such file or directory”

The queue ID may be wrong, or the message was delivered or removed. Re-run mailq and copy the exact ID.

Time looks correct but incidents still show drift

Check the NTP sync state and confirm sources using chrony tooling if you need deeper evidence.

Cleanup checklist

Leave the system in a safe state. If you modified aliases for lab testing, revert the line and rebuild the aliases database.

Commands
sudo vim /etc/aliases
sudo newaliases
systemctl is-active postfix || systemctl status postfix --no-pager

Reference

  • /etc/aliases : Local alias map used for address rewriting.
  • newaliases : Rebuilds the aliases database used by Postfix.
  • systemctl is-active postfix : Returns a one-word service state for Postfix.
  • mailq : Displays the Postfix mail queue.
  • postqueue -p : Displays the Postfix mail queue (alternative view).
  • postcat -q <queueid> : Displays a queued message by ID without attempting delivery.
    • -q : Read a queue file by ID.
  • timedatectl : Shows time, timezone, and NTP synchronization state.
  • ls -l /etc/chrony.conf : Confirms the chrony configuration file path exists.
    • /etc/chrony.conf : Default chrony configuration file path.
  • journalctl -k -n <n> : Shows the last n kernel messages from the system journal.
    • -k : Limits output to kernel messages.
    • -n <n> : Limits output to the last n entries.
  • grep '^root:' /etc/aliases : Confirms the root alias line exists.
    • ^ : Anchors the match to the start of the line.