sendmail rejecting connections

WorldBuilder · 01-09-2006, 05:09 PM

Guys,

Today I noticed that I had no new mail which is extremely odd. I went in to /var/spool/mail and sure enough, I had none, and none of the other users did either.

I ran ps -ef | grep sendmail to have a look and noticed that sendmail was "rejecting connections". I restarted the server with service sendmail restart but it is still rejecting.

I got this mail server running years ago, sort of understand it, but am no guru.

Help, please?

Thanks!

Chris

gilead · 01-09-2006, 05:25 PM

Can you have a look in /var/log/maillog and post any error messages here please? Also, what happens when you're logged into the box and type `telnet localhost 25` at a command prompt? Does it let you connect? If it did, try typing `ehlo localhost` - do you get something like the following:

Code:

250-[snip] Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP

If you can connect locally, the next step is to look for config changes that may be stopping remote connections.

WorldBuilder · 01-09-2006, 05:42 PM

connection refused trying to connect to 127.0.0.1.

And in maillog, I see (dating back to yesterday)

rejecting connections on daemon MTA: load average 87 - 99 (there are LOTS of these messages, basically repeating itself with load averages between 87 & 99).

WorldBuilder · 01-09-2006, 06:27 PM

I've done a bit of Googling and am now looking through my Sendmail O'Reily book. But this is all very new to me. It seems that the load is too high and because of that, Sendmail shut itself down.

Is this correct?

And how do I lighten the load?

Oh, and what caused the load to go so damn high? This is a small mail server running mail for 5 members of my family. We send/recieve VERY little mail.

Chris

WorldBuilder · 01-09-2006, 07:18 PM

Ok, I've continued to look all over and am basically getting more confused. It's definitely a load problem of some kind, but how to determine what is causing this remains a mystery. In addition, I'm at a loss to fix it. Any ideas, please? I think it's important to say that this server is also running apache, samba, and all the usual networking cucca...

gilead · 01-09-2006, 07:37 PM

You are correct - sendmail will reject connections when the server is under heavy load. Have you tried running `top`? It's real time, not historical so it needs to run when the server is actually rejecting mail.

The alternative is to check the mail log, get date/times when the rejections happened and try to match that date/time against logs for other likely candidates (cron jobs, ftp, web server, etc.). There's no guarantee that what was happening will appear in the logs, so top may be the best bet.

WorldBuilder · 01-09-2006, 08:30 PM

top? Unknown to me. Please elaborate. Thanks for the help!

[edit]NM, Googled it. Wow, this is cool. I just realized that mysqld is running 99.9% of my CPU! What could cause this? I've also noticed, through phpMyAdmin, that there are some weird entries into tables on my databases as of late. Have I been hacked? How do I check?

Killing MySQL now...[/edit]

WorldBuilder · 01-09-2006, 08:38 PM

Holy crap! There are 88 instances of mysqld running right now!!

They all say /usr/libexec/mysqld --basedir=/u

Why are there 88 instances of this running? How did this happen and how do I kill all these processes?

Sorry, but I'm now assuming I've been hacked... Gotta fix, please help.

Chris

gilead · 01-09-2006, 08:50 PM

I'm assuming PHP is the only language talking to mysqld from your web pages... Unfortunately, I don't know much about PHP. The PHP security page is probably a good place to visit.

If you're running 3rd party code (a web site that uses PHP code you didn't write for example), I'd check their home pages for known vulnerabilities.

Sorry it's not more specific...

gilead · 01-09-2006, 08:51 PM

What's the output of:

Code:

ls -AlR /u | more

gilead · 01-09-2006, 08:54 PM

It might be a good time to run

Code:

killall -s 9 mysqld

WorldBuilder · 01-09-2006, 09:15 PM

mysql has been killed. Good lord, my server is dual proc and it was cranking on them both...

I am moderately knowledgeable about php and MySQL, but no expert. System running fine now (with MySQL off), but I will ask some MySQL experts why it is doing this now? Anyone here, perhaps? Has been running fine until yesterday apparently. Now, as soon as I login, it starts cranking out 99.9% cpu. Weird...

Thank you very much for all your help. You steered me in the right direction.

BTW, ls -AlR /u | more gives me:

Quote:

No such file or directory

Is there a specific directory you wanted me to run that from?

Thanks!

Chris

PS. I DO have a "u" directory in /usr/share/terminfo and when I ran ls -AIR on that I got the following:

Quote:

ultima2
ultimaII
uniterm
uniterm49
unixpc
unknown
uts30

What is all this? Seems odd to me... Ultima?!

WorldBuilder · 01-09-2006, 09:54 PM

Sendmail is accepting connections again, but something weird is happening.

In ps -ef, I see "server publicsmtp1.com"

What the hell is that?

gilead · 01-09-2006, 10:33 PM

It looks like the process output was truncated at the 'u' instead of showing the full path to the mysqld base directory (that's just what top does when it doesn't have a lot of space.

/usr/libexec/mysqld --basedir=/u

I wouldn't be worried about the stuff in /usr/share/terminfo/u, I have the same sort of stuff there.

For your last post though...

publicsmtp1.com doesn't resolve to anything when I look up the domain. Can you post the whole ps -ef output? I'd like to look up the PPID (parent process id) and user for that line and see which process (and who) owns it. Also, try running:

Code: