LinuxQuestions.org
Old 01-09-2006, 05:09 PM   #1
WorldBuilder
Member
 
Registered: Mar 2003
Location: Massachusetts, USA
Distribution: RH 8, Solaris, Windoze eXPunged
Posts: 520

Rep: Reputation: 30
sendmail rejecting connections


Guys,

Today I noticed that I had no new mail which is extremely odd. I went in to /var/spool/mail and sure enough, I had none, and none of the other users did either.

I ran ps -ef | grep sendmail to have a look and noticed that sendmail was "rejecting connections". I restarted the server with service sendmail restart but it is still rejecting.

I got this mail server running years ago, sort of understand it, but am no guru.

Help, please?

Thanks!

Chris
 
Old 01-09-2006, 05:25 PM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 162
Can you have a look in /var/log/maillog and post any error messages here please? Also, what happens when you're logged into the box and type `telnet localhost 25` at a command prompt? Does it let you connect? If it did, try typing `ehlo localhost` - do you get something like the following:

Code:
250-[snip] Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
If you can connect locally, the next step is to look for config changes that may be stopping remote connections.
 
Old 01-09-2006, 05:42 PM   #3
WorldBuilder
Member
 
Registered: Mar 2003
Location: Massachusetts, USA
Distribution: RH 8, Solaris, Windoze eXPunged
Posts: 520

Original Poster
Rep: Reputation: 30
connection refused trying to connect to 127.0.0.1.

And in maillog, I see (dating back to yesterday)

rejecting connections on daemon MTA: load average 87 - 99 (there are LOTS of these messages, basically repeating itself with load averages between 87 & 99).
 
Old 01-09-2006, 06:27 PM   #4
WorldBuilder
Member
 
Registered: Mar 2003
Location: Massachusetts, USA
Distribution: RH 8, Solaris, Windoze eXPunged
Posts: 520

Original Poster
Rep: Reputation: 30
I've done a bit of Googling and am now looking through my Sendmail O'Reilly book. But this is all very new to me. It seems that the load is too high and because of that, Sendmail shut itself down.

Is this correct?

And how do I lighten the load?

Oh, and what caused the load to go so damn high? This is a small mail server running mail for 5 members of my family. We send/receive VERY little mail.

Chris
 
Old 01-09-2006, 07:18 PM   #5
WorldBuilder
Member
 
Registered: Mar 2003
Location: Massachusetts, USA
Distribution: RH 8, Solaris, Windoze eXPunged
Posts: 520

Original Poster
Rep: Reputation: 30
Ok, I've continued to look all over and am basically getting more confused. It's definitely a load problem of some kind, but how to determine what is causing this remains a mystery. In addition, I'm at a loss to fix it. Any ideas, please? I think it's important to say that this server is also running apache, samba, and all the usual networking cucca...
 
Old 01-09-2006, 07:37 PM   #6
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 162
You are correct - sendmail will reject connections when the server is under heavy load. Have you tried running `top`? It's real time, not historical so it needs to run when the server is actually rejecting mail.

The alternative is to check the mail log, get date/times when the rejections happened and try to match that date/time against logs for other likely candidates (cron jobs, ftp, web server, etc.). There's no guarantee that what was happening will appear in the logs, so top may be the best bet.
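
The log-matching approach from the post above, as an added example that is not part of the original thread: it buckets sendmail's load-shedding messages by hour and then lists the lines of a second log that fall in those hours. It assumes both logs use the standard syslog timestamp prefix; the sample log lines, host name and PIDs are constructed.

```shell
#!/bin/sh
# Added example: bucket sendmail load-shedding messages by hour, then list
# lines from a second syslog-format log that fall in those same hours.

# Per-hour count and load range of "rejecting connections" lines on stdin.
summarize_rejections() {
    awk '
    /rejecting connections on daemon/ && /load average/ {
        key = $1 " " $2 " " substr($3, 1, 2) ":00"   # "Mon DD HH:00"
        load = $NF + 0                               # last field is the load
        if (!(key in n)) { order[++k] = key; min[key] = max[key] = load }
        n[key]++
        if (load < min[key]) min[key] = load
        if (load > max[key]) max[key] = load
    }
    END {
        for (i = 1; i <= k; i++)
            printf "%s count=%d min_load=%d max_load=%d\n",
                   order[i], n[order[i]], min[order[i]], max[order[i]]
    }'
}

# Print lines of log $2 whose hour matches a rejection hour in maillog $1.
correlate() {
    awk '
    function hour_key() { return $1 " " $2 " " substr($3, 1, 2) }
    FNR == NR { if (/rejecting connections on daemon/) hot[hour_key()] = 1; next }
    { k = hour_key(); if (k in hot) print }' "$1" "$2"
}

# Constructed sample data, not taken from the poster's server.
SAMPLE_MAILLOG='Jan  8 14:02:11 mail sendmail[2101]: rejecting connections on daemon MTA: load average: 87
Jan  8 14:17:40 mail sendmail[2101]: rejecting connections on daemon MTA: load average: 93
Jan  8 15:03:02 mail sendmail[2101]: rejecting connections on daemon MTA: load average: 99
Jan  9 21:50:00 mail sendmail[2101]: accepting connections again for daemon MTA'
SAMPLE_CRONLOG='Jan  8 13:01:00 mail crond[1999]: (root) CMD (run-parts /etc/cron.hourly)
Jan  8 14:01:00 mail crond[2050]: (root) CMD (run-parts /etc/cron.hourly)
Jan  8 16:01:00 mail crond[2300]: (root) CMD (run-parts /etc/cron.hourly)'

demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_MAILLOG" > "$dir/maillog"
    printf '%s\n' "$SAMPLE_CRONLOG" > "$dir/cron"
    summarize_rejections < "$dir/maillog"
    correlate "$dir/maillog" "$dir/cron"
    rm -rf "$dir"
}
demo
```

On a live system the equivalent calls would be `summarize_rejections < /var/log/maillog` and `correlate /var/log/maillog` followed by the path of the second log.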
 
Old 01-09-2006, 08:30 PM   #7
WorldBuilder
Member
 
Registered: Mar 2003
Location: Massachusetts, USA
Distribution: RH 8, Solaris, Windoze eXPunged
Posts: 520

Original Poster
Rep: Reputation: 30
top? Unknown to me. Please elaborate. Thanks for the help!

[edit]NM, Googled it. Wow, this is cool. I just realized that mysqld is running 99.9% of my CPU! What could cause this? I've also noticed, through phpMyAdmin, that there are some weird entries into tables on my databases as of late. Have I been hacked? How do I check?

Killing MySQL now...[/edit]

Last edited by WorldBuilder; 01-09-2006 at 08:36 PM.
 
Old 01-09-2006, 08:38 PM   #8
WorldBuilder
Member
 
Registered: Mar 2003
Location: Massachusetts, USA
Distribution: RH 8, Solaris, Windoze eXPunged
Posts: 520

Original Poster
Rep: Reputation: 30
Holy crap! There are 88 instances of mysqld running right now!!

They all say /usr/libexec/mysqld --basedir=/u

Why are there 88 instances of this running? How did this happen and how do I kill all these processes?

Sorry, but I'm now assuming I've been hacked... Gotta fix, please help.

Chris
 
Old 01-09-2006, 08:50 PM   #9
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 162
I'm assuming PHP is the only language talking to mysqld from your web pages... Unfortunately, I don't know much about PHP. The PHP security page is probably a good place to visit.

If you're running 3rd party code (a web site that uses PHP code you didn't write for example), I'd check their home pages for known vulnerabilities.

Sorry it's not more specific...
 
Old 01-09-2006, 08:51 PM   #10
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 162
What's the output of:

Code:
ls -AlR /u | more
 
Old 01-09-2006, 08:54 PM   #11
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 162
It might be a good time to run

Code:
killall -s 9 mysqld
 
Old 01-09-2006, 09:15 PM   #12
WorldBuilder
Member
 
Registered: Mar 2003
Location: Massachusetts, USA
Distribution: RH 8, Solaris, Windoze eXPunged
Posts: 520

Original Poster
Rep: Reputation: 30
mysql has been killed. Good lord, my server is dual proc and it was cranking on them both...

I am moderately knowledgeable about php and MySQL, but no expert. System running fine now (with MySQL off), but I will ask some MySQL experts why it is doing this now? Anyone here, perhaps? Has been running fine until yesterday apparently. Now, as soon as I login, it starts cranking out 99.9% cpu. Weird...

Thank you very much for all your help. You steered me in the right direction.

BTW, ls -AlR /u | more gives me:
Quote:
No such file or directory
Is there a specific directory you wanted me to run that from?

Thanks!

Chris

PS. I DO have a "u" directory in /usr/share/terminfo and when I ran ls -AIR on that I got the following:

Quote:
ultima2
ultimaII
uniterm
uniterm49
unixpc
unknown
uts30
What is all this? Seems odd to me... Ultima?!

Last edited by WorldBuilder; 01-09-2006 at 09:19 PM.
 
Old 01-09-2006, 09:54 PM   #13
WorldBuilder
Member
 
Registered: Mar 2003
Location: Massachusetts, USA
Distribution: RH 8, Solaris, Windoze eXPunged
Posts: 520

Original Poster
Rep: Reputation: 30
Sendmail is accepting connections again, but something weird is happening.

In ps -ef, I see "server publicsmtp1.com"

What the hell is that?
 
Old 01-09-2006, 10:33 PM   #14
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 162
It looks like the process output was truncated at the 'u' instead of showing the full path to the mysqld base directory (that's just what top does when it doesn't have a lot of space).

/usr/libexec/mysqld --basedir=/u

I wouldn't be worried about the stuff in /usr/share/terminfo/u, I have the same sort of stuff there.

For your last post though...

publicsmtp1.com doesn't resolve to anything when I look up the domain. Can you post the whole ps -ef output? I'd like to look up the PPID (parent process id) and user for that line and see which process (and who) owns it. Also, try running:

Code:
grep 'publicsmtp1' /var/log/maillog*
or even

Code:
grep 'publicsmtp1' /var/log/*
It may be something simple like one of your webapps is sending some email - it will show up in /var/log/maillog if that's the case.
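
The PPID and owner lookup requested in the post above, as an added example that is not part of the original thread: given `ps -ef` output, it prints the matching process and each of its ancestors with the owning user. The `ps` snapshot, the host name `mx.example.net`, the address and the PIDs are constructed sample data, and `trace_parents` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: from a `ps -ef` snapshot on stdin, find the first process
# whose command line contains $1 and print it plus every ancestor up to
# PID 1 as "PID USER CMD". Returns non-zero when nothing matches.
trace_parents() {
    # The pattern travels through the environment so that this awk process
    # does not match itself when fed live `ps -ef` output.
    PAT="$1" awk '
    NR == 1 { next }                         # header row
    {
        pid = $2; user[pid] = $1; ppid[pid] = $3
        cmd = $8; for (i = 9; i <= NF; i++) cmd = cmd " " $i
        cmdline[pid] = cmd
        if (!start && index(cmd, ENVIRON["PAT"])) start = pid
    }
    END {
        if (!start) exit 1                   # nothing matched
        for (p = start; p in user; p = ppid[p]) {
            printf "%s %s %s\n", p, user[p], cmdline[p]
            if (p + 0 == 1 || seen[p]++) break
        }
    }'
}

# Constructed snapshot in `ps -ef` column layout (UID PID PPID C STIME TTY TIME CMD).
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan08 ?        00:00:04 init
root      2101     1  0 21:40 ?        00:00:00 sendmail: accepting connections
apache    1800     1  0 Jan08 ?        00:00:12 /usr/sbin/httpd
root      2345  2101  0 21:50 ?        00:00:00 sendmail: server mx.example.net [192.0.2.10] cmd read'

printf '%s\n' "$SAMPLE_PS" | trace_parents 'mx.example.net'
```

Against a running system the call is `ps -ef | trace_parents 'publicsmtp1'`; the first line printed is the process itself and the lines below it are its parent, grandparent and so on.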
 
Old 01-10-2006, 06:17 AM   #15
WorldBuilder
Member
 
Registered: Mar 2003
Location: Massachusetts, USA
Distribution: RH 8, Solaris, Windoze eXPunged
Posts: 520

Original Poster
Rep: Reputation: 30
I will do this as soon as I get to work (about an hour). Can do through SSH. Thanks, you are amazingly helpful.

Chris
 
  


All times are GMT -5.