LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (http://www.linuxquestions.org/questions/linux-server-73/)
-   -   Mail from root@localhost.localdomain thru relay=localhost.localdomain[216.24.138.1] (http://www.linuxquestions.org/questions/linux-server-73/mail-from-root%40localhost-localdomain-thru-relay%3Dlocalhost-localdomain%5B216-24-138-1%5D-701219/)

rshartog 01-31-2009 06:53 AM

Mail from root@localhost.localdomain thru relay=localhost.localdomain[216.24.138.1]
 
Hi,

I am having a hard time understanding these lines in my maillog file and I'm hoping someone can help me.

Jan 31 07:37:49 srv1 postfix/qmgr[30599]: 783BFDA125: from=<root@localhost.localdomain>, size=10851, nrcpt=1 (queue active)

Jan 31 07:37:49 srv1 postfix/smtp[442]: 783BFDA125: to=<root@localhost.localdomain>, relay=localhost.localdomain[216.24.138.135]:25, delay=12932, delays=12932/0.03/0.15/0, dsn=4.4.2, status=deferred (lost connection with localhost.localdomain[216.24.138.135] while receiving the initial server greeting)

At first glance, a root process on my system is trying to email root on my system, but relaying the email through 216.24.138.135.

These lines appears about every 20 minutes in my log file.
Here are my questions...

1) Is this mail originating on my system, or is this a spammer trying to send mail from my system and claiming to be "root@localhost.localdomain" at the SMTP interface?

2) If it is from my system, how do I determine which process is sending email as root (and why)?

3) What does the "localhost.localdomain[216.24.138.135]" mean? Is root a process on my system trying to email root on 216.24.138.135? Why would this occur?

I'm new to Linux as an administrator, and I setup my mail server about a week ago using HOWTO documents I found on line.

My setup is...
Fedora10, Postfix, Dovecot, Squirrelmail, ClamAV, Amavisd-new, Spamassassin

If you need more info, please let me know and I'll post it.

Thanks,
--Scott

auximini 02-01-2009 03:13 AM

Hi Scott,

That's rather strange.

The first thing I would look at is if you have any cron jobs running. As root, you can run

Code:

crontab -l
To list the cron table.

You can also check under /var/spool/cron (might be slightly different across different distributions) to see the cron information for all users.

Next, check your DNS settings. Do you have any odd entries in /etc/hosts ? Does /etc/resolve.conf look correct?

Hope that helps.

rshartog 02-02-2009 10:35 PM

I think this problem is solved.

Thanks for the suggestions Joe. I didn't have any cron jobs, but the problem was in my /etc/hosts file.

Here are the details in case it helps someone looking at the same problem...

The problem was that the LogWatch application was periodically sending an email message to "root "(without any @domain) and my /etc/hosts files was incorrect. This was causing my server to send the LogWatch report out over the internet as an email to "root@localhost.localdomain". My ISP relay (the mysterious 216.24.138.135 IP address) does not like receiving messages to "root@localhost.localdomain" so it deferred the email.

These LogWatch emails were piling up in my "deferred" queue and postfix (SMTP server) would retry them occasionally -- and they would be deferred again. I could not see the IP 216.24.138.135 in my /var/log/message file because I do not log IP packets with state=established/related. The response from 216.24.138.135 was always state=established because my machine originated the transaction.

Here are some suggestions for others looking at a similar problem...

1) Check the mail queues. I use postfix for my SMTP server and the command "qshape deferred" will show you the number of email in the deferred queue (or any other queue).

2) I used "vim" to examine the emails that were in the deferred queue. The deferred email files were in the directories under "/var/spool/postfix/deferred". That's how I discovered that they were LogWatch reports. There is probably a better way to examine the contents of these emails in the deferred queue, but I don't know what it is.

3) When I examined the LogWatch config file, I saw that it was sending to "root", so I manually sent a report using the command "logwatch --mailto root" and I could see the error occur in the logs. If I typed "logwatch --mailto root@mydomain.com", then the error did not occur.

4) I poked around on the net under /etc/hosts and discovered that my file was incorrect. More specifically, I had my host machine names on the 127.0.0.1 line instead of on a subsquent line with the correct LAN IP addres.

5) I used the command "postsuper -d ALL deferred" to delete all the emailed in the deferred queue.

I still have a question...

How does LogWatch periodically send reports? I could not find a cron job for it and it doesn't appear to be a service. (I had not even heard of the LogWatch application until I discovered it in the deferred email.)

--Scott


All times are GMT -5. The time now is 11:56 AM.