Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Just got a new job, and I'm going through their servers, getting a feel for things.
I noticed that on the syslog server, in the file /var/log/maillog every 10 minutes (to the second) the following error shows up.
Code:
Jul 28 10:49:35 rwsyslog sendmail[21659]: s6SFnZ1I021659: localhost.localdomain [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jul 28 10:59:35 rwsyslog sendmail[21696]: s6SFxZWA021696: localhost.localdomain [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Any clue on how I can find out what process is trying to use sendmail every 10 minutes?
I have tried using tcpdump to pull a packet capture, but it didn't really show me anything useful.
Any help would be greatly appreciated.
Thanks!
Taylor
Last edited by RW-Taylor; 07-28-2014 at 11:13 AM.
Reason: clarification on tcpdump
and I'm going through their servers, getting a feel for things.
Good, good...
Quote:
Originally Posted by RW-Taylor
Any clue on how I can find out what process is trying to use sendmail every 10 minutes?
Every ten minutes? I'd try cron jobs (/etc/cron.*/, /etc/crontab, /var/spool/cron/) first...
Quote:
Originally Posted by RW-Taylor
I have tried using tcpdump to pull a packet capture, but it didn't really show me anything useful.
Packet capture on its own won't, as it doesn't have a concept of process IDs and such, but together with audit rules and log correlation you prolly could.
In essence you would want a rule something like this:
Code:
-A INPUT -i lo -d 127.0.0.0/255.255.0.0 --ctstate NEW -m tcp --dport 25 -m owner -j LOG --log-prefix "SMTP_lo_in " --log-uid
but when I tried to add it I ended up with something like this:
Code:
awk -F':' '{print $1}' /etc/passwd | egrep -vie "(shutdown)" | while read _OWNER; do iptables -A OUTPUT -o lo -m conntrack \
--ctstate NEW -m owner --uid-owner ${_OWNER} -j LOG --log-prefix "${_OWNER}SMTP_lo_in " --log-uid; done
That's a bit overkill but then again you wouldn't want to have this running for more than say two hours anyway before checking /var/log/messages, right?
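An added example, not part of unSpawn's post and not output of any tool on the page: a POSIX sh/awk script that reads the lines the iptables LOG target with `--log-uid` writes to /var/log/messages, maps the UID= field to a user name through /etc/passwd, and prints the gap between consecutive hits so the ten-minute cadence (the cron hint above) is visible at a glance. The `SMTP_lo_in` prefix is the one from the rule above; the log lines, ports, IDs and passwd entries are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): correlate iptables LOG --log-uid lines with /etc/passwd
# and measure the interval between loopback SMTP connection attempts.

# Constructed sample in xt_LOG's field layout with the "SMTP_lo_in " prefix; every value is made up.
SAMPLE_MSGS='Jul 28 10:49:35 rwsyslog kernel: SMTP_lo_in IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=43690 RES=0x00 SYN URGP=0 UID=0 GID=0
Jul 28 10:59:35 rwsyslog kernel: SMTP_lo_in IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12399 DF PROTO=TCP SPT=51250 DPT=25 WINDOW=43690 RES=0x00 SYN URGP=0 UID=0 GID=0
Jul 28 10:59:36 rwsyslog kernel: SMTP_lo_in IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12400 DF PROTO=TCP SPT=51251 DPT=25 WINDOW=43690 RES=0x00 SYN URGP=0 UID=48 GID=48'

# Constructed two-line passwd file; only field 1 (name) and field 3 (uid) are used.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin'

# smtp_log_report PASSWD_FILE   (log lines on stdin)
# Prints "Mon DD HH:MM:SS uid=N user=NAME spt=PORT" for each logged connection to port 25.
# PASSWD_FILE must be non-empty, otherwise the NR==FNR trick would swallow the log lines too.
smtp_log_report() {
  awk 'NR == FNR { split($0, f, ":"); name[f[3]] = f[1]; next }
       /SMTP_lo_in / {
         uid = "?"; spt = "?"; dpt = ""
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^UID=/) uid = substr($i, 5)
           if ($i ~ /^SPT=/) spt = substr($i, 5)
           if ($i ~ /^DPT=/) dpt = substr($i, 5)
         }
         if (dpt != "25") next
         user = (uid in name) ? name[uid] : "?"
         printf "%s %s %s uid=%s user=%s spt=%s\n", $1, $2, $3, uid, user, spt
       }' "$1" -
}

# smtp_log_intervals   (log lines on stdin)
# Prints the seconds between consecutive SMTP_lo_in hits; a steady 600 points at a cron job.
# Only the HH:MM:SS field is used, so a pair of hits that straddles midnight shows a negative gap.
smtp_log_intervals() {
  awk '/SMTP_lo_in / {
         split($3, t, ":"); s = t[1] * 3600 + t[2] * 60 + t[3]
         if (seen) print s - prev
         prev = s; seen = 1
       }'
}

# Stand-alone demo on the constructed data.
# On the box itself: smtp_log_report /etc/passwd < /var/log/messages
pw=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$pw"
printf '%s\n' "$SAMPLE_MSGS" | smtp_log_report "$pw"
printf '%s\n' "$SAMPLE_MSGS" | smtp_log_intervals
rm -f "$pw"
```

The report answers "which user" (here uid=0, so root, plus a made-up apache hit for contrast); the interval list answers "how regular". A UID alone does not name the process, which is why the audit route for socket calls is still needed to get a PID.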
If I'm not mistaken, this shows us the user that is running the process has UID 0 (which is root), and the PID of the process was 26299 (??? I'm not sure the ID is the PID)
At 8:49:39, the /var/log/messages file had this logged to it
You now know it's a root-owned process. Two approaches I can think of now: 0) have a go at this (the logging socket calls part) or 1) stop the sendmail service (on the loopback interface) and see if something errors out (or not, it's just a hunch).
unSpawn - I tried option 1 first, and unfortunately stopping sendmail (by running service sendmail stop) didn't generate any errors when the sendmails would have run. I let it sit for about 20 minutes and then checked the logs.
I then started the sendmail service, and tried option 0. I skipped straight ahead to the socket calls logging part of the page you linked. I ran the following command (I changed the architecture to b64 because we are running 64bit)
Maybe you can use lsof -i to identify the process which is initiating a connection on the SMTP port. You can use various outputs or grep for the important data:
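An added example, not from the poster above and not output of lsof or ss: the connection in the maillog is open for well under a second (it connects, sends nothing, and is gone), so a one-off `lsof -i :25` will usually find nothing. This POSIX sh script instead polls `ss -Htnp` in a tight loop and records the PID and command of every socket whose peer is port 25. The `ss` output lines, process names, PIDs and ports are constructed; `ss -p` only shows other users' processes when run as root.

```sh
#!/bin/sh
# Added example (not from the thread): catch a short-lived loopback SMTP client by polling ss.

# Constructed sample of `ss -Htnp` output (columns: State Recv-Q Send-Q Local Peer Process);
# the process names, pids, fds and ports are made up.
SAMPLE_SS='ESTAB 0 0 127.0.0.1:51234 127.0.0.1:25 users:(("mailcheck.sh",pid=30412,fd=3))
ESTAB 0 0 10.0.0.5:22 10.0.0.9:50022 users:(("sshd",pid=1234,fd=5))
SYN-SENT 0 1 127.0.0.1:51260 127.0.0.1:25 users:(("helper",pid=30420,fd=4))'

# smtp_clients   (ss -Htnp lines on stdin)
# Prints "PID COMMAND LOCAL_ADDR" for each socket whose peer port is 25.
smtp_clients() {
  awk '$5 ~ /:25$/ {
         pid = "?"; comm = "?"
         if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
         if (match($0, /\(\("[^"]+"/)) comm = substr($0, RSTART + 3, RLENGTH - 4)
         print pid, comm, $4
       }'
}

# watch_smtp_clients [SECONDS]
# Polls ss about five times a second for SECONDS (default 1200, i.e. two 10-minute cycles)
# and prints each distinct PID/command/local-address triple once when the window ends.
watch_smtp_clients() {
  end=$(( $(date +%s) + ${1:-1200} ))
  while [ "$(date +%s)" -lt "$end" ]; do
    ss -Htnp 2>/dev/null | smtp_clients
    sleep 0.2
  done | sort -u
}

# Stand-alone demo on the constructed sample; on the server itself run: watch_smtp_clients 1200
printf '%s\n' "$SAMPLE_SS" | smtp_clients
```

Polling is best-effort: a client that connects and closes between two samples is missed, which is why the iptables LOG and audit approaches earlier in the thread remain the reliable way to pin the UID and PID down. Once a PID is known, `ls -l /proc/PID/exe` and `cat /proc/PID/cmdline` identify the binary before it exits again.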