hmm it looks as though ossec-maild has a problem with my ssmtp
ssmtp works fine, because it sent me an automated/generated email at 2:43 
in the morning.
i've set DEBUGGING=yes in the ssmtp.conf but the logs don't show any more 
info to debug....

what surprises me is that on netstat ssmtp isn't showing any open 
connections.
to me it looks like it's only opening a connection when it wants to send an 
email, there's no permanent open connection.

here's my ssmtp.conf
AuthUser=xx...@gmail.com
AuthPass=xxxxx
FromLineOverride=YES
mailhub=smtp.gmail.com:587
UseSTARTTLS=YES
TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt
Debug=YES

and my open connections:
netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      27         3725594    1313/mysqld
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      0          11227      1216/sshd
tcp        0      0 :::22                       :::*                        LISTEN      0          11232      1216/sshd
tcp        0      0 :::8080                     :::*                        LISTEN      0          11642      1550/httpd
tcp        0      0 :::80                       :::*                        LISTEN      0          11638      1550/httpd
udp        0      0 0.0.0.0:1514                0.0.0.0:*                               0          13181      1926/ossec-remoted
udp        0      0 78.41.116.116:123           0.0.0.0:*                               0          11350      1256/ntpd
udp        0      0 127.0.0.1:123               0.0.0.0:*                               0          11346      1256/ntpd
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               0          11339      1256/ntpd
udp        0      0 ::1:123                     :::*                                    0          11352      1256/ntpd
udp        0      0 fe80::5054:ff:fef6:4b74:123 :::*                                    0          11351      1256/ntpd
udp        0      0 :::123                      :::*                                    0          11340      1256/ntpd

I'm happy to do a TCPdump but at the moment I don't really know what to 
filter for...
is ossec-maild listening on a specific port or default 25 port for smtp?

thanks,
theresa

On Monday, 21 December 2015 14:00:56 UTC+1, dan (ddpbsd) wrote:
>
> On Sun, Dec 20, 2015 at 7:50 AM, theresa mic-snare <rockpr...@gmail.com> wrote: 
> > Hi everyone, 
> > 
> > today I've noticed a problem with the ossec-maild process. 
> > The ossec.log keeps saying 
> > 
> > ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server) 
> > 
> > Of course I started troubleshooting the problem and tried to send several 
> > test-emails from the ossec master. 
> > I'm using ssmtp through my google-mail account by the way. 
> > All test mails that I sent arrived immediately, so sending mails through my 
> > MTA seems to work as usual. 
> > 
> > Then I checked the mail log /var/log/maillog-20151220 
> > which to my surprise has the latest mail entry from yesterday 19:30 
> > Dec 19 19:30:03 tron sSMTP[3943]: Sent mail for b...@bla.org (221 2.0.0 closing connection u126sm11888435wme.3 - gsmtp) uid=48 username=apache outbytes=1898 
> > 
> > changed the email address to b...@bla.org for demonstration purposes... 
> > 
> > 
> > at least the two test emails that I just sent should appear in this log, 
> > right? 
> > 
> > I know that the root cause to this problem is NOT an ossec problem....but 
> > maybe you have an idea what the problem might be? 
> > I've checked the quota settings in my gmail account, (so far only 10% 
> > used...) 
> > I've also checked the disk space on my ossec master, still 21GB left on / 
> > (where also /var is mounted) 
> > 
> > so I doubt it's a quota or diskspace problem. 
> > i've also restarted (stopped and started) ossec, to see if any zombie 
> > processes still allocated the filesystem, and it therefore showed that 
> > plenty of diskspace was available. 
> > but even after the restart of ossec it still shows that it has plenty of 
> > diskspace available. 
> > 
> > any other ideas how I could troubleshoot this problem? 
> > 
>
> Make sure ssmtp is still listening on 127.0.0.1. 
> Use tcpdump or something similar to sniff the traffic between 
> ossec-maild and ssmtp. 
> Turn on debugging on ssmtp? 
>
> > thanks, 
> > theresa 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send an 
> > email to ossec-list+...@googlegroups.com. 
> > For more options, visit https://groups.google.com/d/optout. 
>
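
dan's first suggestion, checking for a listener on 127.0.0.1, can be run directly against the netstat output in the reply. The script below is an added example, not part of either message; it assumes ossec-maild delivers to the standard SMTP port 25, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Port 25 is an assumption (standard SMTP).

# TCP rows of the netstat -tulpen output posted above, wrapped lines rejoined.
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 27 3725594 1313/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 11227 1216/sshd
tcp 0 0 :::22 :::* LISTEN 0 11232 1216/sshd
tcp 0 0 :::8080 :::* LISTEN 0 11642 1550/httpd
tcp 0 0 :::80 :::* LISTEN 0 11638 1550/httpd'

# listeners_on_loopback PORT
# Reads netstat -tulpen text on stdin and prints "address program" for every
# TCP socket in LISTEN state on PORT that a client connecting to 127.0.0.1
# can reach: bound to 127.0.0.1 itself, to the IPv4 wildcard 0.0.0.0, or to
# the IPv6 wildcard :: (dual-stack, assuming Linux's default bindv6only=0).
# Returns 0 if at least one such listener exists, 1 if none.
listeners_on_loopback() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # The port is whatever follows the last colon; IPv6 local
            # addresses such as ":::22" contain colons of their own.
            n = split($4, parts, ":")
            p = parts[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && (addr == "127.0.0.1" || addr == "0.0.0.0" || addr == "::")) {
                print addr, $NF
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# check_port PORT: one-line verdict for the netstat text on stdin.
check_port() {
    if hits=$(listeners_on_loopback "$1"); then
        echo "port $1: listening:" $hits
    else
        echo "port $1: no listener, connections to 127.0.0.1:$1 will be refused"
    fi
}

printf '%s\n' "$SAMPLE_NETSTAT" | check_port 25   # the assumed SMTP port
printf '%s\n' "$SAMPLE_NETSTAT" | check_port 22   # sshd, for comparison
```

On a live host, pipe `netstat -tulpen` into `check_port 25` instead of the sample. If a capture is still wanted, `tcpdump -i lo -nn 'tcp port 25'` limits it to loopback traffic on the same assumed port.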
