hmm it looks as so ossec-maild has a problem with my ssmtp ssmtp works fine, because it sent me an automated/generated email at 2:43 in the morning. i've set DEBUGGING=yes in the ssmtp.conf but the logs don't show any more info to debug....
what surprises me is that on netstat ssmtp isn't showing any open connectings. to me it looks like it's only opening a connection when it wants to send an email, there's no permanent open connection. here's my ssmtp.conf AuthUser=xx...@gmail.com AuthPass=xxxxx FromLineOverride=YES mailhub=smtp.gmail.com:587 UseSTARTTLS=YES TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt Debug=YES and my open connections: netstat -tulpen Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 27 3725594 1313/mysqld tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 11227 1216/sshd tcp 0 0 :::22 :::* LISTEN 0 11232 1216/sshd tcp 0 0 :::8080 :::* LISTEN 0 11642 1550/httpd tcp 0 0 :::80 :::* LISTEN 0 11638 1550/httpd udp 0 0 0.0.0.0:1514 0.0.0.0:* 0 13181 1926/ossec-remoted udp 0 0 78.41.116.116:123 0.0.0.0:* 0 11350 1256/ntpd udp 0 0 127.0.0.1:123 0.0.0.0:* 0 11346 1256/ntpd udp 0 0 0.0.0.0:123 0.0.0.0:* 0 11339 1256/ntpd udp 0 0 ::1:123 :::* 0 11352 1256/ntpd udp 0 0 fe80::5054:ff:fef6:4b74:123 :::* 0 11351 1256/ntpd udp 0 0 :::123 :::* 0 11340 1256/ntpd I'm happy to do a TCPdump but at the moment I don't really know what to filter for... is ossec--maild listening on a specific port or default 25 port for smtp? thanks, theresa Am Montag, 21. Dezember 2015 14:00:56 UTC+1 schrieb dan (ddpbsd): > > On Sun, Dec 20, 2015 at 7:50 AM, theresa mic-snare > <rockpr...@gmail.com <javascript:>> wrote: > > Hi everyone, > > > > today I've noticed a problem with the ossec-maild process. > > The ossec.log keeps saying > > > > ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server) > > > > Of course I started troubleshooting the problem and tried to send > several > > test-emails from the ossec master. > > I'm using ssmtp through my google-mail account by the way. > > All test mails that I sent arrived immediately, so sending mails through > my > > MTA seems to work as usual. > > > > Then I checked the mail log /var/log/maillog-20151220 > > which to my surprise has the latest mail entry from yesterday 19:30 > > Dec 19 19:30:03 tron sSMTP[3943]: Sent mail for b...@bla.org > <javascript:> (221 2.0.0 > > closing connection u126sm11888435wme.3 - gsmtp) uid=48 username=apache > > outbytes=1898 > > > > changed the email address to b...@bla.org <javascript:> for > demonstration purposes... > > > > > > at least the two test emails that I just send should appear in this log, > > right? > > > > I know that the root cause to this problem is NOT an ossec > problem....but > > maybe you have an idea what the problem might be? > > I've checked the quota settings in my gmail account, (so far only 10% > > used...) > > I've also checked the disk space on my ossec master, still 21GB left on > / > > (where also /var is mounted) > > > > so I doubt it's a quota or diskspace problem. > > i've also restarted (stopped and started) ossec, to see if any zombie > > processes still allocated the filesystem, and it therefore showed that > > plenty of diskspace was available. > > but even after the restart of ossec it still shows that it has plenty of > > diskspace available. > > > > any other ideas how I could troubleshoot this problem? > > > > Make sure ssmtp is still listening on 127.0.0.1. > Use tcpdump or something similar to sniff the traffic between > ossec-maild and ssmtp. > Turn on debugging on ssmtp? > > > thanks, > > theresa > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to ossec-list+...@googlegroups.com <javascript:>. > > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.