*FACEPALM* problem solved.....this is too embarrassing :((( epic fail!
Am Dienstag, 22. Dezember 2015 10:54:45 UTC+1 schrieb theresa mic-snare: > > hmm it looks as so ossec-maild has a problem with my ssmtp > ssmtp works fine, because it sent me an automated/generated email at 2:43 > in the morning. > i've set DEBUGGING=yes in the ssmtp.conf but the logs don't show any more > info to debug.... > > what surprises me is that on netstat ssmtp isn't showing any open > connectings. > to me it looks like it's only opening a connection when it wants to send > an email, there's no permanent open connection. > > here's my ssmtp.conf > AuthUser=xx...@gmail.com > AuthPass=xxxxx > FromLineOverride=YES > mailhub=smtp.gmail.com:587 > UseSTARTTLS=YES > TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt > Debug=YES > > and my open connections: > netstat -tulpen > Active Internet connections (only servers) > Proto Recv-Q Send-Q Local Address Foreign Address > State User Inode PID/Program name > tcp 0 0 0.0.0.0:3306 0.0.0.0:* > LISTEN 27 3725594 1313/mysqld > tcp 0 0 0.0.0.0:22 0.0.0.0:* > LISTEN 0 11227 1216/sshd > tcp 0 0 :::22 :::* > LISTEN 0 11232 1216/sshd > tcp 0 0 :::8080 :::* > LISTEN 0 11642 1550/httpd > tcp 0 0 :::80 :::* > LISTEN 0 11638 1550/httpd > udp 0 0 0.0.0.0:1514 0.0.0.0:* > 0 13181 1926/ossec-remoted > udp 0 0 78.41.116.116:123 0.0.0.0:* > 0 11350 1256/ntpd > udp 0 0 127.0.0.1:123 0.0.0.0:* > 0 11346 1256/ntpd > udp 0 0 0.0.0.0:123 0.0.0.0:* > 0 11339 1256/ntpd > udp 0 0 ::1:123 :::* > 0 11352 1256/ntpd > udp 0 0 fe80::5054:ff:fef6:4b74:123 :::* > 0 11351 1256/ntpd > udp 0 0 :::123 :::* > 0 11340 1256/ntpd > > I'm happy to do a TCPdump but at the moment I don't really know what to > filter for... > is ossec--maild listening on a specific port or default 25 port for smtp? > > thanks, > theresa > > Am Montag, 21. Dezember 2015 14:00:56 UTC+1 schrieb dan (ddpbsd): >> >> On Sun, Dec 20, 2015 at 7:50 AM, theresa mic-snare >> <rockpr...@gmail.com> wrote: >> > Hi everyone, >> > >> > today I've noticed a problem with the ossec-maild process. >> > The ossec.log keeps saying >> > >> > ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp >> server) >> > >> > Of course I started troubleshooting the problem and tried to send >> several >> > test-emails from the ossec master. >> > I'm using ssmtp through my google-mail account by the way. >> > All test mails that I sent arrived immediately, so sending mails >> through my >> > MTA seems to work as usual. >> > >> > Then I checked the mail log /var/log/maillog-20151220 >> > which to my surprise has the latest mail entry from yesterday 19:30 >> > Dec 19 19:30:03 tron sSMTP[3943]: Sent mail for b...@bla.org (221 >> 2.0.0 >> > closing connection u126sm11888435wme.3 - gsmtp) uid=48 username=apache >> > outbytes=1898 >> > >> > changed the email address to b...@bla.org for demonstration >> purposes... >> > >> > >> > at least the two test emails that I just send should appear in this >> log, >> > right? >> > >> > I know that the root cause to this problem is NOT an ossec >> problem....but >> > maybe you have an idea what the problem might be? >> > I've checked the quota settings in my gmail account, (so far only 10% >> > used...) >> > I've also checked the disk space on my ossec master, still 21GB left on >> / >> > (where also /var is mounted) >> > >> > so I doubt it's a quota or diskspace problem. >> > i've also restarted (stopped and started) ossec, to see if any zombie >> > processes still allocated the filesystem, and it therefore showed that >> > plenty of diskspace was available. >> > but even after the restart of ossec it still shows that it has plenty >> of >> > diskspace available. >> > >> > any other ideas how I could troubleshoot this problem? >> > >> >> Make sure ssmtp is still listening on 127.0.0.1. >> Use tcpdump or something similar to sniff the traffic between >> ossec-maild and ssmtp. >> Turn on debugging on ssmtp? >> >> > thanks, >> > theresa >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> Groups >> > "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> an >> > email to ossec-list+...@googlegroups.com. >> > For more options, visit https://groups.google.com/d/optout. >> > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.