Hi Theresa, Please could you explain how did you solve this? Might be an epic fail for you, but it might help others :)
Thanks a lot Laura On Tuesday, 22 December 2015 10:53:55 UTC, theresa mic-snare wrote: > > *FACEPALM* > > problem solved.....this is too embarrassing :((( > epic fail! > > Am Dienstag, 22. Dezember 2015 10:54:45 UTC+1 schrieb theresa mic-snare: >> >> hmm it looks as so ossec-maild has a problem with my ssmtp >> ssmtp works fine, because it sent me an automated/generated email at 2:43 >> in the morning. >> i've set DEBUGGING=yes in the ssmtp.conf but the logs don't show any more >> info to debug.... >> >> what surprises me is that on netstat ssmtp isn't showing any open >> connectings. >> to me it looks like it's only opening a connection when it wants to send >> an email, there's no permanent open connection. >> >> here's my ssmtp.conf >> AuthUser=xx...@gmail.com >> AuthPass=xxxxx >> FromLineOverride=YES >> mailhub=smtp.gmail.com:587 >> UseSTARTTLS=YES >> TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt >> Debug=YES >> >> and my open connections: >> netstat -tulpen >> Active Internet connections (only servers) >> Proto Recv-Q Send-Q Local Address Foreign Address >> State User Inode PID/Program name >> tcp 0 0 0.0.0.0:3306 0.0.0.0:* >> LISTEN 27 3725594 1313/mysqld >> tcp 0 0 0.0.0.0:22 0.0.0.0:* >> LISTEN 0 11227 1216/sshd >> tcp 0 0 :::22 :::* >> LISTEN 0 11232 1216/sshd >> tcp 0 0 :::8080 :::* >> LISTEN 0 11642 1550/httpd >> tcp 0 0 :::80 :::* >> LISTEN 0 11638 1550/httpd >> udp 0 0 0.0.0.0:1514 0.0.0.0:* >> 0 13181 1926/ossec-remoted >> udp 0 0 78.41.116.116:123 0.0.0.0:* >> 0 11350 1256/ntpd >> udp 0 0 127.0.0.1:123 0.0.0.0:* >> 0 11346 1256/ntpd >> udp 0 0 0.0.0.0:123 0.0.0.0:* >> 0 11339 1256/ntpd >> udp 0 0 ::1:123 :::* >> 0 11352 1256/ntpd >> udp 0 0 fe80::5054:ff:fef6:4b74:123 :::* >> 0 11351 1256/ntpd >> udp 0 0 :::123 :::* >> 0 11340 1256/ntpd >> >> I'm happy to do a TCPdump but at the moment I don't really know what to >> filter for... >> is ossec--maild listening on a specific port or default 25 port for smtp? >> >> thanks, >> theresa >> >> Am Montag, 21. Dezember 2015 14:00:56 UTC+1 schrieb dan (ddpbsd): >>> >>> On Sun, Dec 20, 2015 at 7:50 AM, theresa mic-snare >>> <rockpr...@gmail.com> wrote: >>> > Hi everyone, >>> > >>> > today I've noticed a problem with the ossec-maild process. >>> > The ossec.log keeps saying >>> > >>> > ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp >>> server) >>> > >>> > Of course I started troubleshooting the problem and tried to send >>> several >>> > test-emails from the ossec master. >>> > I'm using ssmtp through my google-mail account by the way. >>> > All test mails that I sent arrived immediately, so sending mails >>> through my >>> > MTA seems to work as usual. >>> > >>> > Then I checked the mail log /var/log/maillog-20151220 >>> > which to my surprise has the latest mail entry from yesterday 19:30 >>> > Dec 19 19:30:03 tron sSMTP[3943]: Sent mail for b...@bla.org (221 >>> 2.0.0 >>> > closing connection u126sm11888435wme.3 - gsmtp) uid=48 username=apache >>> > outbytes=1898 >>> > >>> > changed the email address to b...@bla.org for demonstration >>> purposes... >>> > >>> > >>> > at least the two test emails that I just send should appear in this >>> log, >>> > right? >>> > >>> > I know that the root cause to this problem is NOT an ossec >>> problem....but >>> > maybe you have an idea what the problem might be? >>> > I've checked the quota settings in my gmail account, (so far only 10% >>> > used...) >>> > I've also checked the disk space on my ossec master, still 21GB left >>> on / >>> > (where also /var is mounted) >>> > >>> > so I doubt it's a quota or diskspace problem. >>> > i've also restarted (stopped and started) ossec, to see if any zombie >>> > processes still allocated the filesystem, and it therefore showed that >>> > plenty of diskspace was available. >>> > but even after the restart of ossec it still shows that it has plenty >>> of >>> > diskspace available. >>> > >>> > any other ideas how I could troubleshoot this problem? >>> > >>> >>> Make sure ssmtp is still listening on 127.0.0.1. >>> Use tcpdump or something similar to sniff the traffic between >>> ossec-maild and ssmtp. >>> Turn on debugging on ssmtp? >>> >>> > thanks, >>> > theresa >>> > >>> > -- >>> > >>> > --- >>> > You received this message because you are subscribed to the Google >>> Groups >>> > "ossec-list" group. >>> > To unsubscribe from this group and stop receiving emails from it, send >>> an >>> > email to ossec-list+...@googlegroups.com. >>> > For more options, visit https://groups.google.com/d/optout. >>> >> -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
