List: ossec-list
Subject: Re: [ossec-list] ossec-maild Error Sending email to 127.0.0.1
From: Laura Herrera <peque73 () gmail ! com>
Date: 2016-09-28 10:42:06
Message-ID: aad5f7e8-dd28-4638-bc52-78ab7b133a52 () googlegroups ! com
Hi Theresa,
Please could you explain how you solved this?
Might be an epic fail for you, but it might help others :)
Thanks a lot
Laura
On Tuesday, 22 December 2015 10:53:55 UTC, theresa mic-snare wrote:
>
> *FACEPALM*
>
> problem solved.....this is too embarrassing :(((
> epic fail!
>
> On Tuesday, 22 December 2015 10:54:45 UTC+1, theresa mic-snare wrote:
> >
> > hmm it looks as if ossec-maild has a problem with my ssmtp
> > ssmtp works fine, because it sent me an automated/generated email at 2:43
> > in the morning.
> > I've set DEBUGGING=yes in the ssmtp.conf but the logs don't show any more
> > info to debug....
> >
> > what surprises me is that on netstat ssmtp isn't showing any open
> > connections.
> > to me it looks like it's only opening a connection when it wants to send
> > an email, there's no permanent open connection.
> >
> > here's my ssmtp.conf
> > AuthUser=xxxxx@gmail.com
> > AuthPass=xxxxx
> > FromLineOverride=YES
> > mailhub=smtp.gmail.com:587
> > UseSTARTTLS=YES
> > TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt
> > Debug=YES
> >
> > and my open connections:
> > netstat -tulpen
> > Active Internet connections (only servers)
> > Proto Recv-Q Send-Q Local Address               Foreign Address State  User Inode   PID/Program name
> > tcp        0      0 0.0.0.0:3306                0.0.0.0:*       LISTEN 27   3725594 1313/mysqld
> > tcp        0      0 0.0.0.0:22                  0.0.0.0:*       LISTEN 0    11227   1216/sshd
> > tcp        0      0 :::22                       :::*            LISTEN 0    11232   1216/sshd
> > tcp        0      0 :::8080                     :::*            LISTEN 0    11642   1550/httpd
> > tcp        0      0 :::80                       :::*            LISTEN 0    11638   1550/httpd
> > udp        0      0 0.0.0.0:1514                0.0.0.0:*              0    13181   1926/ossec-remoted
> > udp        0      0 78.41.116.116:123           0.0.0.0:*              0    11350   1256/ntpd
> > udp        0      0 127.0.0.1:123               0.0.0.0:*              0    11346   1256/ntpd
> > udp        0      0 0.0.0.0:123                 0.0.0.0:*              0    11339   1256/ntpd
> > udp        0      0 ::1:123                     :::*                   0    11352   1256/ntpd
> > udp        0      0 fe80::5054:ff:fef6:4b74:123 :::*                   0    11351   1256/ntpd
> > udp        0      0 :::123                      :::*                   0    11340   1256/ntpd
> >
> > I'm happy to do a TCPdump but at the moment I don't really know what to
> > filter for...
> > is ossec-maild listening on a specific port or default 25 port for smtp?
> >
> > thanks,
> > theresa
> >
> > On Monday, 21 December 2015 14:00:56 UTC+1, dan (ddpbsd) wrote:
> > >
> > > On Sun, Dec 20, 2015 at 7:50 AM, theresa mic-snare
> > > <rockpr...@gmail.com> wrote:
> > > > Hi everyone,
> > > >
> > > > today I've noticed a problem with the ossec-maild process.
> > > > The ossec.log keeps saying
> > > >
> > > > ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)
> > > >
> > > > Of course I started troubleshooting the problem and tried to send several
> > > > test-emails from the ossec master.
> > > > I'm using ssmtp through my google-mail account by the way.
> > > > All test mails that I sent arrived immediately, so sending mails through my
> > > > MTA seems to work as usual.
> > > >
> > > > Then I checked the mail log /var/log/maillog-20151220
> > > > which to my surprise has the latest mail entry from yesterday 19:30
> > > > Dec 19 19:30:03 tron sSMTP[3943]: Sent mail for b...@bla.org (221 2.0.0 closing connection u126sm11888435wme.3 - gsmtp) uid=48 username=apache outbytes=1898
> > > >
> > > > changed the email address to b...@bla.org for demonstration purposes...
> > > >
> > > >
> > > > at least the two test emails that I just sent should appear in this log,
> > > > right?
> > > >
> > > > I know that the root cause to this problem is NOT an ossec problem....but
> > > > maybe you have an idea what the problem might be?
> > > > I've checked the quota settings in my gmail account, (so far only 10%
> > > > used...)
> > > > I've also checked the disk space on my ossec master, still 21GB left on /
> > > > (where also /var is mounted)
> > > >
> > > > so I doubt it's a quota or diskspace problem.
> > > > I've also restarted (stopped and started) ossec, to see if any zombie
> > > > processes still allocated the filesystem, and it therefore showed that
> > > > plenty of diskspace was available.
> > > > but even after the restart of ossec it still shows that it has plenty of
> > > > diskspace available.
> > > >
> > > > any other ideas how I could troubleshoot this problem?
> > >
> > > Make sure ssmtp is still listening on 127.0.0.1.
> > > Use tcpdump or something similar to sniff the traffic between
> > > ossec-maild and ssmtp.
> > > Turn on debugging on ssmtp?
> > >
> > > > thanks,
> > > > theresa
> > >
> >
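
The first check suggested in the quoted thread (is anything listening on 127.0.0.1?), as an added example that is not part of any poster's message. It assumes ossec-maild talks SMTP to the configured server on TCP port 25 and that IPv6 wildcard sockets are dual-stack (the Linux default); the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report whether anything accepts TCP
# connections on a port reachable via 127.0.0.1, given `netstat -tulpen`
# output on stdin.

# loopback_listener PORT
# Prints "local-address pid/program" for each matching TCP listener.
# Exit status: 0 if at least one listener was found, 1 otherwise.
loopback_listener() {
    awk -v port="${1:-25}" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, part, ":")
            if (part[n] != port) next
            host = substr($4, 1, length($4) - length(part[n]) - 1)
            # 0.0.0.0 and 127.0.0.1 always cover loopback; "::" does too on a
            # dual-stack socket (assumption: bindv6only=0, the Linux default).
            if (host == "0.0.0.0" || host == "127.0.0.1" || host == "::") {
                print $4, $NF
                found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample: rows taken from the listing quoted in the thread,
# each re-joined onto a single line.
sample_thread() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 27 3725594 1313/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 11227 1216/sshd
tcp 0 0 :::22 :::* LISTEN 0 11232 1216/sshd
tcp 0 0 :::80 :::* LISTEN 0 11638 1550/httpd
udp 0 0 0.0.0.0:1514 0.0.0.0:* 0 13181 1926/ossec-remoted
EOF
}

# Constructed sample: the same host with a hypothetical local MTA on loopback.
sample_with_mta() {
    sample_thread
    echo 'tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 20001 2100/master'
}

# check LABEL PORT   (netstat output on stdin)
check() {
    if out=$(loopback_listener "$2"); then
        echo "$1: listener on port $2: $out"
    else
        echo "$1: nothing listening on 127.0.0.1:$2"
    fi
}

sample_thread   | check "thread listing" 25
sample_with_mta | check "with local MTA" 25
```

On a live host, pipe the real output in instead of the samples: `netstat -tulpen | loopback_listener 25`.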