Re: /var/log/mail.info

  • /dev/rob0
    Nov 5, 2012
      On Mon, Nov 05, 2012 at 05:18:23PM -0500, thorsopia@... wrote:
      > Jeroen:
      > > You may want to invest some time in learning the basics of email
      > > and system administration; this list is not the place for that.
      >
      > I'm willing to learn. I assume that the best way to learn is to
      > configure my own mail server. Am I wrong?

      Learning by doing, and by reference to documentation, is the best
      method indeed. Be advised that mail admin has prerequisites, and if
      you're weak in those, the documentation might not make sense in
      places. Among the prerequisites: familiarity with general Unix;
      familiarity with your particular flavor thereof; basic understanding
      of IP networking and troubleshooting; basic knowledge of SMTP and
      email protocols (which parts do what, and why, and how); basic to
      medium understanding of DNS, particularly in regard to how Internet
      mail routing is controlled.

      As P@rick rightly pointed out, we will help here with prerequisites.
      But Jeroen's right too: you should not expect this mailing list to
      take the place of all those things.

      > >> Should I follow this [1] advice:
      >
      > > No. What do you think is the problem ?
      >
      > I thought that my server was compromised.

      One of the first things I decided when I started learning system
      administration was:

      *** DON'T PANIC!!! ***

      When you see something you don't understand, let that be your first
      thought: "I don't understand this." If you think "my server was
      compromised" every time you see something you don't understand, you
      won't do well, and you might drive yourself crazy in the process of
      failure.

      > I also thought that it can be used to organize a DDoS attack on
      > my server. That's why I decided to configure fail2ban.
      >
      > Could you disprove (or comment on) the above?

      Other posters tried to explain those logs you did not understand.
      Please refer back to those posts.

      1. Sometimes mail clients will connect and decide that they are
      unable to complete their transaction as planned. There is no means
      within the SMTP protocol and extensions for a client to tell the
      server its reasoning. If you control the client, refer to client
      logs.

      2. If a connecting client lacks FCrDNS, Postfix will log it as
      "unknown".

      3. pickup(8):
      "
      NAME
      pickup - Postfix local mail pickup

      SYNOPSIS
      pickup [generic Postfix daemon options]

      DESCRIPTION
      The pickup(8) daemon waits for hints that new mail has
      been dropped into the maildrop directory, and feeds it
      into the cleanup(8) daemon.
      ..."

      In real terms, logging from pickup(8) means that someone (a shell
      user) or some process running on your system used sendmail(1) to send
      mail. It's not unusual for operating systems to ship with default
      cron jobs (see crontab(1) and your OS/distro documentation) which try
      to send mail.

      There is absolutely no evidence in this thread that you have had a
      compromise. Again:

      *** DON'T PANIC!!! ***

      Something else I should point out: you used "/var/log/mail.info" as
      the subject of this thread. Typically that file is an incomplete
      representation of syslog(3) "mail" facility logs; these would only be
      logs of the "info" priority level.

      You should look for and rely upon whatever file you have which
      receives "mail.*" logs (all syslog priorities of the "mail"
      facility.)
      --
      http://rob0.nodns4.us/ -- system administration and consulting
      Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
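The three points in the reply above (aborted client sessions, "unknown" clients without FCrDNS, and pickup(8) meaning local submission) can be turned into a small log triage script. The following is an added example, not part of rob0's message or of the Postfix project. It assumes the syslog-style Postfix log format ("Mon DD HH:MM:SS host postfix/daemon[pid]: message") of Postfix 2.x; the sample lines, host name "mx" and queue ids are constructed, and the client addresses come from the RFC 5737 documentation ranges.

```python
"""Triage Postfix log lines into the benign categories the reply describes.

Added example, not from the mailing-list thread. Assumes syslog-style Postfix
logging as produced by Postfix 2.x; the sample log below is constructed.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CLIENT_RE = re.compile(r"^(?P<event>connect|disconnect) from (?P<name>[^\[]+)\[(?P<ip>[^\]]+)\]")
LOST_RE = re.compile(r"^lost connection after (?P<stage>\w+) from (?P<name>[^\[]+)\[(?P<ip>[^\]]+)\]")

# Constructed sample log (hostname, queue ids and timestamps are made up).
SAMPLE_LOG = """\
Nov  5 17:10:01 mx postfix/pickup[1234]: 3A1B2C3D4E: uid=0 from=<root>
Nov  5 17:10:01 mx postfix/cleanup[1235]: 3A1B2C3D4E: message-id=<20121105221001.3A1B2C3D4E@mx.example>
Nov  5 17:12:44 mx postfix/smtpd[1300]: connect from unknown[192.0.2.10]
Nov  5 17:12:45 mx postfix/smtpd[1300]: disconnect from unknown[192.0.2.10]
Nov  5 17:13:00 mx postfix/smtpd[1301]: connect from mail.example.net[198.51.100.5]
Nov  5 17:13:01 mx postfix/smtpd[1301]: lost connection after CONNECT from mail.example.net[198.51.100.5]
Nov  5 17:14:00 mx postfix/smtpd[1302]: connect from mail.example.org[203.0.113.7]
Nov  5 17:14:01 mx postfix/smtpd[1302]: 5F6E7D8C9B: client=mail.example.org[203.0.113.7]
Nov  5 17:14:02 mx postfix/smtpd[1302]: disconnect from mail.example.org[203.0.113.7]
"""


def parse(line):
    """Split one syslog-style Postfix line into its fields, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Classify each line; returns a list of (daemon, category, detail) tuples."""
    sessions = {}  # smtpd pid -> True once the client has actually opened a mail transaction
    results = []
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            results.append(("?", "unparsed", raw))
            continue
        daemon, pid, msg = rec["daemon"], rec["pid"], rec["msg"]
        if daemon == "pickup":
            # Point 3: pickup(8) only handles mail handed over by sendmail(1) on this
            # machine (a shell user, cron, a local daemon); it never sees remote clients.
            results.append((daemon, "local-submission", msg))
            continue
        if daemon != "smtpd":
            results.append((daemon, "other", msg))
            continue
        cm = CLIENT_RE.match(msg)
        lm = LOST_RE.match(msg)
        if cm and cm["event"] == "connect":
            sessions[pid] = False
            # Point 2: "unknown" is Postfix saying the client has no verifiable reverse DNS.
            cat = "no-fcrdns" if cm["name"] == "unknown" else "connect"
            results.append((daemon, cat, f"{cm['name']}[{cm['ip']}]"))
        elif cm:  # disconnect
            transacted = sessions.pop(pid, None)
            # Point 1: the client connected and left without sending anything; SMTP gives
            # it no way to tell us why, so the reason lives only in the client's own logs.
            cat = "aborted-session" if transacted is False else "session-end"
            results.append((daemon, cat, f"{cm['name']}[{cm['ip']}]"))
        elif lm:
            sessions.pop(pid, None)
            results.append((daemon, "aborted-session", f"{lm['name']}[{lm['ip']}] after {lm['stage']}"))
        elif "client=" in msg:
            sessions[pid] = True  # a queue id was assigned: real mail is being accepted
            results.append((daemon, "mail-accepted", msg))
        else:
            results.append((daemon, "other", msg))
    return results


def summarize(log_text):
    """Count lines per category, the view to look at before deciding anything is wrong."""
    return Counter(cat for _, cat, _ in triage(log_text))


if __name__ == "__main__":
    for daemon, cat, detail in triage(SAMPLE_LOG):
        print(f"{cat:17} {daemon:8} {detail}")
    print(dict(summarize(SAMPLE_LOG)))
```

Run it against your own file with `summarize(open("/var/log/mail.log").read())` (whatever file receives the `mail.*` facility on your system). Every category it emits is routine mail-server activity; a handful of "no-fcrdns" or "aborted-session" entries per day is what any Internet-facing MTA sees, and none of them is evidence of a compromise. The categories worth a second look are the ones it cannot classify, and even those should be read against the Postfix documentation before anything else.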