My upstream provider sent me a spam that apparently came from one of our servers. It is only used for mail and has no CMS or other applications on it, and everything is up-to-date for versions, yet when I check the processes running on this server, there are nearly 130 while the next server, with the same load and identical configuration and updates, has fewer than 70. The disk usage on the server is four times normal as well.
Here is what I see:
13897 root 17:17 /usr/lib/postfix/master
5366 postfix 20:10 smtpd -n smtp -t inet -u -c -o stress= -o smtpd_sasl_auth_enable=yes
5368 postfix 20:10 anvil -l -t unix -u -c
5369 postfix 20:10 trivial-rewrite -n rewrite -t unix -u -c
5382 postfix 20:10 smtp -t unix -u -c
5384 postfix 20:10 smtp -t unix -u -c
5386 postfix 20:10 error -n retry -t unix -u -c
5387 postfix 20:10 smtp -t unix -u -c
5388 postfix 20:10 error -n retry -t unix -u -c
5390 postfix 20:10 smtp -t unix -u -c
5391 postfix 20:10 smtp -t unix -u -c
5392 postfix 20:10 smtp -t unix -u -c
5393 postfix 20:10 smtp -t unix -u -c
5394 postfix 20:10 error -n retry -t unix -u -c
5395 postfix 20:10 smtp -t unix -u -c
5396 postfix 20:10 smtp -t unix -u -c
5397 postfix 20:10 smtp -t unix -u -c
5400 postfix 20:10 error -n retry -t unix -u -c
5401 postfix 20:10 smtp -t unix -u -c
5402 postfix 20:10 smtp -t unix -u -c
5403 postfix 20:10 smtp -t unix -u -c
5404 postfix 20:10 smtp -t unix -u -c
5405 postfix 20:10 smtp -t unix -u -c
5406 postfix 20:10 smtp -t unix -u -c
5408 postfix 20:10 smtp -t unix -u -c
5409 postfix 20:10 error -n retry -t unix -u -c
5410 postfix 20:10 smtp -t unix -u -c
5411 postfix 20:10 error -n retry -t unix -u -c
5412 postfix 20:10 smtp -t unix -u -c
5417 postfix 20:10 smtp -t unix -u -c
5420 postfix 20:10 smtp -t unix -u -c
5421 postfix 20:10 smtp -t unix -u -c
5422 postfix 20:10 smtp -t unix -u -c
5423 postfix 20:10 smtp -t unix -u -c
5424 postfix 20:10 smtp -t unix -u -c
5425 postfix 20:10 error -n retry -t unix -u -c
5426 postfix 20:10 smtp -t unix -u -c
5428 postfix 20:10 smtp -t unix -u -c
5431 postfix 20:10 smtp -t unix -u -c
5433 postfix 20:10 error -n retry -t unix -u -c
5435 postfix 20:10 error -n retry -t unix -u -c
5438 postfix 20:10 smtp -t unix -u -c
5439 postfix 20:10 smtp -t unix -u -c
5440 postfix 20:10 smtp -t unix -u -c
5441 postfix 20:10 smtp -t unix -u -c
5443 postfix 20:10 smtp -t unix -u -c
5447 postfix 20:10 smtp -t unix -u -c
5448 postfix 20:10 smtp -t unix -u -c
5449 postfix 20:10 smtp -t unix -u -c
5450 postfix 20:10 error -n retry -t unix -u -c
5451 postfix 20:10 smtp -t unix -u -c
5455 postfix 20:10 smtp -t unix -u -c
5457 postfix 20:10 scache -l -t unix -u -c
5473 postfix 20:11 smtp -t unix -u -c
5497 postfix 20:11 smtp -t unix -u -c
5498 postfix 20:11 smtp -t unix -u -c
5499 postfix 20:11 trivial-rewrite -n rewrite -t unix -u -c
5500 postfix 20:11 smtp -t unix -u -c
5502 postfix 20:11 smtp -t unix -u -c
5504 postfix 20:11 smtp -t unix -u -c
5505 postfix 20:11 smtp -t unix -u -c
5506 postfix 20:11 smtp -t unix -u -c
5515 postfix 20:12 smtp -t unix -u -c
5521 postfix 20:12 error -n retry -t unix -u -c
5687 postfix 20:15 cleanup -z -t unix -u -c
5689 postfix 20:15 bounce -z -n defer -t unix -u -c
5690 postfix 20:15 bounce -z -n defer -t unix -u -c
5691 postfix 20:15 bounce -z -n defer -t unix -u -c
5692 postfix 20:15 bounce -z -n defer -t unix -u -c
5693 postfix 20:15 bounce -z -n defer -t unix -u -c
5694 postfix 20:15 bounce -z -n defer -t unix -u -c
5695 postfix 20:15 bounce -z -n defer -t unix -u -c
5696 postfix 20:15 bounce -z -n defer -t unix -u -c
5697 postfix 20:15 bounce -z -n defer -t unix -u -c
5698 postfix 20:15 bounce -z -n defer -t unix -u -c
5699 postfix 20:15 bounce -z -n defer -t unix -u -c
5700 postfix 20:15 bounce -z -n defer -t unix -u -c
5702 postfix 20:15 bounce -z -n defer -t unix -u -c
5704 postfix 20:15 bounce -z -t unix -u -c
5705 postfix 20:15 bounce -z -t unix -u -c
5706 postfix 20:15 cleanup -z -t unix -u -c
5707 postfix 20:15 bounce -z -t unix -u -c
5709 postfix 20:15 cleanup -z -t unix -u -c
5710 postfix 20:15 bounce -z -t unix -u -c
5711 postfix 20:15 cleanup -z -t unix -u -c
5715 postfix 20:15 bounce -z -n defer -t unix -u -c
5724 postfix 20:15 bounce -z -n defer -t unix -u -c
5725 postfix 20:15 bounce -z -n defer -t unix -u -c
5726 postfix 20:15 bounce -z -n defer -t unix -u -c
5727 postfix 20:15 bounce -z -n defer -t unix -u -c
15622 postfix 17:34 qmgr -l -t fifo -u
15741 postfix 17:36 tlsmgr -l -t unix -u -c
27677 postfix 18:57 pickup -l -t fifo -u -c
Howdy,
Yeah, those are a lot of Postfix related processes. You may want to take a look at the mail queue, and see what all is in there.
You can do that by going into Webmin -> Postfix -> Mail Queue. From there, you can view the messages and their headers, which you can use to determine what is generating those messages.
-Eric
I should have mentioned that already. The Mail Queue always shows zero messages.
Hmm, that's an unusual amount of processes to always have 0 messages in the mail queue. We can take a look at a few other things though --
Could you attach a file containing the output of "ps auxw" on your server?
What does this command show: free -m
And this command too: uptime
Lastly, what does this show: mailq | tail -1
ps auxw
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 23320 1592 ? Ss Nov25 0:01 init
root 1184 0.0 0.0 21084 1020 ? Ss Nov25 0:01 cron
syslog 1217 0.0 0.0 12456 808 ? Ss Nov25 2:07 /sbin/syslogd -u syslog
postgres 1278 0.0 0.6 100916 6600 ? S Nov25 0:01 /usr/lib/postgresql/8.4/bin/postgres -D /var/lib/postgresql/8.4/mai
postgres 1289 0.0 0.1 100916 1756 ? Ss Nov25 0:09 postgres: writer process
postgres 1290 0.0 0.1 100916 1536 ? Ss Nov25 0:07 postgres: wal writer process
postgres 1291 0.0 0.1 101052 1832 ? Ss Nov25 0:08 postgres: autovacuum launcher process
postgres 1294 0.0 0.1 72456 1508 ? Ss Nov25 0:04 postgres: stats collector process
clamav 1611 0.0 13.9 227996 146736 ? Ssl Nov25 0:38 /usr/sbin/clamd
clamav 1708 0.0 0.1 42868 2048 ? Ss Nov25 0:00 /usr/bin/freshclam -d --quiet
root 1926 0.0 1.5 72576 16192 ? Ss Nov25 0:00 /usr/bin/perl /usr/share/usermin/miniserv.pl /etc/usermin/miniserv.
root 1938 0.0 0.0 19532 940 ? Ss Nov25 0:00 /usr/sbin/xinetd -pidfile /var/run/xinetd.pid -stayalive -inetd_com
root 1963 0.0 2.5 204548 26332 ? Ss Nov25 0:03 /usr/sbin/apache2 -k start
root 1987 0.0 5.4 123188 56784 ? Ss Nov25 0:17 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.co
root 5518 0.0 0.2 49268 2580 ? Ss Nov25 0:01 /usr/sbin/sshd -D
mysql 5546 0.0 2.3 178096 24268 ? Ssl Nov25 0:14 /usr/sbin/mysqld
root 5760 0.0 4.6 153796 48868 ? Ssl Nov25 0:13 /usr/sbin/named -c /etc/bind/named.conf
proftpd 7256 0.0 0.1 69820 1908 ? Ss Nov27 0:07 proftpd: (accepting connections)
www-data 7540 0.0 0.7 201892 7484 ? S Nov27 0:00 /usr/sbin/apache2 -k start
www-data 7541 0.0 0.9 205572 10260 ? S Nov27 0:00 /usr/sbin/apache2 -k start
www-data 7542 0.0 0.9 205572 10252 ? S Nov27 0:00 /usr/sbin/apache2 -k start
www-data 7543 0.0 0.9 205572 10260 ? S Nov27 0:00 /usr/sbin/apache2 -k start
www-data 7544 0.0 0.9 205572 10248 ? S Nov27 0:00 /usr/sbin/apache2 -k start
www-data 7545 0.0 0.9 205572 10252 ? S Nov27 0:00 /usr/sbin/apache2 -k start
www-data 7947 0.0 0.9 205572 10252 ? S Nov27 0:00 /usr/sbin/apache2 -k start
root 14019 0.0 4.7 112728 49420 ? Ss 14:33 0:01 /usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -
root 14057 0.0 5.8 124424 61780 ? S 14:33 0:05 spamd child
root 14058 0.0 5.5 120488 57868 ? S 14:33 0:04 spamd child
root 14174 0.0 0.2 37212 2292 ? Ss 14:33 0:02 /usr/lib/postfix/master
postfix 14287 0.0 0.3 41788 3180 ? S 14:33 0:00 tlsmgr -l -t unix -u -c
root 14299 0.0 0.0 16912 792 ? Ss 14:33 0:00 /usr/sbin/dovecot
root 14300 0.0 0.3 75208 3420 ? S 14:33 0:00 dovecot-auth
root 14301 0.0 0.3 75836 3352 ? S 14:33 0:00 dovecot-auth -w
dovecot 15440 0.0 0.2 18724 2116 ? S 14:34 0:00 imap-login
dovecot 15441 0.0 0.2 18724 2116 ? S 14:34 0:00 imap-login
dovecot 15442 0.0 0.2 18724 2120 ? S 14:34 0:00 imap-login
root 15474 0.0 0.3 70632 3308 ? Ss 14:35 0:00 sshd: root@ttyp0
root 15495 0.0 0.1 17908 1980 ttyp0 Ss 14:35 0:00 -bash
postfix 15955 0.0 0.2 43568 2644 ? S 14:46 0:00 smtp -t unix -u -c
postfix 15963 0.0 0.2 43568 2636 ? S 14:46 0:00 smtp -t unix -u -c
postfix 15966 0.0 0.2 43568 2624 ? S 14:46 0:00 smtp -t unix -u -c
postfix 15967 0.0 0.2 43568 2628 ? S 14:46 0:00 smtp -t unix -u -c
postfix 15979 0.0 0.2 43568 2640 ? S 14:46 0:00 smtp -t unix -u -c
postfix 15981 0.0 0.2 43568 2640 ? S 14:46 0:00 smtp -t unix -u -c
postfix 15989 0.0 0.2 43568 2644 ? S 14:46 0:00 smtp -t unix -u -c
postfix 15990 0.0 0.2 44460 2648 ? S 14:46 0:00 smtp -t unix -u -c
postfix 15993 0.0 0.2 43568 2636 ? S 14:46 0:00 smtp -t unix -u -c
postfix 15998 0.0 0.2 44460 2640 ? S 14:46 0:00 smtp -t unix -u -c
postfix 16010 0.0 0.2 43568 2636 ? S 14:46 0:00 smtp -t unix -u -c
postfix 16016 0.0 0.2 43568 2616 ? S 14:46 0:00 smtp -t unix -u -c
postfix 17411 0.0 0.2 43568 2644 ? S 14:57 0:00 smtp -t unix -u -c
postfix 17438 0.0 0.2 43568 2632 ? S 14:57 0:00 smtp -t unix -u -c
postfix 17442 0.0 0.2 43568 2632 ? S 14:57 0:00 smtp -t unix -u -c
postfix 17444 0.0 0.2 43568 2640 ? S 14:57 0:00 smtp -t unix -u -c
postfix 17448 0.0 0.2 43568 2644 ? S 14:57 0:00 smtp -t unix -u -c
postfix 17586 0.0 0.2 43568 2644 ? S 15:02 0:00 smtp -t unix -u -c
postfix 17587 0.0 0.2 43568 2632 ? S 15:02 0:00 smtp -t unix -u -c
postfix 17588 0.0 0.2 43568 2636 ? S 15:02 0:00 smtp -t unix -u -c
dovecot 17887 0.0 0.2 18708 2100 ? S 15:08 0:00 pop3-login
dovecot 17888 0.0 0.1 18708 2096 ? S 15:08 0:00 pop3-login
dovecot 17889 0.0 0.1 18708 2096 ? S 15:08 0:00 pop3-login
dovecot 17890 0.0 0.2 18708 2100 ? S 15:08 0:00 pop3-login
dovecot 17911 0.0 0.1 18708 2096 ? S 15:09 0:00 pop3-login
dovecot 17912 0.0 0.2 18708 2100 ? S 15:09 0:00 pop3-login
dovecot 17913 0.0 0.2 18708 2100 ? S 15:09 0:00 pop3-login
dovecot 17915 0.0 0.2 18708 2100 ? S 15:09 0:00 pop3-login
dovecot 17916 0.0 0.2 18708 2100 ? S 15:09 0:00 pop3-login
dovecot 17917 0.0 0.2 18708 2100 ? S 15:09 0:00 pop3-login
dovecot 17918 0.0 0.2 18708 2100 ? S 15:09 0:00 pop3-login
dovecot 17919 0.0 0.2 18708 2100 ? S 15:09 0:00 pop3-login
dovecot 17920 0.0 0.1 18708 2096 ? S 15:09 0:00 pop3-login
postfix 18196 0.0 0.2 43568 2608 ? S 15:19 0:00 smtp -t unix -u -c
postfix 18200 0.0 0.2 44460 2648 ? S 15:19 0:00 smtp -t unix -u -c
postfix 18202 0.0 0.2 43568 2632 ? S 15:19 0:00 smtp -t unix -u -c
postfix 18203 0.0 0.2 43568 2636 ? S 15:19 0:00 smtp -t unix -u -c
postfix 18390 0.0 0.2 43568 2628 ? S 15:25 0:00 smtp -t unix -u -c
postfix 18398 0.0 0.4 63304 4572 ? S 15:25 0:00 smtpd -n smtp -t inet -u -c -o stress= -o smtpd_sasl_auth_enable=ye
postfix 23706 0.0 0.2 43568 2632 ? S 15:46 0:00 smtp -t unix -u -c
postfix 23707 0.0 0.2 43568 2644 ? S 15:46 0:00 smtp -t unix -u -c
postfix 23843 0.0 0.2 39276 2272 ? S 15:48 0:00 anvil -l -t unix -u -c
postfix 24101 0.0 0.2 43568 2632 ? S 15:53 0:00 smtp -t unix -u -c
postfix 24105 0.0 0.2 39272 2268 ? S 15:53 0:00 error -n retry -t unix -u -c
postfix 24106 0.0 0.2 43568 2632 ? S 15:53 0:00 smtp -t unix -u -c
postfix 24107 0.0 0.2 39484 2828 ? S 15:53 0:00 trivial-rewrite -n rewrite -t unix -u -c
postfix 24112 0.0 0.2 43568 2632 ? S 15:53 0:00 smtp -t unix -u -c
postfix 24114 0.0 0.2 43568 2632 ? S 15:53 0:00 smtp -t unix -u -c
postfix 24115 0.0 0.2 43568 2632 ? S 15:53 0:00 smtp -t unix -u -c
postfix 24117 0.0 0.2 43568 2640 ? S 15:53 0:00 smtp -t unix -u -c
postfix 24118 0.0 0.2 44460 2628 ? S 15:53 0:00 smtp -t unix -u -c
postfix 24133 0.0 0.2 43568 2624 ? S 15:54 0:00 smtp -t unix -u -c
postfix 24134 0.0 0.2 43568 2620 ? S 15:54 0:00 smtp -t unix -u -c
postfix 24137 0.0 0.2 43568 2628 ? S 15:54 0:00 smtp -t unix -u -c
postfix 24138 0.0 0.2 43568 2632 ? S 15:54 0:00 smtp -t unix -u -c
postfix 24193 0.0 0.2 39272 2272 ? S 15:55 0:00 error -n retry -t unix -u -c
postfix 24195 0.0 0.2 39272 2268 ? S 15:55 0:00 error -n retry -t unix -u -c
postfix 25901 0.1 0.9 46784 9828 ? S 16:06 0:00 qmgr -l -t fifo -u
postfix 25904 0.0 0.2 43568 2604 ? S 16:06 0:00 smtp -t unix -u -c
postfix 25905 0.0 0.2 43568 2616 ? S 16:06 0:00 smtp -t unix -u -c
postfix 25906 0.0 0.2 43568 2624 ? S 16:06 0:00 smtp -t unix -u -c
postfix 25910 0.0 0.2 44460 2620 ? S 16:06 0:00 smtp -t unix -u -c
postfix 25941 0.0 0.2 39272 2264 ? S 16:07 0:00 error -n retry -t unix -u -c
postfix 25942 0.0 0.2 39272 2264 ? S 16:07 0:00 error -n retry -t unix -u -c
postfix 25943 0.0 0.2 40164 2264 ? S 16:07 0:00 error -n retry -t unix -u -c
postfix 26005 0.0 0.2 39272 2268 ? S 16:08 0:00 error -n retry -t unix -u -c
postfix 26006 0.0 0.2 39272 2264 ? S 16:08 0:00 error -n retry -t unix -u -c
postfix 26073 0.0 0.3 39892 3200 ? S 16:08 0:00 cleanup -z -t unix -u -c
www-data 26086 0.0 1.0 205572 10584 ? S 08:09 0:00 /usr/sbin/apache2 -k start
postfix 26106 0.0 0.2 39272 2192 ? S 16:09 0:00 error -n retry -t unix -u -c
postfix 26357 0.0 0.2 39308 2260 ? S 16:13 0:00 bounce -z -n defer -t unix -u -c
postfix 26358 0.0 0.2 39308 2300 ? S 16:13 0:00 bounce -z -n defer -t unix -u -c
postfix 26399 0.0 0.2 39276 2184 ? S 16:13 0:00 pickup -l -t fifo -u -c
root 26407 0.0 0.1 14980 1116 ttyp0 R+ 16:14 0:00 ps auxw
www-data 30204 0.0 1.0 205572 10608 ? S Nov27 0:00 /usr/sbin/apache2 -k start
free -m
total used free shared buffers cached
Mem: 1024 755 268 0 0 0
-/+ buffers/cache: 755 268
Swap: 1024 1 1022
uptime
16:16:32 up 2 days, 23:47, 1 user, load average: 0.07, 0.14, 0.09
mailq | tail -1
mailq: fatal: inet_addr_local[getifaddrs]: getifaddrs: Cannot allocate memory
Hmm, are you using a VPS of some sort? If so, do you know what kind of VPS it is?
-Eric
The provider supplies a Plesk environment, but I did not install any of it. I did a login via SSH and installed Virtualmin on two server instances, and both of them have run extremely well until last week.
Last week, like an idiot, we made a test account using test.com, with login test and password test. Within a few minutes we had two sessions logged in from Eastern Europe and one from Iran! We deleted the test account, but since then, Postfix has been 'sick'.
Perhaps it is a coincidence, but perhaps it is not!
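An added example, not part of this thread, showing one way to see whether a throwaway account like the test/test one above is being used to relay mail: Postfix logs every authenticated submission on the smtpd line as sasl_username=..., so counting those per user and per client IP makes an abused login stand out. The log lines below are constructed in Postfix's real smtpd format; hostnames, IPs and queue IDs are made up.

```python
"""Summarise authenticated SMTP submissions from Postfix smtpd log lines, so an
abused account (such as a test/test login) shows up by volume and by origin."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample lines in Postfix smtpd's logging format; names and IPs are made up.
SAMPLE_LOG = """\
Nov 30 21:45:46 mail postfix/smtpd[5366]: 55017103F5308: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=test
Nov 30 21:45:47 mail postfix/smtpd[5366]: 61A2B103F5309: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=test
Nov 30 21:46:01 mail postfix/smtpd[5370]: 7C3D4103F530A: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=test
Nov 30 21:50:12 mail postfix/smtpd[5371]: 8E5F6103F530B: client=laptop.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Nov 30 21:51:03 mail postfix/smtpd[5372]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Nov 30 21:52:40 mail postfix/smtpd[5373]: 9F0A1103F530C: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=test
"""

# Only successful authenticated submissions carry a queue id plus sasl_username;
# failed-auth warnings have neither and are deliberately not matched.
SASL_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\],"
    r" sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)"
)


def parse_sasl_logins(log: str) -> List[Tuple[str, str, str]]:
    """(username, client_ip, queue_id) for each authenticated submission."""
    out = []
    for line in log.splitlines():
        m = SASL_LINE.search(line)
        if m:
            out.append((m["user"], m["ip"], m["qid"]))
    return out


def submissions_per_user(log: str) -> Dict[str, int]:
    """How many messages each SASL user submitted."""
    return dict(Counter(user for user, _, _ in parse_sasl_logins(log)))


def sources_per_user(log: str) -> Dict[str, List[str]]:
    """Distinct client IPs that authenticated as each user."""
    ips = defaultdict(set)
    for user, ip, _ in parse_sasl_logins(log):
        ips[user].add(ip)
    return {u: sorted(s) for u, s in ips.items()}


def suspicious_users(log: str, max_sources: int = 1) -> List[str]:
    """Users submitting from more distinct IPs than one mailbox owner normally would."""
    return sorted(u for u, ips in sources_per_user(log).items() if len(ips) > max_sources)


if __name__ == "__main__":
    for user, n in submissions_per_user(SAMPLE_LOG).items():
        print(f"{user}: {n} submissions from {sources_per_user(SAMPLE_LOG)[user]}")
    print("review:", suspicious_users(SAMPLE_LOG))
```

Run it against /var/log/mail.log (the file Eric points to later in the thread) by reading that file into the log argument instead of SAMPLE_LOG.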
Hmm, well, I guess what I mean is -- is your system a dedicated server? Or is your system a VPS?
You have plenty of RAM available, and not many processes are running, so I'm trying to come up with alternative causes for the errors you're getting.
Also, what is the output of this command:
grep postfix /etc/security/limits.conf
It is a VPS, and I have zip! in the file.
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - an user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
# - NOTE: group and wildcard limits are not applied to root.
# To apply a limit to the root user, <domain> must be
# the literal username root.
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open files
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
# - chroot - change root to directory (Debian-specific)
#
#<domain> <type> <item> <value>
#
#* soft core 0
#root hard core 100000
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#ftp - chroot /ftp
#@student - maxlogins 4
# End of file
It is a VPS, and I have zip! in the file.
Okay, not having anything in that file is good, that means it's not that :-)
Do you know what kind of VPS software your provider uses? Some examples are Xen, KVM, and OpenVZ.
-Eric
They are using Virtuozzo.
Hmm, I think Virtuozzo uses the user_beancounters file for showing your various limits.
If you type this command, what output do you receive:
cat /proc/user_beancounters
cat /proc/user_beancounters
Version: 2.5
uid resource held maxheld barrier limit failcnt
54811: kmemsize 19420449 19633970 96636764 107374182 0
lockedpages 0 0 2059 2059 0
privvmpages 214418 214706 524288 550502 0
shmpages 11115 11115 65536 65536 0
dummy 0 0 9223372036854775807 9223372036854775807 0
numproc 82 83 500 500 0
physpages 139318 139371 0 9223372036854775807 0
vmguarpages 0 0 262144 9223372036854775807 0
oomguarpages 139567 139620 9223372036854775807 9223372036854775807 0
numtcpsock 27 27 550 550 0
numflock 14 15 1000 1100 0
numpty 1 1 102 102 0
numsiginfo 0 2 1024 1024 0
tcpsndbuf 402592 402592 5280000 7392000 0
tcprcvbuf 409600 409600 5280000 7392000 0
othersockbuf 316560 316560 3840000 5376000 0
dgramrcvbuf 0 4656 3584000 3584000 0
numothersock 180 181 400 400 3187117
dcachesize 1224456 1231968 14495514 16106127 0
numfile 3437 3493 17600 17600 0
dummy 0 0 0 0 0
dummy 0 0 0 0 0
dummy 0 0 0 0 0
numiptent 24 24 9223372036854775807 9223372036854775807 0
Howdy,
Okay, so, you can look at the "failcnt" field in that output to see any resource limits that are being reached.
In your case, the "numothersock" has quite a few failures, which may explain the problems you're seeing.
That parameter is described here:
http://wiki.openvz.org/Numothersock#numothersock
You seem to have a bunch of Postfix and Dovecot processes running, which could be contributing to that. What I would do for starters is to simply restart those two processes:
/etc/init.d/postfix restart
/etc/init.d/dovecot restart
After that, are you able to run this command:
mailq | tail -1 mailq
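As an added example (not Eric's or the thread's own code), here is a small parser for /proc/user_beancounters that does what Eric describes: it picks out every resource with a non-zero failcnt and reports how much of the barrier is still free, so the numothersock problem is found automatically rather than by eye. The sample input is constructed from the format of the output posted above, abridged to a few rows.

```python
"""Parse /proc/user_beancounters (OpenVZ/Virtuozzo) and report resources whose
failcnt is non-zero, i.e. limits the container has already run into."""
from dataclasses import dataclass
from typing import Dict, List, Optional

UNLIMITED = 9223372036854775807  # LONG_MAX; OpenVZ prints this for "no limit"

# Constructed sample, abridged from the format of the output in the thread.
SAMPLE = """\
Version: 2.5
       uid  resource           held    maxheld    barrier      limit    failcnt
    54811:  kmemsize       19420449   19633970   96636764  107374182          0
            numproc              82         83        500        500          0
            physpages        139318     139371          0 9223372036854775807          0
            numtcpsock           27         27        550        550          0
            numothersock        180        181        400        400    3187117
            numfile            3437       3493      17600      17600          0
            dummy                 0          0          0          0          0
"""


@dataclass
class Counter:
    held: int
    maxheld: int
    barrier: int
    limit: int
    failcnt: int


def parse_beancounters(text: str) -> Dict[str, Counter]:
    """Map resource name -> Counter; handles the uid prefix on the first data row."""
    counters: Dict[str, Counter] = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] in ("Version:", "uid"):
            continue  # version banner and column header
        if fields[0].endswith(":"):
            fields = fields[1:]  # first data row carries the container uid
        if len(fields) != 6 or fields[0] == "dummy":
            continue  # placeholder rows carry no information
        name, *nums = fields
        counters[name] = Counter(*map(int, nums))
    return counters


def failing_resources(counters: Dict[str, Counter]) -> List[str]:
    """Names of resources that have hit their limit, highest failcnt first."""
    hit = [(n, c.failcnt) for n, c in counters.items() if c.failcnt > 0]
    return [n for n, _ in sorted(hit, key=lambda t: -t[1])]


def headroom(c: Counter) -> Optional[float]:
    """Fraction of the barrier still free; None when the barrier is 0 or unlimited."""
    if c.barrier == 0 or c.barrier >= UNLIMITED:
        return None
    return round(1 - c.held / c.barrier, 3)


if __name__ == "__main__":
    # On a real container: text = open("/proc/user_beancounters").read()
    parsed = parse_beancounters(SAMPLE)
    for name in failing_resources(parsed):
        c = parsed[name]
        print(f"{name}: failcnt={c.failcnt} held={c.held}/{c.barrier} headroom={headroom(c)}")
```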
I did restart each but the numbers actually increased, to 70 from 64 processes.
The mailq command did not work - perhaps I am in the wrong directory?
mailq | tail -1 mailq
tail: cannot open `mailq' for reading: No such file or directory
Here is my mail queue:
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
55017103F5308 37114 Wed Nov 30 21:45:46 MAILER-DAEMON
(host mail.scadian.net[69.60.117.17] said: 450 4.7.1 <my.domainname.com>: Helo command rejected: Host not found (in reply to RCPT TO command))
atlantianmissile-request@scadian.net
-- 36 Kbytes in 1 Request.
1962 root Nov28 /usr/sbin/apache2 -k start
10097 www-data Nov30 /usr/sbin/apache2 -k start
10098 www-data Nov30 /usr/sbin/apache2 -k start
10099 www-data Nov30 /usr/sbin/apache2 -k start
10100 www-data Nov30 /usr/sbin/apache2 -k start
10101 www-data Nov30 /usr/sbin/apache2 -k start
10102 www-data Nov30 /usr/sbin/apache2 -k start
11822 www-data Nov30 /usr/sbin/apache2 -k start
22340 www-data Nov30 /usr/sbin/apache2 -k start
3834 syslog Nov29 /sbin/syslogd -u syslog
5942 root 00:26 /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf
5943 root 00:26 dovecot-auth
5945 root 00:26 dovecot-auth -w
5947 dovecot 00:27 pop3-login
5949 dovecot 00:27 imap-login
5950 dovecot 00:27 imap-login
5951 dovecot 00:27 imap-login
7243 dovecot 00:30 pop3-login
7246 dovecot 00:30 pop3-login
6125 root 00:27 /usr/lib/postfix/master
6127 postfix 00:27 qmgr -l -t fifo -u
6128 postfix 00:27 pickup -l -t fifo -u -c
7208 postfix 00:29 tlsmgr -l -t unix -u -c
7209 postfix 00:29 anvil -l -t unix -u -c
7210 postfix 00:29 trivial-rewrite -n rewrite -t unix -u -c
7252 postfix 00:31 cleanup -z -t unix -u -c
7432 postfix 00:32 local -t unix
9535 proftpd Nov29 proftpd: (accepting connections)
15561 postgrey Nov30 /usr/sbin/postgrey --pidfile=/var/run/postgrey.pid --daemonize --inet=10023
15723 dkim-filter Nov30 /usr/sbin/dkim-filter -b v -x /etc/dkim-filter.conf -u dkim-filter -P /var/run/d ...
18216 root Nov30 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
7508 root 00:33 /usr/share/webmin/proc/index_tree.cgi
7510 root 00:33 sh -c ps --cols 2048 -eo user:80,ruser:80,group:80,rgroup:80,pid,ppid,pgid,pcpu, ...
7511 root 00:33 ps --cols 2048 -eo user:80,ruser:80,group:80,rgroup:80,pid,ppid,pgid,pcpu,vsz,ni ...
19486 root Nov30 /usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -d --pidfile=/ ...
1144 root Nov30 spamd child
19488 root Nov30 spamd child
Is it standard to show the IMAP login? There are POP3 logins only from a single machine every 20 minutes, so I do not understand why there appear to be several imap-login entries.
The mailq command did not work - perhaps I am in the wrong directory?
Whoops, that's a typo on my part.. the command I was looking for is actually this:
mailq | tail -1
Somehow, a second "mailq" ended up in the command I originally typed.
However, you did show what I was interested in -- how many messages in your mail queue there are, which is just one.
Is it standard to show the IMAP login?
Yup, you should see some of those.
You can take a look at /var/log/maillog or /var/log/mail.log to see if someone is logging in via IMAP.
But, I only see 5 of those processes, that's not too many.
I did restart each but the numbers actually increased, to 70 from 64 processes.
What I'd actually look for is to determine if you have less open sockets.
If you look at your /proc/user_beancounters file again, check out the "numothersock" row -- you had 180 in use previously, what number are you seeing in the "held" column now?
It seems to be better, as "mailq" actually runs without generating an error now :-)
-Eric
NUMOTHERSOCK is now showing 171.
BUT - here is where the oddness continues: I have been looking at Recorded Logins and I always get the message No Logins Recorded even though I am logged in!
I would expect an output like this one from a different server: Recorded Logins
Username Login From TTY Login At Logout At On For
root e177016212.zzz. pts/0 07/Dec/2011 01:48 Still logged in
root g224131215.zzz. pts/0 05/Dec/2011 00:50 22:02 21:11
root c222044.zzz.yyy pts/0 02/Dec/2011 04:46 08:57 04:10
root g231183255.zzz. pts/0 01/Dec/2011 14:08 18:19 04:11
Hi, did you get your problem resolved?
I got hacked recently due to bad PHP code (my own fault). I tracked it down by seeing in 'top' processes with high usage. That gave me an idea which user/website on the system was causing the problem.
I then noticed in /tmp and /var/tmp additional files which were owned by this user. I deleted them and rebooted the server. They came back a few times while I was updating the scripts, but they went away eventually once I had fixed all my scripts :o)
These scripts were using postfix to send email by this user.
Not sure if this helps, but just giving my recent experience.
Brian
I may have to wipe the server completely and do it all again by scratch:
OSSEC HIDS Notification. 2011 Dec 13 21:17:35
Received From: server->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):
Process '16387' hidden from /proc. Possible kernel level rootkit.
Well, I'm not familiar with OSSEC, but it's not uncommon for intrusion detection systems to have false positives... so before you remove anything, I'd spend some time reviewing what it found, and verifying that it is indeed bad.
-Eric
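An added example, not from the thread or from OSSEC, of the kind of verification Eric suggests before wiping anything: the "hidden from /proc" alert means a PID answered a kernel probe but had no /proc entry. The function below repeats that cross-check with a null signal (kill with signal 0 delivers nothing) and lists /proc twice, so a process that merely started or exited during the scan is not mistaken for a hidden one. find_hidden_pids takes the probe as a parameter so it can be exercised on constructed data; scan() runs it against the live kernel.

```python
"""Cross-check PIDs that respond to a signal-0 probe against the PIDs visible in
/proc -- the condition behind a 'process hidden from /proc' rootcheck alert.
A pure-Python re-creation of the idea, not OSSEC's own implementation."""
import os
from typing import Callable, Iterable, List, Set


def probe_pid_exists(pid: int) -> bool:
    """True if the kernel knows a process with this pid; signal 0 sends nothing."""
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:
        return True  # the process exists but belongs to another user
    except ProcessLookupError:
        return False


def listed_pids(proc_root: str = "/proc") -> Set[int]:
    """PIDs that appear as numeric directory names under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def find_hidden_pids(candidates: Iterable[int], visible: Set[int],
                     probe: Callable[[int], bool]) -> List[int]:
    """PIDs the probe says exist but which are absent from the visible set."""
    return sorted(pid for pid in candidates if pid not in visible and probe(pid))


def max_pid(default: int = 32768) -> int:
    """Upper bound of the PID space from the kernel, falling back to the old default."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except OSError:
        return default


def scan() -> List[int]:
    """Live scan: a PID must be missing from /proc both before and after probing,
    and still answer the probe afterwards, to be reported as hidden."""
    before = listed_pids()
    suspects = find_hidden_pids(range(1, max_pid() + 1), before, probe_pid_exists)
    after = listed_pids()
    return [p for p in suspects if p not in after and probe_pid_exists(p)]


if __name__ == "__main__":
    hidden = scan()
    print("hidden pids:", hidden if hidden else "none found")
```

An empty result only says this particular check found nothing; a rootkit that also hooks the signal path would pass it, so treat it as one data point alongside the other checks in the thread.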
My server is subject to a brute force attack almost every day, so I have concerns about every message I get now. Since I cannot be absolutely, positively sure that there was no intrusion and my skills are not up to the task, I am not sure that, if I did try to do a thorough check, I would be successful at it.