I just stood up a new server running C8 stream, postfix, SA, etc.
I keep seeing these log entries in maillog and wonder what to do about them. I have not been able to find any research documents detailing if this is a problem nor how to prevent it. Any documentation I have seen via web searches talks about configuration issues with spamass-milter. This to me looks like hackers. I get the same four lines over and over again from different IP addresses and the pid/socket/id number (26579 in this instance) are always linked. The number is different for each query/probe.
Nov 21 11:56:57 dream postfix/smtpd[26579]: connect from unknown[141.98.10.140]
Nov 21 11:56:57 dream postfix/smtpd[26579]: warning: connect to Milter service unix:/run/spamass-milter/spamass-milter.sock: Permission denied
Nov 21 11:56:57 dream postfix/smtpd[26579]: discarding EHLO keywords: CHUNKING
Nov 21 11:56:57 dream postfix/smtpd[26579]: disconnect from unknown[141.98.10.140] ehlo=1 auth=0/1 quit=1 commands=2/3
What can I try to do to eliminate this? Other than taking up resources I'm not seeing anything else in the logs to show a problem. Should I be concerned?
Research has now shown that Redhat/Centos may have changed the default postfix setting. I do see the following parameter set: smtpd_discard_ehlo_keywords = chunking
Sounds like I need to add/set this as 'silent-discard' pseudo keyword to prevent this action from being logged.
Thanks in advance on your help and advice!
Jay
On 21.11.2021 at 19:54, Jay Hart wrote:
> I just stood up a new server running C8 stream, postfix, SA, etc.
> I keep seeing these log entries in maillog and wonder what to do about them. I have not been able to find any research documents detailing if this is a problem nor how to prevent it. Any documentation I have seen via web searches talks about configuration issues with spamass-milter. This to me looks like hackers. I get the same four lines over and over again from different IP addresses and the pid/socket/id number (26579 in this instance) are always linked. The number is different for each query/probe.
The issue has nothing to do with what you call "hackers". The cause is a misconfiguration on your side: take the error message literally. You have Postfix configured to make use of the spamass milter, every time another system connects to the smtp daemon.
> Nov 21 11:56:57 dream postfix/smtpd[26579]: connect from unknown[141.98.10.140]
> Nov 21 11:56:57 dream postfix/smtpd[26579]: warning: connect to Milter service unix:/run/spamass-milter/spamass-milter.sock: Permission denied
> Nov 21 11:56:57 dream postfix/smtpd[26579]: discarding EHLO keywords: CHUNKING
> Nov 21 11:56:57 dream postfix/smtpd[26579]: disconnect from unknown[141.98.10.140] ehlo=1 auth=0/1 quit=1 commands=2/3
> What can I try to do to eliminate this? Other than taking up resources I'm not seeing anything else in the logs to show a problem. Should I be concerned?
> Research has now shown that Redhat/Centos may have changed the default postfix setting. I do see the following parameter set: smtpd_discard_ehlo_keywords = chunking
You are totally on the wrong track.
> Sounds like I need to add/set this as 'silent-discard' pseudo keyword to prevent this action from being logged.
Wrong.
> Thanks in advance on your help and advice!
Run "postconf -n" and see where you have defined the spamass milter. Check whether the spamass milter is really running and that the socket is available under /run/spamass-milter/spamass-milter.sock. Given it is because the milter runs and has created its socket under that path, check the permissions (unix permissions and SELinux context) of the socket and the full path. Once the root cause is fixed your Postfix will work again as configured.
> Jay
Alexander
[root@dream spamassassin]# postconf -n |grep milter
milter_default_action = accept
milter_protocol = 6
non_smtpd_milters = $smtpd_milters
smtpd_milters = unix:/run/spamass-milter/spamass-milter.sock

[root@dream spamassassin]# ls -al /var/run/spamass-milter/spamass-milter.sock
srwxr-xr-x. 1 sa-milt sa-milt 0 Nov 20 23:28 /var/run/spamass-milter/spamass-milter.sock

Two things:
1. should the 'smtpd_milters' path be /var/run... vice unix:/run...
2. I just noticed I have two spamass-milter sockets running:

[root@dream spamass-milter]# ls -al /var/run/spamass-milter/spamass-milter.sock
srwxr-xr-x. 1 sa-milt sa-milt 0 Nov 20 23:28 /var/run/spamass-milter/spamass-milter.sock

[root@dream spamass-milter]# ls -al /run/spamass-milter/spamass-milter.sock
srwxr-xr-x. 1 sa-milt sa-milt 0 Nov 20 23:28 /run/spamass-milter/spamass-milter.sock

[root@dream share]# ss -l |grep spam
u_str LISTEN 0 128 /run/spamass-milter/spamass-milter.sock 185043

[root@dream share]# ss -pl |grep spam
u_str LISTEN 0 128 /run/spamass-milter/spamass-milter.sock 185043 * 0 users:(("spamass-milter",pid=16657,fd=4))
u_dgr UNCONN 0 0 * 198745 * 14567 users:(("spamd child",pid=17925,fd=4),("spamd child",pid=17924,fd=4),("spamd",pid=17891,fd=4))
u_dgr UNCONN 0 0 * 185042 * 14567 users:(("spamass-milter",pid=16657,fd=3))
tcp LISTEN 0 128 127.0.0.1:783 0.0.0.0:* users:(("spamd child",pid=17925,fd=6),("spamd child",pid=17924,fd=6),("spamd",pid=17891,fd=6))
tcp LISTEN 0 128 [::1]:783 [::]:* users:(("spamd child",pid=17925,fd=5),("spamd child",pid=17924,fd=5),("spamd",pid=17891,fd=5))

Been hunting around in the configs trying to determine why I got two processes running... Still looking into this.
Thanks,
Jay
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On 21.11.2021 at 22:36, Jay Hart wrote:
[ ... ]
> [root@dream spamassassin]# postconf -n |grep milter
> milter_default_action = accept
> milter_protocol = 6
> non_smtpd_milters = $smtpd_milters
> smtpd_milters = unix:/run/spamass-milter/spamass-milter.sock
Ok. I expect you have specified the spamass-milter on purpose.
> [root@dream spamassassin]# ls -al /var/run/spamass-milter/spamass-milter.sock
> srwxr-xr-x. 1 sa-milt sa-milt 0 Nov 20 23:28 /var/run/spamass-milter/spamass-milter.sock
> Two things:
> - should the 'smtpd_milters' path be /var/run... vice unix:/run...
You know that there are unix sockets and tcp sockets? "unix:/path" just declares a unix type socket within the main.cf.
> - I just noticed I have two spamass-milter sockets running:
> [root@dream spamass-milter]# ls -al /var/run/spamass-milter/spamass-milter.sock
> srwxr-xr-x. 1 sa-milt sa-milt 0 Nov 20 23:28 /var/run/spamass-milter/spamass-milter.sock
> [root@dream spamass-milter]# ls -al /run/spamass-milter/spamass-milter.sock
> srwxr-xr-x. 1 sa-milt sa-milt 0 Nov 20 23:28 /run/spamass-milter/spamass-milter.sock
It shouldn't be new to you that /var/run is a symlink to /run. So you don't have to distinguish sockets.
You haven't checked the whole path permissions up to the socket.
namei -lv /run/spamass-milter/spamass-milter.sock
Postfix must be able to reach the unix socket file. One way to achieve that is putting the postfix user in the sa-milt group. Or configure the spamass milter to provide a tcp socket and attach to that one within Postfix. Thus you would not have to care for path and file permissions.
Alexander
[root@dream spamass-milter]# namei -lv /run/spamass-milter/spamass-milter.sock
f: /run/spamass-milter/spamass-milter.sock
dr-xr-xr-x root    root    /
drwxr-xr-x root    root    run
drwx--x--x sa-milt sa-milt spamass-milter
srwxr-xr-x sa-milt sa-milt spamass-milter.sock

> Postfix must be able to reach the unix socket file. One way to achieve that is putting the postfix user in the sa-milt group. Or configure the spamass milter to provide a tcp socket and attach to that one within Postfix. Thus you would not have to care for path and file permissions.

[root@dream files]# more /etc/group |grep post
mail:x:12:postfix,dovecot
postdrop:x:90:
postfix:x:89:
sa-milt:x:967:postfix

How would I change to a TCP socket? That sounds like a better way for me to do this. I'm out of my knowledge area now...
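Added example, not part of any poster's message: a small Python check that applies the classic Unix permission rules to the namei -l output and group memberships posted above. On Linux, connect() to a Unix-domain socket needs search (x) permission on every directory in the path and write (w) permission on the socket file itself. The function names are made up for this sketch, and SELinux, ACLs and root's override are not modelled.

```python
# Added example: model classic Unix permission checks for connect() on a
# Unix-domain socket, using `namei -l` style output as input.
# Assumptions of this sketch: no SELinux, no ACLs, caller is not root.

# Constructed sample: the namei -l output and group memberships from the thread.
NAMEI_OUTPUT = """\
f: /run/spamass-milter/spamass-milter.sock
dr-xr-xr-x root    root    /
drwxr-xr-x root    root    run
drwx--x--x sa-milt sa-milt spamass-milter
srwxr-xr-x sa-milt sa-milt spamass-milter.sock
"""
POSTFIX_GROUPS = {"postfix", "mail", "sa-milt"}


def triplet(mode, owner, group, user, groups):
    """Pick the single rwx triplet that applies: owner, else group, else other."""
    if user == owner:
        return mode[1:4]
    if group in groups:
        return mode[4:7]
    return mode[7:10]


def connect_blockers(namei_text, user, groups):
    """Return (component, reason) pairs that would make connect() fail with EACCES."""
    blockers = []
    for line in namei_text.splitlines():
        if not line.strip() or line.startswith("f:"):
            continue  # skip the header line namei prints for the full path
        mode, owner, group, name = line.split(None, 3)
        bits = triplet(mode, owner, group, user, groups)
        # 's'/'t' in the x slot mean setuid/setgid/sticky with x also set
        if mode[0] == "d" and bits[2] not in "xst":
            blockers.append((name, "directory lacks search (x) permission"))
        elif mode[0] == "s" and bits[1] != "w":
            blockers.append((name, "socket lacks write (w) permission"))
    return blockers


if __name__ == "__main__":
    for who, groups in (("postfix", POSTFIX_GROUPS), ("sa-milt", {"sa-milt"})):
        print(who, connect_blockers(NAMEI_OUTPUT, who, groups) or "can connect")
```

With the modes as posted, group membership lets postfix traverse the directory, but the socket is mode srwxr-xr-x, so only its owner has write permission.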
This is ultimately off topic for the thread
On 11/21/21 4:22 PM, Jay Hart wrote:
>> On 21.11.2021 at 22:36, Jay Hart wrote:
> drwx--x--x sa-milt sa-milt spamass-milter
> srwxr-xr-x sa-milt sa-milt spamass-milter.sock
When I've seen the names of the files above, it reminded me of an abbreviation which we had in a very high ranking British scientific journal. We have the concentration of [asphaltene] associates in one formula which we denoted with the letter N with a subscript which was the first three letters of the word "associates". One referee recommended to have a native English speaker read our "proofread" sample. Which we didn't pay appropriate attention to and didn't notice what we should better change... But when we received reprints of the published paper this subscript was just staring at me when I was reading it: the first three letters of the word "associates".
;-)
Valeri