[CentOS] New Server and noticing these maillog postfix entries: What to do about them?

Sun Nov 21 21:36:18 UTC 2021
Jay Hart <jhart at kevla.org>

> Am 21.11.2021 um 19:54 schrieb Jay Hart:
>> I just stood up a new server running C8 stream, postfix, SA, etc.
>> I keep seeing these log entries in maillog and wonder what to about them. I have not been able to find any research documents detailing
>> if
>> this is a problem nor how to prevent.  Any documentation I have seen via web searches talks about configuration issues with
>> spamass-milter.  This to me looks like hackers.  I get the same four lines over and over again from different IP addresses and the
>> pid/socket/id number (26579 in this instance) are always linked.  The number is different for each query/probe.
> The issue has nothing to do with what you call "hackers". The cause is a
> misconfiguration on your side: take the error message literal. You have
> Postfix configured to make use of the spamass milter, everytime another
> system connects to the smtp daemon.
>> Nov 21 11:56:57 dream postfix/smtpd[26579]: connect from unknown[]
>> Nov 21 11:56:57 dream postfix/smtpd[26579]: warning: connect to Milter service unix:/run/spamass-milter/spamass-milter.sock: Permission
>> denied
>> Nov 21 11:56:57 dream postfix/smtpd[26579]: discarding EHLO keywords: CHUNKING
>> Nov 21 11:56:57 dream postfix/smtpd[26579]: disconnect from unknown[] ehlo=1 auth=0/1 quit=1 commands=2/3
>> What can I try to do to eliminate this?  Other than taking up resources I'm not seeing anything else in the logs to show a problem.
>> Should I be concerned?
>> Research has now shown that Redhat/Centos may have changed the default postfix setting.  I do see the following parameter set:
>> smtpd_discard_ehlo_keywords = chunking
> You are totally on the wrong track.
>> Sounds like I need to add/set this as 'silent-discard' pseudo keyword to prevent this action from being logged.
> Wrong.
>> Thanks in advance on your help and advice!
> Run "postconf -n" and see where you have defined the spamass milter.
> Check whether the spamass milter is really running and that the socket
> is available under /run/spamass-milter/spamass-milter.sock. Given it is
> bacause the milter runs and has created its socket under that path,
> check the permissions (unix permissions and SELinux context) of the
> socket and the full path.
> Once the root cause is fixed your Postfix will work again as configured.

[root at dream spamassassin]# postconf -n |grep milter
milter_default_action = accept
milter_protocol = 6
non_smtpd_milters = $smtpd_milters
smtpd_milters = unix:/run/spamass-milter/spamass-milter.sock

[root at dream spamassassin]# ls -al /var/run/spamass-milter/spamass-milter.sock
srwxr-xr-x. 1 sa-milt sa-milt 0 Nov 20 23:28 /var/run/spamass-milter/spamass-milter.sock

Two things:
1. should the 'smtpd_milters' path be /var/run... vice unix:/run...

2. I just noticed I have two spamass-milter sockets running:

[root at dream spamass-milter]# ls -al /var/run/spamass-milter/spamass-milter.sock
srwxr-xr-x. 1 sa-milt sa-milt 0 Nov 20 23:28 /var/run/spamass-milter/spamass-milter.sock

[root at dream spamass-milter]# ls -al /run/spamass-milter/spamass-milter.sock
srwxr-xr-x. 1 sa-milt sa-milt 0 Nov 20 23:28 /run/spamass-milter/spamass-milter.sock

[root at dream share]# ss -l |grep spam
u_str LISTEN 0      128                      /run/spamass-milter/spamass-milter.sock 185043

[root at dream share]# ss -pl |grep spam
u_str LISTEN 0      128                                                   /run/spamass-milter/spamass-milter.sock 185043    * 0           
u_dgr UNCONN 0      0                                                                                           * 198745 * 14567      
users:(("spamd child",pid=17925,fd=4),("spamd child",pid=17924,fd=4),("spamd",pid=17891,fd=4))
u_dgr UNCONN 0      0                                                                                           * 185042 * 14567       
tcp   LISTEN 0      128                                                                         *    
users:(("spamd child",pid=17925,fd=6),("spamd child",pid=17924,fd=6),("spamd",pid=17891,fd=6))
tcp   LISTEN 0      128                                                                                   [::1]:783         [::]:*    
users:(("spamd child",pid=17925,fd=5),("spamd child",pid=17924,fd=5),("spamd",pid=17891,fd=5))

Been hunting around in the configs trying to determine why I got two processes running...Still looking into this.



>> Jay
> Alexander
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos