postfix bounced email question

Discussion in 'Server Operation' started by daveb, Jan 30, 2008.

  1. daveb

    daveb Member

    I had an email that was bounced yesterday that I have a question about. My mail.log is missing several hours before the email and starts back up right after the email started getting bounced. mail.info and syslog still have log info, but mail.log is missing several hours.
    From syslog I found this:
    Code:
    Jan 29 03:39:16 server postfix/smtpd[14727]: connect from some.domain.com[75.x.x.x]
    Jan 29 03:39:16 server postfix/smtpd[14727]: setting up TLS connection from some.domain.com[75.x.x.x]
    Jan 29 03:39:16 server postfix/smtpd[14727]: TLS connection established from some.domain.com[75.x.x.x]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Jan 29 03:39:17 server postfix/policy-spf[14734]: handler sender_policy_framework: is decisive.
    Jan 29 03:39:17 server postfix/policy-spf[14734]: : Policy action=PREPEND Received-SPF: none (some.domain.com: No applicable sender policy available) receiver=server.server.com; identity=mfrom; envelope-from="[email protected]"; helo=some.domain.com; client-ip=75.x.x.x
    Jan 29 03:39:18 server postfix/smtpd[14727]: 57B494CC15E: client=some.domain.com[75.x.x.x]
    Jan 29 03:39:18 server postfix/cleanup[14735]: 57B494CC15E: message-id=<[email protected]>
    Jan 29 03:39:18 server postfix/qmgr[11372]: 57B494CC15E: from=<[email protected]>, size=8036, nrcpt=1 (queue active)
    Jan 29 03:39:18 server postfix/smtpd[14727]: disconnect from some.domain.com[75.x.x.x]
    Jan 29 03:39:18 server postfix/pickup[14443]: A1B1C4CC2D9: uid=10006 from=<customer5_guruweb>
    Jan 29 03:39:18 server postfix/cleanup[14735]: A1B1C4CC2D9: message-id=<[email protected]>
    Jan 29 03:39:18 server postfix/qmgr[11372]: A1B1C4CC2D9: from=<[email protected]>, size=413, nrcpt=1 (queue active)
    Jan 29 03:39:18 server postfix/local[14753]: A1B1C4CC2D9: to=<[email protected]>, relay=local, delay=0.3, delays=0.1/0.01/0/0.19, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
    Jan 29 03:39:18 server postfix/qmgr[11372]: A1B1C4CC2D9: removed
    Jan 29 03:39:24 server postfix/local[14736]: 57B494CC15E: to=<[email protected]>, orig_to=<[email protected]>, relay=local, delay=7.5, delays=1.8/0.01/0/5.7, dsn=5.3.0, status=bounced (Command died with signal 6: "/usr/bin/procmail -f-")
    Jan 29 03:39:24 server postfix/cleanup[14735]: 3B4264CC2D9: message-id=<[email protected]>
    Jan 29 03:39:24 server postfix/qmgr[11372]: 3B4264CC2D9: from=<>, size=9965, nrcpt=1 (queue active)
    Jan 29 03:39:24 server postfix/bounce[14774]: 57B494CC15E: sender non-delivery notification: 3B4264CC2D9
    Jan 29 03:39:24 server postfix/qmgr[11372]: 57B494CC15E: removed
    Jan 29 03:39:26 server postfix/smtp[14775]: certificate verification failed for some.domain.com: num=18:self signed certificate
    Jan 29 03:40:17 server postfix/smtp[14775]: 3B4264CC2D9: to=<[email protected]>, relay=some.domain.com[75.x.x.x]:25, delay=53, delays=0.01/0.02/2.5/51, dsn=4.0.0, status=deferred (host some.domain.com[75.x.x.x] said: 451 Temporary local problem - please try later (in reply to RCPT TO command))
    Jan 29 03:42:38 server postfix/anvil[14731]: statistics: max connection rate 1/60s for (smtp:75.x.x.x) at Jan 29 03:39:16
    Jan 29 03:42:38 server postfix/anvil[14731]: statistics: max connection count 1 for (smtp:75.x.x.x) at Jan 29 03:39:16
    Jan 29 03:42:38 server postfix/anvil[14731]: statistics: max cache size 1 at Jan 29 03:39:16
    
    Jan 29 04:09:02 server postfix/qmgr[11372]: 3B4264CC2D9: from=<>, size=9965, nrcpt=1 (queue active)
    Jan 29 04:09:04 server postfix/smtp[15289]: certificate verification failed for some.domain.com: num=18:self signed certificate
    Jan 29 04:09:55 server postfix/smtp[15289]: 3B4264CC2D9: to=<[email protected]>, relay=some.domain.com[75.x.x.x]:25, delay=1831, delays=1778/0.02/2.4/51, dsn=4.0.0, status=deferred (host some.domain.com[75.x.x.x] said: 451 Temporary local problem - please try later (in reply to RCPT TO command))
    What could cause this error? And foremost, what could cause my mail.log to be missing several hours while this took place?
    Code:
    Jan 29 03:39:24 server postfix/local[14736]: 57B494CC15E: to=<[email protected]>, orig_to=<[email protected]>, relay=local, delay=7.5, delays=1.8/0.01/0/5.7, dsn=5.3.0, status=bounced (Command died with signal 6: "/usr/bin/procmail -f-")
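
Added example (not part of the original thread): one way to follow a message through a Postfix log by queue ID, flag local deliveries where the delivery command died with a signal, and report what became of the resulting bounce notification. The sample lines are constructed from the excerpt in the first post with placeholder addresses, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the syslog excerpt above; addresses are placeholders.
SAMPLE_LOG = """\
Jan 29 03:39:18 server postfix/qmgr[11372]: 57B494CC15E: from=<sender@example.org>, size=8036, nrcpt=1 (queue active)
Jan 29 03:39:24 server postfix/local[14736]: 57B494CC15E: to=<user@example.com>, relay=local, delay=7.5, delays=1.8/0.01/0/5.7, dsn=5.3.0, status=bounced (Command died with signal 6: "/usr/bin/procmail -f-")
Jan 29 03:39:24 server postfix/bounce[14774]: 57B494CC15E: sender non-delivery notification: 3B4264CC2D9
Jan 29 03:39:24 server postfix/qmgr[11372]: 57B494CC15E: removed
Jan 29 03:40:17 server postfix/smtp[14775]: 3B4264CC2D9: to=<sender@example.org>, relay=some.domain.com[75.x.x.x]:25, delay=53, delays=0.01/0.02/2.5/51, dsn=4.0.0, status=deferred (host some.domain.com[75.x.x.x] said: 451 Temporary local problem - please try later (in reply to RCPT TO command))
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ postfix/([\w-]+)\[\d+\]: ([0-9A-F]{6,}): (.*)$")
STATUS = re.compile(r"dsn=([\d.]+), status=(\w+) \((.*)\)$")
SIGNAL = re.compile(r"Command died with signal (\d+)")  # signal 6 is SIGABRT on Linux
DSN_LINK = re.compile(r"sender non-delivery notification: ([0-9A-F]+)")

def trace(log_text):
    """Group delivery events by queue ID and link a bounced message to its notification."""
    msgs = defaultdict(lambda: {"events": [], "signal": None, "notification": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # anvil statistics, connect/disconnect, TLS lines carry no queue ID
        when, daemon, qid, rest = m.groups()
        entry = msgs[qid]
        s = STATUS.search(rest)
        if s:
            entry["events"].append((when, daemon, s.group(2), s.group(1)))
            sig = SIGNAL.search(s.group(3))
            if sig:
                entry["signal"] = int(sig.group(1))
        link = DSN_LINK.search(rest)
        if link:
            entry["notification"] = link.group(1)
    return dict(msgs)

def crashed_deliveries(msgs):
    """Return (queue_id, signal, last status of the bounce notification) tuples."""
    out = []
    for qid, m in msgs.items():
        if m["signal"] is not None:
            note = msgs.get(m["notification"], {"events": []})["events"]
            out.append((qid, m["signal"], note[-1][2] if note else None))
    return out

if __name__ == "__main__":
    print(crashed_deliveries(trace(SAMPLE_LOG)))
```
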
     
  2. falko

    falko Super Moderator Howtoforge Staff

    Does
    Code:
    /usr/bin/procmail -v
    show any errors?
     
  3. daveb

    daveb Member

    Nope
    Code:
    srv02:/# /usr/bin/procmail -v
    procmail v3.22 2001/09/10
        Copyright (c) 1990-2001, Stephen R. van den Berg    <[email protected]>
        Copyright (c) 1997-2001, Philip A. Guenther         <[email protected]>
    
    Submit questions/answers to the procmail-related mailinglist by sending to:
            <[email protected]>
    
    And of course, subscription and information requests for this list to:
            <[email protected]>
    
    Locking strategies:     dotlocking, fcntl()
    Default rcfile:         $HOME/.procmailrc
            It may be writable by your primary group
    Your system mailbox:    /var/mail/root
    
     
  4. falko

    falko Super Moderator Howtoforge Staff

    What's the output of
    Code:
    ls -la
    in web5_xxxx's homedir? Maybe some permissions are wrong...
     
  5. daveb

    daveb Member

    I checked permissions already and they looked right, so I don't believe they're wrong. Besides, after that I also updated the user so that permissions or files would be replaced, to check and make myself feel better, haha. I have been known to make mistakes. But here you can take a look.
    Code:
    ls -la web5_xxx
    total 124
    drwxr-xr-x 5 web5_xxx      web5  4096 2008-01-30 05:59 .
    drwxr-xr-x 3 web5_xxx      web5  4096 2007-10-20 21:25 ..
    -rw-r--r-- 1 root              root   189 2008-01-30 05:59 .antivirus.rc
    -rw-r--r-- 1 root              root   804 2008-01-30 05:59 .autoresponder.rc
    -rw-r--r-- 1 root              root 69149 2008-01-30 05:59 .html-trap.rc
    -rw-r--r-- 1 root              root  3889 2008-01-30 05:59 .local-rules.rc
    drwx------ 9 web5_xxx     web5  4096 2007-11-09 16:45 Maildir
    -rw-r--r-- 1 root              root   204 2008-01-30 05:59 .mailsize.rc
    -rw-r--r-- 1 root              root   656 2008-01-30 05:59 .quota.rc
    drwx------ 2 web5_xxx     web5  4096 2008-01-29 03:39 .spamassassin
    -rw-r--r-- 1 root              root  1236 2008-01-30 05:59 .spamassassin.rc
    -rw-r--r-- 1 root              root  2039 2008-01-30 05:59 .user_prefs
    -rw-r--r-- 1 root              root    32 2008-01-30 05:59 .vacation.msg
    drwxrwxr-x 2 web5_xxx      web5  4096 2007-10-20 21:25 web
    
    Thanks for taking the time to toss ideas at me, falko. I put this server together back in October and it never gave a lick of problems until this fluke, and hasn't since. Everything seems to look right to myself, and rkhunter, chkrootkit, and clamav don't produce any negative results. I will continue to monitor the situation and ask if anything else seems to pop up. If you have any other ideas please feel free to toss them my way :)
     
  6. falko

    falko Super Moderator Howtoforge Staff

    What's the output of
    Code:
    ls -la /var/www/web5
    ?
     
  7. daveb

    daveb Member

    Code:
    srv02:/# ls -la /var/www/web5
    total 68
    drwxr-xr-x 14 web5_xxx web5 4096 2008-01-30 05:59 .
    drwxr-xr-x 13 root              root 4096 2007-10-20 21:30 ..
    drwxr-xr-x  2 root              root 4096 2007-10-20 21:25 bin
    drwxr-xr-x  2 web5_xxx web5 4096 2007-10-20 21:24 cgi-bin
    drwxr-xr-x  2 root              root 4096 2007-10-20 21:25 dev
    drwxr-xr-x  4 root              root 4096 2007-10-20 21:25 etc
    -rw-------  1 web5_xxx web5   24 2008-01-30 05:59 .forward
    -rw-rw-r--  1 root              web5   53 2008-02-02 04:00 .htpasswd
    drwxr-xr-x  4 root              root 4096 2007-10-20 21:25 lib
    drwxr-xr-x  4 web5_xxx web5 4096 2008-02-02 00:30 log
    lrwxrwxrwx  1 root              root   44 2008-01-30 05:59 Maildir -> /var/www/web5/user/web5_xxx/Maildir
    drwxrwxrwx  2 web5_xxx web5 4096 2007-10-20 21:24 phptmp
    -rw-r--r--  1 root              root  494 2008-01-30 05:59 .procmailrc
    lrwxrwxrwx  1 root              root   51 2008-01-30 05:59 .spamassassin -> /var/www/web5/user/web5_xxx/.spamassassin/
    drwxr-xr-x  2 web5_xxx web5 4096 2007-10-20 21:24 ssl
    drwxr-xr-x  3 web5_xxx web5 4096 2007-10-20 21:25 user
    drwxr-xr-x  4 root              root 4096 2007-10-20 21:25 usr
    lrwxrwxrwx  1 root              root   52 2008-01-30 05:59 .vacation.cache -> /var/www/web5/user/web5_xxx/.vacation.cache
    drwxr-xr-x  3 root              root 4096 2007-10-20 21:25 var
    drwxr-xr-x 17 web5_xxx web5 4096 2008-01-22 17:30 web
    
     
  8. falko

    falko Super Moderator Howtoforge Staff

    Looks ok, too... :confused:
     
  9. daveb

    daveb Member

    Yes, I know that feeling too :confused:
    I will continue to monitor the server and see what, if anything, will happen again.
    Either way, thanks for your time, Falko.
     
