Fedora Linux Support Community & Resources Center
  #1  
Old 7th March 2017, 03:16 PM
JCMateri
Selective failures of sendmail with rkhunter

Installation summary:

I'm using Fedora 25. I have sendmail/procmail installed with the default configuration (localhost connections only). I use dnf-automatic and rkhunter. I monitor my systems with monitorix.

Problem summary:

rkhunter stopped sending email notifications several days ago though there were positive hits of file changes but not rootkits. By contrast dnf-automatic sent notifications in the same time frame without any problem.

The last update of rkhunter was over a month ago (Feb 5). Its config file is time stamped the same day.

Monitorix shows the notification was sent by rkhunter but not delivered, which was confirmed by the lack of mail in the mail spool.

I can work around this problem but I would rather solve it. Any ideas?
  #2  
Old 7th March 2017, 03:34 PM
bobx001

Question: can you trace the message that failed in the /var/log/maillog file, and post the whole transaction here?
For example, I just tried to email myself on my own PC (with sendmail not running), and I get this, which I use only as an example:
Code:
Mar  7 16:35:08 nova sendmail[4652]: v27FYwmK004652: from=bobx, size=29, class=0, nrcpts=1, msgid=<201703071534.v27FYwmK004652@nova.servermasters.com>, relay=root@localhost
Mar  7 16:35:08 nova sendmail[4652]: v27FYwmK004652: to=bobx, ctladdr=bobx (1000/1000), delay=00:00:10, xdelay=00:00:00, mailer=relay, pri=30029, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
The key transaction identifier being: v27FYwmK004652
So, grep for that same transaction in the /var/log/maillog file and post all the entries here.
  #3  
Old 7th March 2017, 04:52 PM
JCMateri

I used the command journalctl | grep mail | grep Mar and then went to the time when rkhunter would do its run.

The server name in /etc/hosts is spin and spin.mydomain.com. No configuration file has changed in over a month and everything worked fine until a few days ago.

Code:
Mar 07 03:25:32 spin sendmail[18741]: v279PWw7018741: from=root, size=308, class=0, nrcpts=2, msgid=<201703070925.v279PWw7018741@spin.mydomain.com>, relay=root@localhost
Mar 07 03:25:32 spin sendmail[18762]: v279PWUP018762: from=root, size=1594, class=0, nrcpts=1, msgid=<201703070925.v279PWUP018762@spin.mydomain.com>, relay=root@localhost
Mar 07 03:25:32 spin sendmail[18767]: v279PWM4018767: from=<root@spin.mydomain.com>, size=1845, class=0, nrcpts=1, msgid=<201703070925.v279PWUP018762@spin.mydomain.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Mar 07 03:25:32 spin sendmail[18766]: v279PWNF018766: from=<root@spin.mydomain.com>, size=548, class=0, nrcpts=2, msgid=<201703070925.v279PWw7018741@spin.mydomain.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Mar 07 03:25:32 spin sendmail[18741]: v279PWw7018741: to=terry@localhost,root@localhost, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=60308, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (v279PWNF018766 Message accepted for delivery)
Mar 07 03:25:32 spin sendmail[18762]: v279PWUP018762: to=root@localhost, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31594, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (v279PWM4018767 Message accepted for delivery)
Mar 07 03:25:32 spin sendmail[18771]: v279PWM4018767: to=<root@spin.mydomain.com>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=121845, relay=spin.mydomain.com. [192.168.0.10], dsn=4.0.0, stat=Deferred: Connection refused by spin.mydomain.com.
Mar 07 03:25:32 spin sendmail[18769]: v279PWNF018766: to=<root@spin.mydomain.com>,<terry@spin.mydomain.com>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=150548, relay=spin.mydomain.com. [192.168.0.10], dsn=4.0.0, stat=Deferred: Connection refused by spin.mydomain.com.
I note Message accepted for delivery followed by Connection refused by spin.mydomain.com
  #4  
Old 10th March 2017, 03:47 PM
bobx001

Yeah: Connection refused by spin.mydomain.com.

Well, I guess that your MTA is not listening on any IP which translates to: spin.mydomain.com
Code:
netstat -an | grep tcp | grep ":25"

What does that give you?
Code:
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
?

See if uncommenting and changing the Dj entry in sendmail.cf to just "spin" (it should read Djspin, like that, no spaces) and restarting sendmail would work. Of course you need to have a proper entry for spin in /etc/hosts, with an IP.
  #5  
Old 27th March 2017, 07:42 PM
JCMateri

Code:
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
So, no problem there. As stated above dnf-automatic sends its messages to root@localhost without problem. rkhunter sends its messages to root@localhost without any problem on other machines using the same config file.

In all cases sendmail is configured with its default settings (localhost connections only).
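Added example (not part of any post in this thread): a Python sketch that follows one message across sendmail queue IDs, using the "Sent (<queue ID> Message accepted for delivery)" handoff seen in post #3, and compares the relay address of the last hop with the port-25 listeners from the netstat output in post #5. The log lines are trimmed copies of the posted entries; the function names are this example's own.

```python
import re

# Trimmed copies of log lines from post #3 (only the fields used here are kept).
MAILLOG = """\
Mar 07 03:25:32 spin sendmail[18762]: v279PWUP018762: from=root, size=1594, class=0, nrcpts=1, relay=root@localhost
Mar 07 03:25:32 spin sendmail[18767]: v279PWM4018767: from=<root@spin.mydomain.com>, size=1845, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Mar 07 03:25:32 spin sendmail[18762]: v279PWUP018762: to=root@localhost, ctladdr=root (0/0), mailer=relay, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (v279PWM4018767 Message accepted for delivery)
Mar 07 03:25:32 spin sendmail[18771]: v279PWM4018767: to=<root@spin.mydomain.com>, mailer=esmtp, relay=spin.mydomain.com. [192.168.0.10], dsn=4.0.0, stat=Deferred: Connection refused by spin.mydomain.com.
"""
# netstat line from post #5.
NETSTAT = "tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN"

# A delivery attempt: "<queue ID>: to=..., mailer=..., relay=... [ip], ..., stat=..."
LINE = re.compile(r"sendmail\[\d+\]: (\w+): to=(\S+),.*?mailer=(\w+),.*?relay=.*?\[([\d.]+)\].*?stat=(.*)$")
# The accepting daemon's queue ID is echoed in the sender's stat= field.
HANDOFF = re.compile(r"Sent \((\w+) Message accepted for delivery\)")

def parse_hops(log):
    """Map queue ID -> delivery attempt (recipients, mailer, relay IP, stat)."""
    hops = {}
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            qid, to, mailer, ip, stat = m.groups()
            hops[qid] = {"qid": qid, "to": to, "mailer": mailer, "relay_ip": ip, "stat": stat}
    return hops

def trace(log, qid):
    """Follow handoffs from the submitting queue ID to the last logged hop."""
    hops, chain, seen = parse_hops(log), [], set()
    while qid in hops and qid not in seen:
        seen.add(qid)
        chain.append(hops[qid])
        nxt = HANDOFF.search(hops[qid]["stat"])
        qid = nxt.group(1) if nxt else None
    return chain

def smtp_listeners(netstat):
    """Local addresses with a LISTEN socket on port 25 in `netstat -an` output."""
    return {m.group(1) for m in re.finditer(r"^tcp\S*\s+\d+\s+\d+\s+(\S+):25\s+\S+\s+LISTEN", netstat, re.M)}

if __name__ == "__main__":
    listeners = smtp_listeners(NETSTAT)
    for hop in trace(MAILLOG, "v279PWUP018762"):
        has_listener = hop["relay_ip"] in listeners or "0.0.0.0" in listeners
        print(hop["qid"], hop["to"], hop["mailer"], hop["relay_ip"], "listener:", has_listener, "|", hop["stat"])
```

On the posted data the first hop goes to 127.0.0.1, where a listener exists, and the second hop goes to 192.168.0.10, which is not among the listening addresses.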
  #6  
Old 28th March 2017, 12:25 AM
gordon64

Hi

forgive me for asking silly questions.

is spin.mydomain.com a local address by any chance? (Versus an external address to disguise a real address)

in which case, it must be in /etc/hosts

as example.....and only if local....I have set up a FQDN so that
Code:
cat /etc/hosts | grep spin.mydomain.com
should give you 2 hits

2) is it a crontab or a cron job?

have you got nocolors in it?

are you getting mail for full scan or only if warnings produced?

eg
https://sourceforge.net/p/rkhunter/wiki/scans/
Last edited by gordon64; 28th March 2017 at 12:36 AM.
  #7  
Old 30th March 2017, 05:12 PM
JCMateri

Quote:
Originally Posted by gordon64
Hi

forgive me for asking silly questions.

is spin.mydomain.com a local address by any chance? (Versus an external address to disguise a real address)

in which case, it must be in /etc/hosts

Local address: it is in /etc/hosts as both spin and spin.mydomain.com

Quote:
2) is it a crontab or a cron job?

It is the usual rkhunter cron job. Not defined by crontab.

Quote:
are you getting mail for full scan or only if warnings produced?

neither
  #8  
Old 2nd April 2017, 06:08 PM
JCMateri

It is amusing, interesting, and perhaps relevant that sendmail provides messages to root@spin.mydomain.com announcing that it cannot send rkhunter mail to root@spin.mydomain.com and it contains the full text of the rkhunter mail a couple of days after it was originally sent.

It might be relevant to state that the one computer where things do not work is an upgrade from f24 to f25. The boxes where the exact same configurations work were fresh installs of f25. This may be relevant. However, the upgrade was in December and things stopped working properly in early March. There had been no update of rkhunter near that date and the rkhunter config file is the same as on the other boxes.