Dead.letter growing fast
#1
Dead.letter growing fast
Hi all,

So, my server has been up and running just fine for a few months, but just a few days ago I noticed that I had a dead.letter file in the root directory that was eating space like a cookie monster. It was a crazy 15GB big.

I opened it, read through a couple of thousand lines, which at that point was about 1% of the file.

I then googled but found only irrelevant threads to my dead.letter.

I proceeded to delete the file, and it got recreated after just a few seconds. And it's growing crazy.

My lfd.log keeps posting: *Suspicious Process* PID:13119 PPID:1243 User:postfix Uptime:69 secs EXE:/usr/libexec/postfix/smtpd CMD:smtpd -n smtp -t inet -u -o stress= -s 2

I have scanned the server with ClamAV and it found nothing. The server is not using any wild amount of resources either. The load is about 0.05. And the network traffic according to netstat is normal, nothing suspicious.

Here are some quick pastes from the dead.letter file:
Code:
Time:    Sat Nov 10 22:24:25 2018 +0100
PID:     1576 (Parent PID:1243)
Account: postfix
Uptime:  89 seconds


Executable:

/usr/libexec/postfix/smtpd


Command Line (often faked in exploits):

smtpd -n smtp -t inet -u -o stress= -s 2


Network connections by the process (if any):

tcp: 0.0.0.0:25 -> 0.0.0.0:0
tcp6: 0.0.0.0:25 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/var/spool/postfix/pid/inet.smtp
anon_inode:[eventpoll]


Memory maps by the process (if any):

558fb9da2000-558fb9e2b000 r-xp 00000000 08:01 255811                     /usr/libexec/postfix/smtpd
558fba02a000-558fba02f000 r--p 00088000 08:01 255811                     /usr/libexec/postfix/smtpd
558fba02f000-558fba030000 rw-p 0008d000 08:01 255811                     /usr/libexec/postfix/smtpd
558fba030000-558fba032000 rw-p 00000000 00:00 0 
558fbad63000-558fbadc6000 rw-p 00000000 00:00 0                          [heap]
7f52a193d000-7f52a194c000 r-xp 00000000 08:01 4873                       /usr/lib64/libbz2.so.1.0.6
7f52a194c000-7f52a1b4b000 ---p 0000f000 08:01 4873                       /usr/lib64/libbz2.so.1.0.6
7f52a1b4b000-7f52a1b4c000 r--p 0000e000 08:01 4873                       /usr/lib64/libbz2.so.1.0.6
7f52a1b4c000-7f52a1b4d000 rw-p 0000f000 08:01 4873                       /usr/lib64/libbz2.so.1.0.6
7f52a1b4d000-7f52a1b72000 r-xp 00000000 08:01 4781                       /usr/lib64/liblzma.so.5.2.2
7f52a1b72000-7f52a1d71000 ---p 00025000 08:01 4781                       /usr/lib64/liblzma.so.5.2.2
7f52a1d71000-7f52a1d72000 r--p 00024000 08:01 4781                       /usr/lib64/liblzma.so.5.2.2
7f52a1d72000-7f52a1d73000 rw-p 00025000 08:01 4781                       /usr/lib64/liblzma.so.5.2.2
7f52a1d73000-7f52a1d8a000 r-xp 00000000 08:01 5168                       /usr/lib64/libelf-0.170.so
7f52a1d8a000-7f52a1f89000 ---p 00017000 08:01 5168                       /usr/lib64/libelf-0.170.so
7f52a1f89000-7f52a1f8a000 r--p 00016000 08:01 5168                       /usr/lib64/libelf-0.170.so
7f52a1f8a000-7f52a1f8b000 rw-p 00017000 08:01 5168                       /usr/lib64/libelf-0.170.so
7f52a1f8b000-7f52a1f8f000 r-xp 00000000 08:01 5116                       /usr/lib64/libattr.so.1.1.0
7f52a1f8f000-7f52a218e000 ---p 00004000 08:01 5116                       /usr/lib64/libattr.so.1.1.0
7f52a218e000-7f52a218f000 r--p 00003000 08:01 5116                       /usr/lib64/libattr.so.1.1.0
7f52a218f000-7f52a2190000 rw-p 00004000 08:01 5116                       /usr/lib64/libattr.so.1.1.0
7f52a2190000-7f52a21d4000 r-xp 00000000 08:01 7734                       /usr/lib64/libdw-0.170.so
7f52a21d4000-7f52a23d4000 ---p 00044000 08:01 7734                       /usr/lib64/libdw-0.170.so
7f52a23d4000-7f52a23d6000 r--p 00044000 08:01 7734                       /usr/lib64/libdw-0.170.so
7f52a23d6000-7f52a23d7000 rw-p 00046000 08:01 7734                       /usr/lib64/libdw-0.170.so
7f52a23d7000-7f52a23db000 r-xp 00000000 08:01 5148                       /usr/lib64/libcap.so.2.22
7f52a23db000-7f52a25da000 ---p 00004000 08:01 5148                       /usr/lib64/libcap.so.2.22
7f52a25da000-7f52a25db000 r--p 00003000 08:01 5148                       /usr/lib64/libcap.so.2.22
7f52a25db000-7f52a25dc000 rw-p 00004000 08:01 5148                       /usr/lib64/libcap.so.2.22
7f52a25dc000-7f52a25ee000 r-xp 00000000 08:01 13847                      /usr/lib64/libnss_myhostname.so.2
7f52a25ee000-7f52a27ed000 ---p 00012000 08:01 13847                      /usr/lib64/libnss_myhostname.so.2
7f52a27ed000-7f52a27f0000 r--p 00011000 08:01 13847                      /usr/lib64/libnss_myhostname.so.2
7f52a27f0000-7f52a27f1000 rw-p 00014000 08:01 13847                      /usr/lib64/libnss_myhostname.so.2
7f52a27f1000-7f52a27f6000 r-xp 00000000 08:01 4297                       /usr/lib64/libnss_dns-2.17.so
7f52a27f6000-7f52a29f6000 ---p 00005000 08:01 4297                       /usr/lib64/libnss_dns-2.17.so
7f52a29f6000-7f52a29f7000 r--p 00005000 08:01 4297                       /usr/lib64/libnss_dns-2.17.so
7f52a29f7000-7f52a29f8000 rw-p 00006000 08:01 4297                       /usr/lib64/libnss_dns-2.17.so
7f52a29f8000-7f52a2a04000 r-xp 00000000 08:01 4299                       /usr/lib64/libnss_files-2.17.so
7f52a2a04000-7f52a2c03000 ---p 0000c000 08:01 4299                       /usr/lib64/libnss_files-2.17.so
7f52a2c03000-7f52a2c04000 r--p 0000b000 08:01 4299                       /usr/lib64/libnss_files-2.17.so
7f52a2c04000-7f52a2c05000 rw-p 0000c000 08:01 4299                       /usr/lib64/libnss_files-2.17.so
7f52a2c05000-7f52a2c0b000 rw-p 00000000 00:00 0 
7f52a2c0b000-7f52a2c2f000 r-xp 00000000 08:01 4635                       /usr/lib64/libselinux.so.1
7f52a2c2f000-7f52a2e2e000 ---p 00024000 08:01 4635                       /usr/lib64/libselinux.so.1
7f52a2e2e000-7f52a2e2f000 r--p 00023000 08:01 4635                       /usr/lib64/libselinux.so.1
7f52a2e2f000-7f52a2e30000 rw-p 00024000 08:01 4635                       /usr/lib64/libselinux.so.1
7f52a2e30000-7f52a2e32000 rw-p 00000000 00:00 0 
7f52a2e32000-7f52a2e35000 r-xp 00000000 08:01 5897                       /usr/lib64/libkeyutils.so.1.5
7f52a2e35000-7f52a3034000 ---p 00003000 08:01 5897                       /usr/lib64/libkeyutils.so.1.5
7f52a3034000-7f52a3035000 r--p 00002000 08:01 5897                       /usr/lib64/libkeyutils.so.1.5
7f52a3035000-7f52a3036000 rw-p 00003000 08:01 5897                       /usr/lib64/libkeyutils.so.1.5
7f52a3036000-7f52a3038000 r-xp 00000000 08:01 3666                       /usr/lib64/libfreebl3.so
7f52a3038000-7f52a3237000 ---p 00002000 08:01 3666                       /usr/lib64/libfreebl3.so
7f52a3237000-7f52a3238000 r--p 00001000 08:01 3666                       /usr/lib64/libfreebl3.so
7f52a3238000-7f52a3239000 rw-p 00002000 08:01 3666                       /usr/lib64/libfreebl3.so
7f52a3239000-7f52a324e000 r-xp 00000000 08:01 29934                      /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f52a324e000-7f52a344d000 ---p 00015000 08:01 29934                      /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f52a344d000-7f52a344e000 r--p 00014000 08:01 29934                      /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f52a344e000-7f52a344f000 rw-p 00015000 08:01 29934                      /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f52a344f000-7f52a3456000 r-xp 00000000 08:01 4311                       /usr/lib64/librt-2.17.so
7f52a3456000-7f52a3655000 ---p 00007000 08:01 4311                       /usr/lib64/librt-2.17.so
7f52a3655000-7f52a3656000 r--p 00006000 08:01 4311                       /usr/lib64/librt-2.17.so
7f52a3656000-7f52a3657000 rw-p 00007000 08:01 4311                       /usr/lib64/librt-2.17.so
7f52a3657000-7f52a3664000 r-xp 00000000 08:01 8369                       /usr/lib64/libkrb5support.so.0.1
7f52a3664000-7f52a3863000 ---p 0000d000 08:01 8369                       /usr/lib64/libkrb5support.so.0.1
7f52a3863000-7f52a3864000 r--p 0000c000 08:01 8369                       /usr/lib64/libkrb5support.so.0.1
7f52a3864000-7f52a3865000 rw-p 0000d000 08:01 8369                       /usr/lib64/libkrb5support.so.0.1
7f52a3865000-7f52a3868000 r-xp 00000000 08:01 4816                       /usr/lib64/libcom_err.so.2.1
7f52a3868000-7f52a3a67000 ---p 00003000 08:01 4816                       /usr/lib64/libcom_err.so.2.1
7f52a3a67000-7f52a3a68000 r--p 00002000 08:01 4816                       /usr/lib64/libcom_err.so.2.1
7f52a3a68000-7f52a3a69000 rw-p 00003000 08:01 4816                       /usr/lib64/libcom_err.so.2.1
7f52a3a69000-7f52a3a9a000 r-xp 00000000 08:01 8361                       /usr/lib64/libk5crypto.so.3.1
7f52a3a9a000-7f52a3c99000 ---p 00031000 08:01 8361                       /usr/lib64/libk5crypto.so.3.1
7f52a3c99000-7f52a3c9b000 r--p 00030000 08:01 8361                       /usr/lib64/libk5crypto.so.3.1
7f52a3c9b000-7f52a3c9c000 rw-p 00032000 08:01 8361                       /usr/lib64/libk5crypto.so.3.1
7f52a3c9c000-7f52a3d74000 r-xp 00000000 08:01 8367                       /usr/lib64/libkrb5.so.3.3
7f52a3d74000-7f52a3f73000 ---p 000d8000 08:01 8367                       /usr/lib64/libkrb5.so.3.3
7f52a3f73000-7f52a3f81000 r--p 000d7000 08:01 8367                       /usr/lib64/libkrb5.so.3.3
7f52a3f81000-7f52a3f84000 rw-p 000e5000 08:01 8367                       /usr/lib64/libkrb5.so.3.3
7f52a3f84000-7f52a3fce000 r-xp 00000000 08:01 8357                       /usr/lib64/libgssapi_krb5.so.2.2
7f52a3fce000-7f52a41ce000 ---p 0004a000 08:01 8357                       /usr/lib64/libgssapi_krb5.so.2.2
7f52a41ce000-7f52a41cf000 r--p 0004a000 08:01 8357                       /usr/lib64/libgssapi_krb5.so.2.2
7f52a41cf000-7f52a41d1000 rw-p 0004b000 08:01 8357                       /usr/lib64/libgssapi_krb5.so.2.2
7f52a41d1000-7f52a41d9000 r-xp 00000000 08:01 4285                       /usr/lib64/libcrypt-2.17.so
7f52a41d9000-7f52a43d8000 ---p 00008000 08:01 4285                       /usr/lib64/libcrypt-2.17.so
7f52a43d8000-7f52a43d9000 r--p 00007000 08:01 4285                       /usr/lib64/libcrypt-2.17.so
7f52a43d9000-7f52a43da000 rw-p 00008000 08:01 4285                       /usr/lib64/libcrypt-2.17.so
7f52a43da000-7f52a4408000 rw-p 00000000 00:00 0 
7f52a4408000-7f52a44f1000 r-xp 00000000 08:01 4595                       /usr/lib64/libstdc++.so.6.0.19
7f52a44f1000-7f52a46f0000 ---p 000e9000 08:01 4595                       /usr/lib64/libstdc++.so.6.0.19
7f52a46f0000-7f52a46f8000 r--p 000e8000 08:01 4595                       /usr/lib64/libstdc++.so.6.0.19
7f52a46f8000-7f52a46fa000 rw-p 000f0000 08:01 4595                       /usr/lib64/libstdc++.so.6.0.19
7f52a46fa000-7f52a470f000 rw-p 00000000 00:00 0 
7f52a470f000-7f52a4724000 r-xp 00000000 08:01 4765                       /usr/lib64/libz.so.1.2.7
7f52a4724000-7f52a4923000 ---p 00015000 08:01 4765                       /usr/lib64/libz.so.1.2.7
7f52a4923000-7f52a4924000 r--p 00014000 08:01 4765                       /usr/lib64/libz.so.1.2.7
7f52a4924000-7f52a4925000 rw-p 00015000 08:01 4765                       /usr/lib64/libz.so.1.2.7
7f52a4925000-7f52a4927000 r-xp 00000000 08:01 4287                       /usr/lib64/libdl-2.17.so
7f52a4927000-7f52a4b27000 ---p 00002000 08:01 4287                       /usr/lib64/libdl-2.17.so
7f52a4b27000-7f52a4b28000 r--p 00002000 08:01 4287                       /usr/lib64/libdl-2.17.so
7f52a4b28000-7f52a4b29000 rw-p 00003000 08:01 4287                       /usr/lib64/libdl-2.17.so
7f52a4b29000-7f52a4b40000 r-xp 00000000 08:01 4307                       /usr/lib64/libpthread-2.17.so
7f52a4b40000-7f52a4d3f000 ---p 00017000 08:01 4307                       /usr/lib64/libpthread-2.17.so
7f52a4d3f000-7f52a4d40000 r--p 00016000 08:01 4307                       /usr/lib64/libpthread-2.17.so
7f52a4d40000-7f52a4d41000 rw-p 00017000 08:01 4307                       /usr/lib64/libpthread-2.17.so
7f52a4d41000-7f52a4d45000 rw-p 00000000 00:00 0 
7f52a4d45000-7f52a4d7f000 r-xp 00000000 08:01 4742                       /usr/lib64/libnspr4.so
7f52a4d7f000-7f52a4f7e000 ---p 0003a000 08:01 4742                       /usr/lib64/libnspr4.so
7f52a4f7e000-7f52a4f7f000 r--p 00039000 08:01 4742                       /usr/lib64/libnspr4.so
7f52a4f7f000-7f52a4f81000 rw-p 0003a000 08:01 4742                       /usr/lib64/libnspr4.so
7f52a4f81000-7f52a4f83000 rw-p 00000000 00:00 0 
7f52a4f83000-7f52a4f87000 r-xp 00000000 08:01 29953                      /usr/lib64/libplc4.so
7f52a4f87000-7f52a5186000 ---p 00004000 08:01 29953                      /usr/lib64/libplc4.so
7f52a5186000-7f52a5187000 r--p 00003000 08:01 29953                      /usr/lib64/libplc4.so
7f52a5187000-7f52a5188000 rw-p 00004000 08:01 29953                      /usr/lib64/libplc4.so
7f52a5188000-7f52a518b000 r-xp 00000000 08:01 29954                      /usr/lib64/libplds4.so
7f52a518b000-7f52a538a000 ---p 00003000 08:01 29954                      /usr/lib64/libplds4.so
7f52a538a000-7f52a538b000 r--p 00002000 08:01 29954                      /usr/lib64/libplds4.so
7f52a538b000-7f52a538c000 rw-p 00003000 08:01 29954                      /usr/lib64/libplds4.so
7f52a538c000-7f52a53b4000 r-xp 00000000 08:01 389                        /usr/lib64/libnssutil3.so
7f52a53b4000-7f52a55b3000 ---p 00028000 08:01 389                        /usr/lib64/libnssutil3.so
7f52a55b3000-7f52a55ba000 r--p 00027000 08:01 389                        /usr/lib64/libnssutil3.so
7f52a55ba000-7f52a55bb000 rw-p 0002e000 08:01 389                        /usr/lib64/libnssutil3.so
7f52a55bb000-7f52a56df000 r-xp 00000000 08:01 11810                      /usr/lib64/libnss3.so
7f52a56df000-7f52a58df000 ---p 00124000 08:01 11810                      /usr/lib64/libnss3.so
7f52a58df000-7f52a58e4000 r--p 00124000 08:01 11810                      /usr/lib64/libnss3.so
7f52a58e4000-7f52a58e6000 rw-p 00129000 08:01 11810                      /usr/lib64/libnss3.so
7f52a58e6000-7f52a58e8000 rw-p 00000000 00:00 0 
7f52a58e8000-7f52a590c000 r-xp 00000000 08:01 30055                      /usr/lib64/libsmime3.so
7f52a590c000-7f52a5b0b000 ---p 00024000 08:01 30055                      /usr/lib64/libsmime3.so
7f52a5b0b000-7f52a5b0e000 r--p 00023000 08:01 30055                      /usr/lib64/libsmime3.so
7f52a5b0e000-7f52a5b0f000 rw-p 00026000 08:01 30055                      /usr/lib64/libsmime3.so
7f52a5b0f000-7f52a5b5c000 r-xp 00000000 08:01 30056                      /usr/lib64/libssl3.so
7f52a5b5c000-7f52a5d5b000 ---p 0004d000 08:01 30056                      /usr/lib64/libssl3.so
7f52a5d5b000-7f52a5d5f000 r--p 0004c000 08:01 30056                      /usr/lib64/libssl3.so
7f52a5d5f000-7f52a5d60000 rw-p 00050000 08:01 30056                      /usr/lib64/libssl3.so
7f52a5d60000-7f52a5d61000 rw-p 00000000 00:00 0 
7f52a5d61000-7f52a5f24000 r-xp 00000000 08:01 4281                       /usr/lib64/libc-2.17.so
7f52a5f24000-7f52a6123000 ---p 001c3000 08:01 4281                       /usr/lib64/libc-2.17.so
7f52a6123000-7f52a6127000 r--p 001c2000 08:01 4281                       /usr/lib64/libc-2.17.so
7f52a6127000-7f52a6129000 rw-p 001c6000 08:01 4281                       /usr/lib64/libc-2.17.so
7f52a6129000-7f52a612e000 rw-p 00000000 00:00 0 
7f52a612e000-7f52a6144000 r-xp 00000000 08:01 4309                       /usr/lib64/libresolv-2.17.so
7f52a6144000-7f52a6343000 ---p 00016000 08:01 4309                       /usr/lib64/libresolv-2.17.so
7f52a6343000-7f52a6344000 r--p 00015000 08:01 4309                       /usr/lib64/libresolv-2.17.so
7f52a6344000-7f52a6345000 rw-p 00016000 08:01 4309                       /usr/lib64/libresolv-2.17.so
7f52a6345000-7f52a6347000 rw-p 00000000 00:00 0 
7f52a6347000-7f52a635e000 r-xp 00000000 08:01 4291                       /usr/lib64/libnsl-2.17.so
7f52a635e000-7f52a655d000 ---p 00017000 08:01 4291                       /usr/lib64/libnsl-2.17.so
7f52a655d000-7f52a655e000 r--p 00016000 08:01 4291                       /usr/lib64/libnsl-2.17.so
7f52a655e000-7f52a655f000 rw-p 00017000 08:01 4291                       /usr/lib64/libnsl-2.17.so
7f52a655f000-7f52a6561000 rw-p 00000000 00:00 0 
7f52a6561000-7f52a6716000 r-xp 00000000 08:01 4763                       /usr/lib64/libdb-5.3.so
7f52a6716000-7f52a6916000 ---p 001b5000 08:01 4763                       /usr/lib64/libdb-5.3.so
7f52a6916000-7f52a691d000 r--p 001b5000 08:01 4763                       /usr/lib64/libdb-5.3.so
7f52a691d000-7f52a6920000 rw-p 001bc000 08:01 4763                       /usr/lib64/libdb-5.3.so
7f52a6920000-7f52a6b54000 r-xp 00000000 08:01 8387                       /usr/lib64/libcrypto.so.1.0.2k
7f52a6b54000-7f52a6d54000 ---p 00234000 08:01 8387                       /usr/lib64/libcrypto.so.1.0.2k
7f52a6d54000-7f52a6d70000 r--p 00234000 08:01 8387                       /usr/lib64/libcrypto.so.1.0.2k
7f52a6d70000-7f52a6d7d000 rw-p 00250000 08:01 8387                       /usr/lib64/libcrypto.so.1.0.2k
7f52a6d7d000-7f52a6d81000 rw-p 00000000 00:00 0 
7f52a6d81000-7f52a6de8000 r-xp 00000000 08:01 8390                       /usr/lib64/libssl.so.1.0.2k
7f52a6de8000-7f52a6fe8000 ---p 00067000 08:01 8390                       /usr/lib64/libssl.so.1.0.2k
7f52a6fe8000-7f52a6fec000 r--p 00067000 08:01 8390                       /usr/lib64/libssl.so.1.0.2k
7f52a6fec000-7f52a6ff3000 rw-p 0006b000 08:01 8390                       /usr/lib64/libssl.so.1.0.2k
7f52a6ff3000-7f52a700f000 r-xp 00000000 08:01 6264                       /usr/lib64/libsasl2.so.3.0.0
7f52a700f000-7f52a720e000 ---p 0001c000 08:01 6264                       /usr/lib64/libsasl2.so.3.0.0
7f52a720e000-7f52a720f000 r--p 0001b000 08:01 6264                       /usr/lib64/libsasl2.so.3.0.0
7f52a720f000-7f52a7210000 rw-p 0001c000 08:01 6264                       /usr/lib64/libsasl2.so.3.0.0
7f52a7210000-7f52a7311000 r-xp 00000000 08:01 4289                       /usr/lib64/libm-2.17.so
7f52a7311000-7f52a7510000 ---p 00101000 08:01 4289                       /usr/lib64/libm-2.17.so
7f52a7510000-7f52a7511000 r--p 00100000 08:01 4289                       /usr/lib64/libm-2.17.so
7f52a7511000-7f52a7512000 rw-p 00101000 08:01 4289                       /usr/lib64/libm-2.17.so
7f52a7512000-7f52a77f0000 r-xp 00000000 08:01 134470                     /usr/lib64/mysql/libmysqlclient.so.18.0.0
7f52a77f0000-7f52a79ef000 ---p 002de000 08:01 134470                     /usr/lib64/mysql/libmysqlclient.so.18.0.0
7f52a79ef000-7f52a79f8000 r--p 002dd000 08:01 134470                     /usr/lib64/mysql/libmysqlclient.so.18.0.0
7f52a79f8000-7f52a7a0c000 rw-p 002e6000 08:01 134470                     /usr/lib64/mysql/libmysqlclient.so.18.0.0
7f52a7a0c000-7f52a7a12000 rw-p 00000000 00:00 0 
7f52a7a12000-7f52a7a72000 r-xp 00000000 08:01 4745                       /usr/lib64/libpcre.so.1.2.0
7f52a7a72000-7f52a7c72000 ---p 00060000 08:01 4745                       /usr/lib64/libpcre.so.1.2.0
7f52a7c72000-7f52a7c73000 r--p 00060000 08:01 4745                       /usr/lib64/libpcre.so.1.2.0
7f52a7c73000-7f52a7c74000 rw-p 00061000 08:01 4745                       /usr/lib64/libpcre.so.1.2.0
7f52a7c74000-7f52a7c82000 r-xp 00000000 08:01 12322                      /usr/lib64/liblber-2.4.so.2.10.7
7f52a7c82000-7f52a7e81000 ---p 0000e000 08:01 12322                      /usr/lib64/liblber-2.4.so.2.10.7
7f52a7e81000-7f52a7e82000 r--p 0000d000 08:01 12322                      /usr/lib64/liblber-2.4.so.2.10.7
7f52a7e82000-7f52a7e83000 rw-p 0000e000 08:01 12322                      /usr/lib64/liblber-2.4.so.2.10.7
7f52a7e83000-7f52a7ed5000 r-xp 00000000 08:01 12324                      /usr/lib64/libldap-2.4.so.2.10.7
7f52a7ed5000-7f52a80d5000 ---p 00052000 08:01 12324                      /usr/lib64/libldap-2.4.so.2.10.7
7f52a80d5000-7f52a80d7000 r--p 00052000 08:01 12324                      /usr/lib64/libldap-2.4.so.2.10.7
7f52a80d7000-7f52a80d8000 rw-p 00054000 08:01 12324                      /usr/lib64/libldap-2.4.so.2.10.7
7f52a80d8000-7f52a80fa000 r-xp 00000000 08:01 4272                       /usr/lib64/ld-2.17.so
7f52a82dc000-7f52a82ef000 rw-p 00000000 00:00 0 
7f52a82f8000-7f52a82f9000 rw-p 00000000 00:00 0 
7f52a82f9000-7f52a82fa000 r--p 00021000 08:01 4272                       /usr/lib64/ld-2.17.so
7f52a82fa000-7f52a82fb000 rw-p 00022000 08:01 4272                       /usr/lib64/ld-2.17.so
7f52a82fb000-7f52a82fc000 rw-p 00000000 00:00 0 
7ffeaa420000-7ffeaa441000 rw-p 00000000 00:00 0                          [stack]
7ffeaa4b9000-7ffeaa4bb000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]


What is going on, and how do I fix this? I have made no changes to the system prior to this happening.

Here you can see the first 10.000 lines of the file lol.

The file is exceeding 1 million lines atm.

http://pasted.co/6f9ecdf9
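A triage sketch for the file described in post #1, added here as an example and not part of the original thread: it streams a file of reports in the layout pasted above and tallies them by account, executable and parent PID, so you can see what is generating the entries without reading millions of lines. It assumes every report starts with a `Time:` line as in the paste; the function names are this example's own, and the sample input is constructed from values quoted in the post plus one made-up record.

```python
import re
import sys
from collections import Counter

PID_RE = re.compile(r"^PID:\s*(\d+)\s*\(Parent PID:\s*(\d+)\)")

# Constructed sample: record 1 is shortened from the paste, record 2 reuses the
# PID/PPID from the lfd.log line (its timestamp is made up), record 3 is a
# made-up report about a different program.
SAMPLE = """\
Time:    Sat Nov 10 22:24:25 2018 +0100
PID:     1576 (Parent PID:1243)
Account: postfix
Uptime:  89 seconds

Executable:

/usr/libexec/postfix/smtpd

Command Line (often faked in exploits):

smtpd -n smtp -t inet -u -o stress= -s 2

Network connections by the process (if any):

tcp: 0.0.0.0:25 -> 0.0.0.0:0

Time:    Sat Nov 10 22:25:31 2018 +0100
PID:     13119 (Parent PID:1243)
Account: postfix
Uptime:  69 seconds

Executable:

/usr/libexec/postfix/smtpd

Command Line (often faked in exploits):

smtpd -n smtp -t inet -u -o stress= -s 2

Time:    Sat Nov 10 22:26:02 2018 +0100
PID:     2001 (Parent PID:1)
Account: exampleuser
Uptime:  75 seconds

Executable:

/usr/bin/example-daemon

Command Line (often faked in exploits):

example-daemon --foreground
"""


def iter_reports(lines):
    """Yield one dict per report; a line starting with 'Time:' opens a report."""
    report = None
    pending = None  # field whose value is on the next non-blank line
    for raw in lines:
        line = raw.strip()
        if line.startswith("Time:"):
            if report is not None:
                yield report
            report = dict.fromkeys(("pid", "ppid", "account", "exe", "cmdline"))
            report["time"] = line[len("Time:"):].strip()
            pending = None
        elif report is None or not line:
            continue  # text before the first report, or a blank line
        elif line == "Executable:":
            pending = "exe"
        elif line.startswith("Command Line"):
            pending = "cmdline"
        elif line.endswith("(if any):"):
            pending = None  # connection, open-file and memory-map sections are skipped
        elif pending:
            report[pending] = line
            pending = None
        elif (m := PID_RE.match(line)):
            report["pid"], report["ppid"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("Account:"):
            report["account"] = line.split(":", 1)[1].strip()
    if report is not None:
        yield report


def summarize(lines):
    """Count reports per (account, executable, parent PID), one line at a time."""
    by_source = Counter()
    first = last = None
    total = 0
    for r in iter_reports(lines):
        total += 1
        by_source[(r["account"], r["exe"], r["ppid"])] += 1
        first = first or r["time"]
        last = r["time"]
    return {"total": total, "first": first, "last": last, "by_source": by_source}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Iterating the file object keeps memory flat even on a multi-GB file.
        with open(sys.argv[1], errors="replace") as fh:
            result = summarize(fh)
    else:
        result = summarize(SAMPLE.splitlines())
    print(f"{result['total']} reports, {result['first']} .. {result['last']}")
    for (account, exe, ppid), n in result["by_source"].most_common(10):
        print(f"{n:>8}  account={account} exe={exe} ppid={ppid}")
```

Run it with the path to the file as the only argument; with no argument it processes the embedded sample.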
#2
RE: Dead.letter growing fast
It's not something I have heard of before, but from some quick Googling it looks like it might be logs of some sort that your server attempted to mail to someone but was not able to do so... maybe...

Have you a vanilla Sentora installation or is it highly tweaked/modified?

Maybe a cron job that is trying to email system info to a sys admin but never being able to?

I'm really not sure. I'll see if I can find anything else out about it, and if I do, I'll post back here.

Hopefully someone else who knows exactly what it is might be able to help you stop it!

Keith

EDIT: Are there any clues in your postfix logs to suggest something is trying to send out these logs - if that's what they are?
#3
RE: Dead.letter growing fast
(11-13-2018, 05:31 AM)fearworks Wrote: It's not something I have heard of before, but from some quick Googling it looks like it might be logs of some sort that your server attempted to mail to someone but was not able to do so... maybe...

Have you a vanilla Sentora installation or is it highly tweaked/modified?

Maybe a cron job that is trying to email system info to a sys admin but never being able to?

I'm really not sure. I'll see if I can find anything else out about it, and if I do, I'll post back here.

Hopefully someone else who knows exactly what it is might be able to help you stop it!

Keith

EDIT: Are there any clues in your postfix logs to suggest something is trying to send out these logs - if that's what they are?

Thanks for your reply.
I've checked the crontab, nothing there. Also checked sentora crontab.

I'm running vanilla Sentora, with a few simple addons such as cert manager, ELFile manager, zGodx. No Sentora-altering addons.

Here is the last hour of the maillog:
Code:
Nov 12 20:00:59 web201 sSMTP[16104]: Unable to locate mail
Nov 12 20:00:59 web201 sSMTP[16104]: Cannot open mail:25
Nov 12 20:00:59 web201 sSMTP[16105]: Unable to locate mail
Nov 12 20:00:59 web201 sSMTP[16105]: Cannot open mail:25
Nov 12 20:00:59 web201 sSMTP[16106]: Unable to locate mail
Nov 12 20:00:59 web201 sSMTP[16106]: Cannot open mail:25
Nov 12 20:00:59 web201 sSMTP[16107]: Unable to locate mail
Nov 12 20:00:59 web201 sSMTP[16107]: Cannot open mail:25
Nov 12 20:00:59 web201 sSMTP[16108]: Unable to locate mail
Nov 12 20:00:59 web201 sSMTP[16108]: Cannot open mail:25
Nov 12 20:00:59 web201 sSMTP[16109]: Unable to locate mail
Nov 12 20:00:59 web201 sSMTP[16109]: Cannot open mail:25
Nov 12 20:02:44 web201 postfix/anvil[15900]: statistics: max connection rate 1/60s for (smtp:185.234.217.94) at Nov 12 19:55:40
Nov 12 20:02:44 web201 postfix/anvil[15900]: statistics: max connection count 1 for (smtp:185.234.217.94) at Nov 12 19:55:40
Nov 12 20:02:44 web201 postfix/anvil[15900]: statistics: max cache size 2 at Nov 12 19:55:42
Nov 12 20:02:55 web201 postfix/smtpd[16179]: error: open database /etc/aliases.db: No such file or directory
Nov 12 20:02:55 web201 postfix/smtpd[16179]: connect from unknown[185.36.81.43]
Nov 12 20:02:57 web201 postfix/smtpd[16179]: warning: unknown[185.36.81.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:02:57 web201 postfix/smtpd[16179]: lost connection after AUTH from unknown[185.36.81.43]
Nov 12 20:02:57 web201 postfix/smtpd[16179]: disconnect from unknown[185.36.81.43]
Nov 12 20:03:24 web201 sSMTP[16205]: Unable to locate mail
Nov 12 20:03:24 web201 sSMTP[16205]: Cannot open mail:25
Nov 12 20:03:59 web201 sSMTP[16221]: Unable to locate mail
Nov 12 20:03:59 web201 sSMTP[16221]: Cannot open mail:25
Nov 12 20:05:24 web201 postfix/smtpd[16304]: error: open database /etc/aliases.db: No such file or directory
Nov 12 20:05:24 web201 postfix/smtpd[16304]: connect from unknown[193.169.252.111]
Nov 12 20:05:27 web201 postfix/smtpd[16304]: warning: unknown[193.169.252.111]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:05:27 web201 postfix/smtpd[16304]: lost connection after AUTH from unknown[193.169.252.111]
Nov 12 20:05:27 web201 postfix/smtpd[16304]: disconnect from unknown[193.169.252.111]
Nov 12 20:06:29 web201 postfix/smtpd[16304]: connect from unknown[185.36.81.43]
Nov 12 20:06:31 web201 postfix/smtpd[16304]: warning: unknown[185.36.81.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:06:31 web201 postfix/smtpd[16304]: lost connection after AUTH from unknown[185.36.81.43]
Nov 12 20:06:31 web201 postfix/smtpd[16304]: disconnect from unknown[185.36.81.43]
Nov 12 20:06:59 web201 sSMTP[16353]: Unable to locate mail
Nov 12 20:06:59 web201 sSMTP[16353]: Cannot open mail:25
Nov 12 20:09:50 web201 postfix/smtpd[16416]: error: open database /etc/aliases.db: No such file or directory
Nov 12 20:09:50 web201 postfix/smtpd[16416]: connect from unknown[185.234.217.94]
Nov 12 20:09:52 web201 postfix/smtpd[16416]: warning: unknown[185.234.217.94]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:09:52 web201 postfix/smtpd[16416]: lost connection after AUTH from unknown[185.234.217.94]
Nov 12 20:09:52 web201 postfix/smtpd[16416]: disconnect from unknown[185.234.217.94]
Nov 12 20:10:07 web201 postfix/smtpd[16416]: connect from unknown[185.36.81.43]
Nov 12 20:10:10 web201 postfix/smtpd[16416]: warning: unknown[185.36.81.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:10:10 web201 postfix/smtpd[16416]: lost connection after AUTH from unknown[185.36.81.43]
Nov 12 20:10:10 web201 postfix/smtpd[16416]: disconnect from unknown[185.36.81.43]
Nov 12 20:11:00 web201 sSMTP[16515]: Unable to locate mail
Nov 12 20:11:00 web201 sSMTP[16515]: Cannot open mail:25
Nov 12 20:12:55 web201 postfix/anvil[16180]: statistics: max connection rate 1/60s for (smtp:185.36.81.43) at Nov 12 20:02:55
Nov 12 20:12:55 web201 postfix/anvil[16180]: statistics: max connection count 1 for (smtp:185.36.81.43) at Nov 12 20:02:55
Nov 12 20:12:55 web201 postfix/anvil[16180]: statistics: max cache size 2 at Nov 12 20:10:07
Nov 12 20:13:43 web201 postfix/smtpd[16578]: error: open database /etc/aliases.db: No such file or directory
Nov 12 20:13:43 web201 postfix/smtpd[16578]: connect from unknown[185.36.81.43]
Nov 12 20:13:46 web201 postfix/smtpd[16578]: warning: unknown[185.36.81.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:13:46 web201 postfix/smtpd[16578]: lost connection after AUTH from unknown[185.36.81.43]
Nov 12 20:13:46 web201 postfix/smtpd[16578]: disconnect from unknown[185.36.81.43]
Nov 12 20:15:00 web201 sSMTP[16612]: Unable to locate mail
Nov 12 20:15:00 web201 sSMTP[16612]: Cannot open mail:25
Nov 12 20:16:09 web201 postfix/smtpd[16693]: error: open database /etc/aliases.db: No such file or directory
Nov 12 20:16:09 web201 postfix/smtpd[16693]: warning: hostname no-reverse-dns-configured.com does not resolve to address 80.82.70.189
Nov 12 20:16:09 web201 postfix/smtpd[16693]: connect from unknown[80.82.70.189]
Nov 12 20:16:11 web201 postfix/smtpd[16693]: warning: unknown[80.82.70.189]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:16:11 web201 postfix/smtpd[16693]: disconnect from unknown[80.82.70.189]
Nov 12 20:17:20 web201 postfix/smtpd[16693]: connect from unknown[185.36.81.43]
Nov 12 20:17:22 web201 postfix/smtpd[16693]: warning: unknown[185.36.81.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:17:22 web201 postfix/smtpd[16693]: lost connection after AUTH from unknown[185.36.81.43]
Nov 12 20:17:22 web201 postfix/smtpd[16693]: disconnect from unknown[185.36.81.43]
Nov 12 20:18:00 web201 sSMTP[16748]: Unable to locate mail
Nov 12 20:18:00 web201 sSMTP[16748]: Cannot open mail:25
Nov 12 20:20:42 web201 postfix/anvil[16580]: statistics: max connection rate 1/60s for (smtp:185.36.81.43) at Nov 12 20:13:43
Nov 12 20:20:42 web201 postfix/anvil[16580]: statistics: max connection count 1 for (smtp:185.36.81.43) at Nov 12 20:13:43
Nov 12 20:20:42 web201 postfix/anvil[16580]: statistics: max cache size 1 at Nov 12 20:13:43
Nov 12 20:20:57 web201 postfix/smtpd[16868]: error: open database /etc/aliases.db: No such file or directory
Nov 12 20:20:57 web201 postfix/smtpd[16868]: connect from unknown[185.36.81.43]
Nov 12 20:20:59 web201 postfix/smtpd[16868]: warning: unknown[185.36.81.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:20:59 web201 postfix/smtpd[16868]: lost connection after AUTH from unknown[185.36.81.43]
Nov 12 20:20:59 web201 postfix/smtpd[16868]: disconnect from unknown[185.36.81.43]
Nov 12 20:22:00 web201 sSMTP[16916]: Unable to locate mail
Nov 12 20:22:00 web201 sSMTP[16916]: Cannot open mail:25
Nov 12 20:23:51 web201 postfix/smtpd[16955]: error: open database /etc/aliases.db: No such file or directory
Nov 12 20:23:51 web201 postfix/smtpd[16955]: connect from unknown[185.234.217.94]
Nov 12 20:23:53 web201 postfix/smtpd[16955]: warning: unknown[185.234.217.94]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:23:53 web201 postfix/smtpd[16955]: lost connection after AUTH from unknown[185.234.217.94]
Nov 12 20:23:53 web201 postfix/smtpd[16955]: disconnect from unknown[185.234.217.94]
Nov 12 20:24:34 web201 postfix/smtpd[16955]: connect from unknown[185.36.81.43]
Nov 12 20:24:36 web201 postfix/smtpd[16955]: warning: unknown[185.36.81.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:24:36 web201 postfix/smtpd[16955]: lost connection after AUTH from unknown[185.36.81.43]
Nov 12 20:24:36 web201 postfix/smtpd[16955]: disconnect from unknown[185.36.81.43]
Nov 12 20:25:00 web201 sSMTP[16987]: Unable to locate mail
Nov 12 20:25:00 web201 sSMTP[16987]: Cannot open mail:25
Nov 12 20:27:56 web201 postfix/anvil[16870]: statistics: max connection rate 1/60s for (smtp:185.36.81.43) at Nov 12 20:20:57
Nov 12 20:27:56 web201 postfix/anvil[16870]: statistics: max connection count 1 for (smtp:185.36.81.43) at Nov 12 20:20:57
Nov 12 20:27:56 web201 postfix/anvil[16870]: statistics: max cache size 2 at Nov 12 20:24:34
Nov 12 20:28:07 web201 postfix/smtpd[17130]: error: open database /etc/aliases.db: No such file or directory
Nov 12 20:28:07 web201 postfix/smtpd[17130]: connect from unknown[185.36.81.43]
Nov 12 20:28:09 web201 postfix/smtpd[17130]: warning: unknown[185.36.81.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:28:09 web201 postfix/smtpd[17130]: lost connection after AUTH from unknown[185.36.81.43]
Nov 12 20:28:09 web201 postfix/smtpd[17130]: disconnect from unknown[185.36.81.43]
Nov 12 20:29:17 web201 postfix/smtpd[17130]: connect from unknown[193.169.252.111]
Nov 12 20:29:19 web201 postfix/smtpd[17130]: warning: unknown[193.169.252.111]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:29:19 web201 postfix/smtpd[17130]: lost connection after AUTH from unknown[193.169.252.111]
Nov 12 20:29:19 web201 postfix/smtpd[17130]: disconnect from unknown[193.169.252.111]
Nov 12 20:30:00 web201 sSMTP[17182]: Unable to locate mail
Nov 12 20:30:00 web201 sSMTP[17182]: Cannot open mail:25
Nov 12 20:31:43 web201 postfix/smtpd[17279]: error: open database /etc/aliases.db: No such file or directory
Nov 12 20:31:43 web201 postfix/smtpd[17279]: connect from unknown[185.36.81.43]
Nov 12 20:31:45 web201 postfix/smtpd[17279]: warning: unknown[185.36.81.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:31:45 web201 postfix/smtpd[17279]: lost connection after AUTH from unknown[185.36.81.43]
Nov 12 20:31:45 web201 postfix/smtpd[17279]: disconnect from unknown[185.36.81.43]
Nov 12 20:33:00 web201 sSMTP[17310]: Unable to locate mail
Nov 12 20:33:00 web201 sSMTP[17310]: Cannot open mail:25
Nov 12 20:35:05 web201 postfix/anvil[17131]: statistics: max connection rate 1/60s for (smtp:185.36.81.43) at Nov 12 20:28:07
Nov 12 20:35:05 web201 postfix/anvil[17131]: statistics: max connection count 1 for (smtp:185.36.81.43) at Nov 12 20:28:07
Nov 12 20:35:05 web201 postfix/anvil[17131]: statistics: max cache size 1 at Nov 12 20:28:07
Nov 12 20:35:11 web201 postfix/smtpd[17406]: error: open database /etc/aliases.db: No such file or directory
Nov 12 20:35:11 web201 postfix/smtpd[17406]: warning: hostname no-reverse-dns-configured.com does not resolve to address 80.82.70.189
Nov 12 20:35:11 web201 postfix/smtpd[17406]: connect from unknown[80.82.70.189]
Nov 12 20:35:13 web201 postfix/smtpd[17406]: warning: unknown[80.82.70.189]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:35:13 web201 postfix/smtpd[17406]: disconnect from unknown[80.82.70.189]
Nov 12 20:35:19 web201 postfix/smtpd[17406]: connect from unknown[185.36.81.43]
Nov 12 20:35:22 web201 postfix/smtpd[17406]: warning: unknown[185.36.81.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:35:22 web201 postfix/smtpd[17406]: lost connection after AUTH from unknown[185.36.81.43]
Nov 12 20:35:22 web201 postfix/smtpd[17406]: disconnect from unknown[185.36.81.43]
Nov 12 20:37:01 web201 sSMTP[17460]: Unable to locate mail
Nov 12 20:37:01 web201 sSMTP[17460]: Cannot open mail:25
Nov 12 20:37:52 web201 postfix/smtpd[17478]: error: open database /etc/aliases.db: No such file or directory
Nov 12 20:37:52 web201 postfix/smtpd[17478]: connect from unknown[185.234.217.94]
Nov 12 20:37:55 web201 postfix/smtpd[17478]: warning: unknown[185.234.217.94]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:37:55 web201 postfix/smtpd[17478]: lost connection after AUTH from unknown[185.234.217.94]
Nov 12 20:37:55 web201 postfix/smtpd[17478]: disconnect from unknown[185.234.217.94]
Nov 12 20:38:55 web201 postfix/smtpd[17478]: connect from unknown[185.36.81.43]
Nov 12 20:38:57 web201 postfix/smtpd[17478]: warning: unknown[185.36.81.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:38:57 web201 postfix/smtpd[17478]: lost connection after AUTH from unknown[185.36.81.43]
Nov 12 20:38:57 web201 postfix/smtpd[17478]: disconnect from unknown[185.36.81.43]
Nov 12 20:39:01 web201 sSMTP[17511]: Unable to locate mail
Nov 12 20:39:01 web201 sSMTP[17511]: Cannot open mail:25
Nov 12 20:39:01 web201 sSMTP[17512]: Unable to locate mail
Nov 12 20:39:01 web201 sSMTP[17512]: Cannot open mail:25
Nov 12 20:39:01 web201 sSMTP[17513]: Unable to locate mail
Nov 12 20:39:01 web201 sSMTP[17513]: Cannot open mail:25
Nov 12 20:39:01 web201 sSMTP[17514]: Unable to locate mail
Nov 12 20:39:01 web201 sSMTP[17514]: Cannot open mail:25
Nov 12 20:39:01 web201 sSMTP[17515]: Unable to locate mail
Nov 12 20:39:01 web201 sSMTP[17515]: Cannot open mail:25
Nov 12 20:39:01 web201 sSMTP[17516]: Unable to locate mail
Nov 12 20:39:01 web201 sSMTP[17516]: Cannot open mail:25
Nov 12 20:39:01 web201 sSMTP[17517]: Unable to locate mail
Nov 12 20:39:01 web201 sSMTP[17517]: Cannot open mail:25
Nov 12 20:42:17 web201 postfix/anvil[17408]: statistics: max connection rate 1/60s for (smtp:80.82.70.189) at Nov 12 20:35:11
Nov 12 20:42:17 web201 postfix/anvil[17408]: statistics: max connection count 1 for (smtp:80.82.70.189) at Nov 12 20:35:11
Nov 12 20:42:17 web201 postfix/anvil[17408]: statistics: max cache size 2 at Nov 12 20:35:19
Nov 12 20:42:26 web201 sSMTP[17681]: Unable to locate mail
Nov 12 20:42:26 web201 sSMTP[17681]: Cannot open mail:25
Nov 12 20:42:29 web201 postfix/smtpd[17684]: error: open database /etc/aliases.db: No such file or directory
Nov 12 20:42:29 web201 postfix/smtpd[17684]: connect from unknown[185.36.81.43]
Nov 12 20:42:32 web201 postfix/smtpd[17684]: warning: unknown[185.36.81.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:42:32 web201 postfix/smtpd[17684]: lost connection after AUTH from unknown[185.36.81.43]
Nov 12 20:42:32 web201 postfix/smtpd[17684]: disconnect from unknown[185.36.81.43]
Nov 12 20:44:01 web201 sSMTP[17736]: Unable to locate mail
Nov 12 20:44:01 web201 sSMTP[17736]: Cannot open mail:25
Nov 12 20:45:01 web201 sSMTP[17812]: Unable to locate mail
Nov 12 20:45:01 web201 sSMTP[17812]: Cannot open mail:25
Nov 12 20:45:01 web201 sSMTP[17813]: Unable to locate mail
Nov 12 20:45:01 web201 sSMTP[17813]: Cannot open mail:25
Nov 12 20:45:01 web201 sSMTP[17814]: Unable to locate mail
Nov 12 20:45:01 web201 sSMTP[17814]: Cannot open mail:25
Nov 12 20:45:01 web201 sSMTP[17815]: Unable to locate mail
Nov 12 20:45:01 web201 sSMTP[17815]: Cannot open mail:25
Nov 12 20:45:01 web201 sSMTP[17816]: Unable to locate mail
Nov 12 20:45:01 web201 sSMTP[17816]: Cannot open mail:25
Nov 12 20:45:01 web201 sSMTP[17817]: Unable to locate mail
Nov 12 20:45:01 web201 sSMTP[17817]: Cannot open mail:25
Nov 12 20:45:01 web201 sSMTP[17818]: Unable to locate mail
Nov 12 20:45:01 web201 sSMTP[17818]: Cannot open mail:25
Nov 12 20:45:01 web201 sSMTP[17819]: Unable to locate mail
Nov 12 20:45:01 web201 sSMTP[17819]: Cannot open mail:25
Nov 12 20:45:01 web201 sSMTP[17820]: Unable to locate mail
Nov 12 20:45:01 web201 sSMTP[17820]: Cannot open mail:25
Nov 12 20:45:52 web201 postfix/anvil[17685]: statistics: max connection rate 1/60s for (smtp:185.36.81.43) at Nov 12 20:42:29
Nov 12 20:45:52 web201 postfix/anvil[17685]: statistics: max connection count 1 for (smtp:185.36.81.43) at Nov 12 20:42:29
Nov 12 20:45:52 web201 postfix/anvil[17685]: statistics: max cache size 1 at Nov 12 20:42:29
Nov 12 20:46:01 web201 sSMTP[17933]: Unable to locate mail
Nov 12 20:46:01 web201 sSMTP[17933]: Cannot open mail:25
Nov 12 20:46:01 web201 sSMTP[17934]: Unable to locate mail
Nov 12 20:46:01 web201 sSMTP[17934]: Cannot open mail:25
Nov 12 20:46:01 web201 sSMTP[17935]: Unable to locate mail
Nov 12 20:46:01 web201 sSMTP[17935]: Cannot open mail:25
Nov 12 20:46:01 web201 sSMTP[17936]: Unable to locate mail
Nov 12 20:46:01 web201 sSMTP[17936]: Cannot open mail:25
Nov 12 20:46:01 web201 sSMTP[17937]: Unable to locate mail
Nov 12 20:46:01 web201 sSMTP[17937]: Cannot open mail:25
Nov 12 20:46:01 web201 sSMTP[17938]: Unable to locate mail
Nov 12 20:46:01 web201 sSMTP[17938]: Cannot open mail:25
Nov 12 20:46:01 web201 sSMTP[17939]: Unable to locate mail
Nov 12 20:46:01 web201 sSMTP[17939]: Cannot open mail:25
Nov 12 20:46:01 web201 sSMTP[17940]: Unable to locate mail
Nov 12 20:46:01 web201 sSMTP[17940]: Cannot open mail:25
Nov 12 20:46:01 web201 sSMTP[17941]: Unable to locate mail
Nov 12 20:46:01 web201 sSMTP[17941]: Cannot open mail:25
Nov 12 20:46:05 web201 postfix/smtpd[17942]: error: open database /etc/aliases.db: No such file or directory
Nov 12 20:46:05 web201 postfix/smtpd[17942]: connect from unknown[185.36.81.43]
Nov 12 20:46:07 web201 postfix/smtpd[17942]: warning: unknown[185.36.81.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:46:07 web201 postfix/smtpd[17942]: lost connection after AUTH from unknown[185.36.81.43]
Nov 12 20:46:07 web201 postfix/smtpd[17942]: disconnect from unknown[185.36.81.43]
Nov 12 20:48:01 web201 sSMTP[18013]: Unable to locate mail
Nov 12 20:48:01 web201 sSMTP[18013]: Cannot open mail:25
Nov 12 20:48:01 web201 sSMTP[18014]: Unable to locate mail
Nov 12 20:48:01 web201 sSMTP[18014]: Cannot open mail:25
Nov 12 20:48:01 web201 sSMTP[18015]: Unable to locate mail
Nov 12 20:48:01 web201 sSMTP[18015]: Cannot open mail:25
Nov 12 20:49:01 web201 sSMTP[18082]: Unable to locate mail
Nov 12 20:49:01 web201 sSMTP[18082]: Cannot open mail:25
Nov 12 20:49:01 web201 sSMTP[18083]: Unable to locate mail
Nov 12 20:49:01 web201 sSMTP[18083]: Cannot open mail:25
Nov 12 20:49:01 web201 sSMTP[18084]: Unable to locate mail
Nov 12 20:49:01 web201 sSMTP[18084]: Cannot open mail:25
Nov 12 20:49:27 web201 postfix/anvil[17944]: statistics: max connection rate 1/60s for (smtp:185.36.81.43) at Nov 12 20:46:05
Nov 12 20:49:27 web201 postfix/anvil[17944]: statistics: max connection count 1 for (smtp:185.36.81.43) at Nov 12 20:46:05
Nov 12 20:49:27 web201 postfix/anvil[17944]: statistics: max cache size 1 at Nov 12 20:46:05
Nov 12 20:49:42 web201 postfix/smtpd[18104]: error: open database /etc/aliases.db: No such file or directory
Nov 12 20:49:42 web201 postfix/smtpd[18104]: connect from unknown[185.36.81.43]
Nov 12 20:49:44 web201 postfix/smtpd[18104]: warning: unknown[185.36.81.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:49:44 web201 postfix/smtpd[18104]: lost connection after AUTH from unknown[185.36.81.43]
Nov 12 20:49:44 web201 postfix/smtpd[18104]: disconnect from unknown[185.36.81.43]
Nov 12 20:51:01 web201 sSMTP[18208]: Unable to locate mail
Nov 12 20:51:01 web201 sSMTP[18208]: Cannot open mail:25
Nov 12 20:51:53 web201 postfix/smtpd[18244]: error: open database /etc/aliases.db: No such file or directory
Nov 12 20:51:53 web201 postfix/smtpd[18244]: connect from unknown[185.234.217.94]
Nov 12 20:51:55 web201 postfix/smtpd[18244]: warning: unknown[185.234.217.94]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:51:55 web201 postfix/smtpd[18244]: lost connection after AUTH from unknown[185.234.217.94]
Nov 12 20:51:55 web201 postfix/smtpd[18244]: disconnect from unknown[185.234.217.94]
Nov 12 20:52:01 web201 sSMTP[18250]: Unable to locate mail
Nov 12 20:52:01 web201 sSMTP[18250]: Cannot open mail:25
Nov 12 20:53:01 web201 sSMTP[18277]: Unable to locate mail
Nov 12 20:53:01 web201 sSMTP[18277]: Cannot open mail:25
Nov 12 20:53:01 web201 sSMTP[18280]: Unable to locate mail
Nov 12 20:53:01 web201 sSMTP[18280]: Cannot open mail:25

All emails are working fine btw. I and my users have no issues in sending and receiving emails
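Added example, not part of the original posts: a small triage script for a maillog like the one above. It separates the three patterns that are interleaved in the excerpt (failed SASL logins per source address, sSMTP processes that cannot reach their mail hub, and the missing alias database) and decodes the base64 tail of the SASL warning. The function names and the repeat threshold are assumptions made for this example; the sample lines are a selection copied from the posted log.

```python
import base64
import re
from collections import Counter

# A selection of lines copied from the maillog excerpt posted above.
SAMPLE_LOG = """\
Nov 12 20:35:11 web201 postfix/smtpd[17406]: error: open database /etc/aliases.db: No such file or directory
Nov 12 20:35:11 web201 postfix/smtpd[17406]: connect from unknown[80.82.70.189]
Nov 12 20:35:13 web201 postfix/smtpd[17406]: warning: unknown[80.82.70.189]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:35:13 web201 postfix/smtpd[17406]: disconnect from unknown[80.82.70.189]
Nov 12 20:35:19 web201 postfix/smtpd[17406]: connect from unknown[185.36.81.43]
Nov 12 20:35:22 web201 postfix/smtpd[17406]: warning: unknown[185.36.81.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:35:22 web201 postfix/smtpd[17406]: lost connection after AUTH from unknown[185.36.81.43]
Nov 12 20:37:01 web201 sSMTP[17460]: Unable to locate mail
Nov 12 20:37:01 web201 sSMTP[17460]: Cannot open mail:25
Nov 12 20:37:52 web201 postfix/smtpd[17478]: error: open database /etc/aliases.db: No such file or directory
Nov 12 20:37:55 web201 postfix/smtpd[17478]: warning: unknown[185.234.217.94]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:38:57 web201 postfix/smtpd[17478]: warning: unknown[185.36.81.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:39:01 web201 sSMTP[17511]: Unable to locate mail
Nov 12 20:39:01 web201 sSMTP[17511]: Cannot open mail:25
Nov 12 20:39:01 web201 sSMTP[17512]: Unable to locate mail
Nov 12 20:39:01 web201 sSMTP[17512]: Cannot open mail:25
Nov 12 20:39:01 web201 sSMTP[17513]: Unable to locate mail
Nov 12 20:39:01 web201 sSMTP[17513]: Cannot open mail:25
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s"
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
SASL_RE = re.compile(
    r"^warning: [^\[\s]+\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed:?\s*(?P<tail>\S*)"
)
SSMTP_RE = re.compile(r"^Cannot open (?P<hub>\S+):(?P<port>\d+)$")
MAP_RE = re.compile(r"^error: open database (?P<path>\S+): No such file or directory")


def decode_prompt(tail):
    """Return the decoded text if tail is base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(tail, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    if not text or not text.isprintable():
        return None
    return text


def triage(log_text):
    """Bucket maillog lines into the three failure patterns seen in the thread."""
    report = {
        "sasl_failures": Counter(),   # source IP -> failed AUTH attempts
        "sasl_prompts": Counter(),    # decoded tail of the warning -> count
        "ssmtp_failures": Counter(),  # "Mon DD HH:MM" -> sSMTP processes that failed
        "ssmtp_hubs": Counter(),      # "host:port" sSMTP tried to reach
        "missing_maps": Counter(),    # lookup table path Postfix could not open
        "unparsed": 0,
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            report["unparsed"] += 1
            continue
        prog, msg = m["prog"], m["msg"]
        if prog == "postfix/smtpd":
            sasl = SASL_RE.match(msg)
            if sasl:
                report["sasl_failures"][sasl["ip"]] += 1
                # UGFzc3dvcmQ6 decodes to "Password:", the LOGIN password prompt.
                report["sasl_prompts"][decode_prompt(sasl["tail"]) or sasl["tail"]] += 1
                continue
            missing = MAP_RE.match(msg)
            if missing:
                report["missing_maps"][missing["path"]] += 1
        elif prog == "sSMTP":
            hub = SSMTP_RE.match(msg)
            if hub:  # one "Cannot open" line per failed sSMTP process
                minute = m["ts"].rsplit(":", 1)[0]
                report["ssmtp_failures"][minute] += 1
                report["ssmtp_hubs"][f"{hub['hub']}:{hub['port']}"] += 1
    return report


def repeat_offenders(report, threshold=2):
    """Source addresses with at least `threshold` failed logins (threshold is an assumption)."""
    return sorted(ip for ip, n in report["sasl_failures"].items() if n >= threshold)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
    print("repeat offenders:", repeat_offenders(result))
```

On the sample, the sSMTP failures all point at the hub `mail:25` and arrive in bursts on the minute, while the SASL failures come from three remote addresses; the two streams are unrelated events sharing one log.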
#4
RE: Dead.letter growing fast
(11-13-2018, 06:00 AM)eirsik Wrote: Thanks for your reply.
I've checked the crontab, nothing there. Also checked sentora crontab.

I'm running vanilla Sentora. With a few simple addons such as, cert manager, ELFile manager, zGodx. No Sentora altering addons.

Here is the last hour of the maillog:

All emails are working fine btw. I and my users have no issues in sending and receiving emails

I'd say something is definitely trying to send logs via mail but it isn't working.

What values do you have for:


Code:
Admin > Sentora Config > Debug logging mode


and


Code:
Admin > Sentora Config > Mail method


?

Keith
#5
RE: Dead.letter growing fast
(11-13-2018, 05:08 AM)eirsik Wrote:
Code:
Time:    Sat Nov 10 22:24:25 2018 +0100
PID:     1576 (Parent PID:1243)
Account: postfix
Uptime:  89 seconds


Executable:

/usr/libexec/postfix/smtpd


Command Line (often faked in exploits):

smtpd -n smtp -t inet -u -o stress= -s 2


Network connections by the process (if any):

tcp: 0.0.0.0:25 -> 0.0.0.0:0
tcp6: 0.0.0.0:25 -> 0.0.0.0:0



It would appear to me smtpd is trying to make a connection on port 25 to the IP 0.0.0.0 -- which your system is alerting as suspicious.

I think you should look through your configs for any mail settings that may be empty or explicitly set with the IP 0.0.0.0 and correct it.

Did you make changes to postfix configs manually? Maybe configure SSL/TLS with Postfix? If you cannot find the settings in Sentora config, also look there. (Hint: /etc/sentora/configs/postfix/main.csf - "mynetworks" setting)

Have you installed CSF or CSF as a module?
If your email is sending and receiving mail okay and you are unable to locate the problem connection to 0.0.0.0:25 -- you can instruct CSF to ignore this message and prevent it from alerting you further while you investigate the cause.

Edit:
Code:
/etc/csf/csf.pignore
Note: The CSF module may place these settings within the Sentora config hierarchy.  You may need to adjust there.  I can't be sure since I do not have this module.


Add line:
Code:
exe:/usr/libexec/postfix/smtpd


Restart CSF service:
Code:
systemctl restart csf
Reply
Thanks given by:
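The csf.pignore edit from the post above as a re-runnable shell function, added here as an example (not part of the original post and not CSF's own tooling). It writes the entry in the `exe:/full/path` form that csf.pignore uses for executables; the function name `pignore_add` and the backup file naming are assumptions of this example.

```shell
#!/bin/sh
# pignore_add FILE EXE: add "exe:EXE" to a csf.pignore-style file exactly once.
# Returns 0 if the entry was added, 1 if it was already there, 2 on bad input.
pignore_add() {
    file=$1
    exe=$2
    case $exe in
        /*) ;;                                  # entries need the full path
        *) echo "need a full path, got: $exe" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    entry="exe:$exe"
    # -F fixed string, -x whole line: no regex or partial-line matches
    if grep -Fxq -- "$entry" "$file"; then
        return 1
    fi
    # keep a timestamped copy so the change can be reverted
    cp -p -- "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    printf '%s\n' "$entry" >> "$file"
}

# On the server (as root), followed by the restart given in the post:
#   pignore_add /etc/csf/csf.pignore /usr/libexec/postfix/smtpd && systemctl restart csf

# Demo on a constructed file, not the live /etc/csf/csf.pignore:
demo=$(mktemp)
echo '# constructed sample file' > "$demo"
pignore_add "$demo" /usr/libexec/postfix/smtpd && cat "$demo"
rm -f "$demo" "$demo".bak.*
```

The entry only stops lfd process-tracking reports for that one executable path; other lfd checks are unaffected.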
#6
RE: Dead.letter growing fast
(11-13-2018, 08:53 AM)fearworks Wrote: I'd say something is definitely trying to send logs via mail but it isn't working.

What values do you have for:


Code:
Admin > Sentora Config > Debug logging mode


and


Code:
Admin > Sentora Config > Mail method


?

Keith

Debug logging mode is set to: db

Mail method is set to: mail

I use whmcs for all system mails to users, including sentora panel password etc.
#7
RE: Dead.letter growing fast
(11-13-2018, 09:18 PM)eirsik Wrote: Debug logging mode is set to: db

Mail method is set to: mail

I use whmcs for all system mails to users, including sentora panel password etc.

I think you must have something trying to use the mail() function, or sendmail. I'm not an expert so not the best person to help you with this. If you're running WHMCS, maybe you have a customer/client who has recently installed a rogue script that's trying to do something on the server that it shouldn't? 

I've a feeling that it's not a Sentora issue though and is something else to do with your server, but I could be wrong. 

Good luck with it.

Keith
#8
RE: Dead.letter growing fast
(11-13-2018, 10:07 AM)republicus Wrote: It would appear to me smtpd is trying to make a connection on port 25 to the IP 0.0.0.0 -- which your system is alerting as suspicious.

I think you should look through your configs for any mail settings that may be empty or explicitly set with the IP 0.0.0.0 and correct it.

Did you make changes to postfix configs manually? Maybe configure SSL/TLS with Postfix? If you cannot find the settings in Sentora config, also look there. (Hint: /etc/sentora/configs/postfix/main.csf - "mynetworks" setting)

Have you installed CSF or CSF as a module?
If your email is sending and receiving mail okay and you are unable to locate the problem connection to 0.0.0.0:25 -- you can instruct CSF to ignore this message and prevent it from alerting you further while you investigate the cause.

Edit:
Code:
/etc/csf/csf.pignore
Note: The CSF module may place these settings within the Sentora config hierarchy.  You may need to adjust there.  I can't be sure since I do not have this module.


Add line:
Code:
exe:/usr/libexec/postfix/smtpd


Restart CSF service:
Code:
systemctl restart csf


Hi,

In main.cf the only IPs specified are the ones under mynetworks:

Code:
mynetworks = 127.0.0.1, 195.201.146.xxx, 176.9.3.xxx

I have modified the main.cf and master.cf to enable SSL on email server. But it has been working fine for months. It suddenly started doing this.
IP 0.0.0.0 is not mentioned anywhere. The closest is 127.0.0.1 which is in master.cf:

Code:
127.0.0.1:10025 inet n  -       y       -       -       smtpd
  -o mynetworks=127.0.0.0/8

Yes I have CSF installed. It's a great security addition :-)

Is it CSF who is dumping all these log entries into the dead.letter file?
#9
RE: Dead.letter growing fast
(11-13-2018, 09:25 PM)eirsik Wrote: Hi,

In main.cf the only IPs specified are the ones under mynetworks:

Code:
mynetworks = 127.0.0.1, 195.201.146.xxx, 176.9.3.xxx

I have modified the main.cf and master.cf to enable SSL on email server. But it has been working fine for months. It suddenly started doing this.
IP 0.0.0.0 is not mentioned anywhere. The closest is 127.0.0.1 which is in master.cf:

Code:
127.0.0.1:10025 inet n  -       y       -       -       smtpd
  -o mynetworks=127.0.0.0/8

Yes I have CSF installed. It's a great security addition :-)

Is it CSF who is dumping all these log entries into the dead.letter file?

It turns out POSTFIX should be listening to 0.0.0.0:25 and this is normal behavior:

Code:
[root@sentora-dev ~]# netstat -lnp | grep :25
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      612/master
tcp6       0      0 :::25                   :::*                    LISTEN      612/master
Note: netstat on CentOS requires yum install net-tools

Yes, it is CSF generating the alerts.
Reply
Thanks given by:
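A triage example for a large dead.letter, added here and not part of the original posts: it counts lfd reports per executable and separates listening sockets from real remote peers. It assumes the report layout pasted in this thread and that a remote port of 0 marks a listener; `summarize_lfd_reports`, `write_sample` and the second sample process are invented for the illustration.

```shell
#!/bin/sh
# Summarise lfd "Suspicious Process" reports in the format pasted in this thread.
# Assumption: a remote port of 0 ("-> 0.0.0.0:0") marks a listening socket.
# Output, one line per executable: <exe> reports=N listen=N peers=N
summarize_lfd_reports() {
    awk '
        /^Executable:/ { want_exe = 1; next }
        want_exe && NF { exe = $1; reports[exe]++; want_exe = 0; next }
        /^(tcp|tcp6|udp|udp6): / && $3 == "->" {
            n = split($4, part, ":")          # last piece is the remote port
            if (part[n] == "0") listen[exe]++; else peers[exe]++
        }
        END {
            for (e in reports)
                printf "%s reports=%d listen=%d peers=%d\n", e, reports[e], listen[e], peers[e]
        }
    ' "$1" | sort
}

# Constructed sample: two smtpd reports like the ones in the thread, plus an
# invented process with a real remote peer (documentation-range addresses).
write_sample() {
    cat > "$1" <<'EOF'
Executable:

/usr/libexec/postfix/smtpd
Network connections by the process (if any):
tcp: 0.0.0.0:25 -> 0.0.0.0:0
tcp6: 0.0.0.0:25 -> 0.0.0.0:0
Executable:

/usr/libexec/postfix/smtpd
Network connections by the process (if any):
tcp: 0.0.0.0:25 -> 0.0.0.0:0
Executable:

/usr/local/bin/example-agent
Network connections by the process (if any):
tcp: 198.51.100.5:51000 -> 192.0.2.10:443
EOF
}

sample=$(mktemp)
write_sample "$sample"
summarize_lfd_reports "$sample"
rm -f "$sample"
```

An executable whose reports show only `listen` entries on its expected service port is a daemon waiting for connections; a non-zero `peers` count is what deserves a closer look.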
#10
RE: Dead.letter growing fast
(11-14-2018, 08:25 AM)republicus Wrote: It turns out POSTFIX should be listening to 0.0.0.0:25 and this is normal behavior:

Code:
[root@sentora-dev ~]# netstat -lnp | grep :25
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      612/master
tcp6       0      0 :::25                   :::*                    LISTEN      612/master
Note: netstat on CentOS requires yum install net-tools

Yes, it is CSF generating the alerts.

Ah great.
So all this is normal behavior. Then to make it stop I should put postfix in the ignore file of CSF? I don't want to delete the file once a day to stop it from eating up my hard drive lol