How can I check if someone is using Postfix on my server?

Fri, 11/25/2011 - 13:29
pass

My upstream provider sent me a spam that apparently came from one of our servers. It is only used for mail and has no CMS or other applications on it, and everything is up-to-date for versions, yet when I check the processes running on this server, there are nearly 130 while the next server, with the same load and identical configuration and updates, has less than 70. The disk usage on the server is four times normal as well.

Here is what I see:

   13897 root 17:17 /usr/lib/postfix/master
      5366 postfix 20:10 smtpd -n smtp -t inet -u -c -o stress= -o smtpd_sasl_auth_enable=yes
      5368 postfix 20:10 anvil -l -t unix -u -c
      5369 postfix 20:10 trivial-rewrite -n rewrite -t unix -u -c
      5382 postfix 20:10 smtp -t unix -u -c
      5384 postfix 20:10 smtp -t unix -u -c
      5386 postfix 20:10 error -n retry -t unix -u -c
      5387 postfix 20:10 smtp -t unix -u -c
      5388 postfix 20:10 error -n retry -t unix -u -c
      5390 postfix 20:10 smtp -t unix -u -c
      5391 postfix 20:10 smtp -t unix -u -c
      5392 postfix 20:10 smtp -t unix -u -c
      5393 postfix 20:10 smtp -t unix -u -c
      5394 postfix 20:10 error -n retry -t unix -u -c
      5395 postfix 20:10 smtp -t unix -u -c
      5396 postfix 20:10 smtp -t unix -u -c
      5397 postfix 20:10 smtp -t unix -u -c
      5400 postfix 20:10 error -n retry -t unix -u -c
      5401 postfix 20:10 smtp -t unix -u -c
      5402 postfix 20:10 smtp -t unix -u -c
      5403 postfix 20:10 smtp -t unix -u -c
      5404 postfix 20:10 smtp -t unix -u -c
      5405 postfix 20:10 smtp -t unix -u -c
      5406 postfix 20:10 smtp -t unix -u -c
      5408 postfix 20:10 smtp -t unix -u -c
      5409 postfix 20:10 error -n retry -t unix -u -c
      5410 postfix 20:10 smtp -t unix -u -c
      5411 postfix 20:10 error -n retry -t unix -u -c
      5412 postfix 20:10 smtp -t unix -u -c
      5417 postfix 20:10 smtp -t unix -u -c
      5420 postfix 20:10 smtp -t unix -u -c
      5421 postfix 20:10 smtp -t unix -u -c
      5422 postfix 20:10 smtp -t unix -u -c
      5423 postfix 20:10 smtp -t unix -u -c
      5424 postfix 20:10 smtp -t unix -u -c
      5425 postfix 20:10 error -n retry -t unix -u -c
      5426 postfix 20:10 smtp -t unix -u -c
      5428 postfix 20:10 smtp -t unix -u -c
      5431 postfix 20:10 smtp -t unix -u -c
      5433 postfix 20:10 error -n retry -t unix -u -c
      5435 postfix 20:10 error -n retry -t unix -u -c
      5438 postfix 20:10 smtp -t unix -u -c
      5439 postfix 20:10 smtp -t unix -u -c
      5440 postfix 20:10 smtp -t unix -u -c
      5441 postfix 20:10 smtp -t unix -u -c
      5443 postfix 20:10 smtp -t unix -u -c
      5447 postfix 20:10 smtp -t unix -u -c
      5448 postfix 20:10 smtp -t unix -u -c
      5449 postfix 20:10 smtp -t unix -u -c
      5450 postfix 20:10 error -n retry -t unix -u -c
      5451 postfix 20:10 smtp -t unix -u -c
      5455 postfix 20:10 smtp -t unix -u -c
      5457 postfix 20:10 scache -l -t unix -u -c
      5473 postfix 20:11 smtp -t unix -u -c
      5497 postfix 20:11 smtp -t unix -u -c
      5498 postfix 20:11 smtp -t unix -u -c
      5499 postfix 20:11 trivial-rewrite -n rewrite -t unix -u -c
      5500 postfix 20:11 smtp -t unix -u -c
      5502 postfix 20:11 smtp -t unix -u -c
      5504 postfix 20:11 smtp -t unix -u -c
      5505 postfix 20:11 smtp -t unix -u -c
      5506 postfix 20:11 smtp -t unix -u -c
      5515 postfix 20:12 smtp -t unix -u -c
      5521 postfix 20:12 error -n retry -t unix -u -c
      5687 postfix 20:15 cleanup -z -t unix -u -c
      5689 postfix 20:15 bounce -z -n defer -t unix -u -c
      5690 postfix 20:15 bounce -z -n defer -t unix -u -c
      5691 postfix 20:15 bounce -z -n defer -t unix -u -c
      5692 postfix 20:15 bounce -z -n defer -t unix -u -c
      5693 postfix 20:15 bounce -z -n defer -t unix -u -c
      5694 postfix 20:15 bounce -z -n defer -t unix -u -c
      5695 postfix 20:15 bounce -z -n defer -t unix -u -c
      5696 postfix 20:15 bounce -z -n defer -t unix -u -c
      5697 postfix 20:15 bounce -z -n defer -t unix -u -c
      5698 postfix 20:15 bounce -z -n defer -t unix -u -c
      5699 postfix 20:15 bounce -z -n defer -t unix -u -c
      5700 postfix 20:15 bounce -z -n defer -t unix -u -c
      5702 postfix 20:15 bounce -z -n defer -t unix -u -c
      5704 postfix 20:15 bounce -z -t unix -u -c
      5705 postfix 20:15 bounce -z -t unix -u -c
      5706 postfix 20:15 cleanup -z -t unix -u -c
      5707 postfix 20:15 bounce -z -t unix -u -c
      5709 postfix 20:15 cleanup -z -t unix -u -c
      5710 postfix 20:15 bounce -z -t unix -u -c
      5711 postfix 20:15 cleanup -z -t unix -u -c
      5715 postfix 20:15 bounce -z -n defer -t unix -u -c
      5724 postfix 20:15 bounce -z -n defer -t unix -u -c
      5725 postfix 20:15 bounce -z -n defer -t unix -u -c
      5726 postfix 20:15 bounce -z -n defer -t unix -u -c
      5727 postfix 20:15 bounce -z -n defer -t unix -u -c
      15622 postfix 17:34 qmgr -l -t fifo -u
      15741 postfix 17:36 tlsmgr -l -t unix -u -c
      27677 postfix 18:57 pickup -l -t fifo -u -c
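
As an added example (not part of the original thread, and not Virtualmin's or Webmin's own code), the shell functions below take a `ps auxw`-style listing and count Postfix workers by daemon name. In Postfix, `smtp` workers are outbound delivery clients, `error -n retry` workers handle mail that could not be delivered and is being deferred, and `bounce -n defer` workers generate the resulting delay notices, so a listing dominated by those three is the signature of a large outbound run whose deliveries are failing, which is what a defender wants to spot from a listing like the one above. The sample listing is constructed; on a live host pipe the real `ps auxw` output into `postfix_summary`.

```shell
#!/bin/sh
# Added example: summarise Postfix child processes from a ps-style listing.
# SAMPLE_PS is a constructed "ps auxw" excerpt, not output from the thread's server.
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root     14174  0.0  0.2  37212  2292 ?        Ss   14:33   0:02 /usr/lib/postfix/master
postfix  15955  0.0  0.2  43568  2644 ?        S    14:46   0:00 smtp -t unix -u -c
postfix  15963  0.0  0.2  43568  2636 ?        S    14:46   0:00 smtp -t unix -u -c
postfix  15966  0.0  0.2  43568  2624 ?        S    14:46   0:00 smtp -t unix -u -c
postfix  24105  0.0  0.2  39272  2268 ?        S    15:53   0:00 error -n retry -t unix -u -c
postfix  26357  0.0  0.2  39308  2260 ?        S    16:13   0:00 bounce -z -n defer -t unix -u -c
postfix  25901  0.1  0.9  46784  9828 ?        S    16:06   0:00 qmgr -l -t fifo -u
postfix  26399  0.0  0.2  39276  2184 ?        S    16:13   0:00 pickup -l -t fifo -u -c
dovecot  17887  0.0  0.2  18708  2100 ?        S    15:08   0:00 pop3-login'

# postfix_summary: read a "ps auxw" listing on stdin and print "<daemon> <count>"
# for every process owned by the postfix user, most numerous first. In "ps auxw"
# output the COMMAND column starts at field 11, so $11 is the daemon name.
postfix_summary() {
    awk '$1 == "postfix" { count[$11]++ }
         END { for (d in count) print d, count[d] }' | sort -k2,2nr -k1,1
}

# postfix_outbound_flag THRESHOLD: succeed (exit 0) when the listing on stdin
# shows more outbound "smtp" delivery workers than THRESHOLD, so the check can
# drive a cron alert: ps auxw | postfix_outbound_flag 20 && mail -s ... admin
postfix_outbound_flag() {
    threshold=$1
    n=$(awk '$1 == "postfix" && $11 == "smtp" { n++ } END { print n+0 }')
    [ "$n" -gt "$threshold" ]
}

# Stand-alone run on the constructed sample: prints "smtp 3" first, then the
# single bounce, error, pickup and qmgr workers.
printf '%s\n' "$SAMPLE_PS" | postfix_summary
```

On the thread's first listing the same summary would show dozens of `smtp` workers beside a block of `error -n retry` and `bounce -n defer` workers, while the mail queue reports zero, which is itself a useful hint: the queue is being drained as fast as it is filled, so the source has to be found in the mail log rather than in the queue.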
Fri, 11/25/2011 - 18:34
andreychek

Howdy,

Yeah, those are a lot of Postfix related processes. You may want to take a look at the mail queue, and see what all is in there.

You can do that by going into Webmin -> Postfix -> Mail Queue. From there, you can view the messages and their headers, which you can use to determine what is generating those messages.

-Eric

Sat, 11/26/2011 - 09:01
pass

I should have mentioned that already. The Mail Queue always shows zero messages.

Mon, 11/28/2011 - 09:15
andreychek

Hmm, that's an unusual number of processes to always have 0 messages in the mail queue. We can take a look at a few other things though --

  • Could you attach a file containing the output of "ps auxw" on your server?

  • What does this command show: free -m

  • And this command too: uptime

  • Lastly, what does this show: mailq | tail -1

Mon, 11/28/2011 - 09:21
pass
ps auxw
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  23320  1592 ?        Ss   Nov25   0:01 init
root      1184  0.0  0.0  21084  1020 ?        Ss   Nov25   0:01 cron
syslog    1217  0.0  0.0  12456   808 ?        Ss   Nov25   2:07 /sbin/syslogd -u syslog
postgres  1278  0.0  0.6 100916  6600 ?        S    Nov25   0:01 /usr/lib/postgresql/8.4/bin/postgres -D /var/lib/postgresql/8.4/mai
postgres  1289  0.0  0.1 100916  1756 ?        Ss   Nov25   0:09 postgres: writer process
postgres  1290  0.0  0.1 100916  1536 ?        Ss   Nov25   0:07 postgres: wal writer process
postgres  1291  0.0  0.1 101052  1832 ?        Ss   Nov25   0:08 postgres: autovacuum launcher process
postgres  1294  0.0  0.1  72456  1508 ?        Ss   Nov25   0:04 postgres: stats collector process
clamav    1611  0.0 13.9 227996 146736 ?       Ssl  Nov25   0:38 /usr/sbin/clamd
clamav    1708  0.0  0.1  42868  2048 ?        Ss   Nov25   0:00 /usr/bin/freshclam -d --quiet
root      1926  0.0  1.5  72576 16192 ?        Ss   Nov25   0:00 /usr/bin/perl /usr/share/usermin/miniserv.pl /etc/usermin/miniserv.
root      1938  0.0  0.0  19532   940 ?        Ss   Nov25   0:00 /usr/sbin/xinetd -pidfile /var/run/xinetd.pid -stayalive -inetd_com
root      1963  0.0  2.5 204548 26332 ?        Ss   Nov25   0:03 /usr/sbin/apache2 -k start
root      1987  0.0  5.4 123188 56784 ?        Ss   Nov25   0:17 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.co
root      5518  0.0  0.2  49268  2580 ?        Ss   Nov25   0:01 /usr/sbin/sshd -D
mysql     5546  0.0  2.3 178096 24268 ?        Ssl  Nov25   0:14 /usr/sbin/mysqld
root      5760  0.0  4.6 153796 48868 ?        Ssl  Nov25   0:13 /usr/sbin/named -c /etc/bind/named.conf
proftpd   7256  0.0  0.1  69820  1908 ?        Ss   Nov27   0:07 proftpd: (accepting connections)
www-data  7540  0.0  0.7 201892  7484 ?        S    Nov27   0:00 /usr/sbin/apache2 -k start
www-data  7541  0.0  0.9 205572 10260 ?        S    Nov27   0:00 /usr/sbin/apache2 -k start
www-data  7542  0.0  0.9 205572 10252 ?        S    Nov27   0:00 /usr/sbin/apache2 -k start
www-data  7543  0.0  0.9 205572 10260 ?        S    Nov27   0:00 /usr/sbin/apache2 -k start
www-data  7544  0.0  0.9 205572 10248 ?        S    Nov27   0:00 /usr/sbin/apache2 -k start
www-data  7545  0.0  0.9 205572 10252 ?        S    Nov27   0:00 /usr/sbin/apache2 -k start
www-data  7947  0.0  0.9 205572 10252 ?        S    Nov27   0:00 /usr/sbin/apache2 -k start
root     14019  0.0  4.7 112728 49420 ?        Ss   14:33   0:01 /usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -
root     14057  0.0  5.8 124424 61780 ?        S    14:33   0:05 spamd child
root     14058  0.0  5.5 120488 57868 ?        S    14:33   0:04 spamd child
root     14174  0.0  0.2  37212  2292 ?        Ss   14:33   0:02 /usr/lib/postfix/master
postfix  14287  0.0  0.3  41788  3180 ?        S    14:33   0:00 tlsmgr -l -t unix -u -c
root     14299  0.0  0.0  16912   792 ?        Ss   14:33   0:00 /usr/sbin/dovecot
root     14300  0.0  0.3  75208  3420 ?        S    14:33   0:00 dovecot-auth
root     14301  0.0  0.3  75836  3352 ?        S    14:33   0:00 dovecot-auth -w
dovecot  15440  0.0  0.2  18724  2116 ?        S    14:34   0:00 imap-login
dovecot  15441  0.0  0.2  18724  2116 ?        S    14:34   0:00 imap-login
dovecot  15442  0.0  0.2  18724  2120 ?        S    14:34   0:00 imap-login
root     15474  0.0  0.3  70632  3308 ?        Ss   14:35   0:00 sshd: root@ttyp0
root     15495  0.0  0.1  17908  1980 ttyp0    Ss   14:35   0:00 -bash
postfix  15955  0.0  0.2  43568  2644 ?        S    14:46   0:00 smtp -t unix -u -c
postfix  15963  0.0  0.2  43568  2636 ?        S    14:46   0:00 smtp -t unix -u -c
postfix  15966  0.0  0.2  43568  2624 ?        S    14:46   0:00 smtp -t unix -u -c
postfix  15967  0.0  0.2  43568  2628 ?        S    14:46   0:00 smtp -t unix -u -c
postfix  15979  0.0  0.2  43568  2640 ?        S    14:46   0:00 smtp -t unix -u -c
postfix  15981  0.0  0.2  43568  2640 ?        S    14:46   0:00 smtp -t unix -u -c
postfix  15989  0.0  0.2  43568  2644 ?        S    14:46   0:00 smtp -t unix -u -c
postfix  15990  0.0  0.2  44460  2648 ?        S    14:46   0:00 smtp -t unix -u -c
postfix  15993  0.0  0.2  43568  2636 ?        S    14:46   0:00 smtp -t unix -u -c
postfix  15998  0.0  0.2  44460  2640 ?        S    14:46   0:00 smtp -t unix -u -c
postfix  16010  0.0  0.2  43568  2636 ?        S    14:46   0:00 smtp -t unix -u -c
postfix  16016  0.0  0.2  43568  2616 ?        S    14:46   0:00 smtp -t unix -u -c
postfix  17411  0.0  0.2  43568  2644 ?        S    14:57   0:00 smtp -t unix -u -c
postfix  17438  0.0  0.2  43568  2632 ?        S    14:57   0:00 smtp -t unix -u -c
postfix  17442  0.0  0.2  43568  2632 ?        S    14:57   0:00 smtp -t unix -u -c
postfix  17444  0.0  0.2  43568  2640 ?        S    14:57   0:00 smtp -t unix -u -c
postfix  17448  0.0  0.2  43568  2644 ?        S    14:57   0:00 smtp -t unix -u -c
postfix  17586  0.0  0.2  43568  2644 ?        S    15:02   0:00 smtp -t unix -u -c
postfix  17587  0.0  0.2  43568  2632 ?        S    15:02   0:00 smtp -t unix -u -c
postfix  17588  0.0  0.2  43568  2636 ?        S    15:02   0:00 smtp -t unix -u -c
dovecot  17887  0.0  0.2  18708  2100 ?        S    15:08   0:00 pop3-login
dovecot  17888  0.0  0.1  18708  2096 ?        S    15:08   0:00 pop3-login
dovecot  17889  0.0  0.1  18708  2096 ?        S    15:08   0:00 pop3-login
dovecot  17890  0.0  0.2  18708  2100 ?        S    15:08   0:00 pop3-login
dovecot  17911  0.0  0.1  18708  2096 ?        S    15:09   0:00 pop3-login
dovecot  17912  0.0  0.2  18708  2100 ?        S    15:09   0:00 pop3-login
dovecot  17913  0.0  0.2  18708  2100 ?        S    15:09   0:00 pop3-login
dovecot  17915  0.0  0.2  18708  2100 ?        S    15:09   0:00 pop3-login
dovecot  17916  0.0  0.2  18708  2100 ?        S    15:09   0:00 pop3-login
dovecot  17917  0.0  0.2  18708  2100 ?        S    15:09   0:00 pop3-login
dovecot  17918  0.0  0.2  18708  2100 ?        S    15:09   0:00 pop3-login
dovecot  17919  0.0  0.2  18708  2100 ?        S    15:09   0:00 pop3-login
dovecot  17920  0.0  0.1  18708  2096 ?        S    15:09   0:00 pop3-login
postfix  18196  0.0  0.2  43568  2608 ?        S    15:19   0:00 smtp -t unix -u -c
postfix  18200  0.0  0.2  44460  2648 ?        S    15:19   0:00 smtp -t unix -u -c
postfix  18202  0.0  0.2  43568  2632 ?        S    15:19   0:00 smtp -t unix -u -c
postfix  18203  0.0  0.2  43568  2636 ?        S    15:19   0:00 smtp -t unix -u -c
postfix  18390  0.0  0.2  43568  2628 ?        S    15:25   0:00 smtp -t unix -u -c
postfix  18398  0.0  0.4  63304  4572 ?        S    15:25   0:00 smtpd -n smtp -t inet -u -c -o stress= -o smtpd_sasl_auth_enable=ye
postfix  23706  0.0  0.2  43568  2632 ?        S    15:46   0:00 smtp -t unix -u -c
postfix  23707  0.0  0.2  43568  2644 ?        S    15:46   0:00 smtp -t unix -u -c
postfix  23843  0.0  0.2  39276  2272 ?        S    15:48   0:00 anvil -l -t unix -u -c
postfix  24101  0.0  0.2  43568  2632 ?        S    15:53   0:00 smtp -t unix -u -c
postfix  24105  0.0  0.2  39272  2268 ?        S    15:53   0:00 error -n retry -t unix -u -c
postfix  24106  0.0  0.2  43568  2632 ?        S    15:53   0:00 smtp -t unix -u -c
postfix  24107  0.0  0.2  39484  2828 ?        S    15:53   0:00 trivial-rewrite -n rewrite -t unix -u -c
postfix  24112  0.0  0.2  43568  2632 ?        S    15:53   0:00 smtp -t unix -u -c
postfix  24114  0.0  0.2  43568  2632 ?        S    15:53   0:00 smtp -t unix -u -c
postfix  24115  0.0  0.2  43568  2632 ?        S    15:53   0:00 smtp -t unix -u -c
postfix  24117  0.0  0.2  43568  2640 ?        S    15:53   0:00 smtp -t unix -u -c
postfix  24118  0.0  0.2  44460  2628 ?        S    15:53   0:00 smtp -t unix -u -c
postfix  24133  0.0  0.2  43568  2624 ?        S    15:54   0:00 smtp -t unix -u -c
postfix  24134  0.0  0.2  43568  2620 ?        S    15:54   0:00 smtp -t unix -u -c
postfix  24137  0.0  0.2  43568  2628 ?        S    15:54   0:00 smtp -t unix -u -c
postfix  24138  0.0  0.2  43568  2632 ?        S    15:54   0:00 smtp -t unix -u -c
postfix  24193  0.0  0.2  39272  2272 ?        S    15:55   0:00 error -n retry -t unix -u -c
postfix  24195  0.0  0.2  39272  2268 ?        S    15:55   0:00 error -n retry -t unix -u -c
postfix  25901  0.1  0.9  46784  9828 ?        S    16:06   0:00 qmgr -l -t fifo -u
postfix  25904  0.0  0.2  43568  2604 ?        S    16:06   0:00 smtp -t unix -u -c
postfix  25905  0.0  0.2  43568  2616 ?        S    16:06   0:00 smtp -t unix -u -c
postfix  25906  0.0  0.2  43568  2624 ?        S    16:06   0:00 smtp -t unix -u -c
postfix  25910  0.0  0.2  44460  2620 ?        S    16:06   0:00 smtp -t unix -u -c
postfix  25941  0.0  0.2  39272  2264 ?        S    16:07   0:00 error -n retry -t unix -u -c
postfix  25942  0.0  0.2  39272  2264 ?        S    16:07   0:00 error -n retry -t unix -u -c
postfix  25943  0.0  0.2  40164  2264 ?        S    16:07   0:00 error -n retry -t unix -u -c
postfix  26005  0.0  0.2  39272  2268 ?        S    16:08   0:00 error -n retry -t unix -u -c
postfix  26006  0.0  0.2  39272  2264 ?        S    16:08   0:00 error -n retry -t unix -u -c
postfix  26073  0.0  0.3  39892  3200 ?        S    16:08   0:00 cleanup -z -t unix -u -c
www-data 26086  0.0  1.0 205572 10584 ?        S    08:09   0:00 /usr/sbin/apache2 -k start
postfix  26106  0.0  0.2  39272  2192 ?        S    16:09   0:00 error -n retry -t unix -u -c
postfix  26357  0.0  0.2  39308  2260 ?        S    16:13   0:00 bounce -z -n defer -t unix -u -c
postfix  26358  0.0  0.2  39308  2300 ?        S    16:13   0:00 bounce -z -n defer -t unix -u -c
postfix  26399  0.0  0.2  39276  2184 ?        S    16:13   0:00 pickup -l -t fifo -u -c
root     26407  0.0  0.1  14980  1116 ttyp0    R+   16:14   0:00 ps auxw
www-data 30204  0.0  1.0 205572 10608 ?        S    Nov27   0:00 /usr/sbin/apache2 -k start
free -m
             total       used       free     shared    buffers     cached
Mem:          1024        755        268          0          0          0
-/+ buffers/cache:        755        268
Swap:         1024          1       1022

uptime
16:16:32 up 2 days, 23:47, 1 user, load average: 0.07, 0.14, 0.09

mailq | tail -1
mailq: fatal: inet_addr_local[getifaddrs]: getifaddrs: Cannot allocate memory

Mon, 11/28/2011 - 10:08
andreychek

Hmm, are you using a VPS of some sort? If so, do you know what kind of VPS it is?

-Eric

Mon, 11/28/2011 - 10:15
pass

The provider supplies a Plesk environment, but I did not install any of it. I did a login via SSH and installed Virtualmin on two server instances, and both of them have run extremely well until last week.

Last week, like an idiot, we made a test account using test.com, login test and password test. Within a few minutes we had two sessions logged in from Eastern Europe and one from Iran! We deleted the test account, but since then, Postfix has been 'sick'.

Perhaps it is a coincidence, but perhaps it is not!

Mon, 11/28/2011 - 12:20
andreychek

Hmm, well, I guess what I mean is -- is your system a dedicated server? Or is your system a VPS?

You have plenty of RAM available, and not many processes are running, so I'm trying to come up with alternative causes for the errors you're getting.

Also, what is the output of this command:

grep postfix /etc/security/limits.conf

Mon, 11/28/2011 - 12:29
pass

It is a VPS, and I have zip! in the file.

# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - an user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#        - the wildcard %, can be also used with %group syntax,
#                 for maxlogin limit
#        - NOTE: group and wildcard limits are not applied to root.
#          To apply a limit to the root user, <domain> must be
#          the literal username root.
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open files
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit (KB)
#        - maxlogins - max number of logins for this user
#        - maxsyslogins - max number of logins on the system
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#        - sigpending - max number of pending signals
#        - msgqueue - max memory used by POSIX message queues (bytes)
#        - nice - max nice priority allowed to raise to values: [-20, 19]
#        - rtprio - max realtime priority
#        - chroot - change root to directory (Debian-specific)
#
#<domain>      <type>  <item>         <value>
#

#*               soft    core            0
#root            hard    core            100000
#*               hard    rss             10000
#@student        hard    nproc           20
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
#ftp             -       chroot          /ftp
#@student        -       maxlogins       4

# End of file
Mon, 11/28/2011 - 12:52
andreychek

It is a VPS, and I have zip! in the file.

Okay, not having anything in that file is good, that means it's not that :-)

Do you know what kind of VPS software your provider uses? Some examples are Xen, KVM, and OpenVZ.

-Eric

Wed, 11/30/2011 - 05:07
pass

They are using Virtuozzo.

Wed, 11/30/2011 - 09:23
andreychek

Hmm, I think Virtuozzo uses the user_beancounters file for showing your various limits.

If you type this command, what output do you receive:

cat /proc/user_beancounters

Wed, 11/30/2011 - 14:32
pass
cat /proc/user_beancounters
Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
    54811:  kmemsize                 19420449             19633970             96636764            107374182                    0
            lockedpages                     0                    0                 2059                 2059                    0
            privvmpages                214418               214706               524288               550502                    0
            shmpages                    11115                11115                65536                65536                    0
            dummy                           0                    0  9223372036854775807  9223372036854775807                    0
            numproc                        82                   83                  500                  500                    0
            physpages                  139318               139371                    0  9223372036854775807                    0
            vmguarpages                     0                    0               262144  9223372036854775807                    0
            oomguarpages               139567               139620  9223372036854775807  9223372036854775807                    0
            numtcpsock                     27                   27                  550                  550                    0
            numflock                       14                   15                 1000                 1100                    0
            numpty                          1                    1                  102                  102                    0
            numsiginfo                      0                    2                 1024                 1024                    0
            tcpsndbuf                  402592               402592              5280000              7392000                    0
            tcprcvbuf                  409600               409600              5280000              7392000                    0
            othersockbuf               316560               316560              3840000              5376000                    0
            dgramrcvbuf                     0                 4656              3584000              3584000                    0
            numothersock                  180                  181                  400                  400              3187117
            dcachesize                1224456              1231968             14495514             16106127                    0
            numfile                      3437                 3493                17600                17600                    0
            dummy                           0                    0                    0                    0                    0
            dummy                           0                    0                    0                    0                    0
            dummy                           0                    0                    0                    0                    0
            numiptent                      24                   24  9223372036854775807  9223372036854775807                    0
Wed, 11/30/2011 - 15:13
andreychek

Howdy,

Okay, so, you can look at the "failcnt" field in that output to see any resource limits that are being reached.

In your case, the "numothersock" has quite a few failures, which may explain the problems you're seeing.

That parameter is described here:

http://wiki.openvz.org/Numothersock#numothersock

You seem to have a bunch of Postfix and Dovecot processes running, which could be contributing to that. What I would do for starters is to simply restart those two processes:

/etc/init.d/postfix restart
/etc/init.d/dovecot restart

After that, are you able to run this command:

mailq | tail -1 mailq

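As an added example (not from the thread, and not OpenVZ's or Virtuozzo's own tooling), the shell functions below read `/proc/user_beancounters`-style text and pull out the two things worth acting on: rows whose `failcnt` is non-zero, meaning the container has already been refused that resource, and rows whose `held` value is close to the `barrier`, meaning the next burst of Postfix or Dovecot children will push it over. The columns are, in order, `held` (current use), `maxheld` (peak), `barrier` and `limit` (the soft and hard caps) and `failcnt` (refusals so far); a value of 9223372036854775807 marks an unlimited resource. The sample is constructed with an invented uid and mirrors the layout of the output posted above; on a live container run `ubc_failing < /proc/user_beancounters`.

```shell
#!/bin/sh
# Added example: find resources that are failing or nearly exhausted in a
# /proc/user_beancounters listing. SAMPLE_UBC is a constructed sample (invented
# uid, abridged rows) in the same layout as the real file.
SAMPLE_UBC='Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
     12345:  kmemsize                 19420449             19633970             96636764            107374182                    0
            numproc                        82                   83                  500                  500                    0
            numtcpsock                     27                   27                  550                  550                    0
            numothersock                  180                  181                  400                  400              3187117
            numfile                      3437                 3493                17600                17600                    0
            dcachesize                1224456              1231968             14495514             16106127                    0
            numiptent                      24                   24  9223372036854775807  9223372036854775807                    0'

# ubc_failing: print "resource failcnt" for every row whose failcnt is non-zero.
# The first data row carries a leading "uid:" field, so columns are addressed
# from the right ($NF is failcnt, $(NF-5) is the resource name) to cope with both
# 6- and 7-field rows. Lines 1-2 are the version and header lines.
ubc_failing() {
    awk 'NR > 2 && $NF + 0 > 0 { print $(NF-5), $NF }'
}

# ubc_near_barrier PCT: print "resource held barrier percent" for rows whose held
# value is at or above PCT percent of the barrier. Rows with a barrier of 0 or
# the 9223372036854775807 "unlimited" marker are skipped.
ubc_near_barrier() {
    awk -v pct="$1" 'NR > 2 {
        held = $(NF-4) + 0; barrier = $(NF-2) + 0
        if (barrier <= 0 || barrier >= 9e18) next
        used = held * 100 / barrier
        if (used >= pct) printf "%s %d %d %d\n", $(NF-5), held, barrier, used
    }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_UBC" | ubc_failing           # numothersock 3187117
printf '%s\n' "$SAMPLE_UBC" | ubc_near_barrier 40   # numothersock 180 400 45
```

`numothersock` counts non-TCP sockets, which on a mail host is mostly the Unix-domain sockets Postfix uses between `master` and its `smtp`, `cleanup`, `bounce` and `trivial-rewrite` children, plus those of Dovecot's login processes, so a pile of outbound workers is exactly what drives that counter into the barrier and produces the `getifaddrs: Cannot allocate memory` failure `mailq` reported.
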
Wed, 11/30/2011 - 17:45
pass

I did restart each, but the numbers actually increased, to 70 from 64 processes.

The mailq command did not work - perhaps I am in the wrong directory?

mailq | tail -1 mailq
tail: cannot open `mailq' for reading: No such file or directory

Here is my mail queue:

-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
55017103F5308    37114 Wed Nov 30 21:45:46  MAILER-DAEMON
(host mail.scadian.net[69.60.117.17] said: 450 4.7.1 <my.domainname.com>: Helo command rejected: Host not found (in reply to RCPT TO command))
                                         atlantianmissile-request@scadian.net

-- 36 Kbytes in 1 Request.

   1962 root Nov28 /usr/sbin/apache2 -k start
      10097 www-data Nov30 /usr/sbin/apache2 -k start
      10098 www-data Nov30 /usr/sbin/apache2 -k start
      10099 www-data Nov30 /usr/sbin/apache2 -k start
      10100 www-data Nov30 /usr/sbin/apache2 -k start
      10101 www-data Nov30 /usr/sbin/apache2 -k start
      10102 www-data Nov30 /usr/sbin/apache2 -k start
      11822 www-data Nov30 /usr/sbin/apache2 -k start
      22340 www-data Nov30 /usr/sbin/apache2 -k start
   3834 syslog Nov29 /sbin/syslogd -u syslog
   5942 root 00:26 /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf
      5943 root 00:26 dovecot-auth
      5945 root 00:26 dovecot-auth -w
      5947 dovecot 00:27 pop3-login
      5949 dovecot 00:27 imap-login
      5950 dovecot 00:27 imap-login
      5951 dovecot 00:27 imap-login
      7243 dovecot 00:30 pop3-login
      7246 dovecot 00:30 pop3-login
   6125 root 00:27 /usr/lib/postfix/master
      6127 postfix 00:27 qmgr -l -t fifo -u
      6128 postfix 00:27 pickup -l -t fifo -u -c
      7208 postfix 00:29 tlsmgr -l -t unix -u -c
      7209 postfix 00:29 anvil -l -t unix -u -c
      7210 postfix 00:29 trivial-rewrite -n rewrite -t unix -u -c
      7252 postfix 00:31 cleanup -z -t unix -u -c
      7432 postfix 00:32 local -t unix
   9535 proftpd Nov29 proftpd: (accepting connections)
   15561 postgrey Nov30 /usr/sbin/postgrey --pidfile=/var/run/postgrey.pid --daemonize --inet=10023
   15723 dkim-filter Nov30 /usr/sbin/dkim-filter -b v -x /etc/dkim-filter.conf -u dkim-filter -P /var/run/d ...
   18216 root Nov30 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
      7508 root 00:33 /usr/share/webmin/proc/index_tree.cgi
         7510 root 00:33 sh -c ps --cols 2048 -eo user:80,ruser:80,group:80,rgroup:80,pid,ppid,pgid,pcpu, ...
            7511 root 00:33 ps --cols 2048 -eo user:80,ruser:80,group:80,rgroup:80,pid,ppid,pgid,pcpu,vsz,ni ...
   19486 root Nov30 /usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -d --pidfile=/ ...
      1144 root Nov30 spamd child
      19488 root Nov30 spamd child
Wed, 11/30/2011 - 17:48
pass

Is it standard to show the IMAP login? There are POP3 logins only from a single machine every 20 minutes, so I do not understand why there appears to be several imap-login entries.

Wed, 11/30/2011 - 19:33
andreychek

The mailq command did not work - perhaps I am in the wrong directory?

Whoops, that's a typo on my part. The command I was looking for is actually this:

mailq | tail -1

Somehow, a second "mailq" ended up in the command I originally typed.

However, you did show what I was interested in -- how many messages in your mail queue there are, which is just one.

Is it standard to show the IMAP login?

Yup, you should see some of those.

You can take a look at /var/log/maillog or /var/log/mail.log to see if someone is logging in via IMAP.

But, I only see 5 of those processes, that's not too many.

I did restart each but the numbers actually increased, to 70 from 64 process.

What I'd actually look for is to determine if you have less open sockets.

If you look at your /proc/user_beancounters file again, check out the "numothersock" row -- you had 180 in use previously, what number are you seeing in the "held" column now?

It seems to be better, as "mailq" actually runs without generating an error now :-)

-Eric

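The log check suggested above, as an added example (not from the thread, and not Virtualmin's own code): the shell functions below read `/var/log/mail.log`-style lines, pick out Dovecot `imap-login`/`pop3-login` entries and Postfix `smtpd` SASL authentications, and report, per account, how many logins there were and from how many distinct source addresses. An account that authenticates from many addresses in a short window is the pattern the earlier post describes for the leaked test account, and it is visible in the mail log even when the queue shows nothing. The line formats are those of Dovecot 1.x (`user=<name>` and `rip=` fields) and Postfix `smtpd` (`client=host[ip]` and `sasl_username=`); the sample lines and addresses are constructed.

```shell
#!/bin/sh
# Added example: per-account login sources from Dovecot and Postfix SASL log lines.
# SAMPLE_MAILLOG is a constructed sample; the addresses are documentation ranges.
SAMPLE_MAILLOG='Nov 25 13:02:11 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Nov 25 13:05:42 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.5
Nov 25 13:06:03 mail postfix/smtpd[5366]: 1A2B3C4D5E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=test
Nov 25 13:06:09 mail postfix/smtpd[5366]: 2B3C4D5E6F: client=unknown[203.0.113.8], sasl_method=LOGIN, sasl_username=test
Nov 25 13:07:15 mail postfix/smtpd[5367]: 3C4D5E6F7A: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=test
Nov 25 13:09:30 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Nov 25 13:10:01 mail postfix/smtpd[5368]: 4D5E6F7A8B: client=mail.example.org[192.0.2.30], sasl_method=PLAIN, sasl_username=alice'

# login_sources: read mail.log lines on stdin and print, per account,
# "<user> <distinct source addresses> <total logins> <comma-separated addresses>".
login_sources() {
    awk '
    # Dovecot 1.x login line: user=<name> ... rip=<remote ip>
    /dovecot: (imap|pop3)-login: Login:/ {
        u = $0; sub(/.*user=</, "", u); sub(/>.*/, "", u)
        ip = $0; sub(/.*rip=/, "", ip); sub(/[,[:space:]].*/, "", ip)
        record(u, ip)
    }
    # Postfix smtpd SASL line: client=<host>[<ip>] ... sasl_username=<name>
    /postfix\/smtpd\[[0-9]+\]:.*sasl_username=/ {
        u = $0; sub(/.*sasl_username=/, "", u); sub(/[,[:space:]].*/, "", u)
        ip = $0; sub(/.*client=[^[]*\[/, "", ip); sub(/\].*/, "", ip)
        record(u, ip)
    }
    function record(user, addr) {
        logins[user]++
        if (!((user, addr) in seen)) {
            seen[user, addr] = 1
            nips[user]++
            ips[user] = ips[user] (ips[user] ? "," : "") addr
        }
    }
    END { for (u in logins) print u, nips[u], logins[u], ips[u] }' | sort
}

# login_spread_alert MAX: print "<user> <distinct addresses>" for accounts that
# authenticated from more than MAX distinct addresses in the input.
login_spread_alert() {
    login_sources | awk -v max="$1" '$2 > max { print $1, $2 }'
}

# Stand-alone run on the constructed sample: "test" shows up with three
# addresses for three logins, the pattern worth following up on.
printf '%s\n' "$SAMPLE_MAILLOG" | login_sources
printf '%s\n' "$SAMPLE_MAILLOG" | login_spread_alert 2
```

On a live host, `login_spread_alert 3 < /var/log/mail.log` (or the rotated `mail.log.1`) gives the short list of accounts to disable or re-password; the Postfix queue IDs on the same lines then lead to the `postfix/qmgr` and `postfix/smtp` entries for the messages those sessions submitted.
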
Tue, 12/06/2011 - 19:20
pass

NUMOTHERSOCK is now showing 171.

BUT - here is where the oddness continues: I have been looking at Recorded Logins and I always get the message "No Logins Recorded", even though I am logged in!

I would expect an output like this one from a different server:

Recorded Logins

Username  Login From       TTY    Login At           Logout At         On For
root      e177016212.zzz.  pts/0  07/Dec/2011 01:48  Still logged in
root      g224131215.zzz.  pts/0  05/Dec/2011 00:50  22:02             21:11
root      c222044.zzz.yyy  pts/0  02/Dec/2011 04:46  08:57             04:10
root      g231183255.zzz.  pts/0  01/Dec/2011 14:08  18:19             04:11
Tue, 12/13/2011 - 14:18
duncanbbd

Hi, did you get your problem resolved?

I got hacked recently due to bad PHP code (my own fault). I tracked it down by seeing in 'top' processes with high usage. That gave me an idea which user/website on the system was causing the problem.

I then noticed in /tmp and /var/tmp additional files which were owned by this user. I deleted them and rebooted the server. They came back a few times while I was updating the scripts, but they went away eventually once I had fixed all my scripts :o)

These scripts were using postfix to send email as this user.

Not sure if this helps, but just giving my recent experience.

Brian

Tue, 12/13/2011 - 17:55
pass

I may have to wipe the server completely and do it all again from scratch:

OSSEC HIDS Notification.
2011 Dec 13 21:17:35

Received From: server->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Process '16387' hidden from /proc. Possible kernel level rootkit.

Tue, 12/13/2011 - 22:33
andreychek

Well, I'm not familiar with OSSEC, but it's not uncommon for intrusion detection systems to have false positives... so before you remove anything, I'd spend some time reviewing what it found, and verifying that it is indeed bad.

-Eric

Wed, 12/14/2011 - 18:24
pass

My server is subject to a brute force attack almost every day, so I have concerns about every message I get now. Since I cannot be absolutely, positively sure that there was no intrusion, and my skills are not up to the task, I am not sure that I would be successful even if I did try to do a thorough check.