On Fri, 21 Jul 2017 21:21:06 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
21.07.2017 20:36, Werner Flamme wrote:
Hi,
this morning, my company's postmaster sent me an excerpt from the mail log stating that there is some software on one of my boxes that doesn't speak proper IMAP.
19-Jul-2017 22:38:33.49 tcp_local BS 0 rfc822; a1 LOGOUT 500 5.5.1 Unknown command "a1 LOGOUT" specified TCP|a.b.c.d|465|a.b.e.f|48270
The thing that I find most interesting is that I do not have any entries in /var/log/mail at this time. Some minutes earlier and some minutes later there are, but not at this time. Both hosts use the same time source.
So I guess that there is a script running on the box that reads the postfix config entry for its relayhost (postconf -h relayhost) and sends a mail all by itself. And doing so, it uses a wrong IMAP command, LOGOUT instead of QUIT.
The only LOGOUT I found outside binary files is in </usr/lib64/ruby/2.1.0/net/imap.rb>. As far as I understand the code, near line 1200 the command LOGOUT is sent to the mailhost.
How can I find the script that uses this module? The file belongs to ruby2.1-stdlib, and this is required (rpm) by ruby2.1 only. This itself
This is just a library; it is the same as looking at libc and asking which program is using it.
is required only by ruby, which in turn is required by ruby-devel, yast2-services-manager and yast2-ruby-bindings.
Would any of those packages run a script that bypasses my local MTA? None of them has an entry in /etc/cron*. And none of the entries in /etc/cron* is scheduled at this time...
So, how could I find the script that is responsible for the mail log entries that my postmaster showed me?
BTW, just to make sure the ruby library is the right place, I modified the code a bit so that it should send QUIT now. If there are no more log entries from that host on Monday, I can be sure to have found the proper place. But I still do not know how to locate the script...
You could add a statement that logs the program name at this point. I have zero experience with ruby but I'm sure there is a standard way to obtain it.
Me neither, but fortunately some people do: https://stackoverflow.com/questions/4834821/how-can-i-get-the-name-of-the-co...
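The suggestion in the thread (log the program name at the point where the library sends LOGOUT), sketched as an added example that is not from any poster in this thread. `CallerTrace`, `FakeMailClient` and `demo` are hypothetical names; `FakeMailClient` is a constructed stand-in for the library class so the block runs offline.

```ruby
require 'logger'
require 'stringio'

# Prepended onto a class, this logs which script reached `logout`
# and then hands over to the original method unchanged.
module CallerTrace
  class << self
    attr_accessor :log   # any Logger instance (hypothetical helper)
  end

  def logout(*args)
    if CallerTrace.log
      CallerTrace.log.warn(CallerTrace.describe(caller_locations(1, 5)))
    end
    super
  end

  # One line with script name, pid, parent pid, command line and call stack.
  def self.describe(frames)
    cmdline = begin
      File.read("/proc/#{Process.pid}/cmdline").tr("\0", ' ').strip
    rescue SystemCallError
      $PROGRAM_NAME      # fallback where /proc is not available
    end
    stack = frames.map { |f| "#{f.path}:#{f.lineno}" }.join(' <- ')
    "logout called: script=#{$PROGRAM_NAME} pid=#{Process.pid} " \
      "ppid=#{Process.ppid} cmdline=#{cmdline.inspect} stack=#{stack}"
  end
end

# Constructed stand-in for the library class whose caller is unknown.
class FakeMailClient
  def logout
    :sent_logout
  end
end
FakeMailClient.prepend(CallerTrace)

# Runs the traced call against an in-memory log and returns both results.
def demo
  buf = StringIO.new
  CallerTrace.log = Logger.new(buf)
  [FakeMailClient.new.logout, buf.string]
end
```

The parent pid and command line in the log entry help when the caller is started by something other than cron, since they point at the launching process as well as the script.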