
Re: ldirector and custom smtp regexes

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: ldirector and custom smtp regexes
From: Todd Lyons <tlyons@xxxxxxxxxx>
Date: Thu, 14 Oct 2004 11:40:55 -0700
Horms wanted us to know:

>> I'm using ldirectord to monitor several services (80, 25, 110, and 143).
>> These services are load balanced all from the same director using
>> LVS-DR.  This is all working properly.

And is still working properly.  I'm in the middle of trying to get
heartbeat working with it so that I can have a backup load balancer.
I'm working through those problems, the biggest of which is that load
balancer 1 does not see the udp broadcasts coming from load balancer 2
and vice versa.  So they both assume the other is dead and both try to
go active.  I'm working through that right now.

>> In my sendmail logs, I'm getting this:
>> Jul 13 10:11:23 smtp1 sm-mta[24653]: i6DHBNXo024653: admin.domain.com
>> [10.100.100.150] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>> Jul 13 10:11:28 smtp1 sm-mta[24656]: i6DHBShO024656: admin.domain.com
>> [10.100.100.150] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>> Jul 13 10:11:33 smtp1 sm-mta[24659]: i6DHBXRd024659: admin.domain.com
>> [10.100.100.150] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

In the short term, I am ignoring it in syslog :-)  Relevant lines:

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
filter f_mail { facility(mail); };
filter f_monitoring { not match("(did not issue)|(10.100.100.150)"); };
destination mail { file("/var/log/maillog"); };
log { source(src); filter(f_mail); filter(f_monitoring); destination(mail); };

>> I want to script the connection, such as:
>> send:   expn root
>> expect: .*rootuser@xxxxxxxxxxxxxxxxxxx*
>> send:   quit

This was a case very specific to my needs because it verified both that
the application was running and that basic authentication (i.e. LDAP) was
functional as well.  I would hesitate to assume that expn or vrfy would
be enabled by default on any other smtp server since that can be used as
an attack vector for anything ranging from email address cultivation to
raw DDOS attacks.

>> I added this to the config file:
>> virtual = smtp.ivenue.com:smtp
>>        real = smtp1.internaldomain.net->smtp2.internaldomain.net:smtp gate 10
>>        checktype = negotiate
>>        scheduler = wrr
>>        request = "expn root"
>>        receive = "rootuser@xxxxxxxxxxxxxxxxxx"
>> I restarted ldirectord and 'tcpdump -n -p -X port 25' shows that it's
>> still only connecting, doing a 'ehlo localhost.localdomain' and then
>> 'quit'.  How come it is not doing my specified commands?  I'm probably
>> misunderstanding the man pages.
>Not at all.

Thank you for the reply.

>I just checked the code and the smtp check does not actually do
>anything beyond connecting and sending ehlo. In a nutshell it ignores
>the request and receive lines altogether. Clearly there is room
>for improvement here. However it is not immediately clear what
>should be permitted in a request. Do you have some thoughts on this?

1) Continue to always do the EHLO, because if you omit that and skip
straight to whatever send string is defined, the smtp server will
generate a complaint about no HELO or EHLO.
2) I would use the full hostname instead of localhost.localdomain.
3) I would allow the user to completely define the request and receive
commands as indicated above, subject to bounds/length checking.
4) I hesitate to ask for ldirector to be "SMTP aware" with any specific
limitations on "what should be permitted", other than length.  A sample
setting and sample exchange (below) illustrate how I would utilize it
and could be a stepping stone for making it work with other protocols as
well (specifically thinking IMAP).  I think a more useful request would
be the ability to specify more than one send sequence and correspondingly
more than one recv sequence.  That complicates things though, both in
configuration and executing that configuration on the backend.  It may
end up being less useful (because it's only for a very few specific
cases and more options to confuse the user).

Here is a sample send/recv SMTP exchange where the EHLO and QUIT are
hard coded.
  request="EXPN root"
  receive="rootmailbox@xxxxxxxxxx"

[todd@tlyons ~]$ telnet test1.ivenue.net 25
Trying 10.100.100.240...
Connected to test1.ivenue.net (10.100.100.240).
Escape character is '^]'.
220 test1.ivenue.net ESMTP Sendmail 8.12.11/8.12.11; Thu, 14 Oct 2004 09:49:42 -0700
EHLO tlyons.ivenue.net
250-test1.ivenue.net Hello tlyons.ivenue.net [10.100.20.166], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
EXPN root
250 2.1.5 <rootmailbox@xxxxxxxxxx>
QUIT
221 2.0.0 test1.ivenue.net closing connection
Connection closed by foreign host.
[todd@tlyons ~]$ 

Here is a sample send/recv IMAP exchange where the "a2 logout" is hard
coded.
  request="a1 login cannonball@xxxxxxxxxxxxxx XxXxXxXxXxXxXxX"
  receive="OK LOGIN Ok"

[todd@tlyons ~]$ telnet imap.test.ivenue.net 143
Trying 10.100.201.44...
Connected to imap.test.ivenue.net (10.100.201.44).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
* THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION
* STARTTLS] Courier-IMAP ready. Copyright 1998-2004 Double Precision,
* Inc.  See COPYING for distribution information.
a1 login cannonball@xxxxxxxxxxxxxx XxXxXxXxXxXxXxX
a1 OK LOGIN Ok.
a2 logout
* BYE Courier-IMAP server shutting down
a2 OK LOGOUT completed
Connection closed by foreign host.
[todd@tlyons ~]$ 

-- 
Regards...              Todd
OS X: We've been fighting the "It's a mac" syndrome with upper management
for  years  now.  Lately  we've  taken  to  just  referring  to  new  mac 
installations  as  "Unix"  installations  when  presenting proposals  and 
updates.  For some reason, they have no problem with that.          -- /.
Linux kernel 2.6.3-16mdkenterprise   2 users,  load average: 0.00, 0.01, 0.00
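
The check proposed in points 1) to 4) of the message above, written out as an added example that is not ldirectord's code and not part of the original message: EHLO and QUIT are fixed, the request and receive values come from configuration, and both are length-bounded, with CR/LF rejected so a configured request stays a single command. `MAX_LEN`, the function names, the `example.test` host names and the canned replies are assumptions constructed for the example.

```python
import re
import socket

MAX_LEN = 256  # assumed bound; the post only asks for "bounds/length checking"

def read_reply(rfile):
    """Read one SMTP reply, following '250-' continuation lines; return (code, text)."""
    lines = []
    while True:
        raw = rfile.readline(1024)
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if line[3:4] != "-":  # "250 text" ends a reply, "250-text" continues it
            return line[:3], "\n".join(lines)

def smtp_negotiate(sock, helo_name, request, receive):
    """EHLO (always), one configured request, regex match on its reply, QUIT (always)."""
    if not all(0 < len(v) <= MAX_LEN for v in (helo_name, request, receive)):
        raise ValueError("configured value is empty or too long")
    if re.search(r"[\r\n]", helo_name + request):
        raise ValueError("CR/LF in a configured value would add extra commands")
    pattern = re.compile(receive)
    rfile = sock.makefile("rb")
    try:
        if read_reply(rfile)[0] != "220":
            return False
        sock.sendall(b"EHLO " + helo_name.encode("ascii") + b"\r\n")
        if read_reply(rfile)[0] != "250":
            return False
        sock.sendall(request.encode("ascii") + b"\r\n")
        matched = pattern.search(read_reply(rfile)[1]) is not None
        sock.sendall(b"QUIT\r\n")
        read_reply(rfile)  # consume the 221 reply before closing
        return matched
    except OSError:  # timeout, reset or early close: treat the real server as down
        return False

def check_against_fake(request, receive):
    """Constructed stand-in for a real server: queue canned replies on a socketpair."""
    director, real = socket.socketpair()
    with director, real:
        director.settimeout(5)
        real.sendall(b"220 test1.example.test ESMTP\r\n"
                     b"250-test1.example.test Hello\r\n250-EXPN\r\n250 HELP\r\n"
                     b"250 2.1.5 <rootmailbox@example.test>\r\n"
                     b"221 2.0.0 closing connection\r\n")
        return smtp_negotiate(director, "director.example.test", request, receive)
```

Against a real server, `sock` would come from `socket.create_connection((host, 25), timeout=5)`.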