Hi Gerald,
> We are getting this error on just one site.
> Maybe we should delete the site and recreate???
>
> did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>
> It looks like what you get from swatch, but is only on this one site
Yeah, if you monitor Email Services with "Active Monitor" on a BlueQuartz,
then every 15 minutes Swatch will run the command "telnet localhost 25" to
see if Sendmail is up and running.
Example - reproduced from the command line:
[root@XXX web]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 localhost ESMTP Sendmail Ready; Tue, 27 May 2008 04:08:13 +0200
quit
221 2.0.0 XXX.XXX.net closing connection
Connection closed by foreign host.
Sendmail then logs the line ...
May 27 02:45:03 XXX sendmail[8764]: m4R0j23A008764: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
... to /var/log/maillog
In that case we see that the originating host where that query came from was
[127.0.0.1].
Here is a different entry from a non-local host which generated a similar log
entry:
May 27 02:35:03 cbq sendmail[4679]: m4R0X2CU004679: adsl190-2598128.dyn.etb.net.co [190.25.98.128] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
There can be legit reasons for a non-local host to do this:
- Someone uses a third party site or tool to check if your MTA is running
(Nagios, Zenoss, Demarc, etc.)
- Someone tried to send an email and the connection got interrupted before
anything meaningful was sent after the initial connection to the MTA was
made.
However, most of these non-local probes on Sendmail are rather fishy and can
be attributed to malicious people sniffing around to see what they can find.
The probes themselves are harmless and I wouldn't worry about such sporadic
activity. If you use SMTP-Auth and haven't torn holes into
your /etc/mail/access file by allowing public IP address ranges to relay,
then you're fine.
--
With best regards,
Michael Stauber
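
Added example (not part of the original message): a small Python triage of the maillog entries discussed above, separating the local Swatch/Active Monitor checks from non-local empty sessions and counting the latter per source IP. The function name, the threshold of 3 and the sample lines other than the two quoted in the message are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches the Sendmail "empty session" entry quoted in the message above.
# The relay may be logged as "name [ip]" or as a bare "[ip]" without a name.
PROBE_RE = re.compile(
    r"sendmail\[\d+\]: \w+: (?:(?P<host>\S+) )?\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]"
    r"(?: \(may be forged\))? did not issue MAIL/EXPN/VRFY/ETRN"
    r" during connection to MTA"
)
LOCAL_IPS = {"127.0.0.1", "::1"}  # source of the "telnet localhost 25" check


def summarize_probes(lines, threshold=3):
    """Return (local_count, remote_counter, noisy_ips) for empty SMTP sessions.

    noisy_ips lists remote IPs seen at least `threshold` times; the threshold
    is an arbitrary assumption, tune it to the site's normal background noise.
    """
    local = 0
    remote = Counter()
    for line in lines:
        m = PROBE_RE.search(line)
        if not m:
            continue  # ordinary mail traffic, not an empty session
        if m.group("ip") in LOCAL_IPS:
            local += 1  # expected: one every 15 minutes from the monitor
        else:
            remote[m.group("ip")] += 1
    noisy = sorted(ip for ip, n in remote.items() if n >= threshold)
    return local, remote, noisy


TAIL = " did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA"
# Constructed sample: the first two entries are the ones from the message,
# the rest are made up and use documentation address ranges.
SAMPLE = [
    "May 27 02:45:03 XXX sendmail[8764]: m4R0j23A008764: localhost [127.0.0.1]" + TAIL,
    "May 27 02:35:03 cbq sendmail[4679]: m4R0X2CU004679: "
    "adsl190-2598128.dyn.etb.net.co [190.25.98.128] (may be forged)" + TAIL,
    "May 27 03:01:10 XXX sendmail[9101]: m4R11A7h009101: host.example.net [203.0.113.9]" + TAIL,
    "May 27 03:01:40 XXX sendmail[9103]: m4R11e7j009103: host.example.net [203.0.113.9]" + TAIL,
    "May 27 03:02:10 XXX sendmail[9105]: m4R12A7k009105: [203.0.113.9]" + TAIL,
    "May 27 03:05:00 XXX sendmail[9110]: m4R150xy009110: from=<user@example.com>, size=1024",
]

if __name__ == "__main__":
    local, remote, noisy = summarize_probes(SAMPLE)
    print(f"local monitor checks: {local}, remote: {dict(remote)}, repeated: {noisy}")
```

On a live system the input would be the lines of /var/log/maillog rather than SAMPLE.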