I tried tcpdump, as you suggested, and what it reported was that apparently 
communication was being established at port 25 but for whatever reason GMail 
wouldn't respond:

GMail
r...@roosevelt:/home/ilj % tcpdump -ni eth0 host 74.125.43.27
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:19:08.251414 IP 91.194.239.113.41831 > 74.125.43.27.25: Flags [S], seq 
53304775, win 5840, options [mss 1460,sackOK,TS val 120648163 ecr 0,nop,wscale 
6], length 0
12:19:11.251229 IP 91.194.239.113.41831 > 74.125.43.27.25: Flags [S], seq 
53304775, win 5840, options [mss 1460,sackOK,TS val 120649063 ecr 0,nop,wscale 
6], length 0
12:19:17.251213 IP 91.194.239.113.41831 > 74.125.43.27.25: Flags [S], seq 
53304775, win 5840, options [mss 1460,sackOK,TS val 120650863 ecr 0,nop,wscale 
6], length 0
^C
3 packets captured
6 packets received by filter
0 packets dropped by kernel

I tried another e-mail service which is very popular and pretty decent in the 
RuNet, Yandex.Mail. All in all, the result was exactly the same:

Yandex
r...@roosevelt:/home/ilj % tcpdump -ni eth0 host 77.88.21.38
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:07:17.642244 IP 91.194.239.113.50441 > 77.88.21.38.25: Flags [S], seq 
1208570375, win 5840, options [mss 1460,sackOK,TS val 126914980 ecr 
0,nop,wscale 6], length 0
18:07:20.639119 IP 91.194.239.113.50441 > 77.88.21.38.25: Flags [S], seq 
1208570375, win 5840, options [mss 1460,sackOK,TS val 126915880 ecr 
0,nop,wscale 6], length 0
18:07:26.639116 IP 91.194.239.113.50441 > 77.88.21.38.25: Flags [S], seq 
1208570375, win 5840, options [mss 1460,sackOK,TS val 126917680 ecr 
0,nop,wscale 6], length 0
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel

For whatever reason the SMTP servers' replies wouldn't come in to my router. 
The firewall is out of the question so it's something else.


On Monday 28 June 2010 16:13:23 dan (ddp) wrote:
> You could try using tcpdump to see if there is an error returned from
> the remote smtp server.
> 
> On Fri, Jun 25, 2010 at 5:24 AM, Ivan Lezhnjov Jr.
> 
> <[email protected]> wrote:
> > Yes, there are plenty but all the same. It's a message that states
> > "ERROR: Error Sending email to 74.125.43.27 (smtp server)" nothing else,
> > even with debug mode turned on.
> > 
> > 2010/06/25 06:18:21 ossec-maild: DEBUG: Starting ...
> > 2010/06/25 06:18:21 ossec-maild: INFO: Chrooted to directory: /var/ossec,
> > using user: ossecm
> > 2010/06/25 06:18:21 ossec-maild: INFO: Started (pid: 3266).
> > 2010/06/25 06:18:40 ossec-syscheckd: INFO: Starting syscheck database
> > (pre- scan).
> > 2010/06/25 06:19:46 ossec-syscheckd: INFO: Finished creating syscheck
> > database (pre-scan completed).
> > 2010/06/25 06:21:46 ossec-syscheckd: INFO: Starting syscheck scan
> > (forwarding database).
> > 2010/06/25 06:22:17 ossec-maild(1223): ERROR: Error Sending email to
> > 74.125.43.27 (smtp server)
> > 2010/06/25 06:22:27 ossec-maild(1223): ERROR: Error Sending email to
> > 74.125.43.27 (smtp server)
> > 2010/06/25 06:25:10 ossec-syscheckd: INFO: Ending syscheck scan
> > (forwarding database).
> > 2010/06/25 06:25:30 ossec-rootcheck: INFO: Starting rootcheck scan.
> > 2010/06/25 06:28:58 ossec-rootcheck: INFO: Ending rootcheck scan.
> > 
> > I'm wondering what causes the error. The error message itself isn't
> > really helpful.
> > 
> > On Thursday 24 June 2010 16:52:00 dan (ddp) wrote:
> >> Are there any errors in ossec.log regarding email? Have you tried
> >> running the daemon in debug mode?
> >> 
> >> OSSEC's email daemon is pretty bare bones, so it might be worth while
> >> to route it through the system's smtpd.
> >> 
> >> On Tue, Jun 22, 2010 at 3:19 AM, Ivan Lezhnjov Jr.
> >> 
> >> <[email protected]> wrote:
> >> > Hey guys!
> >> > 
> >> > I've been using OSSEC for a while on two Linux based routers and I
> >> > noticed that e-mail notifications on one of them are working almost
> >> > perfectly, meaning that e-mail notifications are sent out and OSSEC
> >> > can connect to the GMail's SMTP server but there's a problem. At
> >> > irregular intervals OSSEC fails to connect to GMail's SMTP.
> >> > 
> >> > The second machine wasn't able to send out even a single e-mail
> >> > notification.
> >> > 
> >> > Both machines use identical configuration (my e-mail address was
> >> > mangled to spam-protect myself):
> >> > 
> >> >  <global>
> >> >    <email_notification>yes</email_notification>
> >> >    <email_to>[email protected]</email_to>
> >> >    <smtp_server>gmail-smtp-in.l.google.com</smtp_server>
> >> >    <email_from>[email protected]</email_from>
> >> >  </global>
> >> > 
> >> > Each machine is located in a different network (autonomous
> >> > systems/ISPs).
> >> > 
> >> > I have trouble seeing why one machine would send out e-mail
> >> > notifications successfully, albeit sometimes it fails to, due to its
> >> > inability to connect to the specified SMTP server, so I thought I'd
> >> > ask this here.
> >> > 
> >> > Also, why another machine never succeeded at sending at least a single
> >> > e-mail notification remains a complete mystery to me. It simply
> >> > doesn't make sense when I try to approach and understand this issue
> >> > with the "traditional" knowledge of e-mail infrastructure workflow.
> >> > Identical configurations
> >> > 
> >> > My goal is to have robust e-mail notifications and working. So, I've
> >> > been wondering for a while why OSSEC works so unreliably with GMail's
> >> > SMTP and if it's the same story with any other SMTP (I never tried
> >> > any other).
> >> > 
> >> > Also, I've been thinking about setting up my own SMTP server on these
> >> > two routers but I'm not really sure what kind of setup I should aim
> >> > for and/or if this will help at all. I'd appreciate it if someone
> >> > gave a hint on this.
> >> > 
> >> > --
> >> > 
> >> >  Ivan Lezhnjov Jr.
> >> > 
> >> >  Europe, Ukraine, Simferopol
> >> > 
> >> > +----------------------------------------------------------------------+
> >> > 
> >> >           Key ID 0x5811D90C
> >> >  Key Fingerprint 2A52 5C8C 38BE C04F D8DE  A169 19E2 E49A 5811 D90C
> >> >          Use GPG Exercise Your Right To Privacy
> > 
> > --
> > 
> >  Ivan Lezhnjov Jr.
> > 
> >  Europe, Ukraine, Simferopol
> > 
> > +----------------------------------------------------------------------+
> > 
> >           Key ID 0x5811D90C
> >  Key Fingerprint 2A52 5C8C 38BE C04F D8DE  A169 19E2 E49A 5811 D90C
> >          Use GPG Exercise Your Right To Privacy
-- 

  Ivan Lezhnjov Jr.

  Europe, Ukraine, Simferopol

+----------------------------------------------------------------------+

           Key ID 0x5811D90C
  Key Fingerprint 2A52 5C8C 38BE C04F D8DE  A169 19E2 E49A 5811 D90C
          Use GPG Exercise Your Right To Privacy 
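
Added example, not part of the original message: a small Python check that reads `tcpdump -n` text output and reports, per connection attempt, whether the SYN was answered, refused, or (as in both captures above) never replied to. The first flow is the GMail capture from this message with the TCP options trimmed; the second flow, its documentation-range addresses and the function name `classify_handshakes` are constructed for illustration.

```python
import re
from collections import defaultdict

# Flow 1: the GMail capture from the message above (wrapped lines rejoined,
# TCP options trimmed). Flow 2: constructed, documentation addresses, to show
# what an answered handshake looks like in the same output format.
CAPTURE = """\
12:19:08.251414 IP 91.194.239.113.41831 > 74.125.43.27.25: Flags [S], seq 53304775, win 5840, length 0
12:19:11.251229 IP 91.194.239.113.41831 > 74.125.43.27.25: Flags [S], seq 53304775, win 5840, length 0
12:19:17.251213 IP 91.194.239.113.41831 > 74.125.43.27.25: Flags [S], seq 53304775, win 5840, length 0
12:30:00.000100 IP 192.0.2.10.40000 > 198.51.100.25.25: Flags [S], seq 1000, win 5840, length 0
12:30:00.040200 IP 198.51.100.25.25 > 192.0.2.10.40000: Flags [S.], seq 9000, ack 1001, win 5792, length 0
12:30:00.040300 IP 192.0.2.10.40000 > 198.51.100.25.25: Flags [.], ack 1, win 92, length 0
"""

# tcpdump -n prints "addr.port"; the greedy match splits on the last dot.
LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def classify_handshakes(text):
    """Return {(client, server): verdict} for every flow opened with a SYN."""
    syns = defaultdict(int)   # (client, server) -> SYN count, retransmits included
    replies = {}              # (client, server) -> flags of the server's first reply
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, flags = f"{m[1]}:{m[2]}", f"{m[3]}:{m[4]}", m[5]
        if flags == "S":
            syns[(src, dst)] += 1
        elif (dst, src) in syns:          # packet travelling server -> client
            replies.setdefault((dst, src), flags)
    verdicts = {}
    for flow, count in syns.items():
        reply = replies.get(flow)
        if reply is None:
            verdicts[flow] = f"no reply to {count} SYNs: SYN or SYN-ACK lost on the path"
        elif "R" in reply:
            verdicts[flow] = "refused (RST): port closed or connection rejected"
        elif reply == "S.":
            verdicts[flow] = "handshake answered (SYN-ACK)"
        else:
            verdicts[flow] = f"unexpected first reply [{reply}]"
    return verdicts

if __name__ == "__main__":
    for (client, server), verdict in classify_handshakes(CAPTURE).items():
        print(f"{client} -> {server}: {verdict}")
```
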
