For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Damion's avatar
Damion
Icon for Cirrus rankCirrus
May 24, 2011

using snmp process monitoring for health monitor of smtpd

We created a postfix puremessage mx pool behind F5. As part of administrating mail, we need to quickly sort through the sea of information contained within the maillog file.

 

 

Unfortunately, our new pool behind the F5 using the simple tcp health monitor has gotten that much fuller with the all of the connects from the F5 checking in on the health of the service running on server:port

 

 

Any suggestion on how to configure postfix to not log connections from the two F5 interfaces, or a better health monitor would be greatly appreciated.

 

 

Thanks in advance,

 

 

Damion

 

 

Example:

 

May 24 11:30:57 pmx1 postfix/smtpd[8259]: disconnect from unknown[192.168.82.4]

 

May 24 11:30:59 pmx1 postfix/smtpd[8259]: connect from unknown[192.168.82.6]

 

May 24 11:30:59 pmx1 postfix/smtpd[8259]: lost connection after CONNECT from unknown[192.168.82.6]

 

May 24 11:30:59 pmx1 postfix/smtpd[8259]: disconnect from unknown[192.168.82.6]

 

May 24 11:31:02 pmx1 postfix/smtpd[8259]: connect from unknown[192.168.82.4]

 

May 24 11:31:02 pmx1 postfix/smtpd[8259]: lost connection after CONNECT from unknown[192.168.82.4]

 

May 24 11:31:02 pmx1 postfix/smtpd[8259]: disconnect from unknown[192.168.82.4]

 

May 24 11:31:04 pmx1 postfix/smtpd[8259]: connect from unknown[192.168.82.6]

 

May 24 11:31:04 pmx1 postfix/smtpd[8259]: lost connection after CONNECT from unknown[192.168.82.6]

 

May 24 11:31:04 pmx1 postfix/smtpd[8259]: disconnect from unknown[192.168.82.6]

 

 

basic
getting started
new to f5

7 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    May 27, 2011
    dsirrine posted a scripted SMTP monitor solution which you can check out here:

     

     

    http://devcentral.f5.com/wiki/default.aspx/AdvDesignConfig/SMTP_scripted_monitor.html

     

    http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/44/aft/1176902/showtab/groupforums/Default.aspx1249983

     

     

    I'm not sure how you can ignore connection attempts from a specific IP or two in Postfix. You might try checking the man pages or online documentation.

     

     

    Aaron
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    May 27, 2011
    I don't believe there is an option for disabling logging for a specific IP address in postfix. I've never had a request to stop logging a client before... Increase yes (debug_peer_level and debug_peer_list)

     

     

    You could try asking on the postfix mailing list though... My version I run is a year or so old. The latest versions may have an additional option.

     

     

    Failing that, of course, you have the source code. You could add the option in yourself to drop the log level to 0 for a specific IP address list (Or lookup table would probably be better :). if you do, send the source to the list or weitse directly. You never know, he might like it.

     

     

     

    H
  • Damion's avatar
    Damion
    Icon for Cirrus rankCirrus
    Jul 06, 2011
    I was setting up monitoring through nagios, and have snmp processes monitoring the smtpd and spam filter processes.

     

     

    So the new question, is how can I get my snmp processes monitors on the system to trigger the F5 monitor that if two certain processes are down, to disable the smtp port?

     

     

    This would be a win win in that I have both a spam filter processes and the smtp process that if either fails, to stop smtp. And the 2nd win is the maillog wouldn't be logging connection attempts.
  • Damion's avatar
    Damion
    Icon for Cirrus rankCirrus
    Jul 06, 2011
    On the mail server system I added to /etc/snmp/snmpd.conf

     

    proc smtpd 150 1

     

    snmp will give an error string if there are more then 150 or fewer the 1 process running.

     

     

    Using snmpwalk I found the MIB snmpwalk -v2c -c public localhost prTable

     

    UCD-SNMP-MIB::prNames.1 = STRING: smtpd

     

    UCD-SNMP-MIB::prCount.1 = INTEGER: 0

     

    UCD-SNMP-MIB::prErrMessage.1 = STRING: Too few smtpd running ( = 0)

     

    UCD-SNMP-MIB::prNames.2 = STRING: pmx-milter

     

    UCD-SNMP-MIB::prCount.2 = INTEGER: 0

     

    UCD-SNMP-MIB::prErrMessage.2 = STRING: Too few pmx-milter running ( = 0)

     

     

    So I could use either snmpwalk or snmpget to retrieve the prErrMessage and act upon that.
  • Damion's avatar
    Damion
    Icon for Cirrus rankCirrus
    Jul 11, 2011
    ok, now here is the weird thing. trying to sync the newly created external monitor to the standby LTM we get the following error

     

    01070033:3: Monitor eav_snmp_pmx contains an argument that is not

     

     

    Is there anyway to get further information from the F5 LTM about what argument is the issue? Has anyone seen this before?

     

     

  • Damion's avatar
    Damion
    Icon for Cirrus rankCirrus
    Jul 12, 2011
    No arguments are passed, instead variables are added of

     

    OID = UCD-SNMP-MIB::prErrorFlag.1

     

    community = pub-lic

     

    expectedval = noError