[NTLUG:Discuss] Please Help me interpret some Mail Log Entries...

Mon Jun 10 21:36:59 CDT 2002

Newsletters wrote:
> Newsletters wrote:
> 
> | Hello,
> |
> | I'm running my own mailserver, and I keep getting these entries from my
> | mail log.
> | Do I have anything to worry about?
> | Thanks in advance,
> | --JCR
> | =============
> | Maillog Entries:
> |
> | NOQUEUE: [213.69.69.202] did not issue MAIL/EXPN/VRFY/ETRN during
> | connection to MTA
> | e54Gj8921238: timeout waiting for input from [213.69.69.202] during
> 
> OK, I'm obviously getting the silent RTFM response.  I'll answer my own
> question so that anybody else that wonders about this type of message
> won't get the same treatment.

Wasn't intentional.

> 
> I found this on the Sendmail FAQ:
> 
> "Subject: Q4.18 -- What does "|NOQUEUE: Null connection from ...|" mean?
> Date: February 24, 2000
> Updated: March 12, 2000
> 
> An entry like:
> 
> NOQUEUE: Null connection from host.domain [IP.AD.DD.RESS]
> 
> in the logfile means that |host.domain| connected to your MTA but
> neither initiated transmission of a message (by issuing the |MAIL|
> command), nor used any of the commands that are logged separately
> (|EXPN/VRFY/ETRN|). Unless this happens very often, you can ignore this.
> If it happens very often, it's either someone playing around or it's a
> network problem.

Likely a log message you get when somone does some kind of scan.
I know that equipment I have on the internet gets scanned hundreds
if not thousands of times a day.

It is so severe in fact (the lastest being scans for MS SQL Server)
that I really think that about 90% of the folks on the internet
really have no business being there until they are properly educated
about "how things work".  MS of course encourages the opposite...
get online or else.  Oh well.

> 
> Note 1: The significant part of the message isn't the |NOQUEUE|, but the
> "|Null connection from ...|". In particular, |NOQUEUE| isn't an error
> indication, but just a "place-holder" when no queue ID has been
> assigned, typically because message collection hasn't started (yet). It
> can occur in other messages too, and there too the significant part is
> what comes *after* the |NOQUEUE|.
> 
> Note 2: In 8.10, the text which led to the confusion has been changed
> to: "|... did not issue MAIL/EXPN/VRFY/ETRN during connection to ...|".
> 
> =========
> 
> Note 2 is the only place where I found that I have to only consider my
> exact log messages is the same as the 'Null connection from ...'
> message, and is not a debug message that can also occur with the
> 'NOQUEUE:' indicator.
> 
> --I'll go away now!

No need to go away... answering your own question is perfectly
acceptable and it is a nice courtesy for the "silent" masses
who may have asked themselves the same question, but were afraid
to ask it openly.

Thanks for the followup,
Chris