Sendmail & Biff filling up the logs

As a good sysadmin, you should be checking your logs frequently. But it is so, so boring, especially if you need to go through numerous lines of general bullshit. Well, now it was time to do some cleaning.

Checked my /var/log/messages, and four entries were made every night.

May 24 03:01:13 HOST kernel: TCP: []:56597 to []:113 tcpflags 0x2; tcp_input: Connection attempt to closed port

May 24 03:01:13 HOST kernel: Connection attempt to UDP from

Two connections to 113 (auth/ident), and two connections to 512 (comsat/biff). Since it occurred every night, my first thought was that it must be a crontab job making these connections. The FreeBSD cron daemon (periodic) runs every night at 03:01, but running all the daily cron jobs manually made no entry in /var/log/messages.

After searching on Google, sendmail was a recurring hit. If you use `tcp.blackhole` for dropping incoming packets, sendmail will generate log entries. This is because it uses auth/ident to verify sender identity, and biff for notifying the user who receives mail. The cron jobs that run every night send local mail to the root account, which then triggers an ident request to localhost and a comsat/biff connection. Sendmail is the big sinner in this equation.
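One way to confirm that pattern from the log itself, as an added example that is not part of the original post: group closed-port kernel messages by protocol, port and minute, and keep the groups that repeat on several days. The sample lines are constructed; the loopback addresses, source ports and IPv4-only parsing are assumptions, since the addresses in the lines quoted above are elided.

```python
import re
from collections import defaultdict

# Constructed sample in the two kernel message shapes quoted in the post.
# Addresses and source ports are assumptions (the post's lines have them elided).
SAMPLE_LOG = """\
May 23 03:01:12 HOST kernel: TCP: [127.0.0.1]:51344 to [127.0.0.1]:113 tcpflags 0x2; tcp_input: Connection attempt to closed port
May 23 03:01:12 HOST kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:60211
May 24 03:01:13 HOST kernel: TCP: [127.0.0.1]:56597 to [127.0.0.1]:113 tcpflags 0x2; tcp_input: Connection attempt to closed port
May 24 03:01:13 HOST kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:61022
May 24 14:22:07 HOST kernel: TCP: [192.0.2.10]:40100 to [192.0.2.1]:23 tcpflags 0x2; tcp_input: Connection attempt to closed port
May 24 14:30:00 HOST sshd[812]: Server listening on 0.0.0.0 port 22.
"""

STAMP = r"^(?P<day>\w{3}\s+\d+) (?P<hhmm>\d\d:\d\d):\d\d \S+ kernel: "
TCP_RE = re.compile(STAMP + r"TCP: \[(?P<src>[^\]]+)\]:\d+ to \[(?P<dst>[^\]]+)\]:(?P<port>\d+) "
                    r".*Connection attempt to closed port")
UDP_RE = re.compile(STAMP + r"Connection attempt to UDP (?P<dst>\S+):(?P<port>\d+) "
                    r"from (?P<src>\S+):\d+")

def parse(line):
    """Return (day, hhmm, proto, port, local) for a closed-port line, else None."""
    for proto, rx in (("tcp", TCP_RE), ("udp", UDP_RE)):
        m = rx.match(line)
        if m:
            local = m["src"] == m["dst"]  # True when the host is talking to itself
            return m["day"], m["hhmm"], proto, int(m["port"]), local
    return None

def recurring(lines, min_days=2):
    """Group by (proto, port, minute, local); keep groups seen on >= min_days days."""
    days = defaultdict(set)
    for line in lines:
        hit = parse(line)
        if hit:
            day, hhmm, proto, port, local = hit
            days[(proto, port, hhmm, local)].add(day)
    return sorted(key + (len(d),) for key, d in days.items() if len(d) >= min_days)

if __name__ == "__main__":
    for proto, port, hhmm, local, n in recurring(SAMPLE_LOG.splitlines()):
        origin = "local" if local else "remote"
        print(f"{proto}/{port} at {hhmm} on {n} days ({origin} source)")
```

A group that repeats at the same minute with a local source points at a scheduled job on the host itself rather than at outside probing.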

The fix
In order to stop sendmail from spamming /var/log/messages, you need to disable biff notification and the ident check. Or you can just install ident and biff. Not an option for me, since sendmail is just a sleeping service on my host.

Adding some lines to /usr/mail/ or /usr/mail/
(Use the latter if you have a host-specific .mc file)

dnl Disable auth/ident
define(`confTO_IDENT', `0s')dnl
dnl Disable biff notification
define(`LOCAL_MAILER_ARGS', `mail.local -B1')dnl

Then to activate the changes:

In /etc/mail
# make
# make install
# /etc/rc.d/sendmail restart
