<html><head><meta name="qrichtext" content="1" /></head><body style="font-size:9pt;font-family:Sans Serif">
<p>Hi, folks.</p>
<p></p>
<p>I've been using stunnel on our mail server (sendmail, spamassassin, clamav, mailscanner, mailwatch). I note the following being written to syslog, and wonder if stunnel is causing it:</p>
<p></p>
<p>Mar 29 14:07:31 mail1 su(pam_unix)[29493]: session closed for user nobody</p>
<p>Mar 29 14:08:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s accepted connection from 192.168.100.58:1723</p>
<p>Mar 29 14:08:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s connected remote server from 127.0.0.1:33540</p>
<p>Mar 29 14:08:00 mail1 stunnel: LOG5[15993:3076422576]: Connection closed: 138 bytes sent to SSL, 42 bytes sent to socket</p>
<p>Mar 29 14:08:43 mail1 su(pam_unix)[29640]: session opened for user nobody by (uid=0)</p>
<p>Mar 29 14:08:43 mail1 su(pam_unix)[29640]: session closed for user nobody</p>
<p>Mar 29 14:09:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s accepted connection from 192.168.100.58:1724</p>
<p>Mar 29 14:09:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s connected remote server from 127.0.0.1:33544</p>
<p>Mar 29 14:09:00 mail1 stunnel: LOG5[15993:3076422576]: Connection closed: 138 bytes sent to SSL, 42 bytes sent to socket</p>
<p>Mar 29 14:10:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s accepted connection from 192.168.100.58:1725</p>
<p>Mar 29 14:10:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s connected remote server from 127.0.0.1:33546</p>
<p>Mar 29 14:10:00 mail1 stunnel: LOG5[15993:3076422576]: Connection closed: 138 bytes sent to SSL, 42 bytes sent to socket</p>
<p>Mar 29 14:10:11 mail1 su(pam_unix)[30025]: session opened for user nobody by (uid=0)</p>
<p>Mar 29 14:10:11 mail1 su(pam_unix)[30025]: session closed for user nobody</p>
<p>Mar 29 14:10:33 mail1 su(pam_unix)[30075]: session opened for user nobody by (uid=0)</p>
<p>Mar 29 14:10:33 mail1 su(pam_unix)[30075]: session closed for user nobody</p>
<p>Mar 29 14:11:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s accepted connection from 192.168.100.58:1726</p>
<p>Mar 29 14:11:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s connected remote server from 127.0.0.1:33559</p>
<p>Mar 29 14:11:00 mail1 stunnel: LOG5[15993:3076422576]: Connection closed: 138 bytes sent to SSL, 42 bytes sent to socket</p>
<p>Mar 29 14:11:03 mail1 su(pam_unix)[30206]: session opened for user nobody by (uid=0)</p>
<p>Mar 29 14:11:03 mail1 su(pam_unix)[30206]: session closed for user nobody</p>
<p>Mar 29 14:11:06 mail1 su(pam_unix)[30215]: session opened for user nobody by (uid=0)</p>
<p>Mar 29 14:11:06 mail1 su(pam_unix)[30215]: session closed for user nobody</p>
<p></p>
<p>It's the <span style="font-weight:600;text-decoration:underline">sessions opened and closed for the user nobody</span> that has me concerned. stunnel appears to be the only process being run by the user nobody. If, in fact, this is caused by stunnel, do I keep these (and only these) session opened/closed instances from being logged?</p>
<p></p>
<p>Thanks.</p>
<p></p>
<p>Dimitri</p>
</body><br />--
<br />This message has been scanned for viruses and
<br />dangerous content by
<a href="http://www.mailscanner.info/"><b>MailScanner</b></a>, and is
<br />believed to be clean.
</html>