Thread: unknown UDP-Connections in zimbra.log

  1. #1 harry12345 (Active Member)

    Hi,

    Today I found a lot of unknown UDP connections and ask myself what Zimbra is doing there.
    Here is an extract from zimbra.log:

    Feb 19 16:19:01 UDP Packet - Source:192.168.19.142,55737 Destination:157.56.52.16,40039 - [Outgoing]
    Feb 19 16:19:01 UDP Packet - Source:192.168.19.142,55737 Destination:213.199.179.160,40033 - [Outgoing]
    Feb 19 16:19:01 UDP Packet - Source:192.168.19.142,55737 Destination:111.221.77.140,40005 - [Outgoing]
    Feb 19 16:19:01 UDP Packet - Source:192.168.19.142,55737 Destination:213.199.179.154,40007 - [Outgoing]
    Feb 19 16:19:03 UDP Packet - Source:192.168.19.142,55737 Destination:91.65.49.186,48884 - [Outgoing]
    Feb 19 16:19:07 UDP Packet - Source:192.168.19.142,55737 Destination:91.65.49.186,48884 - [Outgoing]
    Feb 19 16:19:11 UDP Packet - Source:192.168.19.142,55737 Destination:157.55.130.160,40042 - [Outgoing]
    Feb 19 16:19:11 UDP Packet - Source:192.168.19.142,55737 Destination:157.56.52.19,40017 - [Outgoing]
    Feb 19 16:19:11 UDP Packet - Source:192.168.19.142,55737 Destination:65.55.223.16,40012 - [Outgoing]
    Feb 19 16:19:11 UDP Packet - Source:192.168.19.142,55737 Destination:111.221.77.149,40028 - [Outgoing]
    Feb 19 16:19:11 UDP Packet - Source:192.168.19.142,55737 Destination:64.4.23.160,40017 - [Outgoing]

    192.168.19.142 is my machine. I am using the Zimbra web client (Chrome).
    Why does Zimbra try to connect to these destinations? There are a lot more targets in the complete log, TCP targets too.

    Thanks for reply,

    Harry

  2. #2 phoenix (Zimbra Consultant & Moderator)

    Specifically, which zimbra log are you talking about? What's happening on your server at the time you see these log entries? Which version and release of ZCS is in use on this server? Why don't you do a lookup on the IP addresses and see who owns them? You might get a clue from the answers to some or all of those questions.
    Regards
    Bill

  3. #3 harry12345 (Active Member)

    Hi Bill,

    I am talking about /var/log/zimbra.log. Because I found these entries in zimbra.log, I think that these entries are written by Zimbra. We are using Zimbra NE 8.0.2.
    I want to know why Zimbra tries to connect to these addresses. 192.168.19.142 is my client IP. nslookup is not helpful:
    e.g. nslookup 64.4.23.160 returns "server can't find 160.23.4.64.in-addr.arpa.: NXDOMAIN"
    nslookup 111.221.77.149 returns "server can't find 149.77.221.111.in-addr.arpa.: NXDOMAIN"
    Thank you,
    Harry

  4. #4 phoenix (Zimbra Consultant & Moderator)

    Quote, originally posted by harry12345:
        I am talking about /var/log/zimbra.log. Because I found these entries in zimbra.log, I think that these entries are written by Zimbra. We are using Zimbra NE 8.0.2.
        I want to know why Zimbra tries to connect to these addresses. 192.168.19.142 is my client IP. nslookup is not helpful:
        e.g. nslookup 64.4.23.160 returns "server can't find 160.23.4.64.in-addr.arpa.: NXDOMAIN"
        nslookup 111.221.77.149 returns "server can't find 149.77.221.111.in-addr.arpa.: NXDOMAIN"
    You shouldn't use nslookup (it's deprecated) but something like this to find out where and what the IP address actually is. I did ask you some other questions which you haven't answered. In addition, have these log entries only appeared recently? Have your mail volumes increased lately? Do you have strong password protection on your ZCS accounts? Do you have anything else running on this server apart from ZCS? Have you checked to see if there's any increase in data traffic to/from your server? Have you checked if your server or any of its accounts have been compromised?

    Quote, originally posted by harry12345:
        Today I found a lot of unknown UDP connections and ask myself what Zimbra is doing there.
    To specifically answer this question, it's not Zimbra that's doing this, and it could be for any number of reasons as it's used by many (types of) applications. I don't see any such connections on my server and I would say that it's not normal, so I guess you're going to have to do some digging to see what's causing it.
    Regards
    Bill

  5. #5 alessandro.motta (Trained Alumni)

    I did a whois on 4 of the IP addresses you mentioned and they all belong to Microsoft.
    Do you have a Zimlet installed which could connect to some Microsoft services?

    Regards

  6. #6 harry12345 (Active Member)

    Hi,

    Thank you for your tips. I figured out that Skype (from Microsoft) is doing the UDP requests.
    Do you know how Skype is able to connect via Chrome (Zimbra) to the Zimbra server?

    Regards,
    Harry

  7. #7 alessandro.motta (Trained Alumni)

    Hello Harry,
    I can only think of the "Phone" Zimlet, which highlights the phone numbers in emails and allows you to start a Skype call.
    Try opening an email with a phone number and look for the UDP packets.
    Regards

  8. #8 harry12345 (Active Member)

    Hi,

    I found the cause in /etc/rsyslog.d/60-zimbra.conf:
    Zimbra uses the syslog server for logging, and one default rule contains "local0.* -/var/log/zimbra.log".
    local0 is also used by our firewall....
    Thanks for the help,
    Harry
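One way to stop the firewall's local0 messages from landing in zimbra.log while keeping Zimbra's own rule, as an added rsyslog example that is not from the thread or from Zimbra's shipped config. The firewall hostname "fw01" and the log path /var/log/firewall.log are assumptions; the local0 rule is the one quoted above.

```rsyslog
# /etc/rsyslog.d/60-zimbra.conf (added example, not Zimbra's shipped file)
#
# Rules are evaluated top to bottom, so the firewall is diverted first.
# Assumption: the firewall sends syslog with hostname "fw01".
if $hostname == 'fw01' then -/var/log/firewall.log
# Discard the message so it never reaches the local0 catch-all below.
# "& ~" is the rsyslog 5/6 form; on rsyslog 7 or newer use "& stop".
& ~

# Zimbra's original rule, unchanged. Before the diversion above, any device
# logging with facility local0 (here the firewall) was written to this file,
# which is why per-packet firewall lines appeared in zimbra.log.
local0.* -/var/log/zimbra.log
```

After restarting rsyslog, a message sent from the Zimbra host with `logger -p local0.info test` should still appear in zimbra.log, while the firewall's lines should now appear only in /var/log/firewall.log.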
