Hi, folks.

I've been using stunnel on our mail server (sendmail, spamassassin, clamav, mailscanner, mailwatch). I note the following being written to syslog, and wonder if stunnel is causing it:

Mar 29 14:07:31 mail1 su(pam_unix)[29493]: session closed for user nobody

Mar 29 14:08:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s accepted connection from 192.168.100.58:1723

Mar 29 14:08:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s connected remote server from 127.0.0.1:33540

Mar 29 14:08:00 mail1 stunnel: LOG5[15993:3076422576]: Connection closed: 138 bytes sent to SSL, 42 bytes sent to socket

Mar 29 14:08:43 mail1 su(pam_unix)[29640]: session opened for user nobody by (uid=0)

Mar 29 14:08:43 mail1 su(pam_unix)[29640]: session closed for user nobody

Mar 29 14:09:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s accepted connection from 192.168.100.58:1724

Mar 29 14:09:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s connected remote server from 127.0.0.1:33544

Mar 29 14:09:00 mail1 stunnel: LOG5[15993:3076422576]: Connection closed: 138 bytes sent to SSL, 42 bytes sent to socket

Mar 29 14:10:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s accepted connection from 192.168.100.58:1725

Mar 29 14:10:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s connected remote server from 127.0.0.1:33546

Mar 29 14:10:00 mail1 stunnel: LOG5[15993:3076422576]: Connection closed: 138 bytes sent to SSL, 42 bytes sent to socket

Mar 29 14:10:11 mail1 su(pam_unix)[30025]: session opened for user nobody by (uid=0)

Mar 29 14:10:11 mail1 su(pam_unix)[30025]: session closed for user nobody

Mar 29 14:10:33 mail1 su(pam_unix)[30075]: session opened for user nobody by (uid=0)

Mar 29 14:10:33 mail1 su(pam_unix)[30075]: session closed for user nobody

Mar 29 14:11:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s accepted connection from 192.168.100.58:1726

Mar 29 14:11:00 mail1 stunnel: LOG5[15993:3076422576]: pop3s connected remote server from 127.0.0.1:33559

Mar 29 14:11:00 mail1 stunnel: LOG5[15993:3076422576]: Connection closed: 138 bytes sent to SSL, 42 bytes sent to socket

Mar 29 14:11:03 mail1 su(pam_unix)[30206]: session opened for user nobody by (uid=0)

Mar 29 14:11:03 mail1 su(pam_unix)[30206]: session closed for user nobody

Mar 29 14:11:06 mail1 su(pam_unix)[30215]: session opened for user nobody by (uid=0)

Mar 29 14:11:06 mail1 su(pam_unix)[30215]: session closed for user nobody

It's the sessions opened and closed for the user nobody that has me concerned. stunnel appears to be the only process being run by the user nobody. If, in fact, this is caused by stunnel, do I keep these (and only these) session opened/closed instances from being logged?

Thanks.

Dimitri


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.