Questions related to lsof command output

multisites used Ask the Experts™
I have a Linux Centos / Apache Webserver. It has just Domains, no mailboxes. But it runs Postfix because of the Domains' forms.
Frequently, when I issue a "lsof -i" command, it outputs things like in the attached text file. My questions:
1) What does this output really mean? Is this Server being used for relay? It has not open relay.
2) If so, is there anything I could imediately do to stop it?


Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®


I forgot to attach the file. Here it goes.
nociSoftware Engineer
Distinguished Expert 2018

Lets disect the first line:

smtp    13229  postfix   12u  IPv4 11809871       TCP> (ESTABLISHED)

it means youy have sessions that run from a process named smtp, processid 13229, owner postfix,
12u is the file handle 12, opened for update (others are r=read, w=write).
The file type on the handles is an IPv4 socket, the number is not realy important here.
The IPv4 Socket is TCP session, started on   port 49922 with destination: SMTP (port 25), the lik state is established (= active).

SYN_SENT is a starting connection,

You need to check postfix logging if this is legitemite mail. by verifying e-mail addresses (source & destination).
If you have mail sending forms, it might be that they are abused by robot posts.
you might have a code injection active (that would mean you also have a process running a php script sending mails...)

You need to determine from the postfix logging to what extent this is harmfull or not.
nociSoftware Engineer
Distinguished Expert 2018

To stop it quickly, stop postfix...
Learn Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.


Hi, noci:

You said some important things. As a matter of fact I also believe we may have any form(s) being abused. My question: is there a way to find out what are them, or from which of our hosted Domains it this happening?

My concern in stopping Postfix is that I need Postfix so that normal forms data from our Domains can be sent.

Anyway, thanks for your comments.


The only possibility I see is really form abuse, because, as I said, this Server has not mailboxes, just Domains.
Software Engineer
Distinguished Expert 2018
If the sender through a form is fixed, you should be able to find out which form is used.
(Postfix logging)
If the receiver is fixed. you can trace the mail (through postfix logging).
( this might be different for different forms).

You might be able to include a header line through a form that identifies the site involved?
to stop abuse, try to use things like Captcha's.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial