Category Archives: Mail service

Blocking all mail originating from a domain on your cPanel server !

There are times when a particular domain on your server is involved in spamming or excessive mail delivery and you want to block just that domain from sending mail. With the stock cPanel setup there is no straightforward way to do this.

We will see how to do this step-by-step.

First, log in to WHM and navigate to Home » Service Configuration » Exim Configuration Manager » Advanced Editor.

Find the section “ROUTERS CONFIGURATION” and, right under the PREROUTERS section, add the following router:

reject_domains:
  driver = redirect
  # any address in a domain listed in the exim_blacklist domainlist is refused outright
  domains = +exim_blacklist
  allow_fail
  data = :fail: Connection rejected: Sorry dude :/

Once this is done, save the configuration.

Next, SSH to your server and open the file /etc/exim.conf for editing.

Right after the first line (usually something like “#!!# cPanel Exim 4 Config”), add the following and save the file. cPanel regenerates /etc/exim.conf when the Exim Configuration Manager is saved, so check that this line is still present after any later change there:

domainlist exim_blacklist = lsearch;/etc/eximblacklist

Save the file and restart Exim.

Now all you need to do is add the domain(s) concerned to the file /etc/eximblacklist, one domain per line.

When you then test sending mail from the domain, you will see the following in the logs:

DATE H=localhost (xxxxx):44411 sender verify fail for <test1@domain.com>: Connection rejected: Sorry dude :/

That is it. If you still face any issue, post a comment below with the error you get!
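Maintaining /etc/eximblacklist by hand works, but a typo or a duplicate is easy to make, and lsearch compares the key exactly as written. The script below is an added example (not part of the original post and not cPanel tooling): it normalises and validates a domain before appending it, removes entries again, and asks Exim itself, through its sender-verification test mode (exim -bvs), whether a sender at that domain is now refused. It assumes the router and the domainlist line shown above are in place; BLACKLIST defaults to /etc/eximblacklist and can be pointed at a scratch file for a dry run. One caveat worth knowing: the router matches the domain of any address it is asked to route, so mail addressed to a listed domain is refused at recipient verification as well, not only mail sent from it.

```shell
#!/bin/sh
# Added example; not part of the original post and not cPanel tooling.
# Assumes the reject_domains router and the line
#   domainlist exim_blacklist = lsearch;/etc/eximblacklist
# from the post are in place. BLACKLIST may be overridden for a dry run.
BLACKLIST="${BLACKLIST:-/etc/eximblacklist}"

# Lower-case and validate a domain: lsearch compares the key as written, so a
# stray capital letter or space would silently fail to match.
normalize_domain() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' \t')
    case "$d" in
        ''|*..*|.*|*.|*[!a-z0-9.-]*) return 1 ;;
    esac
    printf '%s\n' "$d"
}

# Append a domain once. Returns 1 for a malformed name, 2 if already listed.
add_blacklist_domain() {
    d=$(normalize_domain "$1") || return 1
    touch "$BLACKLIST"
    grep -Fqix "$d" "$BLACKLIST" && return 2
    printf '%s\n' "$d" >> "$BLACKLIST"
}

# Drop a domain again (e.g. once the compromised account has been cleaned up).
remove_blacklist_domain() {
    d=$(normalize_domain "$1") || return 1
    [ -f "$BLACKLIST" ] || return 2
    tmp="$BLACKLIST.tmp.$$"
    grep -Fvix "$d" "$BLACKLIST" > "$tmp" || true   # grep -v exits 1 when nothing remains
    mv "$tmp" "$BLACKLIST"
}

list_blacklist() {
    [ -f "$BLACKLIST" ] && cat "$BLACKLIST"
}

# Ask Exim whether a sender at the domain is now refused. -bvs runs sender
# verification through the routers without sending anything and exits
# non-zero when verification fails, which is the check behind the
# "sender verify fail" log line above. Needs exim installed; the rest does not.
verify_blocked() {
    command -v exim >/dev/null 2>&1 || { echo "exim not found" >&2; return 3; }
    exim -bvs "postmaster@$1"
}

# Usage: BLACKLIST=/etc/eximblacklist; add_blacklist_domain spammy.example && verify_blocked spammy.example
```

After adding a domain there is no need to restart Exim: lsearch reads the file on every lookup, so the next sender verification already sees the new entry.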

 

Qmail failing to restart !

Are you getting a failure message when trying to restart Qmail?

Check the mail logs to see if you can spot something. On a Plesk server the logs are at /usr/local/psa/var/log/maillog.

Do you find an error like this?

==================

Date host qmail: xxxxx alert: cannot start: unable to open mutex

Date host qmail: xxxxx alert: cannot start: unable to open mutex

==================

This can happen when you manually delete the qmail queue and, in doing so, remove a file from the /var/qmail/queue folder that qmail needs. To fix it, recreate the missing lock file with the right owner:

# touch /var/qmail/queue/lock/sendmutex
# chown qmails:qmail /var/qmail/queue/lock/sendmutex

Once this is done, start qmail again:

# /etc/init.d/qmail start

Exim – Dropping SMTP connection at HELO/EHLO !

We are observing a brute-force attack on SMTP from many different IP addresses that all present the same HELO name, “ylmf-pc”.

This could be a large number of malware-infected machines, or extensive IP spoofing.

If CSF is configured properly, the IPs will be blocked at the firewall level.

Another solution is to drop the SMTP connection at HELO, so that no further processing is carried out and no connection state has to be tracked for the individual IPs. If CSF were to block all of these IPs, the list could become very large and hurt server performance.

Add the following to the Exim configuration. The acl_smtp_helo setting belongs in the main section (before “begin acl”); the ACL block itself goes in the ACL section and must carry the name the setting refers to:

# vi /etc/exim.conf

# main section: tell Exim which ACL runs at HELO/EHLO
acl_smtp_helo = acl_smtp_helo

#BEGIN ACL_SMTP_HELO_BLOCK
# ACL section: the name must match the setting above
acl_smtp_helo:
  drop
    condition = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
    log_message = HELO/EHLO - ylmf-pc blocked
    message = I Nailed You at HELO
  accept
#END ACL_SMTP_HELO_BLOCK

Restart exim once this is done.

# service exim restart

This makes sure that connections from these ylmf-pc hosts are dropped before any further processing!

Update: If you want to block connections by other HELO names too, put the following in exim.conf instead of the block above; the HELO name is looked up in a file, one name per line:

acl_smtp_helo:
  drop
    condition = ${lookup{$sender_helo_name}lsearch{/etc/heloblocks}{yes}{no}}
    log_message = HELO/EHLO - HELO on heloblocks Blocklist
    message = HELO on heloblocks Blocklist
  accept

Once the above is in place, create a new file /etc/heloblocks and enter the HELO names to block, one per line.

Don't forget to restart Exim once this is done.
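Once the ACL is in, the question from the post remains: how many distinct IPs are behind a blocked HELO name, and would a CSF list for them stay manageable? The script below is an added example (not from the original post) that summarises the drops the ACL writes to the Exim log. The exact wording of Exim's log line for a drop at HELO varies, so the parser relies only on the “(helo) [ip]” pair and on the log_message text from the ACLs above; LOG defaults to the usual cPanel path /var/log/exim_mainlog, and the sample lines are constructed, not real log data.

```shell
#!/bin/sh
# Added example, not from the original post. Summarises the drops that the
# HELO ACL logs, so you can see how many source IPs hide behind one HELO
# name before deciding whether a CSF block list for them would stay manageable.
# LOG defaults to the usual cPanel path; only the "(helo) [ip]" pair and the
# ACL's log_message text are relied on, since the rest of the line varies.
LOG="${LOG:-/var/log/exim_mainlog}"

# Print "count<TAB>ip<TAB>helo" for every line carrying the ACL's log_message,
# busiest source first.
summarize_helo_drops() {
    awk '
        /HELO\/EHLO - / {
            if (match($0, /\([^()]*\) \[[0-9.]+\]/)) {
                s = substr($0, RSTART + 1, RLENGTH - 2)   # "helo) [ip"
                n = index(s, ") [")
                count[substr(s, n + 3) "\t" substr(s, 1, n - 1)]++
            }
        }
        END { for (k in count) print count[k] "\t" k }
    ' "${1:-$LOG}" | sort -rn
}

# How many distinct IPs presented a given HELO name.
helo_ip_count() {
    summarize_helo_drops "$1" | awk -F'\t' -v h="$2" '$3 == h { n++ } END { print n + 0 }'
}

# Constructed sample lines (not real log data) for trying the parser offline.
make_sample_log() {
    cat > "$1" <<'EOF'
2012-03-04 10:11:12 H=(ylmf-pc) [203.0.113.5] rejected EHLO or HELO ylmf-pc: HELO/EHLO - ylmf-pc blocked
2012-03-04 10:11:15 H=(ylmf-pc) [203.0.113.5] rejected EHLO or HELO ylmf-pc: HELO/EHLO - ylmf-pc blocked
2012-03-04 10:12:01 H=(ylmf-pc) [198.51.100.9] rejected EHLO or HELO ylmf-pc: HELO/EHLO - ylmf-pc blocked
2012-03-04 10:13:40 1S4abc-0001-AB <= sender@example.net H=mx.example.net (mx.example.net) [192.0.2.20] P=esmtp S=1234
2012-03-04 10:14:02 H=(friend) [198.51.100.77] rejected EHLO or HELO friend: HELO/EHLO - HELO on heloblocks Blocklist
EOF
}

# Usage on a live server: summarize_helo_drops; helo_ip_count /var/log/exim_mainlog ylmf-pc
```

A HELO name that keeps showing up from hundreds of addresses, each only once or twice, is exactly the case where the ACL drop costs less than a per-IP firewall entry; a handful of repeat offenders, on the other hand, are worth feeding to CSF as well.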


 


Tracking down spamming in Plesk – 2

This post will help you track down spamming from a Plesk server when it is being done through PHP scripts in one of the hosted domains.

– Use the following wrapper to find the directories from which PHP mail scripts are being run.

# vi /var/qmail/bin/sendmail-wrapper

#!/bin/sh
# record the caller's working directory, keep a copy of the message, then hand it to the real sendmail
(echo "X-Additional-Header: $PWD"; cat) | tee -a /var/tmp/mail.send | /var/qmail/bin/sendmail-qmail "$@"

# touch /var/tmp/mail.send
# chmod a+rw /var/tmp/mail.send
# chmod a+x /var/qmail/bin/sendmail-wrapper
# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

– Wait for some time and then change sendmail back:

# rm -f /var/qmail/bin/sendmail
# mv /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

Once this is done, run the following command, which lists all directories under the vhosts root from which PHP mail scripts were run:

# grep X-Additional /var/tmp/mail.send | grep "$(grep HTTPD_VHOSTS_D /etc/psa/psa.conf | sed -e 's/HTTPD_VHOSTS_D//' -e 's/^[[:space:]]*//')"
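The three steps above (install the wrapper, wait, restore sendmail, then report) as one script. This is an added example, not the original post's script and not Plesk's own tooling. QMAIL_BIN and CAPTURE are parameters so the procedure can be rehearsed in a scratch directory with a stand-in sendmail; on a real server they default to /var/qmail/bin and /var/tmp/mail.send. Keep in mind that the capture file holds a full copy of every message and is world-readable (the chmod a+rw is needed because the web server's PHP runs as an unprivileged user), so delete it once the reporting is done.

```shell
#!/bin/sh
# Added example; not the original post's script and not Plesk tooling.
# QMAIL_BIN and CAPTURE are overridable so the steps can be rehearsed safely.
QMAIL_BIN="${QMAIL_BIN:-/var/qmail/bin}"
CAPTURE="${CAPTURE:-/var/tmp/mail.send}"

# Step 1: put the X-Additional-Header wrapper in front of the real sendmail.
install_wrapper() {
    if [ -e "$QMAIL_BIN/sendmail-qmail" ]; then
        echo "wrapper already installed" >&2   # a second run would wrap the wrapper
        return 1
    fi
    touch "$CAPTURE" && chmod a+rw "$CAPTURE"  # PHP runs as the web user, so world-writable
    cat > "$QMAIL_BIN/sendmail-wrapper" <<EOF
#!/bin/sh
(echo "X-Additional-Header: \$PWD"; cat) | tee -a "$CAPTURE" | "$QMAIL_BIN/sendmail-qmail" "\$@"
EOF
    chmod a+x "$QMAIL_BIN/sendmail-wrapper"
    mv "$QMAIL_BIN/sendmail" "$QMAIL_BIN/sendmail-qmail"
    ln -s "$QMAIL_BIN/sendmail-wrapper" "$QMAIL_BIN/sendmail"
}

# Step 2: put the original sendmail back once enough traffic has been captured.
remove_wrapper() {
    if [ ! -e "$QMAIL_BIN/sendmail-qmail" ]; then
        echo "wrapper not installed" >&2
        return 1
    fi
    rm -f "$QMAIL_BIN/sendmail"
    mv "$QMAIL_BIN/sendmail-qmail" "$QMAIL_BIN/sendmail"
    rm -f "$QMAIL_BIN/sendmail-wrapper"
}

# Step 3: submissions per directory, most active first. Pass the vhosts root
# from /etc/psa/psa.conf (HTTPD_VHOSTS_D, e.g. /var/www/vhosts) to keep only
# customer sites; with no argument every recorded directory is listed.
report_senders() {
    prefix="${1:-}"
    grep '^X-Additional-Header: ' "$CAPTURE" \
        | sed 's/^X-Additional-Header: //' \
        | grep "^$prefix" \
        | sort | uniq -c | sort -rn
}

# Usage on a server: install_wrapper; (wait); remove_wrapper; report_senders /var/www/vhosts; rm -f "$CAPTURE"
```

Because the report is keyed on the working directory of the process that called sendmail, a script that changes directory before sending, or one invoked by cron from the account's home, shows up under that directory rather than its own path; the mail.add_x_header option described next pinpoints the script file itself.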

– If your PHP version is greater than 5.3, you can also enable extended mail logging, which adds a header to every outgoing email with the path of the script that sent it, making it easy to locate the script involved in spamming.

Add the following line to your php.ini file :

mail.add_x_header = On

– Check the headers (see the companion post below on finding the headers of mails in the queue) and identify the script involved.

 

Tracking down spamming in Plesk – 1

Finding the source of spam on a server provisioned with Plesk is a tough job.

Some useful commands are given below.

  • Find the number of mails hung in the queue :

# /var/qmail/bin/qmail-qstat

  • To get an idea of the message headers of the mails in the queue :

# /var/qmail/bin/qmail-qread

The above shows the senders and recipients of the queued messages. Next, locate a message in the queue by its ID:

# find /var/qmail/queue/mess/ -name XXXXXX ( <- Message ID )

cat the file found by the above command and inspect the message headers closely.

Examine the message and find the “Received” lines to see where it was first injected.

For example, if you find:

1-> Received: (qmail 19514 invoked by uid xxxx ); 13 Sep 2005 17:48:22 +0700

This means the message was sent via a CGI or script running as the user with UID xxxx. Using this UID, you can find the account and hence the domain:

# grep xxxx /etc/passwd

2-> Received: (qmail 19622 invoked from network); date/time
Received: from external_domain.com (xx.xx.xx.xx)

This means the message was accepted and delivered via SMTP, and that the sender authenticated as a mail user. This may mean that the password of the email account has been compromised.

Use the following command to list the users who have attempted SMTP authentication. If you find a lot of authentication attempts for a particular user or from a particular IP, that is likely where the weakness in your server lies.

# grep -i smtp_auth /usr/local/psa/var/log/maillog | grep -i user

Also, if the headers of the queued mail show that it was received from a particular IP address, like:

Received: (qmail 10728 invoked from network); date
Received: from unknown (HELO User) (xx.xx.xx.xx)
  by domain.com with SMTP ; date

you can use tcpdump to capture what is being communicated between the server and the IP in question:

# tcpdump -i venet0:0 -n -s 2048 -w /home/wiresharklog.pcap src xx.xx.xx.xx or dst xx.xx.xx.xx

– Replace  venet0:0 with your appropriate interface

– Replace xx.xx.xx.xx with the IP in question.

The capture is written to /home/wiresharklog.pcap. Open this pcap file in Wireshark (or a similar tool) and look at Statistics -> Flow Graph to see the connections and packets being exchanged.

3-> If the “Received” line contains the UID of the user “apache” (for example, invoked by uid 48), it means the spam was sent through a PHP script. The post “Tracking down spamming in Plesk – 2” above covers that case.
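The three cases above are a small decision procedure over the Received headers of a queued message, and it is worth having it as a script when the queue holds thousands of them. The script below is an added example (not part of the original post): it reads one message file from /var/qmail/queue/mess/, takes the earliest Received header and reports whether the mail came from a script run as a system user (case 1), a script run as the web server (case 3, following the post's “uid 48 = apache” example), or an SMTP submission from an IP (case 2). PASSWD is a parameter so the uid lookup can be tried against a constructed passwd file, and the sample messages are constructed, not real queue contents.

```shell
#!/bin/sh
# Added example, not part of the original post. Classifies one queued message
# by its earliest Received header, following the three cases in the post.
# PASSWD is overridable so the uid lookup can be tried against sample data;
# treating uid 48 as the web server follows the post's apache example.
PASSWD="${PASSWD:-/etc/passwd}"

# All Received: lines of the header block, top to bottom. Each hop adds its
# header on top, so the last one describes the first hop.
received_headers() {
    awk '/^$/ { exit } /^Received:/' "$1"
}

uid_to_user() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }' "$PASSWD"
}

# Prints one of:
#   script uid=N user=NAME   (CGI/PHP run as that account: check its docroot)
#   script-apache uid=N      (PHP under the web server: see part 2 above)
#   network ip=A.B.C.D       (SMTP submission: check smtp_auth lines in the maillog)
classify_origin() {
    hdrs=$(received_headers "$1")
    last=$(printf '%s\n' "$hdrs" | tail -n 1)
    case "$last" in
        *"invoked by uid "*)
            uid=$(printf '%s\n' "$last" | sed 's/.*invoked by uid \([0-9]*\).*/\1/')
            user=$(uid_to_user "$uid")
            if [ "$uid" = "48" ] || [ "$user" = "apache" ]; then
                echo "script-apache uid=$uid"
            else
                echo "script uid=$uid user=${user:-unknown}"
            fi
            return 0 ;;
    esac
    case "$hdrs" in
        *"invoked from network"*)
            # the hop line below "invoked from network" carries the peer's IP in parentheses
            ip=$(printf '%s\n' "$last" | sed -n 's/.*(\([0-9.][0-9.]*\)).*/\1/p')
            echo "network ip=${ip:-unknown}" ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample messages and passwd entries (not real data) to try it offline.
make_samples() {
    printf 'apache:x:48:48::/var/www:/sbin/nologin\nsiteuser:x:10001:2524::/var/www/vhosts/site.example:/bin/false\n' > "$1/passwd"
    printf 'Received: (qmail 19514 invoked by uid 10001); 13 Sep 2005 17:48:22 +0700\nTo: someone@example.net\nSubject: test\n\nbody\n' > "$1/local.msg"
    printf 'Received: (qmail 19622 invoked from network); 13 Sep 2005 17:50:00 +0700\nReceived: from unknown (HELO User) (203.0.113.5)\n  by site.example with SMTP; 13 Sep 2005 17:50:00 +0700\nSubject: test\n\nbody\n' > "$1/network.msg"
    printf 'Received: (qmail 20001 invoked by uid 48); 13 Sep 2005 17:51:00 +0700\nSubject: test\n\nbody\n' > "$1/apache.msg"
}

# Usage on a server: for f in /var/qmail/queue/mess/*/*; do classify_origin "$f"; done | sort | uniq -c | sort -rn
```

Run over the whole mess/ tree and counted, the output shows at a glance whether the bulk of the queue comes from one account, from the web server, or from one remote address, which is the first decision the post asks you to make.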

Another case of spamming has also been noticed.

– When checking the qmail mail logs (/usr/local/psa/var/log/maillog) you see:

date  xxxx smtp_auth: SMTP connect from (null)@(null) [xx.xx.xx.xx]
date  xxxx smtp_auth: smtp_auth: SMTP user xxxxx: logged in from (null)@(null) [xx.xx.xx.xx]

Here the spam is being sent by brute-forcing Plesk email passwords and then authenticating with a base64-encoded username.

The built-in qmail logging cannot handle this encoding, so the logs show (null) instead of the username that was used. This applies to servers running older versions of Plesk.

The solution would be to upgrade Plesk to a more stable version.

Note: also check whether any email account in your hosting environment uses the mail name ‘test’. Around 90% of the accounts created as test have weak passwords, which makes them easy for attackers to brute-force.

Use this query to find any such accounts:

# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa

mysql> SELECT m.mail_name, d.name FROM mail AS m LEFT JOIN (domains AS d, accounts AS a) ON (m.dom_id = d.id AND m.account_id = a.id) WHERE m.mail_name='test';

Hope this was helpful 🙂

Clearing huge eximstats db !

The eximstats database tends to grow large when there is a high volume of mail from your server.

Check whether the following WHM setting is set to a high interval:

Home »Server Configuration »Tweak Settings

>> “The interval, in days, to retain Exim stats in the database”

You might need to reduce the number of days for which the Exim stats are retained.

Usually eximstats grows huge when spam is being sent from your server. First check whether your server is involved in spamming; if so, find the source of the spam and eradicate it.

You can empty the eximstats MySQL database as follows:

# mysql -u root -p
mysql> use eximstats;
mysql> delete from sends;
mysql> delete from smtp;
mysql> delete from failures;
mysql> delete from defers;

If the above takes too long, you can drop and recreate eximstats from cPanel's schema file instead:

# mysqladmin drop eximstats

# mysqladmin create eximstats

# mysql eximstats < /usr/local/cpanel/etc/eximstats_db.sql

 

Clear Qmail queue – Plesk

To clear the Qmail queue, stop qmail and remove the files in the queue subdirectories listed below. Only these six directories should be touched: removing anything under /var/qmail/queue/lock (such as sendmutex, see the post on Qmail failing to restart above) leaves qmail unable to start.

# service qmail stop
# find /var/qmail/queue/mess -type f -exec rm {} \;
# find /var/qmail/queue/info -type f -exec rm {} \;
# find /var/qmail/queue/local -type f -exec rm {} \;
# find /var/qmail/queue/intd -type f -exec rm {} \;
# find /var/qmail/queue/todo -type f -exec rm {} \;
# find /var/qmail/queue/remote -type f -exec rm {} \;
# service qmail start

Another easy way to remove the mails from the queue is Plesk's own queue manager:

# /usr/local/psa/admin/sbin/mailqueuemng -D

Changing the Exim interface IP

To change the IP address Exim sends from, do the following:

– SSH to your server and edit the file /etc/mailips. This file controls the IP address from which each domain is allowed to send mail. If the file is not present, create it. Open it in your preferred text editor and configure it as follows:

*: 192.168.0.1   ( <- desired IP )

Here ‘*’ stands for every domain on the server. If you need just one domain to send from a different IP, put that domain name in place of ‘*’.

– Disable the following option in WHM:

WHM » Service Configuration » Exim Configuration Manager » Domains and IPs » Send mail from account’s dedicated IP address

– In the same place, enable this option:

Reference /etc/mailips for outgoing SMTP connections.

Now restart the Exim service.
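A malformed /etc/mailips line, or one that names an address that is not actually configured on the server, only shows up once Exim has been restarted and deliveries start failing. The script below is an added example (not cPanel's own tooling) that checks the file first: every non-comment line must be “<domain or *>: <IPv4>”, and each address is compared against the addresses bound on the host, read from ip -4 -o addr (a Linux iproute2 command) or supplied through LOCAL_IPS for testing. MAILIPS defaults to /etc/mailips.

```shell
#!/bin/sh
# Added example; not cPanel tooling. Validates an /etc/mailips file before
# Exim is restarted. MAILIPS and LOCAL_IPS are overridable for testing.
MAILIPS="${MAILIPS:-/etc/mailips}"

# Dotted-quad IPv4 check: four numeric octets, each 0-255.
valid_ipv4() {
    ip="$1"
    case "$ip" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Returns 0 if every line is well-formed, 1 otherwise; problems go to stderr.
check_mailips() {
    rc=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in
            *:*) ;;
            *) echo "line $n: missing ':' between domain and IP" >&2; rc=1; continue ;;
        esac
        key=$(printf '%s' "${line%%:*}" | tr -d ' \t')
        addr=$(printf '%s' "${line#*:}" | tr -d ' \t')
        case "$key" in
            '*') ;;                                  # catch-all for every domain not listed
            ''|*[!A-Za-z0-9.-]*) echo "line $n: bad domain '$key'" >&2; rc=1 ;;
        esac
        valid_ipv4 "$addr" || { echo "line $n: bad IPv4 '$addr'" >&2; rc=1; }
    done < "${1:-$MAILIPS}"
    return $rc
}

# IPv4 addresses configured on this host, one per line. LOCAL_IPS (space
# separated) overrides the lookup so the check can be run against sample data.
local_ipv4s() {
    if [ -n "${LOCAL_IPS:-}" ]; then
        printf '%s\n' $LOCAL_IPS
    elif command -v ip >/dev/null 2>&1; then
        ip -4 -o addr show | awk '{ sub(/\/.*/, "", $4); print $4 }'
    fi
}

# Print the mailips entries whose address is not bound locally: Exim cannot
# use such an address as the source of an outgoing connection.
unbound_entries() {
    bound=$(local_ipv4s)
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "${1:-$MAILIPS}" | while IFS= read -r line; do
        addr=$(printf '%s' "${line#*:}" | tr -d ' \t')
        printf '%s\n' "$bound" | grep -Fqx "$addr" || echo "$line"
    done
}

# Usage on a server: check_mailips && [ -z "$(unbound_entries)" ] && service exim restart
```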

Exim cheatlist

– /var/log/exim_paniclog : information about problems in the Exim program itself.

– /var/log/exim_mainlog : logs every single mail transaction.

– /var/log/exim_rejectlog : logs delivery rejections.

# exim -bp : shows the mails on the queue

# exim -bpc : counts the number of messages on the queue.

# exim -bpr : operates like -bp, but the output is not sorted into chronological order of message arrival.

# exiwhat : shows what Exim is doing at the moment

# exim -bt [user]@domain : test how Exim’s configuration will route mail sent to the specified address.

# exiqgrep -f [user]@domain : find messages from a particular sender in the queue.

# exiqgrep -r [user]@domain : find messages to a particular addressee on your server.

# exim -Mrm <message-id> [ <message-id> ... ] : remove specific message(s) from the queue

# exiqgrep -o 36000 -i | xargs exim -Mrm : remove all messages older than ten hours (36000 seconds)

# exim -Mvh <message-id> : view a specific message’s full headers.

# exim -Mvb <message-id> : view a specific message’s body.

# exim -bp | grep frozen | wc -l : print the number of frozen mails.

# exiqgrep -z -i | xargs exim -Mrm : delete the frozen mails.

# exiqgrep -i | xargs exim -Mrm : remove all mails (exiqgrep reads the queue itself, so it needs no exim -bp in front of it).

 

Some other useful commands :

– To list the directories from which mails are being generated, with a count for each (local submissions are logged with their cwd) :

# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

– To list which sender address has the most messages in the queue :

# exim -bpr | grep "<*@*>" | awk '{print $4}' | grep -v "<>" | sort | uniq -c | sort -n