Configure specific domains through AWS SES and others through local exim

In this post we will see how to configure some domains on the server to relay through the Amazon SES service, while other domains, which we don't want to go through SES, send via the local Exim MTA.

First, create the file /etc/excludeindomains and add the domains which you don't want to route through SES.

The format should be :

Next, create the file /etc/excludeoutdomains and add the same domains in the following format :

These two files cover incoming (receiver) and outgoing (sender) mail respectively.

Add the following lines under the CONFIG section (you will see similar lines there) :

domainlist exclude_receiver_domains = lsearch;/etc/excludeindomains 
domainlist exclude_sender_domains = lsearch;/etc/excludeoutdomains

Next, add the following lines in the ROUTERSTART section.

Write them inside the router that does the SES relaying (after the "begin routers" line) :

domains = !+exclude_receiver_domains: !+local_domains 
senders = !*@+exclude_sender_domains

For the rest you can follow this documentation :

Just make sure you don't overwrite the 'domains' line mentioned above with 'domains = ! +local_domains' as given in the AWS doc. If you want some domains not to route through SES, it must not be 'domains = ! +local_domains'; it should rather be (as mentioned above) :

domains = !+exclude_receiver_domains: !+local_domains
senders = !*@+exclude_sender_domains

That's it. Wait a minute though, don't forget to restart Exim 😉
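As an added example (not code from this post, from AWS or from Exim), the following Python script emulates the two router preconditions above against constructed stand-ins for /etc/excludeindomains, /etc/excludeoutdomains and the local_domains list, so you can check which messages would hit the SES router and which would stay on the local Exim. It also shows what the AWS doc's bare 'domains = ! +local_domains' would do with the same messages. The file contents, domain names and addresses are all constructed.

```python
"""Emulation of the two router preconditions used for the SES relay router.

Added example, not code from this post, from AWS or from Exim. It mimics
Exim's lsearch lookup (the key is the first field of a line, terminated by
a colon or whitespace; blank and '#' lines are skipped) and evaluates

    domains = !+exclude_receiver_domains : !+local_domains
    senders = !*@+exclude_sender_domains

for constructed messages. The file contents, domains and addresses are
constructed stand-ins for /etc/excludeindomains, /etc/excludeoutdomains
and the local_domains list; nothing is read from disk.
"""

# Constructed stand-in for /etc/excludeindomains
EXCLUDE_IN_DOMAINS = """\
# inbound mail for these domains must not be relayed through SES
keep-local.example
archive.example: text after the colon is not part of the key
"""

# Constructed stand-in for /etc/excludeoutdomains
EXCLUDE_OUT_DOMAINS = """\
keep-local.example
archive.example
"""

# Constructed stand-in for the server's local_domains list
LOCAL_DOMAINS = {"localhost", "mail.example"}


def lsearch_keys(text):
    """Keys of an lsearch-style file, lower-cased because Exim lower-cases
    a domain before matching it against a domain list."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keys.add(line.split(":", 1)[0].split()[0].lower())
    return keys


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def route_for(sender, recipient):
    """'ses' when both preconditions pass, 'local' when the SES router is
    skipped and the normal routers deliver the message."""
    rcpt_domain = domain_of(recipient)
    # domains = !+exclude_receiver_domains : !+local_domains
    # A negated item that matches fails the whole list at once.
    if rcpt_domain in lsearch_keys(EXCLUDE_IN_DOMAINS):
        return "local"
    if rcpt_domain in LOCAL_DOMAINS:
        return "local"
    # senders = !*@+exclude_sender_domains  (the empty bounce sender never matches *@)
    if sender and domain_of(sender) in lsearch_keys(EXCLUDE_OUT_DOMAINS):
        return "local"
    return "ses"


def route_for_aws_doc_setting(sender, recipient):
    """The same router with only 'domains = ! +local_domains' as in the AWS
    doc: the exclude lists are never consulted, so excluded domains still
    go through SES."""
    if domain_of(recipient) in LOCAL_DOMAINS:
        return "local"
    return "ses"


if __name__ == "__main__":
    samples = [
        ("alice@mail.example", "bob@gmail.example"),
        ("alice@mail.example", "bob@keep-local.example"),
        ("alice@keep-local.example", "bob@gmail.example"),
        ("alice@mail.example", "bob@ARCHIVE.example"),
        ("", "bob@gmail.example"),
    ]
    for s, r in samples:
        print(f"{s or '<>':26} -> {r:24} {route_for(s, r):5} "
              f"(AWS doc setting only: {route_for_aws_doc_setting(s, r)})")
```

Note that the sender list is only consulted when the recipient-side list has already passed; a locally originated message from an excluded sender domain therefore stays local even when the recipient is external, which is the whole point of the second precondition.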

Issue with Roundcube attachments in Plesk

Facing issues uploading attachments in Roundcube? The other day I was not able to attach a PDF through webmail.

Apache error logs showed the following :

[Date [:error] [pid 12345:tid 123456789] [client xx.xx.xx.xx] [client xx.xx.xx.xx] ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.

This happened even though mod_security wasn't loaded.

The error was caused by a bug in Plesk. To fix it, go to Plesk > Tools & Settings > Web Application Firewall (ModSecurity), enable it, then disable it again.

Blocking all mails originating from a domain in your cPanel server !

There are times when a particular domain on your server is involved in spamming or excessive mail delivery and you want to block that domain alone from sending mail. With cPanel's default setup, this is not straightforward.

We will see how to do this step-by-step.

First, log in to WHM and navigate to Home » Service Configuration » Exim Configuration Manager » Advanced Editor.

Find the portion "ROUTERS CONFIGURATION" and, right under the PREROUTERS section, add the following piece of code :


# router name: any unique name will do (this one is a placeholder)
exim_blacklist_router:
  driver = redirect
  # fail every address whose domain is in the exim_blacklist list; sender
  # verification then rejects mail from these domains (the router also
  # applies to recipients in those domains)
  domains = +exim_blacklist
  data = :fail: Connection rejected: Sorry dude :/

Once this is done, save the configuration.

Next, SSH to your server and open the file /etc/exim.conf for editing.

Right after the first line (usually something like "#!!# cPanel Exim 4 Config"), add the following and save the file :

domainlist exim_blacklist = lsearch;/etc/eximblacklist

Save the file and restart exim.

Now all you need to do is enter the concerned domain(s) in the file /etc/eximblacklist (one domain per line).

Now, when you test sending a mail from the domain, the following can be seen in the logs :

DATE H=localhost (xxxxx]:44411 sender verify fail for <>: Connection rejected: Sorry dude :/

That's it. Do you still face any issue? Post a comment below with the error / issue you get!
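The following is an added example, not cPanel's or Exim's code: a Python emulation of the :fail: router above, run against a constructed stand-in for /etc/eximblacklist. It shows the two places the router bites, sender verification (the 'sender verify fail' line in the log above) and recipient routing, because the router's only precondition is the domain list, so mail addressed to a listed domain is refused as well as mail from it. It also lints the list file for entries that would never match. Domains and addresses are constructed.

```python
"""Emulation of the :fail: redirect router added under PREROUTERS above.

Added example, not cPanel's or Exim's code. Exim runs its routers for the
sender address during sender verification (the source of the 'sender verify
fail ... Sorry dude' log line) and again for every recipient. The router's
only precondition is domains = +exim_blacklist, so it fires in both cases:
mail FROM a listed domain is refused, and so is mail TO that domain. Keep
that in mind before listing a domain that still has to receive mail.

The list content and the addresses are constructed; /etc/eximblacklist is
not read.
"""

# Constructed stand-in for /etc/eximblacklist (one domain per line)
EXIM_BLACKLIST = """\
spammy.example
Abused.Example
"""

FAIL_MESSAGE = "Connection rejected: Sorry dude :/"


def load_blacklist(text):
    """Domains from the list file: first field of each non-blank,
    non-comment line, lower-cased as Exim lower-cases domains."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.add(line.split(":", 1)[0].split()[0].lower())
    return keys


def lint_blacklist(text):
    """Entries that would never match a bare domain, worth fixing before
    saving the file: full addresses, trailing dots, embedded spaces."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "@" in line:
            problems.append(f"line {n}: '{line}' is an address, list only the domain")
        elif line.endswith("."):
            problems.append(f"line {n}: '{line}' has a trailing dot")
        elif " " in line:
            problems.append(f"line {n}: '{line}' contains a space")
    return problems


def route(address, blacklist):
    """Outcome of this router for one address: ('fail', message) when the
    domain is listed, ('pass', '') when later routers decide."""
    if address and address.rsplit("@", 1)[-1].lower() in blacklist:
        return ("fail", FAIL_MESSAGE)
    return ("pass", "")


def smtp_transaction(sender, recipient, blacklist):
    """Combined effect on one message: sender verification first, then
    recipient routing."""
    outcome, msg = route(sender, blacklist)
    if outcome == "fail":
        return f"rejected: sender verify fail for <{sender}>: {msg}"
    outcome, msg = route(recipient, blacklist)
    if outcome == "fail":
        return f"rejected: recipient <{recipient}>: {msg}"
    return "accepted"


if __name__ == "__main__":
    bl = load_blacklist(EXIM_BLACKLIST)
    for s, r in [("joe@spammy.example", "x@ext.example"),
                 ("x@ext.example", "joe@abused.example"),
                 ("x@ext.example", "y@clean.example")]:
        print(f"{s} -> {r}: {smtp_transaction(s, r, bl)}")
    for p in lint_blacklist("good.example\nbad@x.example\ntrail.example.\n"):
        print("lint:", p)
```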


Qmail failing to restart !

When trying to restart Qmail, are you getting a failure message?

Check the mail logs to see if you can spot something. If you are on a Plesk server, you can find the logs at /usr/local/psa/var/log/maillog.

Do you find an error like :


Date host qmail: xxxxx alert: cannot start: unable to open mutex

This can happen when you manually delete the qmail queue and happen to remove a file from the /var/qmail/queue folder. To solve this error, do the following :

# touch /var/qmail/queue/lock/sendmutex
# chown qmails:qmail /var/qmail/queue/lock/sendmutex

Once this is done, restart qmail as

# /etc/init.d/qmail start

Exim – Dropping SMTP connection at HELO/EHLO !

We are observing a brute-force attack on SMTP connections from different IP addresses with the same machine name, "ylmf-pc".

It could be many malware-infected machines involved, or extensive IP spoofing.

If you have CSF configured properly, the IPs would be blocked at the firewall level.

Another solution is to drop the SMTP connection at HELO, so that no further processing is carried out and no packet states for the different IPs have to be examined. If CSF were to block these IPs, the list could become very large and affect the performance of the server.

Add the following to the Exim ACL configuration file.

# vi /etc/exim.conf

# main section: name the ACL that runs at HELO/EHLO time
acl_smtp_helo = acl_smtp_helo

# ACL section (after "begin acl"): "drop" closes the connection after the
# rejection, so no further SMTP commands from that client are processed
acl_smtp_helo:
  drop condition   = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
       log_message = HELO/EHLO - ylmf-pc blocked
       message     = I Nailed You at HELO
  accept

Restart exim once this is done.

# service exim restart

This makes sure that connections from these ylmf-pc clients are dropped before any further processing!

Update : if you want to block connections from other HELO names too, use the following piece of code in exim.conf instead of the above :

acl_smtp_helo:
  drop condition   = ${lookup{$sender_helo_name}lsearch{/etc/heloblocks}{yes}{no}}
       log_message = HELO/EHLO - HELO on heloblocks Blocklist
       message     = HELO on heloblocks Blocklist
  accept

Once the above config is in place, create a new file /etc/heloblocks and add the HELO/domain names, one per line.

Don't forget to restart Exim once this is done.
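As an added example (not from this post and not Exim's code), the Python below shows the decision each of the two ACL variants makes for a given HELO name, and tallies dropped HELO/EHLO attempts per client IP from reject-log style lines, which is the kind of summary you would feed into a firewall rule or a report. The heloblocks content, HELO names, IPs (documentation ranges) and log lines are constructed, and the log layout only approximates Exim's "H=(name) [ip] ... rejected ..." rejectlog entries. The lsearch variant is treated as an exact-string match, which is an assumption; check the Exim specification if you rely on case-insensitive matching.

```python
"""Added example (not from the post, not Exim's code): the decision the two
ACL variants above make for a HELO/EHLO name, and a per-IP tally of HELO
rejections from reject-log style lines.

Everything below is constructed: the heloblocks file content, the HELO
names, the IPs and the log lines, whose layout only approximates Exim's
"H=(name) [ip] ... rejected ..." rejectlog entries.
"""
import re
from collections import Counter

# Constructed stand-in for /etc/heloblocks (one name per line)
HELOBLOCKS = """\
ylmf-pc
# comment lines are skipped by lsearch
friend
"""

# Constructed reject-log lines (layout approximated)
REJECT_LOG = """\
2024-05-01 10:00:01 H=(ylmf-pc) [203.0.113.5] rejected EHLO or HELO ylmf-pc: HELO/EHLO - ylmf-pc blocked
2024-05-01 10:00:03 H=(ylmf-pc) [203.0.113.5] rejected EHLO or HELO ylmf-pc: HELO/EHLO - ylmf-pc blocked
2024-05-01 10:00:04 H=(ylmf-pc) [198.51.100.7] rejected EHLO or HELO ylmf-pc: HELO/EHLO - ylmf-pc blocked
2024-05-01 10:00:09 H=(friend) [198.51.100.9] rejected EHLO or HELO friend: HELO on heloblocks Blocklist
2024-05-01 10:00:12 H=mx.example [192.0.2.10] F=<a@example> rejected RCPT <b@example>: relay not permitted
"""


def acl_single_name(helo_name):
    """First variant: ${if eq {$sender_helo_name}{ylmf-pc} ...} is an exact
    string comparison, so 'YLMF-PC' would not be dropped."""
    return "drop" if helo_name == "ylmf-pc" else "accept"


def lsearch_keys(text):
    """First field of each non-blank, non-comment line (lsearch key)."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.add(line.split(":", 1)[0].split()[0])
    return keys


def acl_heloblocks(helo_name, heloblocks=HELOBLOCKS):
    """Second variant: ${lookup{$sender_helo_name}lsearch{/etc/heloblocks} ...}.
    Assumption: the name is compared exactly as written."""
    return "drop" if helo_name in lsearch_keys(heloblocks) else "accept"


HELO_REJECT = re.compile(r"H=\(([^)]*)\) \[([0-9a-fA-F.:]+)\] rejected (?:EHLO|HELO)")


def tally_helo_rejections(log_text):
    """Dropped HELO/EHLO attempts per client IP; other rejections (RCPT,
    DATA, ...) are ignored."""
    per_ip = Counter()
    for line in log_text.splitlines():
        m = HELO_REJECT.search(line)
        if m:
            per_ip[m.group(2)] += 1
    return per_ip


if __name__ == "__main__":
    for name in ("ylmf-pc", "YLMF-PC", "friend", "mx.example"):
        print(f"{name:12} single={acl_single_name(name):6} list={acl_heloblocks(name)}")
    for ip, n in tally_helo_rejections(REJECT_LOG).most_common():
        print(f"{ip:16} {n} dropped HELO/EHLO")
```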

Click here to read more about DDoS protection !!


Tracking down spamming in Plesk – 2

This post will help you track down spamming from a Plesk server when it is being done through PHP scripts in any of the domains.

– Use this to record the folders from which PHP mail scripts are run.

# vi /var/qmail/bin/sendmail-wrapper

#!/bin/sh
# prepend the caller's working directory as a header, keep a copy of every
# message in /var/tmp/mail.send, then hand it to the real sendmail
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"

# touch /var/tmp/mail.send
# chmod a+rw /var/tmp/mail.send
# chmod a+x /var/qmail/bin/sendmail-wrapper
# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

– Wait some time and then change sendmail back:

# rm -f /var/qmail/bin/sendmail
# mv /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

Once this is completed, run the following command, which shows you all the folders from which PHP mail scripts were run :

# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

– If your PHP version is greater than 5.3, you can also consider enabling extended logging, which adds a header to all outgoing email and helps you track down the location of the script involved in spamming.

Add the following line to your php.ini file :

mail.add_x_header = On

– Check the headers (see this post on finding the headers from the queue) and spot the script involved.
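The following is an added example, not from this post and not Plesk's code: a Python script that reads a capture file in the format the sendmail-wrapper above produces (each message preceded by its X-Additional-Header line) and reports how many messages each directory under the vhosts root sent, together with the uid:script values that PHP adds as X-PHP-Originating-Script when mail.add_x_header is on. The psa.conf line, the captured messages and the paths are constructed stand-ins; nothing is read from disk.

```python
"""Added example (not from the post, not Plesk's code): summarise the file
the sendmail-wrapper appends to (/var/tmp/mail.send) by sending directory
under the vhosts root, and collect the X-PHP-Originating-Script values that
mail.add_x_header = On adds.

The psa.conf line, captured messages and paths are constructed.
"""
from collections import Counter

# Constructed stand-in for the relevant line of /etc/psa/psa.conf
PSA_CONF = "HTTPD_VHOSTS_D /var/www/vhosts\n"

# Constructed stand-in for /var/tmp/mail.send: every captured message starts
# with the X-Additional-Header line the wrapper prepends ($PWD of the caller).
MAIL_SEND = """\
X-Additional-Header: /var/www/vhosts/site-a.example/httpdocs/wp-content/uploads/2024
X-PHP-Originating-Script: 10001:x.php
To: victim@ext.example
Subject: constructed sample

body
X-Additional-Header: /var/www/vhosts/site-a.example/httpdocs/wp-content/uploads/2024
X-PHP-Originating-Script: 10001:x.php
To: victim2@ext.example
Subject: constructed sample

body
X-Additional-Header: /var/www/vhosts/site-b.example/httpdocs
X-PHP-Originating-Script: 10002:contact.php
To: owner@site-b.example
Subject: contact form

body
X-Additional-Header: /root
To: root@localhost
Subject: cron output

body
"""


def vhosts_root(psa_conf_text):
    """Same value the grep/sed pipeline in the post extracts."""
    for line in psa_conf_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "HTTPD_VHOSTS_D":
            return parts[1]
    raise ValueError("HTTPD_VHOSTS_D not found")


def split_messages(text):
    """Messages are concatenated; a new one begins at each X-Additional-Header."""
    msgs, current = [], []
    for line in text.splitlines():
        if line.startswith("X-Additional-Header:") and current:
            msgs.append(current)
            current = []
        current.append(line)
    if current:
        msgs.append(current)
    return msgs


def report(mail_send_text, psa_conf_text):
    """Return (dirs, scripts): messages per sending directory under the vhosts
    root, and messages per 'uid:script' from X-PHP-Originating-Script."""
    root = vhosts_root(psa_conf_text).rstrip("/") + "/"
    dirs, scripts = Counter(), Counter()
    for msg in split_messages(mail_send_text):
        pwd = msg[0].split(":", 1)[1].strip()
        if not pwd.startswith(root):
            continue  # cron or system mail, not a web script
        dirs[pwd] += 1
        for line in msg[1:]:
            if line == "":
                break  # end of the header block
            if line.startswith("X-PHP-Originating-Script:"):
                scripts[line.split(":", 1)[1].strip()] += 1
    return dirs, scripts


if __name__ == "__main__":
    dirs, scripts = report(MAIL_SEND, PSA_CONF)
    for d, n in dirs.most_common():
        print(f"{n:4} {d}")
    for s, n in scripts.most_common():
        print(f"{n:4} {s}")
```

The directory is the working directory of the process that called sendmail, so for PHP it points at the script's folder; the uid in X-PHP-Originating-Script tells you which system user (and therefore which subscription) ran it.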


Tracking down spamming in Plesk – 1

Finding the source of spamming in a server provisioned with Plesk is a tough job.

Some useful commands which might help you are given below.

  • Find the number of mails hung in the queue :

# /var/qmail/bin/qmail-qstat

  • To get an idea about the message headers of mails in the queue :

# /var/qmail/bin/qmail-qread

The above shows the senders and recipients of messages. Now find the message in the queue by its ID :

# find /var/qmail/queue/mess/ -name XXXXXX    (XXXXXX is the message ID)

cat the file found by the above command and inspect the message headers closely.

Examine the message and find the "Received" line to find out where it was sent from in the first place.

For example, if you find:

1-> Received: (qmail 19514 invoked by uid xxxx ); 13 Sep 2005 17:48:22 +0700

It means that this message was sent via CGI by the user with UID xxxx. Using this UID, it is possible to find the domain:

# grep xxxx /etc/passwd

2-> Received: (qmail 19622 invoked from network); date/time
Received: from (xx.xx.xx.xx)

It means that the message was accepted and delivered via SMTP and that the sender is an authorized mail user. This might mean that the password of the email account has been compromised.

You can use the following command to find the users who have attempted to log in via SMTP authentication. If you find lots of authentication attempts for a particular user or from a particular IP, that might be the weak point on your server.

# grep -i smtp_auth /usr/local/psa/var/log/maillog | grep -i user

Also, when you check the headers of the mail in the queue, if you find that the mails are received from a particular IP address, like :

Received: (qmail 10728 invoked from network); date

Received: from unknown (HELO User) (xx.xx.xx.xx)

by with SMTP ; date

You can use tcpdump to find out what is being communicated over the network from/to the IP in question :

# tcpdump -i venet0:0 -n 'src xx.xx.xx.xx or dst xx.xx.xx.xx' -s 2048 -w /home/wiresharklog.pcap

– Replace  venet0:0 with your appropriate interface

– Replace xx.xx.xx.xx with the IP in question.

You will obtain the capture in /home/wiresharklog.pcap. Open this pcap file in Wireshark (or similar software) and look through 'Statistics -> Flow Graph' to see whether you can spot the connections/packets being sent.

3-> If the "Received" line contains the UID of the user "apache" (for example, invoked by uid 48), it means that spam was sent through a PHP script. See this post for dealing with that.
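As an added example, not from this post and not Plesk's or qmail's code, the Python below classifies the "Received" lines of a queued message into the three cases described above: 'invoked by uid N' (a local script or CGI, mapped to a user through /etc/passwd), uid 48 / user apache (a PHP script run by the web server) and 'invoked from network' (SMTP, where the following Received line carries the client IP and the account may be a compromised mailbox). The header blocks, the /etc/passwd lines, the UIDs and the IPs are all constructed.

```python
"""Classifier for the 'Received:' lines of a queued qmail message.

Added example, not from this post and not Plesk's or qmail's code. The
header blocks, /etc/passwd lines, UIDs and IPs are constructed.
"""
import re

# Constructed stand-in for /etc/passwd
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
site_a:x:10001:2524::/var/www/vhosts/site-a.example:/bin/false
"""

# Constructed header blocks as they would appear in /var/qmail/queue/mess/*
MSG_SCRIPT = """\
Received: (qmail 19514 invoked by uid 10001); 1 May 2024 10:00:00 +0000
To: victim@ext.example
Subject: constructed sample
"""
MSG_APACHE = """\
Received: (qmail 20001 invoked by uid 48); 1 May 2024 10:00:00 +0000
To: victim@ext.example
Subject: constructed sample
"""
MSG_SMTP = """\
Received: (qmail 10728 invoked from network); 1 May 2024 10:00:00 +0000
Received: from unknown (HELO User) (203.0.113.7)
  by mail.example with SMTP; 1 May 2024 10:00:00 +0000
To: victim@ext.example
Subject: constructed sample
"""

RX_UID = re.compile(r"\(qmail \d+ invoked by uid (\d+)\)")
RX_NET = re.compile(r"\(qmail \d+ invoked from network\)")
RX_IP = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def passwd_lookup(uid, passwd_text=PASSWD):
    """Like 'grep <uid> /etc/passwd', but matched on the uid field only."""
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[2] == str(uid):
            return {"user": f[0], "home": f[5]}
    return None


def classify(headers, passwd_text=PASSWD):
    """Describe how the message entered qmail from its Received: lines.
    The first Received: line is the one qmail-queue added at injection."""
    received = [l for l in headers.splitlines() if l.startswith("Received:")]
    if not received:
        return {"kind": "unknown"}
    m = RX_UID.search(received[0])
    if m:
        uid = int(m.group(1))
        entry = passwd_lookup(uid, passwd_text) or {"user": None, "home": None}
        if uid == 48 or entry["user"] == "apache":
            kind = "php-script-via-apache"
        else:
            kind = "local-script-or-cgi"
        return {"kind": kind, "uid": uid, **entry}
    if RX_NET.search(received[0]):
        ip = None
        for line in received[1:]:  # the next hop line names the SMTP client
            hit = RX_IP.search(line)
            if hit:
                ip = hit.group(1)
                break
        return {"kind": "smtp", "ip": ip}
    return {"kind": "unknown"}


if __name__ == "__main__":
    for name, msg in [("script", MSG_SCRIPT), ("apache", MSG_APACHE), ("smtp", MSG_SMTP)]:
        print(name, classify(msg))
```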

There is another case of spamming which has been noticed.

– When checking the qmail maillog (/usr/local/psa/var/log/maillog) :

date  xxxx smtp_auth: SMTP connect from (null)@(null) [xx.xx.xx.xx]
date  xxxx smtp_auth: smtp_auth: SMTP user xxxxx: logged in from (null)@(null) [xx.xx.xx.xx]

We can see that spamming is being done by brute-forcing Plesk email passwords and then authenticating using base64 encoding on the username.

The built-in qmail logging cannot handle this encoding, and as a result the logs just show (null) instead of the username used. This applies to servers running older versions of Plesk.

The solution would be to upgrade Plesk to a more stable version.
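As an added example, not from this post and not Plesk's or qmail's code, here is a Python summary of smtp_auth lines of the kind the grep above returns: logins per mailbox and per client IP, IPs that either log in repeatedly or into several different mailboxes, and a count of entries carrying the '(null)@(null)' form shown above. The log lines, mailbox names and IPs are constructed and only approximate the real smtp_auth line layout.

```python
"""Added example (not from the post, not Plesk's or qmail's code): summarise
smtp_auth lines from the Plesk maillog.

The log lines, mailbox names and IPs are constructed and only approximate
the real smtp_auth layout.
"""
import re
from collections import Counter, defaultdict

# Constructed maillog excerpt
MAILLOG = """\
May  1 10:00:01 host smtp_auth: SMTP connect from (null)@(null) [203.0.113.9]
May  1 10:00:01 host smtp_auth: smtp_auth: SMTP user test@site-a.example: logged in from (null)@(null) [203.0.113.9]
May  1 10:00:02 host smtp_auth: SMTP connect from (null)@(null) [203.0.113.9]
May  1 10:00:02 host smtp_auth: smtp_auth: SMTP user test@site-a.example: logged in from (null)@(null) [203.0.113.9]
May  1 10:00:03 host smtp_auth: smtp_auth: SMTP user alice@site-a.example: logged in from client.example [198.51.100.4]
May  1 10:00:04 host smtp_auth: smtp_auth: SMTP user bob@site-b.example: logged in from (null)@(null) [203.0.113.9]
"""

RX_LOGIN = re.compile(r"smtp_auth: SMTP user (\S+): logged in from (\S+) \[([0-9a-fA-F.:]+)\]")


def summarize(log_text, threshold=2):
    """Logins per user and per IP, IPs with more than `threshold` logins or
    logins into several mailboxes, and the number of '(null)' entries."""
    per_user, per_ip = Counter(), Counter()
    users_by_ip = defaultdict(set)
    null_entries = 0
    for line in log_text.splitlines():
        m = RX_LOGIN.search(line)
        if not m:
            continue  # connect lines and everything else are not logins
        user, host, ip = m.groups()
        per_user[user] += 1
        per_ip[ip] += 1
        users_by_ip[ip].add(user)
        if "(null)" in host:
            null_entries += 1
    suspicious = sorted(ip for ip in per_ip
                        if per_ip[ip] > threshold or len(users_by_ip[ip]) > 1)
    return {"per_user": per_user, "per_ip": per_ip,
            "suspicious_ips": suspicious, "null_entries": null_entries}


if __name__ == "__main__":
    s = summarize(MAILLOG)
    for user, n in s["per_user"].most_common():
        print(f"{n:4} logins  {user}")
    for ip, n in s["per_ip"].most_common():
        print(f"{n:4} logins  {ip}")
    print("suspicious IPs:", s["suspicious_ips"])
    print("(null) entries:", s["null_entries"])
```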

Note : you can also check whether there are any email accounts in your hosting environment which use the mail name 'test'. Around 90% of the accounts created as test have weak passwords, which makes them easier to brute-force.

Use this query to find whether any such accounts exist :

# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa

mysql> SELECT m.mail_name, d.name FROM mail AS m LEFT JOIN (domains AS d, accounts AS a) ON (m.dom_id = d.id AND m.account_id = a.id) WHERE m.mail_name = 'test';

Hope this was helpful 🙂

Clearing huge eximstats db !

The eximstats database tends to grow in size if there is a high amount of mailing from your server.

Check if the following value from WHM is set to a higher interval :

Home » Server Configuration » Tweak Settings

>> “The interval, in days, to retain Exim stats in the database”

You may need to reduce the interval for which eximstats are retained.

Usually, eximstats grows huge when spamming is being carried out from your server. First check whether your server is involved in spamming, and if so, find the source of the spamming and eradicate it.

You can empty the eximstats MySQL tables as follows :

# mysql -u root -p
mysql> use eximstats;
mysql> delete from sends;
mysql> delete from smtp;
mysql> delete from failures;
mysql> delete from defers;

If the above takes a lot of time, you can use the commands below to clear eximstats instead :

# mysqladmin drop eximstats

# mysqladmin create eximstats

# mysql eximstats < /usr/local/cpanel/etc/eximstats_db.sql


Clear Qmail queue – Plesk

In order to clear the Qmail queue, run the following commands from the shell :

# service qmail stop
# find /var/qmail/queue/mess -type f -exec rm {} \;
# find /var/qmail/queue/info -type f -exec rm {} \;
# find /var/qmail/queue/local -type f -exec rm {} \;
# find /var/qmail/queue/intd -type f -exec rm {} \;
# find /var/qmail/queue/todo -type f -exec rm {} \;
# find /var/qmail/queue/remote -type f -exec rm {} \;
# service qmail start

Another easy way to remove the mails from the queue is to run :

# /usr/local/psa/admin/sbin/mailqueuemng -D