Exim4 sends emails from fictitious Gmail accounts

/var/log/exim4/mainlog
/var/log/dovecot.log

These are the most important now …

I have all domains suspended, web and mail, and only activated exim and dovecot, and not for the attack. My hostname and many IPs that emulate it appear in the logs.

It is assumed that if I suspend the domains, then even if a password has been stolen, that would not work, right?

You need a specialist or new servers and migrate the service.

We have told you what to test and what information to provide.

We can’t help you if you don’t cooperate.

Did you try all of these?

Did you try all of these too?

I restored the default exim4.conf file and the attack stopped … I think that when updating the versions, that file was not updated and still had the previous hestiacp configuration, and that it has remained permanently without updating … could it be??

That file should not be overwritten during an exim package update. But as @jlguerrero already pointed out:

Currently we can just guess what’s wrong, and that isn’t productive at all.

I don’t know, but it was enough to put in the latest version of the exim4 file that you have, and now everything works fine; it seemed that some line allowed them to relay … now everything is fine for now.

Thanks and sorry for bothering

This is what the exim logs show now; it happens very often. Is it normal? Does it mean that they are still sending through my server? Or is this still an effect of the attack that I have had?

[107.173.181.192] F=[email protected] rejected RCPT [email protected]: Email account is sending too many emails - rate overlimit = 200.0 / 1h

Honestly, as we’ve written here (Please read this, before you start!) and always try to communicate: Hestia isn’t a replacement for sysadmin knowledge. We expect that you can do basic maintenance (read and understand logs, know the basic exim commands, or know to Google "exim cheatsheet" and so on) of an exim server on your own - without the control panel. You were told multiple times here by non-team (!) members to get “professional” help from a specialist who has the missing knowledge.

In your current case, and again, this is wild guessing due to the lack of information, I would say you need to clean your mail queue.

Also, please don’t try to blame hestia for an issue that’s clearly on your side:

It isn’t the control panel, and I don’t think that the default exim template - which you probably have overwritten during an upgrade (?) - includes an open relay configuration. So your basic issue is still unknown and I would strongly suggest getting someone to help you out here…

I also see in the logs:

[198.12.120.186] F=[email protected] rejected RCPT [email protected]: Rejected because 198.12.120.186 is in a black list at dnsbl-3.uceprotect.net

with my hostname, but in the sending queue I don’t see that messages are being sent through my server as I saw in the attack this morning … Can someone explain to me what all that means?
Is someone else passing it on?
Thanks

Please read my post above yours.

I’m sorry, my English is not very good, don’t worry, I won’t bother you anymore, it wasn’t my intention.

Greetings

This is a possible drastic solution:

clamscan --infected --remove --recursive /home/

Maybe you would have to check how clamd analyzes and deletes viruses that reach it through mail. Hestiacp by default would have to look into doing this, or at least from the panel, so that you can choose how clamd has to act when it analyzes a file that arrives by mail.

It should work fine but for some reason:

Mon Aug 23 21:17:37 2021 → /var/spool/exim4/scan/1mIHK5-0002FM-RO/1mIHK5-0002FM-RO.eml: Win.Test.EICAR_HDB-1(a820e7caf57e262e5fad18e104f137bc:1070) FOUND
Mon Aug 23 21:19:12 2021 → /var/spool/exim4/scan/1mIHLc-0002L6-VN/1mIHLc-0002L6-VN.eml: Win.Test.EICAR_HDB-1(7d77863131348a33674084f2bbc8fbf5:935) FOUND
Mon Aug 23 21:21:00 2021 → /var/spool/exim4/scan/1mIHNM-0002UB-ID/1mIHNM-0002UB-ID.eml: Win.Test.EICAR_HDB-1(dec44a190d9b73cf07c7c313855cb3f8:940) FOUND

When I send a test email containing a virus, exim ignores it. It might be a Debian 11 bug; I will test some more tomorrow.


After issues with sending domains (Gmail doesn’t like using their servers to send spam… )

External server to Hestia works fine:

2021-08-24 07:22:22 1mIQlJ-00044q-LA H=xxxxX=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no F=info@xxx rejected after DATA: Message contains a virus (Win.Test.EICAR_HDB-1) and has been rejected.

It might be that Exim accepts “internal” mail as safe I don’t know…

Improvements are possible but Exim is a dragon to make modifications in. And if somebody is willing to write a tested update script for it feel free to submit a pull request for it.

Yes, I think that clamav is not working well and ignores the infected files; I get emails with attachments that contain viruses more than once! I use Debian 10.

If ClamAV can’t detect it I can’t improve it. We rely on 3rd-party software for this kind of thing…

Unless we switch over to a different program…

But when you do a scan it detects and eliminates them; the problem is when you receive an email that lets them pass and does not delete them directly.

I have just sent an email to another domain not hosted on my server containing a virus:

2021-08-24 07:22:22 1mIQlJ-00044q-LA H=xxxxX=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no F=info@xxx rejected after DATA: Message contains a virus (Win.Test.EICAR_HDB-1) and has been rejected.

Make sure that antivirus is enabled in the control panel and it should work fine.

Send an email from a second server (internal mail is always allowed, it looks like) and check /var/log/clamav/clamd.log and /var/log/exim4/mainlog

Email should contain a .txt file with:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

And check if it is working or not. If you don’t know how to debug a server / problems Hestia is not the right tool for you…
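The rejection lines quoted earlier in this thread (rate overlimit, DNSBL listing, virus rejected after DATA) and the "check clamd.log and mainlog" step above are easy to review by hand for a few lines, but not after a relay incident. The following added example (not part of this thread or of Hestia) classifies exim4 mainlog rejections per source IP and pairs clamd FOUND entries with the exim message id from the scan path; the sample log lines are constructed, with documentation-range IPs and example.com-style addresses.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the exim4 mainlog and clamd.log excerpts
# quoted in this thread; IPs and addresses here are example values, not real ones.
EXIM_MAINLOG = """\
2021-08-24 07:20:01 [203.0.113.5] F=<bob@example.com> rejected RCPT <alice@example.org>: Email account is sending too many emails - rate overlimit = 200.0 / 1h
2021-08-24 07:20:09 [198.51.100.7] F=<eve@example.net> rejected RCPT <alice@example.org>: Rejected because 198.51.100.7 is in a black list at dnsbl-3.uceprotect.net
2021-08-24 07:22:22 1mIQlJ-00044q-LA H=mx.example.net [203.0.113.9] X=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no F=<info@example.net> rejected after DATA: Message contains a virus (Win.Test.EICAR_HDB-1) and has been rejected.
2021-08-24 07:20:30 [203.0.113.5] F=<bob@example.com> rejected RCPT <carol@example.org>: Email account is sending too many emails - rate overlimit = 200.0 / 1h
2021-08-24 07:23:00 1mIQlK-00044r-LB <= alice@example.org H=[203.0.113.9] P=esmtpsa S=1234
"""
CLAMD_LOG = """\
Mon Aug 24 07:22:22 2021 -> /var/spool/exim4/scan/1mIQlJ-00044q-LA/1mIQlJ-00044q-LA.eml: Win.Test.EICAR_HDB-1(a820e7caf57e262e5fad18e104f137bc:1070) FOUND
Mon Aug 24 07:23:01 2021 -> SelfCheck: Database status OK.
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # first bracketed IPv4 = peer
REASONS = [  # rejection reasons seen in this thread; optional group = detail
    ("rate_limit", re.compile(r"rate overlimit")),
    ("dnsbl", re.compile(r"is in a black list at (\S+)")),
    ("virus", re.compile(r"Message contains a virus \(([^)]+)\)")),
]

def classify(line):
    """Return (peer_ip, reason, detail) for a rejection line, else None."""
    if "rejected" not in line:
        return None
    ip = IP_RE.search(line)
    src = ip.group(1) if ip else "?"
    for reason, rx in REASONS:
        m = rx.search(line)
        if m:
            return (src, reason, m.group(1) if m.groups() else "")
    return (src, "other", "")

def summarize(log_text):
    """Count rejections per (ip, reason); one IP dominating rate_limit hits
    is the pattern to investigate (compromised account or relay)."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[(hit[0], hit[1])] += 1
    return counts

def clamd_findings(log_text):
    """Pair each clamd FOUND entry with the exim message id in its scan path,
    so it can be grepped in mainlog to confirm exim actually rejected it."""
    rx = re.compile(r"/scan/([^/]+)/[^:]+: ([^\s(]+).* FOUND$")
    return [(m.group(1), m.group(2)) for m in map(rx.search, log_text.splitlines()) if m]
```

Run it against the real files by replacing the constructed strings with `open("/var/log/exim4/mainlog").read()` and `open("/var/log/clamav/clamd.log").read()`; a message id that appears in `clamd_findings` but has no "rejected after DATA" line in mainlog is exactly the "exim ignores it" case discussed above.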

Perfect, thanks, I’ll close this topic.