
skipsmtpcheck_hosts

Discussion in 'E-mail Discussion' started by JamesCTotalWeb, Jan 12, 2008.

  1. JamesCTotalWeb

    JamesCTotalWeb Well-Known Member

    Joined:
    Mar 20, 2005
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    156
    cPanel Access Level:
    Root Administrator
    Hello one and all, I don't post here much (well, hardly ever), but anyway, for the last 3 days we have been under attack: IPs from all over are being used to relay through our mail server.

    These emails just get stuck in queue and never go anywhere. They are not sent to any of the domains we host and for the most part they are sent to a domain that does not even resolve to anywhere.

    Well, after long, long hours of tweaking the Exim config I found this line:

    accept hosts = +skipsmtpcheck_hosts

    Now when I comment this out, the emails stop making it to the queue, but the attack is still going on. So my question is: what is this line used for, and why is it letting bogus users relay through the mail server?

    Any help would be appreciated.
     
  2. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    769
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    /dev/null
    That line (AFAIK) is used for whitelisted IPs and users of pop-before-relay.

    By the looks of it, you have a compromised account on your server.
     
  3. JamesCTotalWeb

    JamesCTotalWeb Well-Known Member

    Joined:
    Mar 20, 2005
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    156
    cPanel Access Level:
    Root Administrator
    Well, I suggest people beware of it, because it was letting all sorts of people relay through Exim.
     
  4. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    769
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    /dev/null
    If that is the case on your server then you have a compromised account; it doesn't allow unauthenticated/unwhitelisted users to relay, so you have a problem user somewhere....
     
  5. JamesCTotalWeb

    JamesCTotalWeb Well-Known Member

    Joined:
    Mar 20, 2005
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    156
    cPanel Access Level:
    Root Administrator

    Well, I beg to differ with you, nickp666: the emails were not going anywhere, they just got frozen in the queue, but Exim was not rejecting them till I removed that line in the config file. Once it was removed, the relay was denied like always.
     
  6. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,772
    Likes Received:
    119
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    What are the contents of the file /etc/skipsmtpcheckhosts on the server that is affected by this?
     
  7. JamesCTotalWeb

    JamesCTotalWeb Well-Known Member

    Joined:
    Mar 20, 2005
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    156
    cPanel Access Level:
    Root Administrator

    Nada, nothing; the file is empty.
     
  8. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    769
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    /dev/null
    Well, then you are an idiot for not investigating this further; no mail server should accept, let alone queue, mail from unauthenticated users....
     
  9. JamesCTotalWeb

    JamesCTotalWeb Well-Known Member

    Joined:
    Mar 20, 2005
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    156
    cPanel Access Level:
    Root Administrator
    Well, thank you for so much help, nickp666...... I have been digging through the server for 4 days and have also had 3 other admins looking through it too, and guess what: nothing, just bounced emails in the queue (before I removed that line); since then, nothing, the emails have been refused on connection.

    So before you jump the gun and start name calling, ask a simple question like "have you looked or had someone else look?", or maybe even give a few suggestions of what you may think the problem is.

    If I wanted to hear the childish bullshit (such as name calling) I would go over to WHT.

    All I wanted to know is what that line was all about, seeing how I have never noticed it before in the Exim config file.
     
  10. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    769
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    /dev/null
    I didn't actually mean to flame, but tbh you obviously have no clue what the problem is, and telling me that you beg to differ that there is something fundamentally wrong when your server is clearly accepting e-mail for outbound relay just annoyed me. So apologies for calling you an idiot, but you really do need to have a proper look at it; removing the line is not really the solution. I would suggest getting someone with some experience of locating issues like that in to look at it; chirpy (on this forum) would get my recommendation, his company configserver have done us no wrong in the past.
     
  11. JamesCTotalWeb

    JamesCTotalWeb Well-Known Member

    Joined:
    Mar 20, 2005
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    156
    cPanel Access Level:
    Root Administrator
    Well, just to let everyone know what happened: Exim just choked on an update...... The custom ACL rules had issues with the default rules, so when I did a cPanel upgrade I neglected to take a close look at the Exim configuration. It had a warning that there was an issue and that I should revert to the default settings, then add whatever custom ACL rules back.

    In a panic I started making changes to the ACL rules at the very same time I reverted to the default ACL rules (that's when I found "accept hosts = +skipsmtpcheck_hosts"), which I had not noticed before, so it just looked like this rule caused the trouble.

    After a long and hard look at the server I added the rules back and the emails did not come back.

    Just so everyone understands: Exim was not delivering any emails that were not from legit users, it just stored them in the queue trying to figure out what to do with them. All the emails that were stuck in the queue were incoming emails with 10 or 15 bogus email addresses and one wrong email address to a few of the sites hosted on the server. The total emails added up to 61440 emails in less than 8 hours.... LFD was blocking each IP after 10 (this is the setting we have for relay), so you can just do the math as to how many IPs were being blocked by the minute,,,,,,,

    I suggest everyone try chirpy's CSF and LFD, because it stood toe to toe with this and we never really saw any load issues the whole time the attack was going on.

    So anytime someone just jumps in and says "you have a compromised account", don't jump and have your OS reloaded or pay someone $100s just to tell you to click 3 buttons in WHM; take the time to look and see what the real issue is. Then go from there with a fix...... With that said, I will now return to my read-only trolling and think twice before I post a question here......... It is much nicer just googling for the answers that explain the real issues vs. coming here and getting bashed by those who think they know it all.
     
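To make the thread's conclusion concrete, here is an added, simplified model of the RCPT-time ACL (example code, not cPanel's or Exim's own configuration; the rule ordering, the one-entry-per-line format of /etc/skipsmtpcheckhosts and the local domains are assumptions). It shows that `accept hosts = +skipsmtpcheck_hosts` only accepts mail from hosts listed in that file, so an empty file accepts nothing and unauthenticated relay is still denied, while any entry in the file relays without authentication.

```python
import ipaddress

# Constructed samples of /etc/skipsmtpcheckhosts (assumed format: one IP or
# CIDR per line, '#' comments). The thread reports the file was empty.
EMPTY_FILE = ""
WHITELIST_FILE = "# office NAT (constructed)\n203.0.113.10\n198.51.100.0/24\n"

# Constructed list of domains this server hosts locally.
LOCAL_DOMAINS = {"example.com", "example.net"}


def parse_hostlist(text):
    """Return the networks listed in a skipsmtpcheckhosts-style file."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def host_in_list(ip, nets):
    """True when the connecting IP falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def rcpt_acl(sender_ip, rcpt, authenticated, hostlist_text):
    """Simplified RCPT ACL: each 'accept' is tried in order, and a message
    that matches none of them is refused as an unauthorised relay."""
    if authenticated:
        return "accept: authenticated"
    # This is the 'accept hosts = +skipsmtpcheck_hosts' step: it fires only
    # for hosts in the list, so with an empty file it never matches.
    if host_in_list(sender_ip, parse_hostlist(hostlist_text)):
        return "accept: +skipsmtpcheck_hosts"
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return "accept: local recipient"
    return "deny: relay not permitted"
```

Any address placed in the file bypasses authentication entirely, so the file deserves the same review as a list of authorised relay hosts.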
  12. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    769
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    /dev/null
    Although in part I agree with your last statement about investigating things further prior to paying people, in your initial post you said:
    Now forgive me for jumping to conclusions with the possible reason for it, but with the shoe on the other foot, what would your opinion be if that was stated to you?
     