The Community Forums


skipsmtpcheck_hosts

Discussion in 'E-mail Discussions' started by JamesCTotalWeb, Jan 12, 2008.

  1. JamesCTotalWeb

    JamesCTotalWeb Well-Known Member

    Joined:
    Mar 20, 2005
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Hello one and all, I don't post here much (well, hardly ever), but anyway, for the last 3 days we have been under attack: IPs from all over are being used to relay through our mail server.

    These emails just get stuck in queue and never go anywhere. They are not sent to any of the domains we host and for the most part they are sent to a domain that does not even resolve to anywhere.

    Well after long long hours of tweaking Exim config I found this line

    accept hosts = +skipsmtpcheck_hosts

    Now when I comment this out, the emails stop making it to the queue, but the attack is still going on. So my question is: what is this line used for, and why is it letting other bogus users relay through the mail server?

    Any help would be great.
     
  2. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    770
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    /dev/null
    That line (AFAIK) is used for whitelisted IPs and users of POP-before-relay.

    By the looks of it, you have a compromised account on your server.
     
  3. JamesCTotalWeb

    Well, I suggest people beware of it, because it was letting all sorts of people relay through Exim.
     
  4. nickp666

    If that is the case on your server then you have a compromised account; it doesn't allow unauthenticated/unwhitelisted users to relay, so you have a problem user somewhere....
     
  5. JamesCTotalWeb

    Well, I beg to differ with you nickp666: the emails were not going anywhere, they just got frozen in the queue, but Exim was not rejecting them till I removed that line in the config file. Once it was removed the relay was denied like always.
     
  6. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,382
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    What are the contents of the file /etc/skipsmtpcheckhosts on the server that is affected by this?
     
  7. JamesCTotalWeb

    Nada, nothing; the file is empty.
     
  8. nickp666

    Well then you are an idiot for not investigating this further; no mail server should accept, let alone queue, mail from unauthenticated users....
     
  9. JamesCTotalWeb

    Well, thank you for so much help nickp666 ...... I have been digging through the server for 4 days and have also had 3 other admins looking through it too, and guess what: nothing, just bounced emails in the queue (before I removed that line); since then nothing, the emails have been refused on connection.

    So before you jump the gun and start name-calling, ask a simple question like "have you looked or had someone else look", or maybe even give a few suggestions of what you think the problem may be.

    If I wanted to hear the childish bullshit (such as name-calling) I would go over to WHT.

    All I wanted to know is what that line was all about, seeing as I had never noticed it before in the Exim config file.
     
  10. nickp666

    I didn't actually mean to flame, but tbh you obviously have no clue what the problem is, and telling me that you beg to differ that there is something fundamentally wrong when your server is clearly accepting e-mail for outbound relay just annoyed me. So apologies for calling you an idiot, but you really do need to have a proper look at it; removing the line is not really the solution. I would suggest getting someone with some experience of locating issues like that in to look at it; chirpy (on this forum) would get my recommendation, his company ConfigServer have done us no wrong in the past.
     
  11. JamesCTotalWeb

    Well, just to let everyone know, what happened was Exim just choked on an update ...... the custom ACL rules had issues with the default rules, so when I did a cPanel upgrade I neglected to take a close look at the Exim configuration; it had a warning that there was an issue and that I should revert to the default settings, then add whatever custom ACL rules back.

    In a panic I started making changes to the ACL rules at the very same time I reverted to the default ACL rules (that's when I found "accept hosts = +skipsmtpcheck_hosts"), which I had not noticed before, so it just looked like this rule caused the trouble.

    After a long and hard look at the server I added the rules back and the emails did not come back.

    Just so everyone understands, Exim was not delivering any emails that were not from legit users; it just stored them in the queue trying to figure out what to do with them. All the emails that were stuck in the queue were incoming emails with 10 or 15 bogus email addresses and one wrong email address to a few of the sites hosted on the server. The total emails added up to 61440 emails in less than 8 hours .... LFD was blocking each IP after 10 (this is the setting we have for relay), so you can just do the math as to how many IPs were being blocked by the minute ......

    I suggest everyone try chirpy's CSF and LFD, 'cause it stood toe to toe with this and we never really saw any load issues the whole time the attack was going on.

    So anytime someone just jumps in and says "you have a compromised account", don't jump and have your OS reloaded or pay someone $100s just to tell you to click 3 buttons in WHM; take the time to look and see what the real issue is. Then go from there with a fix ...... With that said, I will now return to my read-only trolling and think twice before I post a question here ......... it is much nicer just googling for the answers that explain the real issues vs. coming here and getting bashed by those who think they know it all.
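    Both the opening post (mail "stuck in queue" addressed to domains that never resolve) and post 11 (inbound messages carrying a dozen bogus recipients plus one hosted address, followed by frozen bounces) come down to reading the Exim queue and telling inbound junk, self-generated bounces and real outbound relay apart. The script below is an added example, not code from the thread, from cPanel or from ConfigServer: it parses `exim -bp` output and triages each queued message by whether its sender or any of its recipients belongs to a domain the server hosts. The sample listing, the message ids and the domain names are constructed for the example, and `LOCAL_DOMAINS` is an assumed list of hosted domains that a real run would take from the server's own configuration.

```python
"""Triage an `exim -bp` queue listing: is queued mail inbound, a bounce
the server generated itself, outbound from a local sender, or a relay
with nothing local on either side?  (Added example; not from the thread.)"""
import re
from collections import Counter

# Constructed sample of `exim -bp` output. The message ids, addresses and
# domains are made up for this example and do not come from the thread.
SAMPLE_QUEUE = """\
 25m  1.2K 1JDaaa-000123-Ab <bogus1@nonexistent-sender.invalid> *** frozen ***
          nosuchuser1@hostedsite.example
          nosuchuser2@hostedsite.example
        D realuser@hostedsite.example

 26m  3.4K 1JDbbb-000124-Cd <> *** frozen ***
          bogus1@nonexistent-sender.invalid

 27m  0.9K 1JDccc-000125-Ef <spammer@elsewhere.example>
          victim@unrelated-domain.example
"""

# Domains this server hosts (assumed for the example; on a real cPanel box
# you would build this from the server's own domain list).
LOCAL_DOMAINS = {"hostedsite.example"}

# First line of each queue entry: age, size, message id (6-6-2 chars),
# <envelope sender>, and optionally "*** frozen ***".
HEADER_RE = re.compile(
    r"^\s*(?P<age>\S+)\s+(?P<size>\S+)\s+(?P<id>\w{6}-\w{6}-\w{2})"
    r"\s+<(?P<sender>[^>]*)>(?P<rest>.*)$"
)


def parse_queue(text):
    """Parse `exim -bp` output into a list of message dicts."""
    messages = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue                      # blank line separates entries
        m = HEADER_RE.match(line)
        if m:
            current = {
                "id": m.group("id"),
                "age": m.group("age"),
                "size": m.group("size"),
                "sender": m.group("sender"),   # "" for the null sender <>
                "frozen": "*** frozen ***" in m.group("rest"),
                "recipients": [],
            }
            messages.append(current)
        elif current is not None:
            addr = line.strip()
            if addr.startswith("D "):     # recipient already delivered
                addr = addr[2:]
            current["recipients"].append(addr)
    return messages


def domain_of(addr):
    """Lower-cased domain part of an address, or "" if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(msg, local_domains):
    """Rough triage of one queued message."""
    if msg["sender"] == "":
        return "bounce"      # null sender: a DSN this server generated itself
    if domain_of(msg["sender"]) in local_domains:
        return "outbound"    # local sender: legit user or compromised account
    if any(domain_of(r) in local_domains for r in msg["recipients"]):
        return "inbound"     # remote sender, at least one hosted recipient
    return "relay"           # nothing local on either side: open-relay symptom


def summarize(text, local_domains):
    """Counts by kind, frozen count, and which remote domains the queue is
    trying to reach (the unresolvable ones are the frozen bounce targets)."""
    msgs = parse_queue(text)
    kinds = Counter(classify(m, local_domains) for m in msgs)
    remote = Counter(
        domain_of(r) for m in msgs for r in m["recipients"]
        if domain_of(r) not in local_domains
    )
    return {
        "total": len(msgs),
        "frozen": sum(1 for m in msgs if m["frozen"]),
        "by_kind": dict(kinds),
        "remote_recipient_domains": dict(remote),
    }


if __name__ == "__main__":
    import sys
    # Pipe real output in with `exim -bp | python3 this_script.py`;
    # with no stdin the constructed sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_QUEUE
    for key, value in summarize(data, LOCAL_DOMAINS).items():
        print(f"{key}: {value}")
```

    A queue dominated by "inbound" entries with many non-existent local recipients plus "bounce" entries frozen against the same unresolvable sender domains matches what post 11 describes; a large "outbound" count from one local sender points at a compromised account, which is the case nickp666 assumed; a non-trivial "relay" count is the only one of the four that actually means unauthenticated relay.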
     
  12. nickp666

    Although in part I agree with your last statement about investigating things further prior to paying people, in your initial post you said:
    Now forgive me for jumping to conclusions with the possible reason for it, but with the shoe on the other foot, what would your opinion be if that was stated to you?
     
