Good morning Heiko,

Someone hacked my mail server. In the exim logfile there are many lines like

2014-05-29 10:51:58 1Wpw46-00056z-67 <= [email protected] H=(atozcwqyxdmh) [178.120.55.35] P=esmtpa A=fixed_login:[email protected] S=377
2014-05-29 10:51:59 1Wpw46-00056z-67 => [email protected] R=dnslookup T=remote_smtp H=mx2.optonline.net [167.206.4.79]
2014-05-29 10:51:59 1Wpw46-00056z-67 Completed
2014-05-29 10:52:17 1Wpw4O-00057H-S4 <= [email protected] H=node-204-239-139-95.domolink.tula.net (xvwgfmt) [95.139.239.204] P=esmtpa A=fixed_login:[email protected] S=397
2014-05-29 10:52:18 1Wpw4O-00057H-S4 => [email protected] R=dnslookup T=remote_smtp H=mx-ha02.web.de [213.165.67.120] X=TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256 DN="C=DE,O=1&1 Mail & Media GmbH,ST=Rhineland-Palatinate,L=Montabaur,CN=mx-ha02.web.de"
2014-05-29 10:52:18 1Wpw4O-00057H-S4 Completed
2014-05-29 10:52:25 1Wpw4W-00057g-DA <= [email protected] H=node-79-228-28-94.domolink.tula.net (hkueycr) [94.28.228.79] P=esmtpa A=fixed_login:[email protected] S=421
2014-05-29 10:52:25 no IP address found for host 5-43-134-194.k-telecom.org (during SMTP connection from [5.43.134.194])
2014-05-29 10:52:28 1Wpw4W-00057g-DA => [email protected] R=dnslookup T=remote_smtp H=al-ip4-mx-vip2.prodigy.net [144.160.235.144]
2014-05-29 10:52:28 1Wpw4W-00057g-DA Completed

I have only changed the password of the hacked account. There are only 2 PCs where this mail address is received; I have checked them with "Kaspersky Rescue Disk" but nothing was found. For privacy the mail address and the domain are anonymised to [email protected].

Your idea to use the authenticator is good, but the mail server is used for multiple domains and I just want to restrict this one which was hacked. Can I check the domain in the authenticator with an "if-else"-like loop?

if (domain == example.com) then {
  plain:
    driver = ..
    server_condition = ${if and{\
      {def:tls_cipher}\
      {match_ip{$sender_host_address}{iplsearch;/etc/exim4/hosts-auth-ok}}}}
} else {
  plain:
    driver = ..
    server_condition = ${if and{\
      {def:tls_cipher}\
      ...
}

Another idea is to check the sender: [email protected], [email protected], [email protected] do not exist on my mailserver.

Best regards,
Basti

On 02.06.2014 20:57, Heiko Schlittermann wrote:
> Hello,
>
> basti <[email protected]> (Mon 02 Jun 2014 09:36:57 CEST):
>> Hello,
>> last week someone got the password of some mail addresses administered
>> by an exim4 server.
>
> Does this mean:
> Last week somebody got a username/password for an account at your Exim
> server.
> ?
>
>> First of all I have changed the passwords of the mail addresses.
>
> Now you've changed the passwords of all mail accounts?
>
>> Is it possible to allow connections for these mail addresses only from
>> certain IPs?
>
> Probably you want to restrict the logins to a list of certain IPs?
> It should be sufficient to restrict the authentication offer to
> a list of IPs.
>
>
> begin authenticators
>
> # NOT TESTED!
>
> plain:
>   driver = ..
>   server_condition = ${if and{\
>     {def:tls_cipher}\
>     {match_ip{$sender_host_address}{iplsearch;/etc/exim4/hosts-auth-ok}}}}
>
>
> Best regards from Dresden/Germany
> Kind regards from Dresden
> Heiko Schlittermann
>
>
> --

## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
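An Exim authenticator cannot be wrapped in an if/else at configuration level, but its server_condition is an ordinary string expansion, so the branch on the login's domain can be written inside that single expansion. Basti's second idea, refusing envelope senders that do not belong to the authenticated user, fits in the MAIL ACL. The fragment below is an added example written for this editorial pass; it is not code from the thread and was not tested by either poster. It assumes a PLAIN authenticator in which $auth2 carries the username and $auth3 the password, a crypt-style password file /etc/exim4/passwd (the password backend is an assumption; substitute whatever the site really uses), the host list /etc/exim4/hosts-auth-ok from Heiko's sketch, and that the compromised domain is example.com. The authenticator is named plain here; the log lines above show the site's is called fixed_login, so rename accordingly.

```exim
# Added example, not from the thread and untested. Main-section option first,
# then the ACL and authenticator sections (in Debian's split config these live
# in separate files under /etc/exim4/conf.d/).
acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # Idea 2 from the thread: an authenticated client may only use its own
  # login as envelope sender. $authenticated_id is set by server_set_id
  # below. Sites that let users send as aliases need a lookup here instead
  # of the plain comparison.
  deny  authenticated = *
        condition     = ${if !eqi{$sender_address}{$authenticated_id}}
        message       = Sender address does not match the authenticated user
  accept

begin authenticators

# Idea 1 from the thread: apply the TLS + source-IP restriction only to
# logins for the compromised domain; all other domains authenticate as before.
# $auth1 = authorization id (ignored), $auth2 = username, $auth3 = password.
# $tls_in_cipher is the current name of $tls_cipher used in Heiko's sketch.
plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if and{\
      {or{\
        {!eq{${domain:$auth2}}{example.com}}\
        {and{\
          {def:tls_in_cipher}\
          {match_ip{$sender_host_address}{iplsearch;/etc/exim4/hosts-auth-ok}}\
        }}\
      }}\
      {crypteq{$auth3}{${lookup{$auth2}lsearch{/etc/exim4/passwd}{$value}fail}}}\
    }}
  server_set_id = $auth2
```

The `or` block is the if/else: for a username outside example.com the first alternative is true and only the password check remains; for example.com the login must additionally arrive over TLS from an address listed in hosts-auth-ok (one IPv4 address or CIDR block per line; IPv6 keys must be quoted for iplsearch). The `fail` keyword on the lookup forces the expansion to fail for unknown users, which Exim treats as a failed authentication rather than an empty password match. Check the result with `exim -bV` and a manual AUTH PLAIN over `openssl s_client -starttls smtp` from both a listed and an unlisted address before relying on it.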
