Exim4

norobro · 03-02-2009, 12:46 PM

I helped a friend upgrade her system from an old Mepis release to Lenny recently. She hosts her own website and sends/receives mail with exim4. I have been monitoring the logs remotely and in the past week there have been some entries in the exim4 log that have puzzled me.

For example:

Code:

2009-03-02 09:40:59 1LeAGJ-0003A3-Pg <= firstname.lastname@usa.net U=www-data P=local S=2191 id=fd0d105d658bca900bfe3394a031bd0d@www.foo.com
2009-03-02 09:41:20 1LeAGJ-0003A3-Pg => lizarita@maturez.com R=dnslookup T=remote_smtp H=mail.maturez.com [72.232.184.154]
2009-03-02 09:41:20 1LeAGJ-0003A3-Pg Completed

The "firstname.lastname@usa.net" is my friend's hosted email account that appears on her web pages and is not local to this machine. "www.foo.com" is her website. User "www-data" is aliased to her username in /etc/aliases.

I reran dpkg-reconfigure exim4-config and made sure the entries for relaying were blank .

Not being familiar with operating a mail server I looked at the exim4 documentation and frankly it is a bit overwhelming.

Is her system acting as a relay? If so, how do we stop it?

Thanks in advance for any help.

Norm

farslayer · 03-03-2009, 02:07 PM

You can use an open relay test to check, http://www.abuse.net/relay.html
To me, that looks like the website on the local machine sending an email to someone @maturez.com.

apache2 is run with user www-data

Code:

www-data 11837  0.0  3.3  83224 69848 ?        S    Mar02   0:00 /usr/sbin/apache2 -k start

I'm not familiar with EXIM either, so when I ran into a mail issue with my website (website wouldn't send mail) I just did aptitude install postfx, and my mail issue was resolved in under 5 miuntes. the postfix config allowed me to easily set a smarthost to relay mail for the server, while exim just sorta held onto everything, while showing in the logs it had been sent.. Guess I just find it easier to work with an MTA that I'm familiar with.

norobro · 03-03-2009, 03:07 PM

Quote:

Originally Posted by farslayer

To me, that looks like the website on the local machine sending an email to someone @maturez.com.

Bingo, Farslayer.

My friend has moodle installed on her machine. I had no prior knowledge of 'Moodle' and when upgrading her machine, I really didn't pay much attention to the program. The only thing that I did was backup the mysql files from her old system using 'mysqldump' and restore them to the the new lenny install. Come to find out she has email authentication enabled which allows anyone to self-create an account. This is a known security issue and spammers take advantage of it.

From the moodle site:

Quote:

The problems with these settings is that spammers can create a page on the Moodle site which they can fill with links and pictures of porn and other nasty stuff. This in turn comes up in Google searches for those things, and is used to boost ratings to porn sites or hacking sites designed to take over your personal computer. Note that this content is designed for people using search engines, and is usually not available from within the Moodle site itself (since spammers don't join any courses) so users and admins are usually not even aware their site is having this problem.

Apparently all outgoing mail, from moodle, has the administrators email address in the 'From:' field.

So, I don't have an exim4 problem after all.

Thanks for the tip, my friend.

Norm