Good morning Heiko,
Someone hacked my mail server. In the Exim logfile there are many lines like
2014-05-29 10:51:58 1Wpw46-00056z-67 <= vabih@???
H=(atozcwqyxdmh) [178.120.55.35] P=esmtpa
A=fixed_login:mailaddress@??? S=377
2014-05-29 10:51:59 1Wpw46-00056z-67 => bclar@??? R=dnslookup
T=remote_smtp H=mx2.optonline.net [167.206.4.79]
2014-05-29 10:51:59 1Wpw46-00056z-67 Completed
2014-05-29 10:52:17 1Wpw4O-00057H-S4 <= bu@???
H=node-204-239-139-95.domolink.tula.net (xvwgfmt) [95.139.239.204]
P=esmtpa A=fixed_login:mailaddress@??? S=397
2014-05-29 10:52:18 1Wpw4O-00057H-S4 => an_other_address@???
R=dnslookup T=remote_smtp H=mx-ha02.web.de [213.165.67.120]
X=TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256 DN="C=DE,O=1&1 Mail & Media
GmbH,ST=Rhineland-Palatinate,L=Montabaur,CN=mx-ha02.web.de"
2014-05-29 10:52:18 1Wpw4O-00057H-S4 Completed
2014-05-29 10:52:25 1Wpw4W-00057g-DA <= hupem@???
H=node-79-228-28-94.domolink.tula.net (hkueycr) [94.28.228.79] P=esmtpa
A=fixed_login:mailaddress@??? S=421
2014-05-29 10:52:25 no IP address found for host
5-43-134-194.k-telecom.org (during SMTP connection from [5.43.134.194])
2014-05-29 10:52:28 1Wpw4W-00057g-DA =>
also_an_other_address@??? R=dnslookup T=remote_smtp
H=al-ip4-mx-vip2.prodigy.net [144.160.235.144]
2014-05-29 10:52:28 1Wpw4W-00057g-DA Completed
I have only changed the password of the hacked account.
There are only 2 PCs where this mail address is received; I have checked
them with "Kaspersky Rescue Disk", but nothing was found.
For privacy the mail address and the domain are anonymised to
mailaddress@???.
Your idea to use the authenticator is good, but the mail server is used
for multiple domains and I just want to restrict the one which was hacked.
Can I check the domain in the authenticator with an "if-else"-like loop?
if (domain == example.com) then
{
plain:
driver = ..
server_condition = ${if and{\
{def:tls_cipher}\
{match_ip{$sender_host_address}{iplsearch;/etc/exim4/hosts-auth-ok}}}}
}
else
{
plain:
driver = ..
server_condition = ${if and{\
{def:tls_cipher}\
...
}
Another idea is to check the sender:
vabih@???
bu@???
hupem@???
do not exist on my mail server.
Best regards,
Basti
On 02.06.2014 20:57, Heiko Schlittermann wrote:
> Hello,
>
> basti <mailinglist@???> (Mon 02 Jun 2014 09:36:57 CEST):
>> Hello,
>> last week someone got the password of some mail addresses administered
>> by an exim4 server.
>
> Does this mean:
> Last week somebody got a username/password for an account at your Exim
> server.
> ?
>
>> First of all I have changed the passwords of the mail addresses.
>
> Now you've changed the passwords of all mail accounts?
>
>> Is it possible to allow connections for these mail addresses only from
>> certain IPs?
>
> You probably want to restrict the logins to a list of certain IPs?
> It should be sufficient to restrict the authentication offer to
> a list of IPs.
>
>
> begin authenticators
>
> # NOT TESTED!
>
> plain:
> driver = ..
> server_condition = ${if and{\
> {def:tls_cipher}\
> {match_ip{$sender_host_address}{iplsearch;/etc/exim4/hosts-auth-ok}}}}
>
>
> Best regards from Dresden/Germany
> Many greetings from Dresden
> Heiko Schlittermann
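What Heiko's restriction and both of Basti's ideas look like in Exim syntax, as an added example that is not from the thread and not Heiko's (explicitly untested) snippet. It assumes example.com is the compromised domain, that passwords are crypt-style hashes in a hypothetical /etc/exim4/passwd with lines of the form "user@example.com: <hash>", and it keeps Heiko's /etc/exim4/hosts-auth-ok, an iplsearch file with one "address-or-CIDR: yes" line per allowed client. The point Heiko's "driver = .." elides is that server_condition is also where the password is checked, so the IP test has to be and-ed with the credential test, not put in its place; the per-domain "if-else" becomes an or{} of "not this domain" and "client address is whitelisted":

```exim
# --- main section ---
acl_smtp_mail = acl_check_mail

# --- authenticators ---
begin authenticators

plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  # For PLAIN: $auth1 = authorization id (usually empty), $auth2 = user name,
  # $auth3 = password. server_set_id makes the user name show up as A=plain:<user>.
  server_set_id = $auth2
  # Only offer AUTH on an encrypted connection (Exim before 4.80: tls_cipher).
  server_advertise_condition = ${if def:tls_in_cipher}
  # All three must hold: the password matches the hash from the (assumed)
  # password file, the session is encrypted, and for accounts in example.com
  # the client address is listed in hosts-auth-ok. Accounts in every other
  # domain skip the address check. A forced expansion failure (unknown user)
  # rejects the authentication.
  server_condition = ${if and{\
      {crypteq{$auth3}{${lookup{$auth2}lsearch{/etc/exim4/passwd}{$value}fail}}}\
      {def:tls_in_cipher}\
      {or{\
        {!match_domain{${domain:$auth2}}{example.com}}\
        {match_ip{$sender_host_address}{iplsearch;/etc/exim4/hosts-auth-ok}}\
      }}\
    }}

# --- ACLs ---
begin acl

acl_check_mail:
  # An authenticated client may only use its own mailbox as the envelope
  # sender; the vabih/bu/hupem senders in the log would be refused here.
  # Sites whose users legitimately send as aliases need a lookup instead
  # of a plain string comparison.
  deny    authenticated = *
          condition     = ${if !eq{${lc:$sender_address}}{${lc:$authenticated_id}}}
          message       = envelope sender must match the authenticated account
  accept
```

Debian's split configuration names the authenticator differently (the log shows A=fixed_login:...), so the fragment above would replace that definition rather than sit beside it; whatever the name, the authenticated user name is whatever server_set_id evaluates to, and that is what the ACL compares against.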
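The two signals visible in the log lines at the top of the thread (the envelope sender differs from the authenticated account, and one account authenticates from several unrelated addresses within minutes) can be pulled out of an Exim mainlog mechanically. The following is an added example, not part of the thread: a small Python parser for the "<=" arrival lines, run over a constructed sample that copies the shape of the quoted lines with the anonymised domains replaced by example.com/example.org and two benign submissions added. Real mainlog entries are one line each; the wrapping in the e-mail is a mail-client artefact. The thresholds (one hour, more than two distinct addresses) are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the lines quoted in the thread. Not real data:
# domains are replaced with example.com/example.org and two legitimate
# submissions (from 192.0.2.x) are added so the detectors have something to ignore.
SAMPLE_LOG = """\
2014-05-29 10:51:58 1Wpw46-00056z-67 <= vabih@example.com H=(atozcwqyxdmh) [178.120.55.35] P=esmtpa A=fixed_login:mailaddress@example.com S=377
2014-05-29 10:51:59 1Wpw46-00056z-67 => bclar@example.net R=dnslookup T=remote_smtp H=mx2.example.net [203.0.113.5]
2014-05-29 10:51:59 1Wpw46-00056z-67 Completed
2014-05-29 10:52:17 1Wpw4O-00057H-S4 <= bu@example.com H=node-204-239-139-95.domolink.tula.net (xvwgfmt) [95.139.239.204] P=esmtpa A=fixed_login:mailaddress@example.com S=397
2014-05-29 10:52:25 1Wpw4W-00057g-DA <= hupem@example.com H=node-79-228-28-94.domolink.tula.net (hkueycr) [94.28.228.79] P=esmtpa A=fixed_login:mailaddress@example.com S=421
2014-05-29 10:52:25 no IP address found for host 5-43-134-194.k-telecom.org (during SMTP connection from [5.43.134.194])
2014-05-29 11:30:02 1WpxEk-0005Ab-1Q <= mailaddress@example.com H=(laptop) [192.0.2.10] P=esmtpsa X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no A=fixed_login:mailaddress@example.com S=1200
2014-05-29 11:45:10 1WpxTE-0005Bc-2R <= other@example.org H=(pc2) [192.0.2.11] P=esmtpsa X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no A=fixed_login:other@example.org S=900
"""

# Only message-arrival lines carry the authentication information.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")          # the [addr] after H=
KV_RE = re.compile(r"\b([A-Z]{1,2})=(\S+)")           # P=, A=, S=, X=, CV= ...


def parse_arrivals(log_text):
    """Return one dict per '<=' line: timestamp, message id, envelope sender,
    client address, protocol and the authenticated user (A=<auth>:<user>)."""
    arrivals = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        ip = IP_RE.search(rest)
        fields = dict(KV_RE.findall(rest))
        auth = fields.get("A")
        arrivals.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "id": m.group("id"),
            "sender": m.group("sender"),
            "ip": ip.group(1) if ip else None,
            "proto": fields.get("P"),
            # A=fixed_login:user -> user; A= absent means an unauthenticated client
            "auth_id": auth.split(":", 1)[1] if auth and ":" in auth else None,
        })
    return arrivals


def find_sender_mismatches(arrivals):
    """Authenticated submissions whose envelope sender is not the account that logged in."""
    return [a for a in arrivals
            if a["auth_id"] and a["sender"].lower() != a["auth_id"].lower()]


def find_multi_ip_accounts(arrivals, window=timedelta(hours=1), max_ips=2):
    """Accounts that authenticated from more than max_ips distinct client
    addresses inside any window-long period; returns {account: sorted addresses}."""
    by_account = defaultdict(list)
    for a in arrivals:
        if a["auth_id"] and a["ip"]:
            by_account[a["auth_id"].lower()].append((a["ts"], a["ip"]))
    flagged = {}
    for account, events in by_account.items():
        events.sort()
        largest = set()
        for i, (t0, _) in enumerate(events):          # window starting at each event
            seen = {ip for t, ip in events[i:] if t - t0 <= window}
            if len(seen) > len(largest):
                largest = seen
        if len(largest) > max_ips:
            flagged[account] = sorted(largest)
    return flagged


def analyze(log_text, window=timedelta(hours=1), max_ips=2):
    arrivals = parse_arrivals(log_text)
    return {
        "sender_mismatch": find_sender_mismatches(arrivals),
        "multi_ip_accounts": find_multi_ip_accounts(arrivals, window, max_ips),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for a in report["sender_mismatch"]:
        print(f"{a['ts']} {a['id']}: {a['auth_id']} sent as {a['sender']} from {a['ip']}")
    for account, ips in report["multi_ip_accounts"].items():
        print(f"{account} authenticated from {len(ips)} addresses: {', '.join(ips)}")
```

On the sample this reports the three forged-sender submissions and flags mailaddress@example.com for four client addresses in under an hour, while the other@example.org submission from a single address passes both checks. Against a live /var/log/exim4/mainlog the same two functions give a quick list of which accounts to reset, which is the question Basti was answering by hand.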