Re: [exim] local server access

Author: Ltc Hotspot
Date:  
To: Jasen Betts
CC: exim-users
Subject: Re: [exim] local server access
Hi, Jasen:

We configured a smarthost with an iptables rule to block all incoming port
traffic. What is the rule which allows the local server to connect
to the address 127.0.0.1:25?

Read the attached exim error log file and the current iptables
configuration for details.

Regards,
Hal

On Sun, Aug 20, 2017 at 3:23 AM, Jasen Betts <jasen@???> wrote:
> On 2017-08-20, Ltc Hotspot via Exim-users <exim-users@???> wrote:
>> Dear Exim Users:
>>
>> Is this a valid rule to authorize local access to Exim:
>> -A cP-Firewall-1-INPUT -s 127.0.0.1:25 -p tcp -m state --state NEW -m
>> tcp --dport 25 -j ACCEPT
>>
>
> No, "-s 127.0.0.1:25" is wrong.
>
> "-s 127.0.0.1/8" probably makes the most sense.
>
>
> You may want to specify a destination address too, especially if your
> firewall is doing NAT for some of 127.0.0.0/8.
>
>
> Local access in a different way is by having execute permission on
> /usr/lib/sendmail.
>
> --
> This email has not been checked by half-arsed antivirus software
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/

The service “exim” appears to be down.

Server: imap.dslcomputer.com
Primary IP Address: 97.74.13.78
Service Name: exim
Service Status: failed
Notification: The service “exim” appears to be down.
Service Check Method: The system failed to connect to this service’s TCP/IP port.
Reason: Service check failed to complete
        Timeout while trying to connect to service: Died
Number of Restart Attempts: 180
Service Check Raw Output: The 'exim' service passed the check.

Startup Log

Starting clamd: [ OK ]
Starting exim: [ OK ]
Starting spamd: (XID s7asa6) The “spamd” service is disabled.
[FAILED]

Log Messages

2017-08-19 22:38:04 exim 4.89 daemon started: pid=22409, -q1h, listening for SMTP on port 26 (IPv4) port 10025 (IPv4) port 587 (IPv4) port 52525 (IPv4) port 24 (IPv4) port 25 (IPv4) port 2525 (IPv4)
2017-08-19 22:23:01 exim 4.89 daemon started: pid=19902, -q1h, listening for SMTP on port 26 (IPv4) port 10025 (IPv4) port 587 (IPv4) port 52525 (IPv4) port 24 (IPv4) port 25 (IPv4) port 2525 (IPv4)

Memory Information: Used 2.3 GB, Available 1.69 GB, Installed 4 GB

Load Information: 0.23 0.08 0.05

Uptime: 6 days, 9 hours, 51 minutes, and 41 seconds

IOStat Information

avg-cpu:  %user  %nice  %system  %iowait  %steal  %idle
           0.17   0.04     0.04     0.01    0.00  99.74
Device:   tps  Blk_read/s  Blk_wrtn/s  Blk_read  Blk_wrtn

Top Processes

PID    Owner       CPU %  Memory %  Command
24256  root        0.58   0.10      sshd: root [priv]
24278  root        0.54   0.31      /usr/local/cpanel/scripts/restartsrv_crond --check --notconfigured-ok
24149  root        0.52   0.70      tailwatchd - chkservd - crond check
7933   cpanelsolr  0.49   13.77     /usr/lib/jvm/jre-1.8.0/bin/java -server -Xms512m -Xmx512m -XX:NewRatio=3 -XX:SurvivorRatio=4 -XX:TargetSurvivorRatio=90 -XX:MaxTenuringThreshold=8 -XX:+UseConcMarkSweepGC -XX:+UseParNewGC -XX:ConcGCThreads=4 -XX:ParallelGCThreads=4 -XX:+CMSScavengeBeforeRemark -XX:PretenureSizeThreshold=64m -XX:+UseCMSInitiatingOccupancyOnly -XX:CMSInitiatingOccupancyFraction=50 -XX:CMSMaxAbortablePrecleanTime=6000 -XX:+CMSParallelRemarkEnabled -XX:+ParallelRefProcEnabled -XX:-OmitStackTraceInFastThrow -verbose:gc -XX:+PrintHeapAtGC -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps -XX:+PrintTenuringDistribution -XX:+PrintGCApplicationStoppedTime -Xloggc:/home/cpanelsolr/server/logs/solr_gc.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=9 -XX:GCLogFileSize=20M -Dsolr.log.dir=/home/cpanelsolr/server/logs -Djetty.port=8984 -DSTOP.PORT=7984 -DSTOP.KEY=solrrocks -Dhost=127.0.0.1 -Duser.timezone=UTC -Djetty.home=/home/cpanelsolr/server -Dsolr.solr.home=/home/cpanelsolr/server/solr -Dsolr.install.dir=/home/cpanelsolr -Xss256k -Dsolr.autoSoftCommit.maxTime=3000 -Dsolr.log.muteconsole -XX:OnOutOfMemoryError=/home/cpanelsolr/bin/oom_solr.sh 8984 /home/cpanelsolr/server/logs -jar start.jar --module=http
24248  root        0.46   0.37      cPhulkd - processor - http socket

The chkservd process attempts to connect to “127.0.0.1:25” in order to validate that this service is functioning. If you blocked connections with iptables or the “Host Access Control” interface in WHM, this failure may be a false positive.

To resolve this issue, either open the firewall to allow connections as the root user to “127.0.0.1:25” or disable checks for this service in WHM’s “Service Manager” interface with the “Configure Monitor Settings” link below.

Configure Monitor Settings:
https://imap.dslcomputer.com:2087/scripts/srvmng#service-chkservd

Configure chkservd:
https://imap.dslcomputer.com:2087/scripts2/tweaksettings?find=chkservd

Disable HTML notifications:
https://imap.dslcomputer.com:2087/scripts2/tweaksettings?find=chkservd_plaintext_notify

The system generated this notice on Sunday, August 20, 2017 at 5:53:07 AM UTC.

root@imap [/etc/sysconfig]# vim iptables
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2086 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2095 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2096 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2083 -j ACCEPT
-A cP-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.191.214.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.210.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.191.151.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.148.219.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.206.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.27.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.191.158.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.172.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.36.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.155.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.69.130.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.213.22.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.200.247.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.218.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.200.129.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.205.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.148.222.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.148.30.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.69.62.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.68.193.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.60.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.154.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.148.229.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.186.22.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.149.26.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.28.30.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.118.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.142.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.144.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.147.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.152.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.29.162.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.58.5.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -s 52.58.7.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j DROP
COMMIT
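An added example, not part of the thread, that walks a constructed three-rule cut of the posted cP-Firewall-1-INPUT chain the way iptables does (first match wins) and shows why chkservd's connection to 127.0.0.1:25 hits the blanket DROP, why "-s 127.0.0.1:25" is rejected outright, and what changes once a loopback ACCEPT with both source network and destination (the form the reply suggests) is placed ahead of the DROP. The chain policy used when nothing matches and the three-rule excerpt are assumptions for the simulation.

```python
import ipaddress
import shlex

# Constructed excerpt of the cP-Firewall-1-INPUT chain from the post; the blanket DROP also catches loopback.
RULES_BEFORE = """
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A cP-Firewall-1-INPUT -s 54.191.214.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j DROP
"""

# Loopback rule in the form the reply suggests: a source network plus a destination address.
LOOPBACK_RULE = "-A cP-Firewall-1-INPUT -s 127.0.0.0/8 -d 127.0.0.1 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT"

def parse_rule(line):
    """Parse the iptables-save subset used in the post; '-s 127.0.0.1:25' raises ValueError,
    as iptables rejects it too: -s takes an address or network, never a port."""
    toks = shlex.split(line)
    rule = {"src": None, "dst": None, "proto": None, "dport": None, "target": None}
    for opt, arg in zip(toks[::2], toks[1::2]):
        if opt in ("-s", "-d"):
            # strict=False normalises '127.0.0.1/8' to 127.0.0.0/8, as iptables does
            rule["src" if opt == "-s" else "dst"] = ipaddress.ip_network(arg, strict=False)
        elif opt == "-p":
            rule["proto"] = arg
        elif opt == "--dport":
            rule["dport"] = int(arg)
        elif opt == "-j":
            rule["target"] = arg
        elif opt not in ("-A", "-m", "--state"):
            raise ValueError("unsupported option " + opt)
    return rule

def evaluate(rules_text, src, dst, proto, dport, policy="ACCEPT"):
    """First matching rule wins; the assumed chain policy applies if none matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in rules_text.strip().splitlines():
        r = parse_rule(line)
        if ((r["src"] is None or src in r["src"])
                and (r["dst"] is None or dst in r["dst"])
                and (r["proto"] is None or r["proto"] == proto)
                and (r["dport"] is None or r["dport"] == dport)):
            return r["target"]
    return policy

def insert_before_drop(rules_text, new_rule):
    """Place the ACCEPT ahead of the blanket DROP; appended after it, it would never be reached."""
    lines = rules_text.strip().splitlines()
    idx = next(i for i, l in enumerate(lines) if l.endswith("-j DROP"))
    return "\n".join(lines[:idx] + [new_rule] + lines[idx:])
```

In a real ruleset the same effect is usually obtained with an interface match (`-i lo -j ACCEPT`) near the top of the chain, which also covers the other loopback ports Exim listens on.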