I find the exim docs tight and often intense. Still, it’s useful – if I’m found lying on the floor I only need to say “exim”.
I’ve been rummaging around the forums looking for an answer to something related to the firewall blacklists, and that is IPv6 addresses.
I have made the assumption that I can just touch a file into /etc/symbiosis/firewall/blacklist.d/ using the IPv6 address as the filename, no different from IPv4 addresses.
The above is kind of unrelated to this thread, although below it isn’t.
One thing I have noticed from my tests is that “sender locally blacklisted” sends an email out to the failed sender, with a Subject of “Mail Delivery Failed”, so at least it isn’t bouncing with dirty, perverted subjects.
I have attempted my first regular-expression-based rule in by_sender; I think this should work, just awaiting another spam from them.
Should catch sut1. co .uk, sut2. co .uk all the way up to sut9, unless I don’t need the
It should work but it’s masked to /64 – I’m not sure of the syntax but I’d try something like:
That’s fully out of whack. The blacklist should be consulted during the initial negotiation and result in a protocol rejection before you’ve even seen the message. (The sending mailserver will then probably report the failed delivery to the sender).
This is what the automatic system based on patterns does for files in the blacklist directory. It stores the top part of the IPv6 address, and replaces / by | because / is inconvenient in filenames. For Exim, you need to single-quote IPv6 addresses in files, because the : character is inconvenient for Exim: it’s a separator.
Not entirely sure what you mean here; the Failed Message bounce is correct, no? I do know that any sender that is hitting my firewall blocks won’t get a reply, but it is somewhat strange that exim4 is rejecting receipt and sending it back. I would prefer it’s completely ignored, but that leads me down the roundcube filter path…
Edit: I’m wondering whether your “out of whack” statement is related to all my DKIM stuff? If so, then it’s unrelated, as I haven’t set up all that on any vhost but my test vhost. If it isn’t, then I’m still baffled.
Not if the message is being sent by you (exim).
I might be misreading, but you seemed to be saying that a hit in /etc/exim4/blacklist/by_sender results in exim sending a Failed Delivery Notification (an email message) to the blocked sender.
Exim should say “go away” during the initial part of the SMTP transaction (“550 Your email address or domain is locally blacklisted.”), log the incident and no more. The mailserver that’s been told to go away would usually issue a Failed Delivery Notification to its sender, quoting the 5xx error and part of the message it tried to send.
If Exim is sending a message as a result of the rejection then something is wrong.
Ahhhh, we are both confused. Well, maybe I’m confused. But I get what you’re saying now; I just never understood how it arrived.
Basically, I saw the log message “rejected receipt” for each of the blocked senders, and thought to myself, “does this send a message back?”. So I added my gmail to the by_sender file, then sent an email to the server.
The server rejected the message in the way it rejected other messages, but then in gmail I saw the Mail Delivery Failed, so my immediate thought was, “Yes, it does send a reply,” without thinking any deeper on the matter. I did look at the source and thought it looked a bit odd, but paid no mind to it.
So you are correct, it doesn’t send replies to blacklisted senders, it’s just me playing too fast and loose.
Correction on my previous posting… IPv6 addresses need to be wrapped in double quotes, and not single quotes as I said.
I have now confirmed that dropping IPv6 addresses into /etc/symbiosis/firewall/blacklist.d as filenames in the normal format of an IPv6 address, but with /64 on the end to signify a single IP, works.
The file needs to be created as previously noted by replacing the / (slash) with a | (pipe); however, it must be noted that you have to escape the pipe when creating the file.
Proof it works:
Feb 12 10:26:18 account snoopy: [uid:0 sid:492 tty:(none) cwd:/ filename:/sbin/ip6tables]: /sbin/ip6tables -A blacklist --src 240a:618b:0:d1::/64 -j DROP
Oh hang on, unless that’s just me adding the rule… But no! It’s dated today and I added that rule yesterday… but scrolling up a bit revealed the truth. It’s iptables save and ip6tables save; I was wondering why I had them all hitting at the same time. So, no, in the end this is proof of nothing other than the rule successfully being added to the ip6tables rules. Whether it actually works or not hasn’t actually been proven, but looking at the rule, it certainly looks fine to me.
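The naming convention described in this thread (the CIDR’s “/” stored as “|” in the blacklist.d filename, the pipe escaped or quoted when the file is created, and the firewall turning each file into an ip6tables or iptables DROP rule like the snoopy line quoted above) as a small POSIX shell script. This is an added example, not Symbiosis’ own firewall code: the function names, the scratch directory created with mktemp, and the 192.0.2.10/32 entry are assumptions; the chain name “blacklist” and the /64 address are taken from the log line quoted in the thread.

```shell
#!/bin/sh
# Added example (not Symbiosis' own code): map between blacklist.d
# filenames and the source argument the firewall rule is built from.
# Convention from the thread: "/" in a CIDR is stored as "|" because
# "/" cannot appear in a filename; "*.auto" files come from patterns rules.

# Address or CIDR -> filename used under blacklist.d
blacklist_filename() {
    printf '%s\n' "$1" | tr '/' '|'
}

# Filename (with or without directory and .auto suffix) -> --src argument
blacklist_source() {
    printf '%s\n' "$(basename "$1")" | sed 's/\.auto$//' | tr '|' '/'
}

# Which tool handles the entry: any ":" in the source means IPv6
blacklist_tool() {
    case "$1" in
        *:*) echo ip6tables ;;
        *)   echo iptables ;;
    esac
}

# Emit the rule the firewall would add for every file in a directory,
# in the shape of the snoopy log line: chain "blacklist", target DROP.
blacklist_rules() {
    dir=$1
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        src=$(blacklist_source "$f")
        echo "$(blacklist_tool "$src") -A blacklist --src $src -j DROP"
    done
}

# Create an entry. Quoting the name is the "escape the pipe" step;
# an unquoted | would start a pipeline instead of being part of the name.
blacklist_add() {
    touch "$1/$(blacklist_filename "$2")"
}

# Demo on a scratch directory (constructed; the real path is
# /etc/symbiosis/firewall/blacklist.d).
demo_dir=$(mktemp -d)
blacklist_add "$demo_dir" "240a:618b:0:d1::/64"
blacklist_add "$demo_dir" "192.0.2.10/32"
blacklist_rules "$demo_dir"
rm -r "$demo_dir"
```

Running it prints one iptables rule for the IPv4 entry and one ip6tables rule for the IPv6 entry, which is a quick way to check that a filename you are about to touch into blacklist.d will decode to the address you intended before the firewall picks it up.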
At the time, I was unclear whether you were adding files to /etc/symbiosis/firewall/blacklist.d, or adding direct IP addresses into one of the Exim blacklist files. My comments refer to adding IPv6 addresses to the latter.
Should work too; no problem having multiple options available. I haven’t even looked at the Exim blacklist files, but I’ll be sure to take a peek.
Also if the file ends in .auto it’s likely to have been added by a patterns rule. If you place a file in the blacklist.d directory, iptables is updated pretty instantly I’ve found.
And it will rebuild its tables every 15 minutes, so the logs will show that happening.
Oh, it definitely shows it in the logs, over and over. Every time I touch a file into there the firewall is pretty much immediately updated, which of course makes it difficult to c&p IP addresses when it’s scrolling by so fast.
Cracked it though, just banning SSH attackers at the moment. Eventually I’ll move onto fail2ban but for now, if I can just reduce the hits per day a little, then maybe I’ll have time to introduce further changes.
tail -f logfile | less
tail -f logfile | grep SSH | less
where SSH is something on the line you are looking for.
If you have a restricted set of people using SSH, then you can get sshd to listen on some other random port and switch to using that for access. Once it’s working, you can then ban access to port 22. This goes some way to just keeping the script kiddies out. You can always get in using the console if this goes wrong and you find yourself locked out.
I’m on managed, so I’ve been advised by support that it’s not a great idea to move the port. I did do some usual SSH hardening, but that just locked support out of the server.
I’m live tailing the files, but I’m also watching for other stuff, I often grep too, but I’ve never tried grepping a live tail… Thanks for the tips.
Talking of zgrepping and grepping, here’s a quick bit of bash for those hunting down blacklisteds:
zgrep 'blacklisted by zen' /var/log/exim4/mainlog* | grep '2019-02-15' | wc -l
Will get you a blacklisted count for each day, very useful to see if you get anywhere near the Spamhaus daily limit (I don’t, thankfully).
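The one-liner above counts one day at a time; the script below generalises it to a per-day count across all mainlog files, rotated (.gz) or not. It is an added example, not code from the thread: the function names, the constructed sample log lines and the mktemp scratch file are assumptions, and only the “blacklisted by zen” phrase and the /var/log/exim4/mainlog* location come from the post.

```shell
#!/bin/sh
# Added example (not from the thread): per-day count of "blacklisted by zen"
# rejections across Exim mainlog files, decompressing rotated .gz files.

# Stream every log file given, decompressing .gz ones on the fly
read_logs() {
    for f in "$@"; do
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done
}

# Print "<count> <date>" per day, oldest first, for lines containing pattern
rejections_per_day() {
    pattern=$1
    shift
    read_logs "$@" | grep -F "$pattern" | cut -d' ' -f1 | sort | uniq -c |
        awk '{ print $1, $2 }'
}

# Count for a single day: the same result as the zgrep | grep | wc one-liner
rejections_on_day() {
    day=$1
    pattern=$2
    shift 2
    read_logs "$@" | grep -F "$pattern" |
        awk -v d="$day" 'index($0, d) == 1 { n++ } END { print n + 0 }'
}

# Constructed sample in Exim mainlog style (dates, hosts and addresses are
# made up; the rejection wording is an assumption apart from the zen phrase)
sample_log() {
    cat <<'EOF'
2019-02-14 09:12:01 H=(mail.example.net) [203.0.113.5] F=<a@example.net> rejected RCPT <user@example.org>: blacklisted by zen
2019-02-14 11:40:33 H=(mx.example.com) [198.51.100.9] F=<b@example.com> rejected RCPT <user@example.org>: blacklisted by zen
2019-02-15 03:01:17 1gtfoo-0001Ab-Cd <= c@example.net H=(mail.example.net) [203.0.113.7] P=esmtp S=1234
2019-02-15 08:22:45 H=(spam.example) [192.0.2.44] F=<d@example> rejected RCPT <user@example.org>: blacklisted by zen
EOF
}

# Demo: on a real server replace "$log" with /var/log/exim4/mainlog*
log=$(mktemp)
sample_log > "$log"
rejections_per_day 'blacklisted by zen' "$log"
rm "$log"
```

On the constructed sample this prints 2 for 2019-02-14 and 1 for 2019-02-15; the accepted-message line is ignored because it does not carry the zen phrase. Comparing the daily figures against the Spamhaus free-use limit is then a matter of reading one column rather than re-running the one-liner per date.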
admin@vm1:/etc/exim4$ /srv/.all-sites/utils/rblinfo
17 rbl services configured (non-spamhaus might 'tag')
12 rbl services show log rejection messages
service                          sites   rejections
--------------------------------------------------------
zen.spamhaus.org                    31          693
hostkarma.junkemailfilter.com       14           46
all.s5h.net                         14           44
b.barracudacentral.org              20           35
all.spamrats.com                    13            8
dbl.spamhaus.org                    20            6
multi.uribl.com                     20            5
truncate.gbudb.net                  20            5
ubl.unsubscore.com                  16            5
dnsbl.dronebl.org                   14            4
all.bl.blocklist.de                 16            1
bl.spamcop.net                      16            1
bl.mailspike.net                    18            0
rhsbl.sorbs.net                     12            0
dyna.spamrats.com                    5            0
noptr.spamrats.com                   5            0
dnsbl.sorbs.net                      1            0
TOTAL                                -          853
--------------------------------------------------------
spamassassin                        31           10
clamav                              31           74
--------------------------------------------------------
v20180729 : ~0.16s
It also counts ‘local’ rejections if /etc/exim/blacklist/by_sender exists.
At least one person managed to break it (blank output) but I never found out how.
Definitely gonna have to play with that (Next week - before I break the server over the weekend again).
I looked in that thread a number of times and that script always added to my confusion, but now, you have eased that confusion.
If you come back as @angrybanana I’ll delete it.
lol, easy now fella.
Wouldn’t it be angrytomato or angryredpepper anyway?
Yes or some would say ‘angryblue’ but in my defence, I was being flippant.