

Exim mail queue soaked




Posted by Data 1 Systems, 11-17-2007, 03:39 PM
Hi everyone, been here 100 times, finally decided to join. I've picked up a lot of excellent tips from here. CentOS, 2 gigs RAM, cPanel/WHM. My problem is similar to this thread: EDIT it won't let me post it? Anyway, after complaints of "mail not being sent" I looked at a few things, found over 25,000 messages stuck in the queue. The messages-not-being-sent thing is Yahoo blocking me because of too many mails sent to their servers without a valid recipient. When I empty the queue it gathers about 200 mails an hour. Looks like it is coming from all over the world and they are using a valid IP from one of the domains hosted for sending. Bear with me, I was reselling for years and this is my first real dedicated server. Reverse DNS is set up. I need a couple clues. Thanks-

Posted by david510, 11-17-2007, 09:50 PM
What is the exact error message you are getting when you try to send mail to Yahoo from the server?

Posted by Skylar MacMinn, 11-17-2007, 09:55 PM
Seems like you may need to fix this issue with Yahoo itself. You may also want to go into WHM and click "Tweak Settings" and set a limit of emails an hour per account, and set "Prevent the user "nobody" from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively.)" to ON. This can be found under WHM > Server Configuration > Tweak Settings.

Posted by Data 1 Systems, 11-18-2007, 10:23 AM
Thank you for the responses. I can't really limit any amount of mails, I host mostly bulletin boards that do use a mass e-mail feature. They don't send mail as nobody, it uses the admin e-mail address, so I will turn that off. That would help if there is a script on the server that is sending the mails. This is a header from one of them. The interface address is the IP of one of my customers' accounts. The other info changes and host IPs have ranged from Australia, Russia, Belgium, the foreign country of California, just about anywhere. I'm thinking it's on someone's computer (a trojan) that really is using his IP (or mail.hiswebaddress.com) as the SMTP... possibly somebody he knows that doesn't know this is happening. But wait, there's more... the SMTP IP changes from time to time to another account on the server. Here is one of the header formats:

1ItTl3-0003XG-R9-H
mailnull 47 12
1195329313 0
-helo_name b437bb35384c4e2
-host_address 78.57.200.223.1614
-host_name 78-57-200-223.ip.zebra.lt
-interface_address 69.36.15.205.25
-received_protocol esmtp
-body_linecount 497
-max_received_linelength 82
XX
4
justwheelinp@atving.us
justwheelindd@atving.us
justwheelin@atving.us
justwheelind@atving.us

217P Received: from 78-57-200-223.ip.zebra.lt ([78.57.200.223] helo=b437bb35384c4e2) by host.d1shost.com with esmtp (Exim 4.68) (envelope-from ) id 1ItTl3-0003XG-R9; Sat, 17 Nov 2007 14:56:16 -0500
082P Received: from [78.57.200.223] by mx01.1and1.com; Sat, 17 Nov 2007 19:57:28 +0000
047I Message-ID: <01c82954$14c5fb10$dfc8394e@ohvca>
042F From: "Cleo Henson"
029T To:
083  Subject: are you going to pass up an opportunity to get a humungous EDITED? really?
038  Date: Sat, 17 Nov 2007 19:57:28 +0000
018  MIME-Version: 1.0
118  Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0006_01C82954.14C5FB10"
014  X-Priority: 3
026  X-MSMail-Priority: Normal
051  X-Mailer: Microsoft Outlook Express 6.00.2800.1158
057  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1158

Posted by Data 1 Systems, 11-18-2007, 10:28 AM
Here is another interesting one, sent to a Yahoo address. The datacenter is the one that told me Yahoo was blocking me, I have no real evidence of this myself. I trust them though.

1ItSvz-0002bz-BN-H
mailnull 47 12
<>
1195326147 0
-ident mailnull
-received_protocol local
-body_linecount 49
-max_received_linelength 285
-allow_unqualified_recipient
-allow_unqualified_sender
-localerror
XX
1
tennisqueen45@yahoo.com

150P Received: from mailnull by host.d1shost.com with local (Exim 4.68) id 1ItSvz-0002bz-BN for tennisqueen45@yahoo.com; Sat, 17 Nov 2007 14:02:27 -0500
047  X-Failed-Recipients: katjones@clerkofcourt.net
029  Auto-Submitted: auto-replied
060F From: Mail Delivery System
028T To: tennisqueen45@yahoo.com
059  Subject: Mail delivery failed: returning message to sender
049I Message-Id:
038  Date: Sat, 17 Nov 2007 14:02:27 -0500
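One way to sort a queue like this by what the two posted spool headers show, as an added example that is not from the thread: parse the envelope part of Exim -H spool files and count how many queued messages are locally generated bounces (empty sender, received_protocol local, the backscatter pattern in the second header) versus mail that arrived over SMTP, grouped by the interface address it came in on. The two spool texts below are constructed, modelled on the posted ones, with made-up ids and addresses.

```python
from collections import Counter
# Constructed Exim -H (spool header) envelopes modelled on the thread's two; ids/addresses made up.
RELAYED = """\
1ItTl3-0003XG-R9-H
mailnull 47 12
<sender@example.invalid>
1195329313 0
-interface_address 203.0.113.25.25
-received_protocol esmtp
XX
1
user1@example.org"""
BOUNCE = """\
1ItSvz-0002bz-BN-H
mailnull 47 12
<>
1195326147 0
-received_protocol local
-localerror
XX
1
victim@example.com"""

def parse_envelope(text):
    # Layout: id-H, "user uid gid", <sender>, "time warnings", -options, XX tree, count, recipients
    lines = text.splitlines()
    msg = {"id": lines[0][:-2], "sender": lines[2][1:-1], "options": {}}
    i = 4
    while lines[i].startswith("-"):            # "-name [value]"; a bare name is a flag
        name, _, value = lines[i][1:].partition(" ")
        msg["options"][name] = value or True
        i += 1
    count = int(lines[i + 1])                  # lines[i] is the "XX" non-recipient tree
    msg["recipients"] = lines[i + 2:i + 2 + count]
    return msg

def kind(msg):
    """Empty sender generated locally = bounce (backscatter if the original was spam)."""
    proto = msg["options"].get("received_protocol", "")
    if msg["sender"] == "" and proto == "local":
        return "bounce"
    return "smtp" if proto.endswith("smtp") else "local"
def queue_report(spool_texts):
    """Count queued messages by kind and by the interface (customer IP) they used."""
    by_kind, by_interface = Counter(), Counter()
    for msg in map(parse_envelope, spool_texts):
        by_kind[kind(msg)] += 1
        if iface := msg["options"].get("interface_address"):
            by_interface[iface.rsplit(".", 1)[0]] += 1   # strip the ".port" suffix
    return {"by_kind": by_kind, "by_interface": by_interface}
```

On a live box the same functions can be fed the contents of the -H files under the Exim spool input directory (or the output of `exim -Mvh <id>` per message); a queue dominated by "bounce" points at backscatter, one dominated by "smtp" from a single interface points at relay through that customer's IP.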

Posted by RDOSTI, 11-18-2007, 11:27 AM
There are about 100 things to do (besides panic).
1. Update Exim security features (WHM - Exim Editor).
2. Update Tweak Settings (WHM) to allow limited relays, and also set up the SMTP tweak and set up a firewall, etc., to make sure outbound emails use only SMTP for relay so you can monitor who sent what and how.
3. Get new IPs (whitelisted ones) so Yahoo gives you a second chance (I doubt they banned your domains).
4. Get SPF records, get DomainKeys records and get SenderID allocated to your domains.
5. Control spam with antivirus and antispam filters (inbound and outbound).
6. Remove domains that are sending the spam flow, etc., etc.
Regards

Posted by Data 1 Systems, 11-18-2007, 12:37 PM
Thank you fremont, I didn't see "update security features" anywhere... running WHM 11.11.0. I turned on SpamAssassin globally, disallowed "nobody" from sending, and I'm feverishly looking for some of the rest of the settings! The only thing I can't do due to customer usage is limit the amount of mails and remove domains. No use in changing the IPs until I can cure out the problem, but I guess I can check by sending mail to someone on Yahoo? My wife still has a Yahoo mail from years back, I'll try that.

Posted by RDOSTI, 11-18-2007, 12:39 PM
update security features - basically means get everything optimized

Posted by Data 1 Systems, 11-18-2007, 02:19 PM
OK, I have had another cup of coffee now. I ended up having to re-enable "nobody" because I couldn't send mail from any of the boards or my contact forms. I saw in the mail tweak settings in that area: "PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively." Should I be using PHPSuexec and Suexec? What do I gain/lose? I know I'm being a pain but I have never managed a server at a level this deep before (was a reseller for a while) and I seriously want to provide the customers with the highest level of performance I can without compromising real security.

Posted by RDOSTI, 11-18-2007, 02:23 PM
PHPSuexec will prevent your scripts from using the 777 CHMOD and has some restrictions on particular developed scripts... the results are unknown.... But it does provide security, so you know which script is sending out what stuff... Regards

Posted by RDOSTI, 11-18-2007, 02:43 PM
Added further... you may want to go to WHM - Plugins - Install ClamAV if it's not there already. Install MailScanner (search Google for "Mailscanner for CPanel"); you can install it freely just following the instructions, though you should have a server with plenty of RAM for that and SpamAssassin. WHM - Exim Configuration Editor - Try keeping everything ticked except the *The recipient cannot be verified. Please check all recipients of this message to verify they are valid* OPTION and the "Use the old transport based" OPTION (since you DON'T want to use the old transport system). That should help considerably. Regards


