Vesta Control Panel - Forum

Community Forum
https://forum.vestacp.com/

Не приходят и не отправляются письма Exim4

https://forum.vestacp.com/viewtopic.php?f=31&t=15642

Page 1 of 1

Не приходят и не отправляются письма Exim4

Posted: Wed Nov 29, 2017 9:08 am
by Sisadin
Debian 8.9 - VestaCP 0.9.8 (amd64)
Здравствуйте! Уже 3 день борюсь чтобы заработала почта, помогите кто чем сможет.
На сервере был взлом, после чего перестали отправляться и приходить письма. На каждой из доменных директорий внедрили вредоносные скрипты *.php.
Методом рандомного написания команд нашел что в exim очередь из 300К писем (удалил). Но письма все так же не уходят и не приходят.
Вот некоторые логи из сервера.

var/log/exim4/mainlog

Code: Select all

2017-11-29 09:18:09 1eJnt3-0000jl-PL alt4.gmail-smtp-in.l.google.com [2607:f8b0:400e:c04::1b] Network is unreachable
2017-11-29 09:18:09 1eJnt3-0000jl-PL == [email protected] R=dnslookup T=remote_smtp defer (101): Network is unreachable
2017-11-29 09:20:16 1eJnbw-0001gI-Pd mx13.i.ua [213.186.119.6] Connection timed out
2017-11-29 09:20:16 1eJnbw-0001gI-Pd == [email protected] R=dnslookup T=remote_smtp defer (110): Connection timed out
2017-11-29 09:20:16 1eJvCW-0007hz-4N == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017-11-29 09:22:24 1eJnbd-0001cl-3Z gmail-smtp-in.l.google.com [64.233.166.27] Connection timed out
2017-11-29 09:24:31 1eJnbd-0001cl-3Z alt1.gmail-smtp-in.l.google.com [64.233.162.26] Connection timed out
2017-11-29 09:24:31 1eJnbd-0001cl-3Z == [email protected] R=dnslookup T=remote_smtp defer (110): Connection timed out
2017-11-29 09:24:31 1eJvSE-0007ra-6e == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017-11-29 09:24:31 1eJnEm-0000xf-EH == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017-11-29 09:24:31 1eJw8r-0008Nb-Ti == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017-11-29 09:24:31 1eJnHz-0000y5-Vh gmail-smtp-in.l.google.com [2a00:1450:400c:c09::1a] Network is unreachable
2017-11-29 09:26:38 1eJnHz-0000y5-Vh gmail-smtp-in.l.google.com [64.233.166.26] Connection timed out
2017-11-29 09:26:38 1eJnHz-0000y5-Vh == [email protected] R=dnslookup T=remote_smtp defer (110): Connection timed out
2017-11-29 09:26:38 1eJuqs-0007N8-81 == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017-11-29 09:26:38 1eJwPp-00005d-DY == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017-11-29 09:26:38 End queue run: pid=3663
2017-11-29 09:36:47 1eJxrL-0001WS-Cl <= [email protected] U=Sisadin P=local S=2590 [email protected]
2017-11-29 09:36:47 1eJxrL-0001WS-Cl alt1.gmail-smtp-in.l.google.com [2a00:1450:4010:c05::1a] Network is unreachable
2017-11-29 09:36:47 1eJxrL-0001WS-Cl == [email protected] R=dnslookup T=remote_smtp defer (101): Network is unreachable
2017-11-29 09:41:47 Start queue run: pid=6280
2017-11-29 09:43:54 1eJnYv-0001am-Cg alt1.gmail-smtp-in.l.google.com [64.233.162.26] Connection timed out
2017-11-29 09:46:02 1eJnYv-0001am-Cg alt3.gmail-smtp-in.l.google.com [74.125.204.27] Connection timed out
2017-11-29 09:46:02 1eJnYv-0001am-Cg == [email protected] R=dnslookup T=remote_smtp defer (110): Connection timed out
2017-11-29 09:46:02 1eJuqs-0007N8-81 == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017-11-29 09:46:02 1eJw8r-0008Nb-Ti == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017-11-29 09:46:02 1eJvIT-0007lR-Ro == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017-11-29 09:46:02 1eJnt3-0000jl-PL alt3.gmail-smtp-in.l.google.com [2404:6800:4008:c04::1a] Network is unreachable
2017-11-29 09:46:02 1eJnt3-0000jl-PL == [email protected] R=dnslookup T=remote_smtp defer (101): Network is unreachable
2017-11-29 09:46:02 1eJxrL-0001WS-Cl == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017-11-29 09:46:02 1eJvCW-0007hz-4N == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017-11-29 09:46:02 1eJnbd-0001cl-3Z == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017-11-29 09:46:02 1eJvSE-0007ra-6e == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017-11-29 09:46:02 1eJnbw-0001gI-Pd == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017-11-29 09:46:02 1eJnEm-0000xf-EH == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017-11-29 09:46:02 1eJnHz-0000y5-Vh == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017-11-29 09:46:02 1eJwPp-00005d-DY == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017-11-29 09:46:02 1eJplN-0002TO-F0 == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2017-11-29 09:46:02 End queue run: pid=6280
var/log/exim4/rejectlog.1

Code: Select all

2017-11-28 16:54:50 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=arcserve)
2017-11-28 16:57:38 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=micheal)
2017-11-28 17:00:28 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=adam)
2017-11-28 17:03:19 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=jorge)
2017-11-28 17:06:07 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=camera)
2017-11-28 17:09:01 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=green)
2017-11-28 17:11:58 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=reeves)
2017-11-28 17:14:47 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=workshop)
2017-11-28 17:17:37 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=angel)
2017-11-28 17:20:26 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=bkupexec)
2017-11-28 17:23:18 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=pr)
2017-11-28 17:26:13 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=antivirus)
2017-11-28 17:29:07 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=reception)
2017-11-28 17:31:58 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=smtp)
2017-11-28 17:34:52 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=monica)
2017-11-28 17:37:39 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=mailing)
2017-11-28 17:40:33 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=jennifer)
2017-11-28 17:43:29 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=scanuser)
2017-11-28 17:46:23 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=abel)
2017-11-28 17:49:15 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=nick)
2017-11-28 17:52:05 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=administrator)
2017-11-28 17:54:57 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=server)
2017-11-28 17:57:49 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=informix)
2017-11-28 18:00:47 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=recepcao)
2017-11-28 18:03:40 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=promo)
2017-11-28 18:06:33 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=yoursite)
2017-11-28 18:09:24 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=registration)
2017-11-28 18:12:12 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=test3)
2017-11-28 18:15:08 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=james)
2017-11-28 18:18:02 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=user1)
2017-11-28 18:20:59 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=digital)
2017-11-28 18:23:50 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=frank)
2017-11-28 18:26:44 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=payroll)
2017-11-28 18:29:36 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=simon)
2017-11-28 18:32:31 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=peter)
2017-11-28 18:35:31 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=document)
2017-11-28 18:38:27 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=blog)
2017-11-28 18:41:17 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=buchhaltung)
2017-11-28 18:42:11 H=localhost (www.camping-plein-soleil.be) [127.0.0.1] sender verify fail for <[email protected]>: Unrouteable address
2017-11-28 18:42:11 H=localhost (www.camping-plein-soleil.be) [127.0.0.1] F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
2017-11-28 18:44:04 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=archivo)
2017-11-28 18:46:54 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=news)
2017-11-28 18:49:45 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=lab)
2017-11-28 18:50:18 dovecot_login authenticator failed for dfmain.diasoft-platform.ru (ADMIN) [93.91.8.32]: 535 Incorrect authentication data ([email protected])
2017-11-28 18:52:44 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=accounting)
2017-11-28 18:55:42 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=impresora)
2017-11-28 18:58:31 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=veritas)
2017-11-28 19:01:24 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=dispatch)
2017-11-28 18:58:31 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=veritas)
2017-11-28 19:01:24 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=dispatch)
2017-11-28 19:04:20 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=install)
2017-11-28 19:07:17 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=canon)
2017-11-28 19:10:14 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=ventas)
2017-11-28 19:56:20 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=stores)
2017-11-28 19:59:09 dovecot_login authenticator failed for (User) [91.200.12.140]: 535 Incorrect authentication data (set_id=scott)
2017-11-28 23:45:05 SMTP call from localhost [127.0.0.1] dropped: too many unrecognized commands (last was "ssd")
2017-11-28 23:48:31 SMTP call from localhost [127.0.0.1] dropped: too many unrecognized commands (last was "")
netstat -ntlp | grep LISTEN

Code: Select all

tcp        0      0 127.0.0.1:8081          0.0.0.0:*               LISTEN      345/apache2     
tcp        0      0 0.0.0.0:8083            0.0.0.0:*               LISTEN      428/vesta-nginx 
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      394/vsftpd      
tcp        0      0 51.254.136.201:53       0.0.0.0:*               LISTEN      376/named       
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      376/named       
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      375/sshd        
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1311/exim4      
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      376/named       
tcp        0      0 51.254.136.201:443      0.0.0.0:*               LISTEN      345/apache2     
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      1/init          
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      392/dovecot     
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      858/mysqld      
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      392/dovecot     
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      1/init          
tcp        0      0 51.254.136.201:80       0.0.0.0:*               LISTEN      345/apache2     
tcp6       0      0 :::22                   :::*                    LISTEN      375/sshd        
tcp6       0      0 ::1:25                  :::*                    LISTEN      1311/exim4      
tcp6       0      0 ::1:953                 :::*                    LISTEN      376/named       
tcp6       0      0 :::993                  :::*                    LISTEN      1/init          
tcp6       0      0 :::995                  :::*                    LISTEN      392/dovecot     
tcp6       0      0 :::110                  :::*                    LISTEN      392/dovecot     
tcp6       0      0 :::143                  :::*                    LISTEN      1/init
Заголовки одного из писем которые попадают в очередь exim

Code: Select all

1eJnYv-0001am-Cg-H
Sisadin 1002 1002
<[email protected]>
1511905025 0
-ident Sisadin
-received_protocol local
-body_linecount 2
-max_received_linelength 74
-auth_id Sisadin
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
[email protected]

194P Received: from Sisadin by vps220312.ovh.net with local (Exim 4.84_2)
        (envelope-from <[email protected]>)
        id 1eJnYv-0001am-Cg
        for [email protected]; Tue, 28 Nov 2017 22:37:05 +0100
025T To: [email protected]
057  Subject: WP Mail SMTP: Test mail to [email protected]
051  X-PHP-Originating-Script: 1002:class-phpmailer.php
038  Date: Tue, 28 Nov 2017 21:37:05 +0000
052F From: WordPress <[email protected]>
075I Message-ID: <[email protected]>
068  X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
018  MIME-Version: 1.0
040  Content-Type: text/plain; charset=UTF-8
Спасибо.

Re: Не приходят и не отправляются письма Exim4

Posted: Wed Nov 29, 2017 11:11 am
by imperio
Добрый день. Сначала уточните у поставщика услуг хостинга не было ли блокировок за спам с их стороны. Они вполне могли зафильтровать 25 порт.

Re: Не приходят и не отправляются письма Exim4

Posted: Wed Nov 29, 2017 4:42 pm
by Sisadin
Да действительно, порт был под блоком когда разблокировали письма начали доходить. Попадают в папку спам.
Roundcube как не работал так и не работает не принимает не посылает письма остаются в очереди.
Но главное что пересылка заработала. Есть ли какой туториал подробный с подробным описанием команд сетингов что бы опять вордпресы не ломанули и спам рекой ?
Спасибо.

Re: Не приходят и не отправляются письма Exim4

Posted: Wed Nov 29, 2017 4:49 pm
by imperio
Вероятнее всего стоят какие-то кривые плагины, через которые и ломают. Рекомендую проверить также директории вордпресса на наличие шеллов. Если нашли дыру в скрипте, то могли залить шелл.

Re: Не приходят и не отправляются письма Exim4

Posted: Wed Nov 29, 2017 4:51 pm
by imperio
Вспомните когда всё началось и консольной командой найдите все изменения после этой даты.
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/