Act as a MX backup

ashtec014
Normal user
Posts: 41
Joined: 2019-09-05 11:56

Act as a MX backup

Post by ashtec014 » 2019-11-11 18:18

Hello Everyone,

I hope someone can help me with hMailServer acting as an MX backup. I followed the documentation posted here: https://www.hmailserver.com/documentati ... _mx_backup but I don't know if I did it right.

2019-11-11   Hmailserver: 5.6.7-B2425.16

DOMAINS
     (No Domains Entered)

-----------------------------------------------------------------------------------------------

IP RANGES

IP: 200.0.0.103 - 200.0.0.103     Priority: 25     Name: Internal Gateway

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True
     IMAP:   True                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 127.0.0.1 - 127.0.0.1     Priority: 15     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True
     IMAP:   True                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True
     IMAP:   True                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


------------------------------------------------------
AUTOBANNED Local Addresses:
    No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:      1
                              Minutes Before Reset:         1500  (25.00 hours, 1.04 days)
                              Minutes to Autoban:          10140  (169.00 hours, 7.04 days)

There is a total of 148 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries:  5 Mins: 60   Plain Text:         True  Bind: 
                     Host: EXTERNAL.TLD        Empty sender:       True  Batch recipients:   100
Max Msg Size: 20480  Relay:-                   Incorrect endings:  True  Use STARTTLS:      True
                     (none entered)            Disc. on invalid:   True  Delivered-To hdr: False
                                               Max number commands: 100  Loop limit:           5
                                                                         Recipient hosts:     15
  Routes:
    arxxxxxx.com          - S: Local   R: Local  - Addr: All         (ok)
    saxxxxxxxxxxxxx.com      - S: Local   R: Local  - Addr: All         (ok)

POP3
  No. Connections: 0

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: True
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  5       Use SPF:            True - 2    Use Spamassassin:    True
  Add X-HmailServer-Spam:     True    Check HELO host:    True - 2    Hostname:       127.0.0.1
  Add X-HmailServer-Reason:   True    Check MX records:   True - 2    Port:                 783
  Add X-HmailServer-Subject:  True    Verify DKIM:       False        Use SA score: False -   5
              Subject Text: "[SPAM]"
  Spam delete threshold: 8         Maximum message size: 1024

DNSBL ENTRIES:
                  zen.spamhaus.org      Score: 3     Result: 127.0.0.2-8|127.0.0.10-11
                    bl.spamcop.net      Score: 3     Result: 127.0.0.2
            b.barracudacentral.org      Score: 2     Result: 127.0.0.2
     hostkarma.junkemailfilter.com      Score: 2     Result: 127.0.0.2|127.0.0.4
           bl.spameatingmonkey.net      Score: 2     Result: 127.0.0.2-3
                   cbl.abuseat.org      Score: 2     Result: 127.0.0.2
              zz.countries.nerd.dk      Score: 5     Result: 127.0.0.158|127.0.2.131|127.0.2.198

SURBL ENTRIES:
                   multi.surbl.org      Score: 3

GREYLISTING:
  Greylisting:  False

WHITELISTING
   No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS

GENERAL:
  When found - Delete Attachments.

  Max Message Size: 26214
     CLAM AV:   True       Hostname: localhost    Port: 3310
     CLAMWIN:   False
     CUSTOMAV:  False

  Block Attachments: True
               *.bat             Batch processing file
               *.cmd             Command file for Windows NT
               *.com             Command
               *.cpl             Windows Control Panel extension
               *.csh             CSH script
               *.docm            Macro Enabled Office
               *.dotm            Macro Enabled Office
               *.exe             Executable file
               *.inf             Setup file
               *.js              JavaScript
               *.lnk             Windows link file
               *.msi             Windows Installer file
               *.msp             Windows Installer patch
               *.pif             Program Information file
               *.reg             Registration key
               *.scf             Windows Explorer command
               *.scr             Windows Screen saver
               *.vbs             MS Visual Basic Scripting
               *.xlsm            Macro enabled Office
               *.xltm            Macro Enabled Office
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   STL SSL
       Certificate: C:\Program Files (x86)\hMailServer\SSLCertificate\certificate.crt
       Private key: C:\Program Files (x86)\hMailServer\SSLCertificate\private.key
-----------------------------------------------------------------------------------------------

SSL/TLS
             SSL 3.0 :  False
             TLS 1.0 :   True
             TLS 1.1 :   True
             TLS 1.2 :   True                Verify Remote SSL/TLS Certs:   True
SslCipherList  :

ECDHE-RSA-AES128-GCM-SHA256     - ECDHE-ECDSA-AES128-GCM-SHA256   - ECDHE-RSA-AES256-GCM-SHA384     
ECDHE-ECDSA-AES256-GCM-SHA384   - DHE-RSA-AES128-GCM-SHA256       - DHE-DSS-AES128-GCM-SHA256       
kEDH+AESGCM                     - ECDHE-RSA-AES128-SHA256         - ECDHE-ECDSA-AES128-SHA256       
ECDHE-RSA-AES128-SHA            - ECDHE-ECDSA-AES128-SHA          - ECDHE-RSA-AES256-SHA384         
ECDHE-ECDSA-AES256-SHA384       - ECDHE-RSA-AES256-SHA            - ECDHE-ECDSA-AES256-SHA          
DHE-RSA-AES128-SHA256           - DHE-RSA-AES128-SHA              - DHE-DSS-AES128-SHA256           
DHE-RSA-AES256-SHA256           - DHE-DSS-AES256-SHA              - DHE-RSA-AES256-SHA              
AES128-GCM-SHA256               - AES256-GCM-SHA384               - ECDHE-RSA-RC4-SHA               
ECDHE-ECDSA-RC4-SHA             - AES128                          - AES256                          
RC4-SHA                         - HIGH                            - !aNULL                          
!eNULL                          - !EXPORT                         - !DES                            
!3DES                           - !MD5                            - !PSK;                           
-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   StartTLS Optional   Cert: STL SSL
               0.0.0.0         / 110   / POP3   -   StartTLS Required   Cert: STL SSL
               0.0.0.0         / 143   / IMAP   -   StartTLS Required   Cert: STL SSL
               0.0.0.0         / 465   / SMTP   -   SSL/TLS             Cert: STL SSL
               0.0.0.0         / 587   / SMTP   -   StartTLS Required   Cert: STL SSL
               0.0.0.0         / 993   / IMAP   -   SSL/TLS             Cert: STL SSL
               0.0.0.0         / 995   / POP3   -   SSL/TLS             Cert: STL SSL
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_2019-11-11.log
    Error:    C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2019-11-11.log - !! ERRORS PRESENT !!
    Event:    C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log - Last Event: 2019/11/11
    Awstats:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
                        APPLICATION -    True
                        SMTP        -    True
                        POP3        -    True
                        IMAP        -    True
                        TCPIP       -    True
                        DEBUG       -    True
                        AWSTATS     -    True
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MySQL

IPv6 support is available in operating system.

Backup directory D:\EMAIL BACKUP is writable.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  C:\Program Files (x86)\hMailServer\
Database folder: 
Data folder:     C:\Program Files (x86)\hMailServer\Data
Log folder:      C:\Program Files (x86)\hMailServer\Logs
Temp folder:     C:\Program Files (x86)\hMailServer\Temp
Event folder:    C:\Program Files (x86)\hMailServer\Events

[Database]
Type=              MYSQL
Username=          ****
PasswordEncryption=1
Port=              3306
Server=            localhost
Internal=          0

[settings]
DisableAUTHList=25
-----------------------------------------------------------------------------------------------

Generated by HMSSettingsDiagnostics v1.96, Hmailserver Forum.

The settings I set up here are just the same as on my main mailserver. My problem is the botnet which is trying to log in even though I don't have a domain set up. I also copied and pasted the script which I implemented on my main mailserver, but it doesn't work here. The EventHandlers.vbs script from my main server is working fine and was able to filter/block botnets. I do not understand why it's not working on my backup mailserver.

My main mailserver is hosted on Windows Server 2012, whereas my backup mailserver is hosted on Windows Server 2008.

Here is the log from a very annoying botnet that was trying to authenticate. Upon checking with the log analyzer, this domain is not hosted on this mailserver, but it keeps sending using different usernames.


"SMTPD"	10156	55	"2019-11-11 18:22:51.644"	"200.0.0.103"	"SENT: 250-mx1.mydomain.com[nl]250-SIZE 20480000[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD"	9596	55	"2019-11-11 18:22:51.813"	"200.0.0.103"	"RECEIVED: AUTH LOGIN"
"SMTPD"	9596	55	"2019-11-11 18:22:51.814"	"200.0.0.103"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	10156	55	"2019-11-11 18:22:51.983"	"200.0.0.103"	"RECEIVED: bWFydmluQHJmcGIuY29t"
"SMTPD"	10156	55	"2019-11-11 18:22:51.984"	"200.0.0.103"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	10156	55	"2019-11-11 18:22:52.143"	"200.0.0.103"	"RECEIVED: ***"
"SMTPD"	10156	55	"2019-11-11 18:22:52.161"	"200.0.0.103"	"SENT: 535 Authentication failed. Too many invalid logon attempts."
"DEBUG"	9596	"2019-11-11 18:22:52.162"	"Ending session 55"
"DEBUG"	10156	"2019-11-11 18:50:39.965"	"Creating session 59"
"TCPIP"	10156	"2019-11-11 18:50:39.966"	"TCP - 200.0.0.103 connected to 200.0.0.10:587."
"DEBUG"	10156	"2019-11-11 18:50:39.969"	"Executing event OnClientConnect"
"DEBUG"	10156	"2019-11-11 18:50:39.970"	"Event completed"
"DEBUG"	10156	"2019-11-11 18:50:39.971"	"TCP connection started for session 52"
"SMTPD"	10156	52	"2019-11-11 18:50:39.972"	"200.0.0.103"	"SENT: 220 mx1.mydomain.com ESMTP"
"SMTPD"	9596	52	"2019-11-11 18:50:40.164"	"200.0.0.103"	"RECEIVED: EHLO localhost.localdomain"
"DEBUG"	9596	"2019-11-11 18:50:40.165"	"Executing event OnHELO"
"DEBUG"	9596	"2019-11-11 18:50:40.528"	"Event completed"
"SMTPD"	9596	52	"2019-11-11 18:50:40.529"	"200.0.0.103"	"SENT: 250-mx1.mydomain.com[nl]250-SIZE 20480000[nl]250-STARTTLS[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD"	10156	52	"2019-11-11 18:50:40.710"	"200.0.0.103"	"RECEIVED: STARTTLS"
"SMTPD"	10156	52	"2019-11-11 18:50:40.711"	"200.0.0.103"	"SENT: 220 Ready to start TLS"
"DEBUG"	7116	"2019-11-11 18:50:40.712"	"Performing SSL/TLS handshake for session 52. Verify certificate: False"
"TCPIP"	10156	"2019-11-11 18:50:41.232"	"TCPConnection - TLS/SSL handshake completed. Session Id: 52, Remote IP: 200.0.0.103, Version: TLSv1.2, Cipher: AES256-SHA, Bits: 256"
"SMTPD"	10156	52	"2019-11-11 18:50:41.450"	"200.0.0.103"	"RECEIVED: EHLO localhost.localdomain"
"DEBUG"	10156	"2019-11-11 18:50:41.451"	"Executing event OnHELO"
"DEBUG"	10156	"2019-11-11 18:50:41.799"	"Event completed"
"SMTPD"	10156	52	"2019-11-11 18:50:41.800"	"200.0.0.103"	"SENT: 250-mx1.mydomain.com[nl]250-SIZE 20480000[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD"	7116	52	"2019-11-11 18:50:42.013"	"200.0.0.103"	"RECEIVED: AUTH LOGIN"
"SMTPD"	7116	52	"2019-11-11 18:50:42.014"	"200.0.0.103"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	8060	52	"2019-11-11 18:50:42.251"	"200.0.0.103"	"RECEIVED: c3VwcG9ydEByZnBiLmNvbQ=="
"SMTPD"	8060	52	"2019-11-11 18:50:42.252"	"200.0.0.103"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	9596	52	"2019-11-11 18:50:42.450"	"200.0.0.103"	"RECEIVED: ***"
"SMTPD"	9596	52	"2019-11-11 18:50:42.468"	"200.0.0.103"	"SENT: 535 Authentication failed. Too many invalid logon attempts."
"DEBUG"	10156	"2019-11-11 18:50:42.469"	"Ending session 52"
"DEBUG"	9596	"2019-11-11 18:58:28.289"	"Creating session 60"
"TCPIP"	9596	"2019-11-11 18:58:28.290"	"TCP - 200.0.0.103 connected to 200.0.0.10:465."
"DEBUG"	9596	"2019-11-11 18:58:28.293"	"Executing event OnClientConnect"
"DEBUG"	9596	"2019-11-11 18:58:28.295"	"Event completed"
"DEBUG"	9596	"2019-11-11 18:58:28.295"	"TCP connection started for session 58"
"DEBUG"	9596	"2019-11-11 18:58:28.296"	"Performing SSL/TLS handshake for session 58. Verify certificate: False"
"TCPIP"	9596	"2019-11-11 18:58:29.286"	"TCPConnection - TLS/SSL handshake completed. Session Id: 58, Remote IP: 200.0.0.103, Version: TLSv1.2, Cipher: AES256-SHA, Bits: 256"
"SMTPD"	9596	58	"2019-11-11 18:58:29.287"	"200.0.0.103"	"SENT: 220 mx1.mydomain.com ESMTP"
"SMTPD"	10156	58	"2019-11-11 18:58:29.896"	"200.0.0.103"	"RECEIVED: EHLO localhost.localdomain"
"DEBUG"	10156	"2019-11-11 18:58:29.897"	"Executing event OnHELO"
"DEBUG"	10156	"2019-11-11 18:58:30.264"	"Event completed"
"SMTPD"	10156	58	"2019-11-11 18:58:30.265"	"200.0.0.103"	"SENT: 250-mx1.mydomain.com[nl]250-SIZE 20480000[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD"	7116	58	"2019-11-11 18:58:30.422"	"200.0.0.103"	"RECEIVED: AUTH LOGIN"
"SMTPD"	7116	58	"2019-11-11 18:58:30.422"	"200.0.0.103"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	10156	58	"2019-11-11 18:58:30.577"	"200.0.0.103"	"RECEIVED: bGlzdEByZnBiLmNvbQ=="
"SMTPD"	10156	58	"2019-11-11 18:58:30.578"	"200.0.0.103"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	7116	58	"2019-11-11 18:58:30.733"	"200.0.0.103"	"RECEIVED: ***"
"SMTPD"	7116	58	"2019-11-11 18:58:30.779"	"200.0.0.103"	"SENT: 535 Authentication failed. Too many invalid logon attempts."

ras07
Normal user
Posts: 228
Joined: 2010-03-11 08:51

Re: Act as a MX backup

Post by ras07 » 2019-11-11 19:09

For a backup MX you normally don't need anything except port 25. Go into Settings/Advanced/TCP Ports and get rid of everything except 0.0.0.0 / 25 / SMTP. That will stop any activity at all on 587 or 465.

In addition, adding the (undocumented) setting DisableAUTHList=25 to the [Settings] section of your bin/hMailServer.INI file will stop anyone from trying to authenticate on port 25. You'll still get log entries if the botnets try to authenticate on 25 but they won't be able to do anything.
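
As an added example (not from this thread and not part of hMailServer), the script below reads hMailServer log lines in the layout shown in the post above and summarises AUTH LOGIN attempts per source IP and listener port, so an administrator can confirm which ports are attracting authentication attempts and check that, after removing the 465/587 listeners and adding DisableAUTHList=25, only port 25 still shows the (now harmless) noise. It assumes the tab-separated quoted-field layout of the SMTPD and TCPIP lines seen above, and that SMTPD lines from a remote IP belong to the listener port that IP most recently connected to (a simplification; the session ids in the TCPIP and SMTPD lines are not always aligned). The sample log lines, IP addresses and usernames are constructed for the example.

```python
"""Summarise SMTP AUTH attempts per (source IP, listener port) from hMailServer log lines."""
import base64
import binascii
import re
from collections import defaultdict

# TCPIP connect line, e.g. "TCP - 198.51.100.7 connected to 203.0.113.10:587."
TCPIP_CONNECT = re.compile(
    r"TCP - (?P<remote>[\d.]+) connected to (?P<local>[\d.]+):(?P<port>\d+)\."
)
USERNAME_CHALLENGE = "SENT: 334 VXNlcm5hbWU6"   # base64 of "Username:"


def _fields(line):
    """Split a log line on tabs and drop the double quotes around quoted fields."""
    return [f.strip('"') for f in line.rstrip("\r\n").split("\t")]


def _decode_b64(token):
    """Decode the base64 username a client sent; return the raw token if it is not base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return token


def summarize_auth(lines):
    """Return {(remote_ip, port): {"auth_attempts", "auth_failures", "usernames"}}.

    Assumption: SMTPD lines from an IP are attributed to the listener port that
    IP most recently connected to (taken from the TCPIP connect line).
    """
    last_port = {}        # remote ip -> listener port of its most recent connection
    pending_user = set()  # session ids waiting for the base64 username reply
    stats = defaultdict(lambda: {"auth_attempts": 0, "auth_failures": 0, "usernames": []})
    for raw in lines:
        f = _fields(raw)
        if not f or f[0] not in ("TCPIP", "SMTPD"):
            continue
        if f[0] == "TCPIP":
            m = TCPIP_CONNECT.search(f[-1])
            if m:
                last_port[m.group("remote")] = int(m.group("port"))
            continue
        if len(f) < 6:    # SMTPD layout: category, pid, session, timestamp, ip, message
            continue
        session, remote, msg = f[2], f[4], f[5]
        key = (remote, last_port.get(remote))
        if msg == "RECEIVED: AUTH LOGIN":
            stats[key]["auth_attempts"] += 1
        elif msg == USERNAME_CHALLENGE:
            pending_user.add(session)
        elif session in pending_user and msg.startswith("RECEIVED: "):
            pending_user.discard(session)
            stats[key]["usernames"].append(_decode_b64(msg[len("RECEIVED: "):]))
        elif msg.startswith("SENT: 535 "):
            stats[key]["auth_failures"] += 1
    return dict(stats)


def ports_with_auth_attempts(stats):
    """Listener ports on which at least one AUTH LOGIN was attempted (sorted)."""
    return sorted({port for (_ip, port), s in stats.items()
                   if s["auth_attempts"] and port is not None})


def _ln(*fields):
    """Build one log line in hMailServer's layout: numeric fields bare, others quoted."""
    return "\t".join(str(v) if isinstance(v, int) else '"%s"' % v for v in fields)


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample log (documentation IP ranges, example.org usernames, masked password).
SAMPLE_LOG = [
    _ln("TCPIP", 1001, "2019-11-11 18:50:39.966", "TCP - 198.51.100.7 connected to 203.0.113.10:587."),
    _ln("SMTPD", 1001, 52, "2019-11-11 18:50:40.164", "198.51.100.7", "RECEIVED: EHLO localhost.localdomain"),
    _ln("SMTPD", 1001, 52, "2019-11-11 18:50:42.013", "198.51.100.7", "RECEIVED: AUTH LOGIN"),
    _ln("SMTPD", 1001, 52, "2019-11-11 18:50:42.014", "198.51.100.7", USERNAME_CHALLENGE),
    _ln("SMTPD", 1001, 52, "2019-11-11 18:50:42.251", "198.51.100.7", "RECEIVED: " + _b64("support@example.org")),
    _ln("SMTPD", 1001, 52, "2019-11-11 18:50:42.252", "198.51.100.7", "SENT: 334 UGFzc3dvcmQ6"),
    _ln("SMTPD", 1001, 52, "2019-11-11 18:50:42.450", "198.51.100.7", "RECEIVED: ***"),
    _ln("SMTPD", 1001, 52, "2019-11-11 18:50:42.468", "198.51.100.7", "SENT: 535 Authentication failed. Too many invalid logon attempts."),
    _ln("TCPIP", 1001, "2019-11-11 18:58:28.290", "TCP - 198.51.100.7 connected to 203.0.113.10:25."),
    _ln("SMTPD", 1001, 58, "2019-11-11 18:58:30.422", "198.51.100.7", "RECEIVED: AUTH LOGIN"),
    _ln("SMTPD", 1001, 58, "2019-11-11 18:58:30.422", "198.51.100.7", USERNAME_CHALLENGE),
    _ln("SMTPD", 1001, 58, "2019-11-11 18:58:30.577", "198.51.100.7", "RECEIVED: " + _b64("list@example.org")),
    _ln("SMTPD", 1001, 58, "2019-11-11 18:58:30.578", "198.51.100.7", "SENT: 334 UGFzc3dvcmQ6"),
    _ln("SMTPD", 1001, 58, "2019-11-11 18:58:30.779", "198.51.100.7", "SENT: 535 Authentication failed."),
    _ln("TCPIP", 1002, "2019-11-11 19:01:00.000", "TCP - 192.0.2.44 connected to 203.0.113.10:25."),
    _ln("SMTPD", 1002, 60, "2019-11-11 19:01:00.100", "192.0.2.44", "RECEIVED: MAIL FROM:<sender@example.net>"),
]

if __name__ == "__main__":
    summary = summarize_auth(SAMPLE_LOG)
    for (ip, port), s in sorted(summary.items()):
        print(ip, port, s)
    print("ports seeing AUTH attempts:", ports_with_auth_attempts(summary))
```

Run against a real hmailserver_YYYY-MM-DD.log by passing its lines to summarize_auth; any port other than 25 that appears in ports_with_auth_attempts is a submission listener a backup MX does not need, which is exactly what the advice above removes.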

ashtec014
Normal user
Posts: 41
Joined: 2019-09-05 11:56

Re: Act as a MX backup

Post by ashtec014 » 2019-11-16 08:46

ras07 wrote:
2019-11-11 19:09
For a backup MX you normally don't need anything except port 25. Go into Settings/Advanced/TCP Ports and get rid of everything except 0.0.0.0 / 25 / SMTP. That will stop any activity at all on 587 or 465.

In addition, adding the (undocumented) setting DisableAUTHList=25 to the [Settings] section of your bin/hMailServer.INI file will stop anyone from trying to authenticate on port 25. You'll still get log entries if the botnets try to authenticate on 25 but they won't be able to do anything.
Thank you for your response. Based on your recommendation, I was able to fix the issue. Thanks again, I appreciate it.

Dravion
Senior user
Posts: 1688
Joined: 2015-09-26 11:50
Location: Germany

Re: Act as a MX backup

Post by Dravion » 2019-11-16 11:31

MX records are set at DNS level.
You can set as many MX records as you want
and set a threshold TTL for any MX.

Normally the first MX is set to TTL 10, the next to 20
and so on. If the MX with TTL 10 doesn't react on the threshold, then the MX with TTL 20 is contacted, etc.
