We're under attack

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
MarHMS
Normal user
Posts: 136
Joined: 2015-12-11 17:10

We're under attack

Post by MarHMS » 2018-05-22 21:04

I require assistance on how to deal with the below mess.

We have 4 accounts that are constantly being locked out and that's due to hMailServer.
The accounts are authenticated via a domain controller.

Upon inspection of the logs, I've identified quite a few of our accounts that are being "drilled" by over 20 IP addresses.
These IP addresses are blacklisted IP addresses.

We utilize SpamAssassin.

What do you recommend?

Thanks in advance.

Apologies for the theatrical subject line.

Sample of the log below:


"IMAPD"	2036	64410	"2018-05-22 06:10:17.861"	"92.63.193.20"	"RECEIVED: 2 emailaddress ***"
"IMAPD"	2036	64410	"2018-05-22 06:10:17.861"	"92.63.193.20"	"SENT: 2 NO Invalid user name or password."
"IMAPD"	2004	64409	"2018-05-22 06:10:18.380"	"5.188.9.185"	"RECEIVED: 2 login emailaddress ***"
"IMAPD"	2004	64409	"2018-05-22 06:10:18.380"	"5.188.9.185"	"SENT: 2 NO Invalid user name or password."


"IMAPD"	2000	62097	"2018-05-22 01:51:07.446"	"94.100.178.104"	"RECEIVED: 6 MYRIGHTS "Junk E-mail""
"IMAPD"	2000	62097	"2018-05-22 01:51:07.446"	"94.100.178.104"	"SENT: * MYRIGHTS "Junk E-mail" lrswipkxtea[nl]6 OK Myrights complete"


"SMTPD"	1028	64357	"2018-05-22 06:05:49.332"	"185.234.218.134"	"RECEIVED: ***"
"SMTPD"	1028	64357	"2018-05-22 06:05:49.332"	"185.234.218.134"	"SENT: 535 Authentication failed. Restarting authentication process."

jimimaseye
Moderator
Posts: 10060
Joined: 2011-09-08 17:48

Re: We're under attack

Post by jimimaseye » 2018-05-22 22:56

Ensure passwords are strong and your autoban settings are strong.

If you want them reviewed then run this and post the results: viewtopic.php?f=20&t=30914
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

mattg
Moderator
Posts: 22437
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: We're under attack

Post by mattg » 2018-05-23 01:19

MarHMS wrote:
2018-05-22 21:04
Upon inspection of the logs, I've identified quite a few of our accounts that are being "drilled" by over 20 IP addresses.
These IP addresses are blacklisted IP addresses.
I get heaps of these too

I routinely block all logon attempts from outside Australia.
MarHMS wrote:
2018-05-22 21:04
These IP addresses are blacklisted IP addresses.
Using Autoban or IP ranges in hMailServer? At your firewall? Using SpamAssassin? How are they blacklisted? (It seems clear that what you are doing isn't working if they are still connecting to your hMailServer.)
MarHMS wrote:
2018-05-22 21:04
The accounts are authenticated via a domain controller.
Is this using AD integration in hMailserver?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

MarHMS
Normal user
Posts: 136
Joined: 2015-12-11 17:10

Re: We're under attack

Post by MarHMS » 2018-05-23 13:51

jimimaseye wrote:
2018-05-22 22:56
Ensure passwords are strong and your autoban settings are strong.

If you want them reviewed then run this and post the results: viewtopic.php?f=20&t=30914
I will perform the test tomorrow. It's now a holiday here: Labour Day.

MarHMS
Normal user
Posts: 136
Joined: 2015-12-11 17:10

Re: We're under attack

Post by MarHMS » 2018-05-23 13:55

mattg wrote:
2018-05-23 01:19
MarHMS wrote:
2018-05-22 21:04
Upon inspection of the logs, I've identified quite a few of our accounts that are being "drilled" by over 20 IP addresses.
These IP addresses are blacklisted IP addresses.
I get heaps of these too

I routinely block all logon attempts from outside Australia.
MarHMS wrote:
2018-05-22 21:04
These IP addresses are blacklisted IP addresses.
Using Autoban or IP ranges in hMailServer? At your firewall? Using SpamAssassin? How are they blacklisted? (It seems clear that what you are doing isn't working if they are still connecting to your hMailServer.)
MarHMS wrote:
2018-05-22 21:04
The accounts are authenticated via a domain controller.
Is this using AD integration in hMailserver?
Yes, we're utilizing the AD integration in hMailServer.

I've made a list of the majority of the IP addresses, particularly the ones that are causing the AD user account lockouts. I tested each on mxtoolbox and they were blacklisted.

For now, the account lockouts have ended (maybe temporarily), because I have blocked traffic from all those addresses in our main firewall.

jimimaseye
Moderator
Posts: 10060
Joined: 2011-09-08 17:48

Re: We're under attack

Post by jimimaseye » 2018-05-23 23:25

run this and post the results: viewtopic.php?f=20&t=30914

Let's see your settings.

MarHMS
Normal user
Posts: 136
Joined: 2015-12-11 17:10

Re: We're under attack

Post by MarHMS » 2018-05-24 14:02


2018-05-24   Hmailserver: 5.6.4-B2283

DOMAINS

   "Domain1.com" - emxxxxxxxx.com                 Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain2.com" - fixxxxxxxxxxxxx.com            Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain3.com" - fixxxxxxxxxx.com               Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain4.com" - otxxxxxx.com                   Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain5.com" - pixxxxxxx.com                  Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False
-----------------------------------------------------------------------------------------------

RULES
  1, Global Spam Rule             Criteria:  Use AND
     Custom: X-Spam-Level              Contains        *********
                                  -----Actions-----
             Move To Folder                            Spam
 ---------------------------------------------------------------------
  2, whereareyounow.net Spam      Criteria:  Use AND
             From                      Contains        whereareyounow.net
                                  -----Actions-----
             Forward                                   ITDEPARTMENT@Domain3.com
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 127.0.0.1 - 127.0.0.1     Priority: 15     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True !! Protocol DISABLED !!      Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True !! Protocol DISABLED !!      Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


------------------------------------------------------
AUTOBANNED Local Addresses:
    No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: False

There is a total of 2 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries: 30 Mins:  5   Plain Text:        False  Bind: 
                     Host: EXTERNAL.TLD        Empty sender:       True  Batch recipients:    10
Max Msg Size: 25600  Relay:-                   Incorrect endings:  True  Use STARTTLS:      True
                     (none entered)            Disc. on invalid:   True  Delivered-To hdr: False
                                               Max number commands:  50  Loop limit:           5
                                                                         Recipient hosts:     15
  Routes:
     No routes defined.

POP3
 !! Service Not Enabled !!

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: True
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  5       Use SPF:            True - 3    Use Spamassassin:    True
  Add X-HmailServer-Spam:     True    Check HELO host:    True - 2    Hostname:       127.0.0.1
  Add X-HmailServer-Reason:   True    Check MX records:   True - 2    Port:                 783
  Add X-HmailServer-Subject:  True    Verify DKIM:       False        Use SA score: False -   5
              Subject Text: "[Possible Spam]"
  Spam delete threshold: 8         Maximum message size: 1024

DNSBL ENTRIES:
                  zen.spamhaus.org      Score: 5     Result: 127.0.0.2-8|127.0.0.10-11
                    bl.spamcop.net      Score: 3     Result: 127.0.0.2
     hostkarma.junkemailfilter.com      Score: 2     Result: 127.0.0.2|127.0.0.4
            b.barracudacentral.org      Score: 2     Result: 127.0.0.2|127.0.0.4

SURBL ENTRIES:
                   multi.surbl.org      Score: 3

GREYLISTING:
  Greylisting:  False

WHITELISTING
   No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS

GENERAL:
  When found - Delete email. Notify Sender: False,  Notify Receiver: True

  Max Message Size: 26214
     CLAM AV:   True       Hostname: localhost    Port: 3310
     CLAMWIN:   False
     CUSTOMAV:  False

  Block Attachments: True
               *.bat             Batch processing file
               *.cmd             Command file for Windows NT
               *.com             Command
               *.cpl             Windows Control Panel extension
               *.csh             CSH script
               *.exe             Executable file
               *.inf             Setup file
               *.js              JavaScript files
               *.lnk             Windows link file
               *.msi             Windows Installer file
               *.msp             Windows Installer patch
               *.pif             Program information file
               *.rar             Winrar archives
               *.reg             Registration key
               *.scf             Windows Explorer command
               *.scr             Windows Screen saver
               *.vbs             VBScript
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   No entries
-----------------------------------------------------------------------------------------------

SSL/TLS
             SSL 3.0 :   True
             TLS 1.0 :   True
             TLS 1.1 :   True
             TLS 1.2 :   True                Verify Remote SSL/TLS Certs:   True
SslCipherList  :

ECDHE-RSA-AES128-GCM-SHA256     - ECDHE-ECDSA-AES128-GCM-SHA256   - ECDHE-RSA-AES256-GCM-SHA384     
ECDHE-ECDSA-AES256-GCM-SHA384   - DHE-RSA-AES128-GCM-SHA256       - DHE-DSS-AES128-GCM-SHA256       
kEDH+AESGCM                     - ECDHE-RSA-AES128-SHA256         - ECDHE-ECDSA-AES128-SHA256       
ECDHE-RSA-AES128-SHA            - ECDHE-ECDSA-AES128-SHA          - ECDHE-RSA-AES256-SHA384         
ECDHE-ECDSA-AES256-SHA384       - ECDHE-RSA-AES256-SHA            - ECDHE-ECDSA-AES256-SHA          
DHE-RSA-AES128-SHA256           - DHE-RSA-AES128-SHA              - DHE-DSS-AES128-SHA256           
DHE-RSA-AES256-SHA256           - DHE-DSS-AES256-SHA              - DHE-RSA-AES256-SHA              
AES128-GCM-SHA256               - AES256-GCM-SHA384               - ECDHE-RSA-RC4-SHA               
ECDHE-ECDSA-RC4-SHA             - AES128                          - AES256                          
RC4-SHA                         - HIGH                            - !aNULL                          
!eNULL                          - !EXPORT                         - !DES                            
!3DES                           - !MD5                            - !PSK;                           
-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   None                
               0.0.0.0         / 110   / POP3   -   None                
               0.0.0.0         / 143   / IMAP   -   None                
               0.0.0.0         / 465   / SMTP   -   None                
               0.0.0.0         / 587   / SMTP   -   None                
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  E:\HMAIL\Logs\hmailserver_2018-05-24.log
    Error:    E:\HMAIL\Logs\ERROR_hmailserver_2018-05-24.log - !! ERRORS PRESENT !!
    Event:    E:\HMAIL\Logs\hmailserver_events.log - Not present
    Awstats:  E:\HMAIL\Logs\hmailserver_awstats.log
                        APPLICATION -    True
                        SMTP        -    True
                        POP3        -    True
                        IMAP        -    True
                        TCPIP       -    True
                        DEBUG       -    True
                        AWSTATS     -    True
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL Compact

IPv6 support is available in operating system.

Backup directory E:\Backup is writable.

ERROR: Messages exists which are located outside of the data directory E:\HMAIL\Data.
ERROR: Full paths are stored in the database.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  C:\Program Files (x86)\hMailServer\
Database folder: C:\Program Files (x86)\hMailServer\Database
Data folder:     E:\HMAIL\Data
Log folder:      E:\HMAIL\Logs
Temp folder:     E:\HMAIL\Temp
Event folder:    E:\HMAIL\Events

[Database]
Type=              MSSQLCE
Username=           
PasswordEncryption=1
Port=              0
Server=             
Internal=          1
-----------------------------------------------------------------------------------------------

Generated by HMSSettingsDiagnostics v1.92, Hmailserver Forum.

MarHMS
Normal user
Posts: 136
Joined: 2015-12-11 17:10

Re: We're under attack

Post by MarHMS » 2018-05-24 14:07

Now that I am seeing this, I realize that auto-ban is disabled.

I believed we had disabled same due to the warning that our webmail could be blocked too. This is likely if staff's AD passwords have expired and they continue the log in attempt. Our approach is to lock user accounts for 1 hour after 5 invalid attempts. We should whitelist the webmail's IP, or is it the IP staff uses to access the webmail?

jimimaseye
Moderator
Posts: 10060
Joined: 2011-09-08 17:48

Re: We're under attack

Post by jimimaseye » 2018-05-24 14:13

So set an individual IP RANGE that covers the webmail server, set it priority 25 or more then re-enable autoban.

BTW this:


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
Leaves you open to receiving spam.

i.e.,
from fictional@yourdomain TO you@yourdomain
Subject: do you want bigger tits?

MarHMS
Normal user
Posts: 136
Joined: 2015-12-11 17:10

Re: We're under attack

Post by MarHMS » 2018-05-24 15:09

jimimaseye wrote:
2018-05-24 14:13
So set an individual IP RANGE that covers the webmail server, set it priority 25 or more then re-enable autoban.

BTW this:


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
Leaves you open to receiving spam.

i.e.,
from fictional@yourdomain TO you@yourdomain
Subject: do you want bigger tits?
Thanks a lot! Will do.

Should I enable authentication for Local To Local?

jimimaseye
Moderator
Posts: 10060
Joined: 2011-09-08 17:48

Re: We're under attack

Post by jimimaseye » 2018-05-24 15:11

yes
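The two pieces of advice in the replies above (a webmail IP range at priority 25 or more so Autoban cannot lock out the webmail host, and requiring authentication for Local To Local delivery so a forged internal sender is refused) both come down to how hMailServer picks the IP range that applies to a connection. The model below is an added example, not code from the thread or from hMailServer. It assumes that the matching range with the highest priority wins, that Autoban entries are created at priority 20 (an assumption to verify against an auto-created entry on your own server), and it uses 10.0.0.5 as a constructed stand-in for the webmail host.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Assumption: hMailServer creates its temporary Autoban entries with priority 20.
# Check the priority of an auto-created entry on your own server before relying on it.
AUTOBAN_PRIORITY = 20


@dataclass
class IPRange:
    """One hMailServer IP range, reduced to the fields this example needs."""
    name: str
    low: str
    high: str
    priority: int
    allow_connections: bool = True
    # "Require Authentication from: Local To Local" in the diagnostics output
    require_auth_local_to_local: bool = False

    def contains(self, ip):
        return ip_address(self.low) <= ip_address(ip) <= ip_address(self.high)


def matching_range(ranges, ip):
    """The matching range with the highest priority is the one that applies."""
    candidates = [r for r in ranges if r.contains(ip)]
    return max(candidates, key=lambda r: r.priority) if candidates else None


def autoban(ranges, ip):
    """Model an Autoban: a single-address range that allows no connections."""
    ranges.append(IPRange(f"Autoban {ip}", ip, ip, AUTOBAN_PRIORITY,
                          allow_connections=False))


def connection_allowed(ranges, ip):
    r = matching_range(ranges, ip)
    return r is not None and r.allow_connections


def local_to_local_accepted(ranges, ip, authenticated):
    """Would SMTP mail from a local sender to a local recipient be accepted from
    this client, given the range's Local To Local authentication requirement?"""
    r = matching_range(ranges, ip)
    if r is None or not r.allow_connections:
        return False
    return authenticated or not r.require_auth_local_to_local


def build_ranges(require_auth_local_to_local):
    """The two ranges from the diagnostics output plus the webmail range the
    moderator suggested. 10.0.0.5 is a constructed stand-in for the webmail host."""
    return [
        IPRange("Internet", "0.0.0.0", "255.255.255.255", 10,
                require_auth_local_to_local=require_auth_local_to_local),
        IPRange("My computer", "127.0.0.1", "127.0.0.1", 15),
        IPRange("Webmail1", "10.0.0.5", "10.0.0.5", 25,
                require_auth_local_to_local=True),
    ]


if __name__ == "__main__":
    ranges = build_ranges(require_auth_local_to_local=False)   # the posted settings
    autoban(ranges, "10.0.0.5")       # a staff member with an expired password, via webmail
    autoban(ranges, "198.51.100.7")   # constructed external address that hit the threshold
    print("webmail still allowed:", connection_allowed(ranges, "10.0.0.5"))        # True
    print("external address banned:", not connection_allowed(ranges, "198.51.100.7"))  # True
    print("forged internal mail accepted, old setting:",
          local_to_local_accepted(ranges, "203.0.113.9", authenticated=False))      # True
    hardened = build_ranges(require_auth_local_to_local=True)
    print("forged internal mail accepted, new setting:",
          local_to_local_accepted(hardened, "203.0.113.9", authenticated=False))    # False
```

The priority ordering is the whole point: a ban entry at 20 outranks the Internet range at 10, so it takes effect for an unknown external address, but it is outranked by the webmail range at 25, so repeated bad passwords from staff behind webmail can no longer knock the webmail host itself offline.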

MarHMS
Normal user
Posts: 136
Joined: 2015-12-11 17:10

Re: We're under attack

Post by MarHMS » 2018-05-24 18:29

Here are the new settings


2018-05-24   Hmailserver: 5.6.4-B2283

DOMAINS

   "Domain1.com" - emxxxxxxxx.com                 Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain2.com" - fixxxxxxxxxxxxx.com            Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain3.com" - fixxxxxxxxxx.com               Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain4.com" - otxxxxxx.com                   Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain5.com" - pixxxxxxx.com                  Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False
-----------------------------------------------------------------------------------------------

RULES
  1, Global Spam Rule             Criteria:  Use AND
     Custom: X-Spam-Level              Contains        *********
                                  -----Actions-----
             Move To Folder                            Spam
 ---------------------------------------------------------------------
  2, whereareyounow.net Spam      Criteria:  Use AND
             From                      Contains        whereareyounow.net
                                  -----Actions-----
             Forward                                   ITDEPARTMENT@Domain3.com
-----------------------------------------------------------------------------------------------

IP RANGES

IP: x.x.x.x - x.x.x.x 		Priority: 25     Name: Webmail1

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True !! Protocol DISABLED !!      Antivirus:   True
     IMAP:   True                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


IP: x.x.x.x - x.x.x.x  		Priority: 25     Name: Webmail2

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True !! Protocol DISABLED !!      Antivirus:   True
     IMAP:   True                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


IP: x.x.x.x - x.x.x.x 		Priority: 25     Name: Webmail3

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True !! Protocol DISABLED !!      Antivirus:   True
     IMAP:   True                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


IP: 127.0.0.1 - 127.0.0.1     Priority: 15     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True !! Protocol DISABLED !!      Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True !! Protocol DISABLED !!      Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


------------------------------------------------------
AUTOBANNED Local Addresses:
    No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:     10
                              Minutes Before Reset:           30  (0.50 hours, 0.02 days)
                              Minutes to Autoban:             60  (1.00 hours, 0.04 days)

There is a total of 3 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries: 30 Mins:  5   Plain Text:        False  Bind: 
                     Host: EXTERNAL.TLD        Empty sender:       True  Batch recipients:    10
Max Msg Size: 25600  Relay:-                   Incorrect endings:  True  Use STARTTLS:      True
                     (none entered)            Disc. on invalid:   True  Delivered-To hdr: False
                                               Max number commands:  50  Loop limit:           5
                                                                         Recipient hosts:     15
  Routes:
     No routes defined.

POP3
 !! Service Not Enabled !!

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: True
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  5       Use SPF:            True - 3    Use Spamassassin:    True
  Add X-HmailServer-Spam:     True    Check HELO host:    True - 2    Hostname:       127.0.0.1
  Add X-HmailServer-Reason:   True    Check MX records:   True - 2    Port:                 783
  Add X-HmailServer-Subject:  True    Verify DKIM:       False        Use SA score: False -   5
              Subject Text: "[Possible Spam]"
  Spam delete threshold: 8         Maximum message size: 1024

DNSBL ENTRIES:
                  zen.spamhaus.org      Score: 5     Result: 127.0.0.2-8|127.0.0.10-11
                    bl.spamcop.net      Score: 3     Result: 127.0.0.2
     hostkarma.junkemailfilter.com      Score: 2     Result: 127.0.0.2|127.0.0.4
            b.barracudacentral.org      Score: 2     Result: 127.0.0.2|127.0.0.4

SURBL ENTRIES:
                   multi.surbl.org      Score: 3

GREYLISTING:
  Greylisting:  False

WHITELISTING
   No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS

GENERAL:
  When found - Delete email. Notify Sender: False,  Notify Receiver: True

  Max Message Size: 26214
     CLAM AV:   True       Hostname: localhost    Port: 3310
     CLAMWIN:   False
     CUSTOMAV:  False

  Block Attachments: True
               *.bat             Batch processing file
               *.cmd             Command file for Windows NT
               *.com             Command
               *.cpl             Windows Control Panel extension
               *.csh             CSH script
               *.exe             Executable file
               *.inf             Setup file
               *.js              JavaScript files
               *.lnk             Windows link file
               *.msi             Windows Installer file
               *.msp             Windows Installer patch
               *.pif             Program information file
               *.rar             Winrar archives
               *.reg             Registration key
               *.scf             Windows Explorer command
               *.scr             Windows Screen saver
               *.vbs             VBScript
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   No entries
-----------------------------------------------------------------------------------------------

SSL/TLS
             SSL 3.0 :   True
             TLS 1.0 :   True
             TLS 1.1 :   True
             TLS 1.2 :   True                Verify Remote SSL/TLS Certs:   True
SslCipherList  :

ECDHE-RSA-AES128-GCM-SHA256     - ECDHE-ECDSA-AES128-GCM-SHA256   - ECDHE-RSA-AES256-GCM-SHA384     
ECDHE-ECDSA-AES256-GCM-SHA384   - DHE-RSA-AES128-GCM-SHA256       - DHE-DSS-AES128-GCM-SHA256       
kEDH+AESGCM                     - ECDHE-RSA-AES128-SHA256         - ECDHE-ECDSA-AES128-SHA256       
ECDHE-RSA-AES128-SHA            - ECDHE-ECDSA-AES128-SHA          - ECDHE-RSA-AES256-SHA384         
ECDHE-ECDSA-AES256-SHA384       - ECDHE-RSA-AES256-SHA            - ECDHE-ECDSA-AES256-SHA          
DHE-RSA-AES128-SHA256           - DHE-RSA-AES128-SHA              - DHE-DSS-AES128-SHA256           
DHE-RSA-AES256-SHA256           - DHE-DSS-AES256-SHA              - DHE-RSA-AES256-SHA              
AES128-GCM-SHA256               - AES256-GCM-SHA384               - ECDHE-RSA-RC4-SHA               
ECDHE-ECDSA-RC4-SHA             - AES128                          - AES256                          
RC4-SHA                         - HIGH                            - !aNULL                          
!eNULL                          - !EXPORT                         - !DES                            
!3DES                           - !MD5                            - !PSK;                           
-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   None                
               0.0.0.0         / 110   / POP3   -   None                
               0.0.0.0         / 143   / IMAP   -   None                
               0.0.0.0         / 465   / SMTP   -   None                
               0.0.0.0         / 587   / SMTP   -   None                
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  E:\HMAIL\Logs\hmailserver_2018-05-24.log
    Error:    E:\HMAIL\Logs\ERROR_hmailserver_2018-05-24.log - !! ERRORS PRESENT !!
    Event:    E:\HMAIL\Logs\hmailserver_events.log - Not present
    Awstats:  E:\HMAIL\Logs\hmailserver_awstats.log
                        APPLICATION -    True
                        SMTP        -    True
                        POP3        -    True
                        IMAP        -    True
                        TCPIP       -    True
                        DEBUG       -    True
                        AWSTATS     -    True
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL Compact

IPv6 support is available in operating system.

Backup directory E:\Backup is writable.

ERROR: Messages exists which are located outside of the data directory E:\HMAIL\Data.
ERROR: Full paths are stored in the database.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  C:\Program Files (x86)\hMailServer\
Database folder: C:\Program Files (x86)\hMailServer\Database
Data folder:     E:\HMAIL\Data
Log folder:      E:\HMAIL\Logs
Temp folder:     E:\HMAIL\Temp
Event folder:    E:\HMAIL\Events

[Database]
Type=              MSSQLCE
Username=           
PasswordEncryption=1
Port=              0
Server=             
Internal=          1
-----------------------------------------------------------------------------------------------

Generated by HMSSettingsDiagnostics v1.92, Hmailserver Forum.


Also, can I untick the POP within the IP ranges?

POP3:   True !! Protocol DISABLED !!

jimimaseye (Moderator, Posts: 10060, Joined: 2011-09-08 17:48)

Re: We're under attack

Post by jimimaseye » 2018-05-24 23:08

Yes, untick pop3 in the ranges (the protocol is disabled).

This is high:

Max invalid logon attempts: 10

Mine is set at 1. Why have more? Allowed clients will already be configured, so invalid attempts will be deliberate attacks from unauthorised people.

(And, for what it's worth, the GLOBAL SPAM rule has 9 asterisks: I consider 3 as spam, to spam folder on 3. I delete without trace on 7. I think your 9 is too high and you could improve by lowering it, assuming you are using standard scoring.)
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
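The Autoban limit discussed in this post can be sanity-checked against the server's own log before it is tightened. The Python script below is an added example, not hMailServer's code and not anything the posters wrote: it parses lines in the tab-separated hMailServer log format, counts authentication failures per source IP, and reports which IPs would have tripped a rule of N failures within a time window. The sample log lines are constructed, the failure markers (the IMAP "NO Invalid user name or password" and SMTP "535 Authentication failed" replies) are assumptions to adjust to what your own log shows, and the threshold and window are assumptions standing in for the Autoban settings.

```python
"""Per-IP authentication-failure counter for hMailServer-style logs.

Added example; not hMailServer's code and not the posters' code. Log lines
are assumed to be tab-separated: "PROTO"<tab>pid<tab>session<tab>"time"<tab>"ip"<tab>"message".
The sample lines, the failure markers and the ban rule (N failures in a
window, like Autoban's "max invalid logon attempts") are all assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample excerpt using documentation IP ranges; not from a real server.
SAMPLE_LOG = """\
"IMAPD"\t2036\t64410\t"2018-05-22 06:10:17.861"\t"198.51.100.20"\t"RECEIVED: 2 login user@example.com ***"
"IMAPD"\t2036\t64410\t"2018-05-22 06:10:17.861"\t"198.51.100.20"\t"SENT: 2 NO Invalid user name or password."
"IMAPD"\t2036\t64411\t"2018-05-22 06:10:40.001"\t"198.51.100.20"\t"SENT: 2 NO Invalid user name or password."
"IMAPD"\t2036\t64412\t"2018-05-22 06:11:05.300"\t"198.51.100.20"\t"SENT: 2 NO Invalid user name or password."
"SMTPD"\t1028\t64357\t"2018-05-22 06:05:49.332"\t"203.0.113.7"\t"SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD"\t1028\t64358\t"2018-05-22 07:30:00.000"\t"203.0.113.7"\t"SENT: 535 Authentication failed. Restarting authentication process."
"IMAPD"\t2036\t64413\t"2018-05-22 06:12:00.000"\t"192.0.2.9"\t"SENT: 3 OK LOGIN completed"
"IMAPD"\t2000\t62097\t"2018-05-22 06:12:30.000"\t"192.0.2.9"\t"RECEIVED: 6 MYRIGHTS "Junk E-mail""
"""

# The message field is not quote-escaped by the server, so take it greedily up to the last quote.
LINE_RE = re.compile(r'^"(\w+)"\t(\d+)\t(\d+)\t"([^"]+)"\t"([^"]+)"\t"(.*)"$')

# Server replies that mean "bad credentials" (assumed; adjust to your log).
FAILURE_MARKERS = (
    "NO Invalid user name or password",   # IMAP / POP3 login rejected
    "535 Authentication failed",          # SMTP AUTH rejected
)

def parse_line(line):
    """Split one log line into (protocol, timestamp, ip, message); None if it does not match."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    proto, _pid, _session, ts, ip, msg = m.groups()
    return proto, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), ip, msg

def is_auth_failure(msg):
    """True for lines the server SENT that carry one of the failure markers."""
    return msg.startswith("SENT:") and any(marker in msg for marker in FAILURE_MARKERS)

def find_offenders(log_text, max_attempts=3, window=timedelta(minutes=30)):
    """Return {ip: {"failures": n, "banned_at": ts_or_None}} for every IP with failures.

    banned_at is the time of the failure that would have tripped a rule of
    `max_attempts` failures within `window` (a stand-in for Autoban's settings).
    """
    events = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed and is_auth_failure(parsed[3]):
            events.append((parsed[1], parsed[2]))
    events.sort()  # concurrent sessions interleave, so order by time, not by file position
    recent = defaultdict(deque)   # sliding window of failure times per IP
    failures = defaultdict(int)
    banned_at = {}
    for ts, ip in events:
        failures[ip] += 1
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_attempts and ip not in banned_at:
            banned_at[ip] = ts
    return {ip: {"failures": failures[ip], "banned_at": banned_at.get(ip)} for ip in failures}

if __name__ == "__main__":
    for ip, info in sorted(find_offenders(SAMPLE_LOG).items()):
        state = f"would be banned at {info['banned_at']}" if info["banned_at"] else "below threshold"
        print(f"{ip:15} failures={info['failures']} {state}")
```

Run it against a real `hmailserver_*.log` by replacing `SAMPLE_LOG` with the file contents; lowering `max_attempts` towards the value the moderators use shows how much earlier each source would have been cut off, and an IP that shows many failures but never trips the rule is a sign that the window is too short for a slow, spread-out attack.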

mattg (Moderator, Posts: 22437, Joined: 2007-06-14 05:12, Location: 'The Outback' Australia)

Post by mattg » 2018-05-24 23:31

ALSO that latest diagnostic shows that an error log is present

Please show the contents of the error log

(I have my invalid login attempts in Autoban set to 3. 10 is a lot)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

MarHMS (Normal user, Posts: 136, Joined: 2015-12-11 17:10)

Post by MarHMS » 2018-05-26 00:19

mattg wrote:
2018-05-24 23:31
ALSO that latest diagnostic shows that an error log is present

Please show the contents of the error log

(I have my invalid login attempts in Autoban set to 3. 10 is a lot)

See excerpt below:

"ERROR"	1072	"2018-05-24 00:00:00.011"	"Severity: 3 (Medium), Code: HM5050, Source: File::CreateDirectory, Description: Could not create the directory M:\Data\domain.com\Georgia.Bruff\68. Tried 5 times without success., Error code: 3, Message: The system cannot find the path specified"
"ERROR"	1072	"2018-05-24 00:00:00.011"	"Severity: 3 (Medium), Code: HM5026, Source: PersistentMessage::_WriteDataToMessageFile, Description: Message retrieval failed because message file M:\Data\domain.com\Georgia.Bruff\68\{68302791-CCF1-4C79-84ED-8E8DF87B5C68}.eml did not exist."
"ERROR"	1072	"2018-05-24 00:00:00.011"	"Severity: 3 (Medium), Code: HM5136, Source: TCPConnection::AsyncReadCompleted, Description: An error occured while parsing data. Data length: 42, Data: 23 UID FETCH 222 (RFC822.SIZE BODY.PEEK[]). Remote IP: 94.100.185.204"
"ERROR"	1072	"2018-05-24 00:00:00.011"	"Severity: 2 (High), Code: HM4208, Source: ExceptionHandler::Run, Description: An error occured while executing 'IOCPQueueWorkerTask'"

We do not have an M drive. I don't see where one is being referenced in the settings.

mattg (Moderator, Posts: 22437, Joined: 2007-06-14 05:12, Location: 'The Outback' Australia)

Post by mattg » 2018-05-26 00:26

That was exactly at midnight. Any backup going on...?
Check the .ini to confirm it hasn't changed.

Is there only the one group of messages like that? or does it repeat?

jimimaseye (Moderator, Posts: 10060, Joined: 2011-09-08 17:48)

Post by jimimaseye » 2018-05-26 00:28

It's related to this:

ERROR: Messages exists which are located outside of the data directory E:\HMAIL\Data.
ERROR: Full paths are stored in the database.

Run through this procedure: viewtopic.php?f=21&t=28914

MarHMS (Normal user, Posts: 136, Joined: 2015-12-11 17:10)

Post by MarHMS » 2018-06-11 23:40

jimimaseye wrote:
2018-05-26 00:28
It's related to this:

ERROR: Messages exists which are located outside of the data directory E:\HMAIL\Data.
ERROR: Full paths are stored in the database.

Run through this procedure: viewtopic.php?f=21&t=28914

I remember I had this issue before. I was advised then to run Data Directory Synchroniser. I had, but obviously it wasn't resolved. I believed it had run for a few days.

Anyways, I'm experiencing difficulties accessing the database file with DatabaseBrowserPortable. I'm getting the error attached.
However, it works with LINQPad. The SQL query doesn't work with it though.
[There was an error parsing the query. Token in error = right]
Attachment: Screenshot_2.png

jimimaseye (Moderator, Posts: 10060, Joined: 2011-09-08 17:48)

Post by jimimaseye » 2018-06-11 23:51

Are you using the correct password? (It is not the admin password but the database password, decrypted, as stored in your ini file).

I know it works because i have used it myself.

Also, are you using a Windows user that has access permissions to the file (the same as your hMailServer service does)?

MarHMS (Normal user, Posts: 136, Joined: 2015-12-11 17:10)

Post by MarHMS » 2018-06-11 23:58

jimimaseye wrote:
2018-06-11 23:51
Are you using the correct password? (It is not the admin password but the database password, decrypted, as stored in your ini file).

I know it works because i have used it myself.
Yes, it is the correct password. I followed the procedure to acquire the password, and same was used to access the database in a different application, LINQPad. However, the new issue was with the SQL command.

I'm now getting the below error when I ran it as an Administrator.
I'm aware that this error is related to us using the default database rather than an external one. Same will be addressed soon.
Attachment: Screenshot_4.png

MarHMS (Normal user, Posts: 136, Joined: 2015-12-11 17:10)

Post by MarHMS » 2018-06-13 00:13

@jimimaseye any word on the SQL query?

jimimaseye (Moderator, Posts: 10060, Joined: 2011-09-08 17:48)

Post by jimimaseye » 2018-06-13 00:16

MarHMS wrote:
2018-06-13 00:13
@jimimaseye any word on the SQL query?
I'm away at the moment so not with computer to test. I will reply when I'm back.

[Entered by mobile. Excuse my spelling.]

MarHMS (Normal user, Posts: 136, Joined: 2015-12-11 17:10)

Post by MarHMS » 2018-06-19 15:22

jimimaseye wrote:
2018-06-13 00:16
MarHMS wrote:
2018-06-13 00:13
@jimimaseye any word on the SQL query?
I'm away at the moment so not with computer to test. I will reply when I'm back.

[Entered by mobile. Excuse my spelling.]
Just a simple reminder

jimimaseye (Moderator, Posts: 10060, Joined: 2011-09-08 17:48)

Post by jimimaseye » 2018-06-21 00:27

It seems that DatabasePortable has some restrictions on what it accepts as syntax: it only takes some rather limited SQL commands.

You can test for the absolute paths using:

SELECT * FROM hm_messages where messagefilename not like '{%' ;

I'm not sure how you can update them though (if it returns some results) because DatabasePortable doesn't like the LEFT() and RIGHT() operators.

Let's hope that all of your paths are relative (i.e., the above statement doesn't return any results).
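The query in this post finds rows whose messagefilename does not start with "{", i.e. rows holding an absolute path. As an added example (not part of this thread, not hMailServer's code and not the linked guide's commands), the Python script below takes that check one step further: it runs the same NOT LIKE test against an in-memory SQLite table that stands in for the SQL CE database, then sorts each hit into paths that are under the configured data directory, paths that point elsewhere (such as the M: drive from the error log, which no longer exists), and names that are not message files at all. The column names messageid and messagefilename come from the query above; the rest of the schema, the sample rows, and the proposed rewrite (keep only the trailing {GUID}.eml name, which hMailServer resolves under its data directory) are assumptions to confirm against the guide. The script never updates rows; it only reports.

```python
"""Audit hm_messages for absolute message paths (the check behind the query above).

Added example; not hMailServer's code and not the linked guide's commands.
An in-memory SQLite table stands in for the SQL CE database so the script
runs offline; the columns messageid and messagefilename are the ones the
thread's query uses, everything else about the schema is an assumption.
The proposed rewrite (keep only the trailing {GUID}.eml name, which
hMailServer resolves under its data directory) is also an assumption to
confirm against the guide. The script only reports; it never updates rows.
"""
import re
import sqlite3

DATA_DIR = r"E:\HMAIL\Data"          # data directory from the diagnostic in this thread
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.eml$")

# Constructed sample rows; not from a real database.
SAMPLE_ROWS = [
    (1, r"{11111111-1111-1111-1111-111111111111}.eml"),                                     # already relative
    (2, r"E:\HMAIL\Data\example.com\alice\12\{22222222-2222-2222-2222-222222222222}.eml"),  # absolute, inside data dir
    (3, r"M:\Data\example.com\bob\68\{33333333-3333-3333-3333-333333333333}.eml"),          # absolute, drive does not exist
    (4, r"E:\HMAIL\Data\example.com\carol\7\notes.txt"),                                    # not a message file name
]

def build_db(rows):
    """Create the stand-in table and load the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hm_messages (messageid INTEGER PRIMARY KEY, messagefilename TEXT)")
    conn.executemany("INSERT INTO hm_messages VALUES (?, ?)", rows)
    return conn

def absolute_rows(conn):
    """Same test as the forum query: relative names start with '{'."""
    return conn.execute(
        "SELECT messageid, messagefilename FROM hm_messages WHERE messagefilename NOT LIKE '{%'"
    ).fetchall()

def classify(path, data_dir=DATA_DIR):
    """Return (kind, proposed_relative_name) for one absolute path."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if not GUID_NAME.match(name):
        return "unexpected-name", None          # leave these for manual inspection
    prefix = data_dir.rstrip("\\").lower() + "\\"
    if path.lower().startswith(prefix):
        return "inside-data-dir", name          # safe to shorten: the file is already where it belongs
    return "outside-data-dir", name             # file must be moved under data_dir first, or is gone

def audit(conn, data_dir=DATA_DIR):
    """Map messageid -> classification for every row that stores an absolute path."""
    return {msgid: dict(zip(("kind", "proposed"), classify(fn, data_dir)))
            for msgid, fn in absolute_rows(conn)}

if __name__ == "__main__":
    for msgid, info in audit(build_db(SAMPLE_ROWS)).items():
        print(msgid, info["kind"], info["proposed"])
```

The split matters because shortening a row in the "outside-data-dir" bucket without first moving the file under the data directory turns a wrong path into a missing message; the "inside-data-dir" rows are the ones a path rewrite can fix on its own, and an "unexpected-name" row should be looked at by hand before any bulk update.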

jimimaseye (Moderator, Posts: 10060, Joined: 2011-09-08 17:48)

Post by jimimaseye » 2018-06-21 01:08

Here you go:

The guide has been updated with commands that will also work for you using DatabaseBrowser: viewtopic.php?f=21&t=28914

MarHMS (Normal user, Posts: 136, Joined: 2015-12-11 17:10)

Post by MarHMS » 2018-06-23 10:54

jimimaseye wrote:
2018-06-21 01:08
Here you go:

The guide has been updated with commands that will also work for you using DatabaseBrowser: viewtopic.php?f=21&t=28914
Thanks a lot! Will try on Monday.

MarHMS (Normal user, Posts: 136, Joined: 2015-12-11 17:10)

Post by MarHMS » 2018-06-25 22:09

jimimaseye wrote:
2018-06-21 01:08
Here you go:

The guide has been updated with commands that will also work for you using DatabaseBrowser: viewtopic.php?f=21&t=28914
It works on my test environment... thanks a lot...
Now to migrate this database to SQL Server and perform the updates.
