UnixServerAdmin

Server Administration & Management

Logs files in linux (cPanel)

On a cPanel server, logs are often stored in different locations compared to a server without a control panel; Plesk, too, uses its own paths. Here is a list of services and their log paths to help you find the logs you need.

Apache
/usr/local/apache/logs/access_log
/usr/local/apache/logs/error_log
/usr/local/apache/domlogs/example.com

MySQL
/var/lib/mysql/hostname.err
where hostname is your server's hostname.

Exim
/var/log/exim_mainlog
/var/log/exim_paniclog
/var/log/exim_rejectlog

Courier-IMAP
/var/log/maillog

cPanel
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log

Pure-FTP
/var/log/messages
/var/log/xferlog  (symlinked to /usr/local/apache/domlogs/ftpxferlog)

System (cron, syslog, named, etc)
/var/log/messages
/var/log/boot.log
/var/log/cron
/var/log/dmesg

Security (ssh, ModSecurity, etc)
/var/log/secure
/usr/local/apache/logs/audit_log
/var/log/messages

August 15, 2011 | Apache, cPanel, Cron, DNS, Exim, Mod_Security, MySQL, Pure-FTPd, SSH, Tips & Tricks, Unix/Linux

How to change Exim IP Address

If you are unable to send mail from the server's main IP, or that IP is in danger of being blocked by SpamCop because a few spammers have abused your server, you can change the IP address that Exim uses for outgoing mail so that a blacklisting of the main IP does not affect delivery. Exim can be set to use any free IP on the server. The interface has to be added in both the incoming and the outgoing Exim configuration, so:

1) Edit both files:

# vi /etc/exim.conf
# vi /etc/exim_outgoing.conf

2) Look for the remote_smtp transport:
================
remote_smtp:
driver = smtp
================

Change it to:
================
remote_smtp:
driver = smtp
interface=x.x.x.x
================

3) Add the line interface = ip.you.want.to.use, replacing x.x.x.x with the IP address Exim should use, then restart Exim:

# /etc/init.d/exim restart

NOTE: If Exim is updated when you upgrade your cPanel server, the interface line will be lost and you will need to re-enter it; restart Exim again afterwards for the change to take effect.
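As an added example (not part of the original post), the following Python script makes the same change programmatically: it touches only the remote_smtp transport, replaces an existing interface line rather than adding a second one, and refuses a malformed address. The configuration fragment at the bottom is constructed for illustration.

```python
import ipaddress
import os
import re

# A transport starts with its name at column 0, e.g. "remote_smtp:".
TRANSPORT_HEADER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*:\s*$")
INTERFACE_LINE = re.compile(r"^\s*interface\s*=")
DRIVER_SMTP = re.compile(r"^\s*driver\s*=\s*smtp\s*$")


def set_remote_smtp_interface(conf_text, ip):
    """Return conf_text with 'interface = <ip>' set inside the remote_smtp transport.

    Only that transport is touched: an existing interface line in it is replaced,
    otherwise one is inserted directly after its 'driver = smtp' line.
    Raises ValueError for a malformed IPv4 address or a config without remote_smtp.
    """
    ip = str(ipaddress.IPv4Address(ip))  # AddressValueError (a ValueError) on junk
    out, in_block, done = [], False, False
    for line in conf_text.splitlines():
        if TRANSPORT_HEADER.match(line):
            in_block = line.strip() == "remote_smtp:"
        if in_block and INTERFACE_LINE.match(line):
            if not done:            # replace the first interface line ...
                out.append("  interface = " + ip)
                done = True
            continue                # ... and drop any duplicate
        out.append(line)
        if in_block and not done and DRIVER_SMTP.match(line):
            out.append("  interface = " + ip)
            done = True
    if not done:
        raise ValueError("no remote_smtp transport found")
    return "\n".join(out) + "\n"


def rewrite_config(path, ip):
    """Apply the change to a file in place, writing a temporary copy first so a
    failure never leaves a truncated exim.conf behind."""
    with open(path) as fh:
        new_text = set_remote_smtp_interface(fh.read(), ip)
    tmp = path + ".new"
    with open(tmp, "w") as fh:
        fh.write(new_text)
    os.replace(tmp, path)


# Constructed fragment in the shape of the transport shown above (not a real exim.conf).
SAMPLE_CONF = """\
remote_smtp:
  driver = smtp
  hosts_try_auth = *

address_pipe:
  driver = pipe
"""

if __name__ == "__main__":
    print(set_remote_smtp_interface(SAMPLE_CONF, "203.0.113.10"))
```

Run rewrite_config() on both /etc/exim.conf and /etc/exim_outgoing.conf, then restart Exim as above.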

August 12, 2011 | Exim

How to send mail from client dedicated IP rather than the server main IP

cPanel has an option to send outgoing e-mail from a customer's dedicated IP rather than the server's main IP:

1) Log in to WHM –> Service Configuration –> Exim Configuration Editor

Enable the option: "Send outgoing mail from the IP that matches the domain name in /etc/mailips" (an entry for * can be added to that file to change the main outgoing interface).

2) Open /etc/mailips in your favourite editor, such as vi, and add the following entry:

# vi /etc/mailips

======================
unixserveradmin.com: 122.124.124.125
======================

Here unixserveradmin.com is the customer domain and 122.124.124.125 its dedicated IP.

3) Open /etc/mail_reverse_dns and add the reverse DNS entry for that IP:

# vi /etc/mail_reverse_dns

=======================
122.124.124.125: unixserveradmin.com
=======================

4) Restart Exim

# /etc/init.d/exim restart

That's it. Check the e-mail headers and you will see the difference.
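Receiving servers check that the name attached to a sending IP is forward-confirmed, so a mismatch between the two files above costs deliverability. As an added example (not part of the original post, nor a cPanel tool), this Python script parses /etc/mailips and /etc/mail_reverse_dns and reports IPs with no reverse entry and names whose PTR and A records do not agree; the sample files and the fake resolver are constructed, and the live lookup assumes working DNS.

```python
import re
import socket

# "key: value" lines, as in /etc/mailips (domain: IP) and /etc/mail_reverse_dns (IP: name)
MAP_LINE = re.compile(r"^([^\s:#]+)\s*:\s*(\S+)$")


def parse_map(text):
    """Parse one of the two files; blank lines and '#' comments are ignored."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MAP_LINE.match(line)
        if not m:
            raise ValueError("cannot parse line: %r" % raw)
        pairs.append((m.group(1), m.group(2)))
    return pairs


def dns_lookup(ip, name):
    """Live DNS: the PTR name of ip and the IPv4 addresses of name."""
    ptr = socket.gethostbyaddr(ip)[0]
    addrs = {r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)}
    return ptr, addrs


def check_outgoing_ips(mailips_text, rdns_text, lookup=dns_lookup):
    """Return a list of problems: dedicated IPs with no reverse-DNS entry, and
    entries that are not forward-confirmed (the PTR of the IP must be the name,
    and the name must resolve back to the IP)."""
    problems = []
    rdns = dict(parse_map(rdns_text))
    for domain, ip in parse_map(mailips_text):
        if ip not in rdns:
            problems.append("%s sends from %s, which has no mail_reverse_dns entry" % (domain, ip))
            continue
        name = rdns[ip]
        try:
            ptr, addrs = lookup(ip, name)
        except OSError as exc:
            problems.append("%s: DNS lookup failed: %s" % (ip, exc))
            continue
        if ptr.rstrip(".").lower() != name.rstrip(".").lower():
            problems.append("%s: PTR is %s but mail_reverse_dns says %s" % (ip, ptr, name))
        if ip not in addrs:
            problems.append("%s: %s does not resolve back to %s" % (ip, name, ip))
    return problems


# Constructed sample files and a fake resolver standing in for live DNS.
SAMPLE_MAILIPS = """\
unixserveradmin.com: 122.124.124.125
other.example: 122.124.124.126
third.example: 122.124.124.127
"""
SAMPLE_RDNS = "122.124.124.125: mail.unixserveradmin.com\n122.124.124.127: mx.example.net\n"
FAKE_PTR = {"122.124.124.125": "mail.unixserveradmin.com", "122.124.124.127": "host.example.net"}
FAKE_A = {"mail.unixserveradmin.com": {"122.124.124.125"}, "mx.example.net": {"122.124.124.127"}}


def fake_lookup(ip, name):
    if ip not in FAKE_PTR:
        raise OSError("no PTR for " + ip)
    return FAKE_PTR[ip], FAKE_A.get(name, set())
```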

August 11, 2011 | Exim

Exim Commands

Useful Exim queue-management commands:

1) To delete mails in the mail queue older than a day
# exiqgrep -o 86400 -i | xargs exim -Mrm

2) To delete mails in the mail queue older than 3 days
# exiqgrep -o 259200 -i | xargs exim -Mrm

3) Show the queued mail for a given address, then inspect a message by its ID
# exim -bp | grep $name
# exim -Mvh $MSGID    View message header
# exim -Mvb $MSGID    View message body
# exim -M $MSGID      Force delivery of message
# exim -v -M $MSGID   Force delivery and show the SMTP transaction

4) Force delivery of one message
# exim -M email-id

5) Force another queue run
# exim -qf

6) Force another queue run and attempt to flush the frozen message
# exim -qff

7) View the log for the message
# exim -Mvl messageID

8) View the body/content of the message
# exim -Mvb messageID

9) View the header of the message
# exim -Mvh messageID

10) Remove message without sending any error message
# exim -Mrm messageID

11) Give up on a message and bounce it to the sender
# exim -Mg messageID

12) How much mail in the queue?
# exim -bpr | grep "<" | wc -l

13) How many Frozen mails in the queue
# exim -bpr | grep frozen | wc -l

14) Deleting Frozen Messages
# exim -bpr | grep frozen | awk '{print $3}' | xargs exim -Mrm

15) Removing Bad/Nobody Mail
# exiqgrep -i -f nobody | xargs exim -Mrm

16) Remove mail with an empty <> sender address (bounces, often spam backscatter)
# exiqgrep -i -f "^<>$" | xargs exim -Mrm

17) Delete mails from a particular domain
# exiqgrep -i -f domain.com | xargs exim -Mrm

18) Flush the entire Mail queue
# exiqgrep -i | xargs exim -Mrm

19) To find out, how many messages are there in the mail queue
# exim -bpc

20) To check the mails in the queue
# exim -bp

21) Who is having large number of emails?
# exim -bp | exiqsumm

22) To force exim update:
# /scripts/eximup --force
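The grep/awk/xargs pipelines in items 1, 14, 16 and 17 delete whatever a loose pattern happens to match. As an added example (not part of the original post), this Python script parses `exim -bp` output into structured records and produces the reviewed list of message IDs to hand to `exim -Mrm`; the queue listing at the bottom is constructed in that format.

```python
import re
from collections import Counter

# Header line of one queued message as printed by `exim -bp`, for example
# " 25m  2.9K 1LnPlq-000810-Sl <bob@example.com> *** frozen ***"
# followed by one indented line per recipient ("D " marks an already delivered one).
HEADER = re.compile(
    r"^\s*(?P<age>\d+[smhd])\s+(?P<size>[\d.]+[KMG]?)\s+"
    r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})\s+<(?P<sender>[^>]*)>(?P<rest>.*)$")
AGE_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
SIZE_UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_queue(text):
    """Turn `exim -bp` output into a list of dicts (age in seconds, size in bytes)."""
    msgs = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            age, size = m.group("age"), m.group("size")
            mult = SIZE_UNITS.get(size[-1], 1)
            msgs.append({
                "id": m.group("id"),
                "sender": m.group("sender"),          # "" for a bounce (<>)
                "age": int(age[:-1]) * AGE_UNITS[age[-1]],
                "size": int(float(size.rstrip("KMG")) * mult),
                "frozen": "frozen" in m.group("rest"),
                "recipients": [],
            })
        elif msgs and line.strip():
            msgs[-1]["recipients"].append(re.sub(r"^D\s+", "", line.strip()))
    return msgs


def summarize(msgs):
    """Totals like `exim -bpc` and `exiqsumm`, but per sender address."""
    return {
        "total": len(msgs),
        "frozen": sum(1 for m in msgs if m["frozen"]),
        "by_sender": Counter(m["sender"] or "<>" for m in msgs),
    }


def select_ids(msgs, frozen=False, empty_sender=False, older_than=None, sender_match=None):
    """IDs of messages meeting every given criterion: the review step before `exim -Mrm`."""
    ids = []
    for m in msgs:
        if frozen and not m["frozen"]:
            continue
        if empty_sender and m["sender"] != "":
            continue
        if older_than is not None and m["age"] < older_than:
            continue
        if sender_match and not re.search(sender_match, m["sender"]):
            continue
        ids.append(m["id"])
    return ids


# Constructed queue listing in the `exim -bp` format (not taken from a real server).
SAMPLE_QUEUE = """\
 25m  2.9K 1LnPlq-000810-Sl <bob@example.com>
          alice@example.org

  3h   12K 1LnPnt-00087I-CT <> *** frozen ***
          D carol@example.net
          dave@example.net

  2d   512 1LnPov-0001Ab-Q2 <spammer@example.com> *** frozen ***
          victim@example.org
"""
```

On a live server feed it the output of `exim -bp` and pass the selected IDs to `exim -Mrm` only after looking at them.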

August 10, 2011 | Exim

Excessive mail sent by an user alert for cPanel

If you need a simple script to alert you by mail when a user exceeds a predefined mail rate limit, then check this out.

#######################################################################
#!/bin/bash
# Mail an alert when any user sent more than $limit messages in the previous
# hour, according to the eximstats database that cPanel keeps.
mailflag=0
limit=5
mailid=unixserv@unixserveradmin.com
# Previous hour in the "YYYY-MM-DD HH" form used by the mailtime column
# (%H is zero-padded; %k is space-padded and would not match "09").
chkdate=$(date -d "60 minute ago" +"%Y-%m-%d %H")
mailfile=$(mktemp)
# One "count:user" pair per sending user in that hour
for i in $(mysql --batch --skip-column-names -e "use eximstats; select user from sends where mailtime like '$chkdate%';" \
           | sort | uniq -c | sort -n | sed 's/^ *//' | sed 's/ /:/')
do
    k=$(echo "$i" | cut -d ':' -f1)
    username=$(echo "$i" | cut -d ':' -f2)
    if [ "$k" -gt "$limit" ]
    then
        mailflag=1
        echo -e "\n\n\n Excessive mail sent by user : $username \n\n" >> "$mailfile"
        echo "=========================================" >> "$mailfile"
        echo "     mailtime           msgid   email   processed       user    size    ip      auth" >> "$mailfile"
        mysql --batch --skip-column-names -e "use eximstats; select * from sends where mailtime like '$chkdate%' and user like '$username';" >> "$mailfile"
        echo "=========================================" >> "$mailfile"
    fi
done
if [ "$mailflag" = 1 ]
then
    mail -s "Excessive mail sent by user" "$mailid" < "$mailfile"
fi
rm -f "$mailfile"
#######################################################################

Edit the limit and mailid variables according to your requirements, for example limit=300 and mailid=unixserv@unixserveradmin.com.

August 9, 2011 | cPanel, Exim, Shell Script

Prevent Spam with Antivirus.exim in cPanel

cPanel servers ship with a small but useful file named /etc/antivirus.exim. It is a central (system) filter for the Exim mail server in which you can set up all kinds of filters to stop spam from coming into and going out of your server.

In this article I will provide my /etc/antivirus.exim config file, which will help you protect your servers from spammers. The default /etc/antivirus.exim already has a couple of different rule sets in it. The main ones are attachment filters that help stop e-mail viruses from your users; they block things like .scr, .com and .exe attachments. This article shows some custom rules to stop spammers from sending out of your server; you can also use them to stop spam from coming in. I don't go into much detail on filtering incoming mail since other applications like SpamAssassin handle that better, in my opinion.

You will need root access to your cPanel server. First, create a dedicated log file for these filters:

# touch /var/log/filter.log

# chmod 0644 /var/log/filter.log

Now open up the configuration file

# vi /etc/antivirus.exim

It will have a whole lot of comments at the top. Here is the webhostgear.com antivirus.exim configuration. Simply add it to your existing file and save the changes; they take effect immediately.

######################################################
# START
# Filters all incoming and outgoing mail
logfile /var/log/filter.log 0644
## Common Spam
if # Header Spam
$header_subject: contains "Pharmaceutical"
or $header_subject: contains "Viagra"
or $header_subject: contains "Cialis"
or $header_subject: is "The Ultimate Online Pharmaceutical"
or $header_subject: contains "***SPAM***"
or $header_subject: contains "[SPAM]"
# Body Spam
or $message_body: contains "Cialis"
or $message_body: contains "Viagra"
or $message_body: contains "Leavitra"
or $message_body: contains "St0ck"
or $message_body: contains "Viaagrra"
or $message_body: contains "Cia1iis"
or $message_body: contains "URGENT BUSINESS PROPOSAL"
or $message_body matches "angka[^s]+(net|com|org|biz|info|us|name)+?"
or $message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen(i|1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok"
then
# Log Message - SENDS RESPONSE BACK TO SENDER
# SUGGESTED TO LEAVE OFF to prevent fail loops
# and more work for the mail system
# fail text "Message has been rejected because it has
# triggered our central filter."
logwrite "$tod_log $message_id from $sender_address contained spam keywords"
seen finish
endif
# END
# Filters all incoming and outgoing mail

# START
# All outgoing mail on the server only - what is sent out
# Check forwarders so it doesn't get blocked
# Forwarders still work =)
## FINANCIAL FAKE SENDERS
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if (
$received_protocol is "local" or
$received_protocol is "esmtpa"
) and (
$header_from contains "@citibank.com" or
$header_from contains "@bankofamerica.com" or
$header_from contains "@wamu.com" or
$header_from contains "@ebay.com" or
$header_from contains "@chase.com" or
$header_from contains "@paypal.com" or
$header_from contains "@wellsfargo.com" or
$header_from contains "@bankunited.com" or
$header_from contains "@bankerstrust.com" or
$header_from contains "@bankfirst.com" or
$header_from contains "@capitalone.com" or
$header_from contains "@citizensbank.com" or
$header_from contains "@jpmorgan.com" or
$header_from contains "@wachovia.com" or
$header_from contains "@bankone.com" or
$header_from contains "@suntrust.com" or
$header_from contains "@amazon.com" or
$header_from contains "@banksecurity.com" or
$header_from contains "@visa.com" or
$header_from contains "@mastercard.com" or
$header_from contains "@mbna.com"
)
then
logwrite "$tod_log $message_id from $sender_address is fraud"
seen finish
endif

## OTHER FAKE SENDERS SPAM
## Enable this to prevent users using @domain from addresses
## Not recommended since users do use from addresses not on the server
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if (
$received_protocol is "local" or
$received_protocol is "esmtpa"
) and (
$header_from contains "@hotmail.com" or
$header_from contains "@yahoo.com" or
$header_from contains "@aol.com"
)
then
logwrite "$tod_log $message_id from $sender_address is forged fake"
seen finish
endif

## KNOWN FAKE PHISHING
### Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if (
$received_protocol is "local" or
$received_protocol is "esmtpa"
) and (
# Paypal
$message_body: contains "Dear valued PayPal member" or
$message_body: contains "Dear valued PayPal customer" or
$message_body: contains "Dear Paypal" or
$message_body: contains "The PayPal Team" or
$message_body: contains "Dear Paypal Customer" or
$message_body: contains "Paypal Account Review Department" or
# Ebay
$message_body: contains "Dear eBay member" or
$message_body: contains "Dear eBay User" or
$message_body: contains "The eBay team" or
$message_body: contains "Dear eBay Community Member" or
# Banks
$message_body: contains "Dear Charter One Customer" or
$message_body: contains "Dear wamu.com customer" or
$message_body: contains "Dear valued Citizens Bank member" or
$message_body: contains "Dear Visa" or
$message_body: contains "Dear Citibank" or
$message_body: contains "Citibank Email" or
$message_body: contains "Dear customer of Chase Bank" or
$message_body: contains "Dear Bank of America customer" or
# ISPs
$message_body: contains "Dear AOL Member" or
$message_body: contains "Dear AOL Customer"
) then
logwrite "$tod_log $message_id from $sender_address is phishing"
seen finish
endif
# END
# All outgoing mail on the server only - what is sent out
######################################################

The log file will have the logging format like this:

/var/log/filter.log
2006-05-10 12:05:13 1Fds7S-0002Sa-MV from smooth595@gmail.com contained spam keywords
2006-05-10 14:18:47 1FduCn-0006GV-1r from dayton.nowellu7xn@gmail.com contained spam keywords
2006-04-27 15:44:35 1FZDLn-0005Mo-5z from nobody@ocean.wavepointmedia.com is fraud
2006-04-27 16:37:40 1FZEB9-0002KQ-VP from nobody@ocean.wavepointmedia.com is phishing

Each line gives the date and time, the Exim message ID, the sender address and the section of the filter that matched (phishing, fraud or spam). You can find the full message by grepping exim_mainlog for the message ID:

# grep 1FZEB9-0002KQ-VP /var/log/exim_mainlog

If you haven't already, you should enable a higher level of logging in your mail server; that will be covered in the next tutorial.
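As an added example (not part of the original post), this Python script reads /var/log/filter.log in the format shown above and reports counts per filter section and per sender, senders that hit the filter repeatedly (on a shared host usually a compromised account or an abused form), and the IDs of mail sent as the nobody user, which points at a web script rather than a mailbox; it also builds the exim_mainlog grep for those IDs. The sample log is constructed in the page's format.

```python
import re
from collections import Counter

# One line per filter hit, in the format the logwrite commands above produce:
# "<date> <time> <message-id> from <sender> <verdict>"
HIT = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) from (?P<sender>\S+) (?P<verdict>.+)$")

# Map the free-text verdicts written by the filter to short category names.
CATEGORIES = {
    "contained spam keywords": "spam",
    "is fraud": "fraud",
    "is forged fake": "forged",
    "is phishing": "phishing",
}


def parse_filter_log(text):
    hits = []
    for line in text.splitlines():
        m = HIT.match(line)
        if not m:
            continue  # skip anything that is not a filter hit
        hits.append({"ts": m.group("ts"), "id": m.group("id"), "sender": m.group("sender"),
                     "category": CATEGORIES.get(m.group("verdict").strip(), "other")})
    return hits


def report(hits, threshold=3):
    """Counts per category and per sender, senders with at least `threshold`
    hits, and the IDs of mail submitted by the web server user (nobody@...)."""
    by_sender = Counter(h["sender"] for h in hits)
    return {
        "by_category": dict(Counter(h["category"] for h in hits)),
        "by_sender": dict(by_sender),
        "repeat_offenders": {s: n for s, n in by_sender.items() if n >= threshold},
        "web_script_ids": [h["id"] for h in hits if h["sender"].startswith("nobody@")],
    }


def mainlog_grep(ids, mainlog="/var/log/exim_mainlog"):
    """Build the grep that pulls the full delivery records for the given IDs."""
    return "grep " + " ".join("-e " + i for i in ids) + " " + mainlog


# Constructed sample in the same format as the filter.log excerpt above.
SAMPLE_LOG = """\
2006-05-10 12:05:13 1Fds7S-0002Sa-MV from smooth595@example.com contained spam keywords
2006-05-10 14:18:47 1FduCn-0006GV-1r from dayton.nowell@example.com contained spam keywords
2006-04-27 15:44:35 1FZDLn-0005Mo-5z from nobody@ocean.example.net is fraud
2006-04-27 16:37:40 1FZEB9-0002KQ-VP from nobody@ocean.example.net is phishing
2006-04-27 16:40:02 1FZEDV-0002L1-8b from nobody@ocean.example.net is phishing
this line is not a filter hit and is ignored
"""

if __name__ == "__main__":
    summary = report(parse_filter_log(SAMPLE_LOG))
    print(summary)
    print(mainlog_grep(summary["web_script_ids"]))
```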

August 8, 2011 | cPanel, Exim

How to fix for Invalid SMTP response received from host

Issue: I saw the warning "Invalid SMTP response received from host" on one of our servers. Even after restarting Exim the warning was still showing up.

Fix: On investigating the issue I found that the number of connections to Exim was very high, around 100. So I set smtp_accept_max_per_host = 10 in exim.conf and also increased smtp_accept_max from 100 to 150, which resolved the issue.

The changes made in the /etc/exim.conf file are:

# vi /etc/exim.conf

=======================
smtp_accept_max_per_host = 10
smtp_accept_max = 150
=======================

August 6, 2011 | Exim

Exim Error : T=remote_smtp defer (-53)

On cPanel servers, Exim sometimes reports the following error in the Exim logs:

T=remote_smtp defer (-53): retry time not reached for any host

If the Exim logs report this error, the most likely cause is corruption of the Exim hints databases, especially if it is reported for every e-mail. To resolve it, clean the databases with the Exim database tool exim_tidydb:

# /usr/sbin/exim_tidydb -t 1d /var/spool/exim retry > /dev/null

# /usr/sbin/exim_tidydb -t 1d /var/spool/exim reject > /dev/null

# /usr/sbin/exim_tidydb -t 1d /var/spool/exim wait-remote_smtp > /dev/null

After performing the above steps, reinstall Courier and Exim using the cPanel scripts:

# /scripts/courierup --force

# /scripts/eximup --force

This should resolve the problem; if the same error continues to be reported, a deeper investigation of the issue is required.

August 5, 2011 | Exim

Critical: exim security update due to vulnerability issue

To resolve an Exim vulnerability, Exim was upgraded to the latest version, but it throws the following error after restarting the Exim service:

# /etc/init.d/exim restart

Shutting down exim:                                        [  OK  ]
Shutting down spamd:                                       [FAILED]
Starting exim:                                             [  OK  ]
Starting exim alt spool: exim: -D is not available in this Exim binary [FAILED]

To resolve the above error, simply run the following command from the shell:

# /usr/mscpanel/msswitch.pl inout

August 4, 2011 | Exim

Berkeley DB error: fatal region error detected; run recovery (Exim)

You may get the following error in /var/log/exim_mainlog

Berkeley DB error: fatal region error detected; run recovery

The issue is due to corrupted Exim DB (hints database) files. The fix is simple; go ahead with the following steps:

# /etc/init.d/exim stop

# rm -rfv /var/spool/exim/db/*

# /scripts/eximup --force

August 3, 2011 | Exim

How to add a new RBL to Exim in cPanel

More than a year ago, cPanel added a feature to the Exim Configuration Editor that lets everyone easily select from two RBLs (spamhaus.org and spamcop.net) that can be used to filter most of the spam a server receives. While this has been great for most of us (enabling an RBL is as simple as ticking a check box in WHM and pressing the Save button), some admins would like to add further RBLs to the list Exim uses to filter spam. RBLs like dnsbl.njabl.org, list.dsbl.org, dul.dnsbl.sorbs.net, etc. are considered useful by many, but are not included by default.

The question is how such an RBL can be added to Exim. Well, it's not that hard!

First, log in to your server using SSH. After a successful login:

Change directory to /usr/local/cpanel/etc/exim/acls/ACL_RBL_BLOCK

# cd /usr/local/cpanel/etc/exim/acls/ACL_RBL_BLOCK

Make a copy of spamcop_rbl and name it after the new RBL that will be used. For example:

# cp spamcop_rbl njabl_rbl

Open the newly created file

# vi njabl_rbl

Change the two dnslists entries to the address of the new RBL. For example, the new file should look something like this for dnsbl.njabl.org:

# cd /usr/local/cpanel/etc/exim/acls/ACL_RBL_BLOCK

# cat njabl_rbl

——————————————————————–
deny message = JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text
dnslists = dnsbl.njabl.org
hosts = +backupmx_hosts

warn
dnslists = dnsbl.njabl.org
set acl_m8 = 1
set acl_m9 = "JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text"
[% ACL_RBL_WHITELIST %]

warn
condition = ${if eq {${acl_m8}}{1}{1}{0}}
ratelimit = 0 / 1h / strict / per_conn
log_message = "Increment Connection Ratelimit - $sender_fullhost because of RBL match"

drop
condition = ${if eq {${acl_m8}}{1}{1}{0}}
message = ${acl_m9}
——————————————————————–

Save the file and run:

# /scripts/buildeximconf

That's it; you should now have the RBL added to your Exim mail server. You can of course add as many RBLs as you like, but keep in mind that too many of them increase the chance of false positives and the general load on the server.
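A dnslists entry makes Exim reject any host whose reversed-octet name in the zone returns an A record, so a zone that has expired and been parked with wildcard DNS would reject all your inbound mail. As an added example (not part of the original post), this Python script builds the query name Exim uses, checks a single IP against a zone, and runs the RFC 5782 self-test (127.0.0.2 must be listed, 127.0.0.1 must not) that is worth running before adding a zone to ACL_RBL_BLOCK. The zone names and the fake resolver answers are constructed placeholders; resolve_a does the live lookup.

```python
import socket


def dnsbl_query_name(ip, zone):
    """Name Exim looks up for `dnslists = zone`: the IPv4 octets reversed, then the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def resolve_a(name):
    """Live DNS: the A records for name, or an empty set when it does not exist."""
    try:
        return {r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def check_dnsbl(ip, zone, resolve=resolve_a):
    """Return (listed, answers). A real listing is an A record inside 127.0.0.0/8;
    any other answer means the zone is parked, wildcarded or broken and is treated
    as not listed here (Exim itself would treat it as a match)."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(a.startswith("127.") for a in answers), answers


def dnsbl_is_sane(zone, resolve=resolve_a):
    """RFC 5782 test points: a working IPv4 DNSBL lists 127.0.0.2 and never 127.0.0.1."""
    listed_test, _ = check_dnsbl("127.0.0.2", zone, resolve)
    listed_loop, _ = check_dnsbl("127.0.0.1", zone, resolve)
    return listed_test and not listed_loop


# Constructed answers standing in for live DNS (zone names are placeholders).
FAKE_ANSWERS = {
    "2.0.0.127.dnsbl.example": {"127.0.0.2"},
    "10.113.0.203.dnsbl.example": {"127.0.0.2"},
    "2.0.0.127.dead.example": {"198.51.100.7"},   # parked zone: wildcard A record
    "1.0.0.127.dead.example": {"198.51.100.7"},
}


def fake_resolve(name):
    return FAKE_ANSWERS.get(name, set())


if __name__ == "__main__":
    for zone in ("dnsbl.example", "dead.example"):
        print(zone, "usable" if dnsbl_is_sane(zone, fake_resolve) else "NOT usable")
```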

August 2, 2011 | cPanel, Exim

535 Incorrect authentication data in EXIM & cPanel

Every 5 minutes this e-mail reports that Exim has been restarted:

==========================================================
exim failed @ A restart was attempted automagically.Service Check Method: [tcp connect]

Failure Reason: TCP Transaction Log:
<< 220-serverX.xxx-xxxxxxxx.net ESMTP Exim 4.69 #12008 14:58:20 +0000
<<
<<
>> EHLO localhost
<< 250-serverx.xxx-xxxxxxxxxxx.net Hello localhost [127.0.0.1]
<<
<<
<<
<<
<<
>> AUTH PLAIN AUTH PLAIN AF9fY3BhbmVsX19zZXJ2aWNlX19hdXRoX19leGltX19IY3VsTEdXcFpDNU1XM1c2OVU4dmdGSUlyQllwcHpuSVJwQVll
YXhlVlh5VU1FRmx5Slg0YVlVV2JEbkJYcmpVAHBFTlh0eGtMdkNsRkJvZ3ROd0xZVVhTNlNWRlBHMUR6VEZBTG1na
UFzQTc4Y0FlMW5HaHI4VXBoa1R0N1FJa0U=
<< 535 Incorrect authentication data
exim: ** [535 Incorrect authentication data != 2]

Cmd Service Check Raw Output:
==========================================================

Here is the fix. Go to /var/cpanel/serviceauth/ and remove the exim directory:

# cd /var/cpanel/serviceauth/

# rm -rvf exim

Restart cPanel:

# /etc/rc.d/init.d/cpanel restart

The exim folder will be recreated. That should fix the issue.

August 1, 2011 | cPanel, Exim

How to set E-mail size in exim

You can set the E-mail size limit from your WHM.

1. Login into WHM
2. Select "Exim Configuration Editor" under the "Service Configuration" section.
3. Scroll down and click on the "Advanced Editor" option.

You will see several empty boxes; in the first one (right underneath the line #!!# cPanel Exim 4 Config), enter the following:

message_size_limit = 100M

4. Scroll down to the bottom of that screen and click "Save".

Exim configuration will be rebuilt with the new option and your Exim will be restarted.

July 30, 2011 | Exim

Spamd failed and does not restart (exim)

Issue: You may get the "spamd failed" error on Exim restart.

Fix: When you disable spamd from WHM –> Service Manager, cPanel automatically creates the file /etc/spamdisable. If you enable the feature again, /etc/spamdisable may not be deleted automatically. In that case remove it manually and restart Exim.

# rm -f /etc/spamdisable

# /scripts/restartsrv_exim

If the issue persists, reinstall spamd on the server. Here are the steps:

# wget http://www.hightechimpact.com/Apache/spamassassin/source/Mail-SpamAssassin-3.3.2.tar.gz

# tar xzf Mail-SpamAssassin-3.3.2.tar.gz

# cd Mail-SpamAssassin-3.3.2

# perl Makefile.PL

# make

# make install

The issue may also arise when the Perl module Mail::SpamAssassin is missing on the server. Install it manually:

# /scripts/perlinstaller --force Mail::SpamAssassin

# /scripts/restartsrv_exim

The issue should be fixed now. You may also see an error message like this:

"Starting spamd: [9128] error: spamd: spamd script is v3.001000, but using modules v3.001001"

July 29, 2011 | Exim

Spamd causing high server loads (Exim)

When dealing with load issues, you will sometimes see spamd near the top of the top output. By default 5 spamd processes are started when Exim starts. You can reduce or increase the number of spamd processes as follows.

1. Open /etc/rc.d/init.d/exim

# vi /etc/rc.d/init.d/exim

2. Search for "spamd" or "maxchildren"

3. Edit the value in --max-children=${maxchildren=5}

Note: spamd consumes a lot of memory, so increasing the number of children increases memory usage and, in turn, load. Reducing spamd too much also makes Exim hang (slow mail processing) and can cause load too. Use your judgment here.

July 28, 2011 | Exim

How to enable log selector in Exim

Add the following entry in the Exim advanced configuration editor:

=====================================================================
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
======================================================================

Restart Exim after this:

# /scripts/restartsrv_exim

or

# /etc/init.d/exim restart

Once this is done, you will be able to find the location of a script that is sending mail as the nobody user. Just issue the following command:

# tail -f /var/log/exim_mainlog | grep cwd

====================================================================
2011-08-26 23:03:46 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LnPlq-000810-Sl
2011-08-26 23:03:46 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LnPlq-000811-St
2011-08-26 23:03:46 cwd=/home/icicemac/public_html 3 args: /usr/sbin/sendmail -t -i
2011-08-26 23:03:46 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LnPlq-000813-T9
2011-08-26 23:05:48 cwd=/home/icicemac/public_html 3 args: /usr/sbin/sendmail -t -i
2011-08-26 23:05:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LnPno-00087I-CT
====================================================================
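Reading the cwd= lines by eye works for a handful of entries but not for a busy server. As an added example (not part of the original post), this Python script parses the cwd= lines that +arguments adds to exim_mainlog, drops Exim's own delivery processes (cwd in the spool, exim -Mc), and counts the remaining sendmail submissions per directory and per cPanel account, which is what points at the offending script. The log excerpt at the bottom is constructed in the format shown above.

```python
import re
from collections import Counter

# Lines that +arguments adds to exim_mainlog, e.g.
# "2011-08-26 23:03:46 cwd=/home/example/public_html 3 args: /usr/sbin/sendmail -t -i"
CWD_LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) cwd=(?P<cwd>\S+) "
                      r"(?P<argc>\d+) args: (?P<args>.*)$")


def parse_cwd_lines(text):
    """Return one dict per cwd= line; all other mainlog lines are skipped."""
    return [m.groupdict() for m in (CWD_LINE.match(l) for l in text.splitlines()) if m]


def script_submissions(events, spool="/var/spool/exim"):
    """Count submissions per working directory, leaving out Exim's own delivery
    processes (cwd in the spool, 'exim -Mc <id>'). What remains are sendmail
    invocations by scripts; the cwd is the directory to inspect."""
    return Counter(e["cwd"] for e in events
                   if e["cwd"] != spool and " -Mc " not in e["args"])


def account_of(cwd):
    """Map a cPanel home path like /home/<user>/public_html to <user>."""
    m = re.match(r"^/home/([^/]+)/", cwd)
    return m.group(1) if m else None


def submissions_by_account(events):
    """Roll the per-directory counts up to the cPanel account that owns them."""
    counts = Counter()
    for cwd, n in script_submissions(events).items():
        counts[account_of(cwd) or cwd] += n
    return counts


# Constructed log excerpt in the format shown above (account names are placeholders).
SAMPLE_MAINLOG = """\
2011-08-26 23:03:46 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LnPlq-000810-Sl
2011-08-26 23:03:46 cwd=/home/example/public_html 3 args: /usr/sbin/sendmail -t -i
2011-08-26 23:03:46 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LnPlq-000813-T9
2011-08-26 23:05:48 cwd=/home/example/public_html 3 args: /usr/sbin/sendmail -t -i
2011-08-26 23:06:02 cwd=/home/example/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2011-08-26 23:07:10 cwd=/home/other/public_html 3 args: /usr/sbin/sendmail -t -i
2011-08-26 23:07:11 1LnPno-00087I-CT <= bob@example.com H=localhost [127.0.0.1]
"""

if __name__ == "__main__":
    events = parse_cwd_lines(SAMPLE_MAINLOG)
    for cwd, n in script_submissions(events).most_common():
        print("%5d  %s" % (n, cwd))
    print(submissions_by_account(events).most_common())
```

On a live server, read the events from /var/log/exim_mainlog instead of SAMPLE_MAINLOG.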

July 26, 2011 | Exim, Mail