Re: [PLUG] What Is Sending Email?
Figured out the grep thing. Found my answer in /etc/aliases. Thanks to all.

Michael

On Mon, Mar 22, 2021 at 11:30 PM Jason Bergstrom wrote:
> It's always worthwhile checking /etc/aliases and /etc/mail/aliases,
> as that is the normal location any MTA would redirect mail directed
> to root/postmaster.
> [...]

___
PLUG: https://pdxlinux.org
PLUG mailing list
PLUG@pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
Re: [PLUG] What Is Sending Email?
It's always worthwhile checking /etc/aliases and /etc/mail/aliases, as that is the normal location any MTA would redirect mail directed to root/postmaster.

I do run Exim on servers, but know Debian has been overly focused on modularization/macros that complicate simple administration.

To directly expand exim directives you can get the values with:

    exim -bP

It is also possible that someone has placed their own values under /etc/exim4/exim4.conf.template or even a file under that directory that would be overwritten by an update.

Jason,
ber...@begie.net

On Mon, Mar 22, 2021 at 11:28:27PM -0400, Tomas Kuchta wrote:
> Did you try a recursive grep on the config directory, as suggested above, and did it fail?
>
> If unsure, learn more by: man grep
>
> Tomas
> [...]
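The thread ends with the address turning up in /etc/aliases, which is what Jason's first paragraph predicts: mail addressed to a local name such as root or postmaster is redirected by the aliases table, possibly through several hops, before it leaves the box. The following is an added example (not code from the thread or from Exim) that parses an aliases file in that format, follows the chain for a given name, and lists every local alias whose mail ends up at an external address. The sample aliases file, the names and the addresses in it are constructed for the example.

```python
# Constructed /etc/aliases in the sendmail/Exim format (name: target, target, ...; a line
# starting with whitespace continues the previous entry). Names and addresses are
# placeholders chosen for this example, not taken from any real host.
SAMPLE_ALIASES = """\
# /etc/aliases  (constructed sample)
mailer-daemon: postmaster
postmaster: root
abuse: root
# root's mail goes to the admin alias, which forwards off-box and keeps a copy in a file
root: admin
admin: ops@example.org,
       /var/mail/root-archive
noreply: /dev/null
loopa: loopb
loopb: loopa
"""

TERMINAL_PREFIXES = ('/', '|', ':include:')   # file, pipe, include list: never a local name


def parse_aliases(text):
    """Return {alias_name: [targets]} from aliases-file text, handling comments,
    blank lines and whitespace-indented continuation lines."""
    raw_entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] in ' \t' and current is not None:
            raw_entries[current] += ',' + line.strip()   # continuation of previous entry
            continue
        name, sep, targets = line.partition(':')
        if not sep:
            continue                                     # malformed line, skip it
        current = name.strip().lower()                   # alias names match case-insensitively
        raw_entries[current] = targets.strip()
    return {name: [t.strip() for t in targets.split(',') if t.strip()]
            for name, targets in raw_entries.items()}


def resolve(aliases, name, _seen=()):
    """Follow the alias chain for a local name until it reaches an external address,
    a file, a pipe, an :include: list, or a local name with no alias entry.
    A cycle is reported as a LOOP marker instead of recursing forever."""
    key = name.lower()
    if key in _seen:
        return ['LOOP:' + '->'.join(list(_seen) + [key])]
    if key not in aliases:
        return [name]                                    # plain local mailbox (or an address)
    destinations = []
    for target in aliases[key]:
        if '@' in target or target.startswith(TERMINAL_PREFIXES):
            destinations.append(target)
        else:
            destinations.extend(resolve(aliases, target, tuple(_seen) + (key,)))
    return destinations


def offbox_forwards(aliases):
    """Every local alias whose mail ends up at an address containing @, i.e. leaves the
    box. On an inherited server this is the list to review: these names receive root's
    cron output, bounces and security notices."""
    result = {}
    for name in sorted(aliases):
        external = [d for d in resolve(aliases, name) if '@' in d]
        if external:
            result[name] = external
    return result


if __name__ == '__main__':
    import sys
    # Usage: python aliases_audit.py [/etc/aliases]; without an argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALIASES
    table = parse_aliases(text)
    for name, dests in offbox_forwards(table).items():
        print(f"{name:<15} -> {', '.join(dests)}")
    print('root resolves to:', resolve(table, 'root'))
```

Running it against the real file shows at a glance which local names forward off-box; with the sample above, root, postmaster, abuse and mailer-daemon all end at ops@example.org. Exim's own `exim -bt root` performs the same resolution through the configured routers, so the two can be compared when the aliases file is not the only redirection in play.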
Re: [PLUG] What Is Sending Email?
On Mon, Mar 22, 2021, 22:58 Michael Barnes wrote:
> On Mon, Mar 22, 2021 at 3:17 PM TomasK wrote:
> > If you cannot find the variable by: grep -r E4BCD_ config_dir
> > .. you can always add a few lines to send yourself email containing the
> > variables at the next execution.
> > Once you know the email address - it should be trivial to find it in
> > files.
>
> I do know the email address it is trying to send to. I'm not very smart in
> finding strings in random files. I can't find any reference to that address
> anywhere.

Did you try a recursive grep on the config directory, as suggested above, and did it fail?

If unsure, learn more by: man grep

Tomas
Re: [PLUG] What Is Sending Email?
On Mon, Mar 22, 2021 at 3:17 PM TomasK wrote:
> If you cannot find the variable by: grep -r E4BCD_ config_dir
> .. you can always add a few lines to send yourself email containing the
> variables at the next execution.
> Once you know the email address - it should be trivial to find it in
> files.
>
> Hope it helps, Tomas

I do know the email address it is trying to send to. I'm not very smart in finding strings in random files. I can't find any reference to that address anywhere.

Michael
Re: [PLUG] What Is Sending Email?
If you cannot find the variable by:

    grep -r E4BCD_ config_dir

.. you can always add a few lines to send yourself email containing the variables at the next execution. Once you know the email address, it should be trivial to find it in files.

Hope it helps, Tomas

On Mon, 2021-03-22 at 11:14 -0700, Michael Barnes wrote:
> Okay, I found /etc/cron.daily/exim4-base which seems to be the script that
> is running each morning. [...] I do see references of $E4BCD_DAILY_REPORT_TO
> which may be the TO: string, but I can't find that variable defined. I find
> these declarations at the beginning of the script:
>
> E4BCD_DAILY_REPORT_TO=""
> E4BCD_DAILY_REPORT_OPTIONS=""
> E4BCD_WATCH_PANICLOG="yes"
> # Number of lines of paniclog quoted in warning email.
> E4BCD_PANICLOG_LINES="10"
> E4BCD_PANICLOG_NOISE=""
>
> but those are empty strings.
> [...]
Re: [PLUG] What Is Sending Email?
On Mon, 22 Mar 2021, Michael Barnes wrote:
> I did move the exim4-base script out of the cron.daily folder which, I hope,
> should stop the outgoing emails. I do need to get this mailserver working
> again. Is exim4 still a good choice? Anybody recommend a good tutorial on it?
> I haven't worked with mailservers since about 2005 so I'm a bit rusty and
> need to get caught up on current practices.

Michael,

I see exim used by a number of folks when I look at the message headers but haven't used it myself. If you don't find satisfactory information consider switching to postfix. It's not difficult to set up and has excellent support on the mail list.

HTH,

Rich
Re: [PLUG] What Is Sending Email?
Okay, I found /etc/cron.daily/exim4-base which seems to be the script that is running each morning. I'm not really that smart in reading these scripts. I find the mail command and the subject line. What I don't seem to find is the TO: line. I do see references of $E4BCD_DAILY_REPORT_TO which may be the TO: string, but I can't find that variable defined. I find these declarations at the beginning of the script:

E4BCD_DAILY_REPORT_TO=""
E4BCD_DAILY_REPORT_OPTIONS=""
E4BCD_WATCH_PANICLOG="yes"
# Number of lines of paniclog quoted in warning email.
E4BCD_PANICLOG_LINES="10"
E4BCD_PANICLOG_NOISE=""

but those are empty strings.

I did move the exim4-base script out of the cron.daily folder which, I hope, should stop the outgoing emails. I do need to get this mailserver working again. Is exim4 still a good choice? Anybody recommend a good tutorial on it? I haven't worked with mailservers since about 2005 so I'm a bit rusty and need to get caught up on current practices.

Thanks,
Michael

On Thu, Mar 18, 2021 at 5:04 PM James Bertelson wrote:
> Cron.daily runs at 0625 on Ubuntu. I'd check /etc/cron.daily for scripts.
>
> Sent from a mobile device
> [...]
Re: [PLUG] What Is Sending Email?
Hi Michael -

I hope all is going well with your NUC. Great question about inheriting hardware, and to all an excellent reminder / caveat / best-practices opportunity for talking security, system hardening, being mindful of resources, and general good Linux / Unix housekeeping...

**If this were me**, I would typically take the following steps below - my apologies on the exact commands if they are not 100% accurate, I have not tested them on my Raspberry Pi 4 8GB. =^]

1. Before enabling Wi-Fi on inherited computers or servers, or plugging in a LAN cable, be sure that the device is basically sandboxed and offline.

2. I believe you can run `netstat -a` to see if any ports are in LISTENING state. (Windows has a great flag to this command, -bno, which tells you which binary or program or app is the source of listening on certain ports! I'm positive Linux has something similar...) ..but perhaps for a quick peek you could plug a LAN cable in and run the above command with its STDOUT sent out into a file, to analyze after again putting the system offline.

3. As one responder on this list mentioned, it is good to check all the cron jobs that are geared up to go; for the ones as root you could run crontab -e, but I believe there is a directory as a repository for all the perhaps installed packages' usernames that might have cron jobs, where you can see them in one central place; pretty certain that's a thing! If they exist, perhaps chmod them ..or better, mv them to a subdirectory called /old/, or /cron_jobs_off/.

4. Thank you for staying with me this far lol - These two (2) commands are probably your very good friend, when poking around an unknown system and doing a little reconnaissance:

   4a1. $ sudo apt list --installed > packages_list.txt
   ## OR
   4a2. $ sudo dpkg-query -f '${binary:Package}\n' -W > packages_list.txt
   ## OR LASTLY,
   4a3. $ sudo dpkg-query -l > packages_list.txt

5. See which services are active, enabled (run at startup), or especially are currently running!

   # systemctl list-units --type=service --state=active
   OR
   # systemctl --type=service --state=active
   # systemctl list-units --type=service --state=running
   OR
   # systemctl --type=service --state=running

6. Lastly but maybe the quickest easiest fix = Great to install a simple uncomplicated firewall and only over time incrementally open ports gradually **as needed** and known and identified as necessary, etc. Maybe this should be Step #1 above!

   $ sudo apt install ufw gufw

Cheers, I hope this is helpful and I do happily welcome from the list any corrections and or added measures!

Peter L in San Diego CA, Active in kplug and sdbug, and recently nycbug!

==
Date: Thu, 18 Mar 2021 16:53:04 -0700
From: Michael Barnes
To: "Portland Linux/Unix Group"
Subject: [PLUG] What Is Sending Email?

> As part of my new gig, I inherited an email server. It is an Intel NUC
> running Linux. I have almost no information on it, other than its login
> info. [...]
>
> Any ideas on exactly what is happening here? I certainly don't want this
> thing sending someone emails every day that I do not know about.
> [...]
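For steps 2 and 3 of the procedure above, here is an added example (not Peter's code and not from any of the tools he names) showing the Linux counterpart to the `netstat -bno` behaviour he describes: the kernel exposes every TCP socket in /proc/net/tcp and /proc/net/tcp6, and the socket inode in that table can be matched to the process holding it through the /proc/<pid>/fd symlinks, which is exactly what `netstat -p` and `ss -p` do. The same script collects every cron job file into one list, which is where the thread's /etc/cron.daily/exim4-base would show up. The /proc excerpts, the inode numbers and the pid/process pairs in the test are constructed; the script reads the live /proc when run on a Linux host.

```python
import os
import socket
import struct

# Constructed /proc/net/tcp and /proc/net/tcp6 excerpts (not captured from a real host):
# an MTA listening on port 25 on all interfaces and on loopback, sshd on loopback, one
# established client connection (state 01) that the report must ignore, and an IPv6
# listener on port 22. Addresses are written the way a little-endian kernel prints them.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21034 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21035 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18877 1 0000000000000000 100 0 0 10 0
   3: 0A00A8C0:C1D2 2A00A8C0:0019 01 00000000:00000000 00:00000000 00000000  1000        0 30011 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_PROC_NET_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18878 1 0000000000000000 100 0 0 10 0
"""

LISTEN = '0A'   # kernel TCP state code for a listening socket


def decode_addr(field):
    """'0100007F:0019' -> ('127.0.0.1', 25). Each 32-bit word of the address is printed
    in host byte order, so '=I' (native order) turns it back into network-order bytes."""
    ip_hex, port_hex = field.split(':')
    raw = b''.join(struct.pack('=I', int(ip_hex[i:i + 8], 16)) for i in range(0, len(ip_hex), 8))
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw), int(port_hex, 16)


def parse_proc_net_tcp(text, listen_only=True):
    """Rows of /proc/net/tcp{,6} as dicts (ip, port, state, uid, inode); LISTEN rows only by default."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or f[0] == 'sl':
            continue                                  # header or truncated line
        if listen_only and f[3] != LISTEN:
            continue
        ip, port = decode_addr(f[1])
        rows.append({'ip': ip, 'port': port, 'state': f[3], 'uid': int(f[7]), 'inode': int(f[9])})
    return rows


def inode_owner_map():
    """Map socket inode -> (pid, comm) from /proc/<pid>/fd symlinks. Needs a live Linux
    /proc; without root only your own processes are visible, so the map may be partial."""
    owners = {}
    if not os.path.isdir('/proc'):
        return owners
    for pid in filter(str.isdigit, os.listdir('/proc')):
        fd_dir = f'/proc/{pid}/fd'
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(f'{fd_dir}/{fd}')
            except OSError:
                continue
            if target.startswith('socket:['):
                try:
                    with open(f'/proc/{pid}/comm') as fh:
                        comm = fh.read().strip()
                except OSError:
                    comm = '?'
                owners[int(target[8:-1])] = (int(pid), comm)
    return owners


def listener_report(tcp_text, tcp6_text='', owners=None):
    """Join listening sockets with the process that owns them."""
    owners = inode_owner_map() if owners is None else owners
    report = []
    for row in parse_proc_net_tcp(tcp_text) + parse_proc_net_tcp(tcp6_text):
        owner = owners.get(row['inode'])
        row['process'] = f"{owner[1]} (pid {owner[0]})" if owner else f"unknown (inode {row['inode']})"
        report.append(row)
    return report


CRON_ROOTS = ('/etc/crontab', '/etc/cron.d', '/etc/cron.hourly', '/etc/cron.daily',
              '/etc/cron.weekly', '/etc/cron.monthly', '/var/spool/cron/crontabs')


def cron_inventory(roots=CRON_ROOTS):
    """Every scheduled-job file with owner uid, mode and mtime, in one list (empty where
    the paths do not exist, e.g. on a non-Debian layout)."""
    entries = []
    for root in roots:
        if os.path.isfile(root):
            paths = [root]
        elif os.path.isdir(root):
            paths = [os.path.join(root, n) for n in sorted(os.listdir(root))]
        else:
            continue
        for path in paths:
            try:
                st = os.stat(path)
            except OSError:
                continue
            entries.append((path, st.st_uid, oct(st.st_mode & 0o777), int(st.st_mtime)))
    return entries


def _read(path):
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ''


if __name__ == '__main__':
    for row in listener_report(_read('/proc/net/tcp'), _read('/proc/net/tcp6')):
        print(f"{row['ip']}:{row['port']:<6} uid={row['uid']:<6} {row['process']}")
    for path, uid, mode, mtime in cron_inventory():
        print(f"{path}  uid={uid} mode={mode} mtime={mtime}")
```

Run as root so that every process's fd table is readable; an "unknown (inode N)" entry in non-root output usually just means the socket belongs to another user, not that it is hidden. Writing the output to a file and diffing it after each change gives the before/after record Peter's step 2 asks for.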
Re: [PLUG] What Is Sending Email?
Cron.daily runs at 0625 on Ubuntu. I'd check /etc/cron.daily for scripts.

Sent from a mobile device

> On Mar 18, 2021, at 7:54 PM, Michael Barnes wrote:
>
> As part of my new gig, I inherited an email server. It is an Intel NUC
> running Linux. [...]
>
> In looking at the log, it has an entry every morning at 0625 that seems to
> be sending an email to an unknown person. [...]
[PLUG] What Is Sending Email?
As part of my new gig, I inherited an email server. It is an Intel NUC running Linux. I have almost no information on it, other than its login info. Looking at various logs, I find a folder /var/log/Exim4 with mail logs in it. It has a series of log files titled mainlog with owner of Debian-exim and group of adm.

In looking at the log, it has an entry every morning at 0625 that seems to be sending an email to an unknown person. I have obscured the identity data.

2021-03-18 06:25:02 1lMse6-0001wL-1W <= r...@mailx.mydomain.com U=root P=local S=707
2021-03-18 06:25:06 1lMse6-0001wL-1W => some...@somewhere.org <r...@mailx.mydomain.com> R=dnslookup T=remote_smtp H=in1-smtp.messagingengine.com [66.111.4.73] X=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=yes DN="C=AU,ST=Victoria,L=Melbourne,O=FastMail Pty Ltd,CN=*.messagingengine.com" K C="250 2.0.0 Queued as 89A962AC350"
2021-03-18 06:25:06 1lMse6-0001wL-1W Completed

Any ideas on exactly what is happening here? I certainly don't want this thing sending someone emails every day that I do not know about.

Thanks,
Michael
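The three mainlog lines in the question already answer most of it once they are read field by field: `U=root P=local` on the `<=` arrival line means a process running as root on this box handed the message to Exim through the local sendmail interface (not a relay), and the address in angle brackets on the `=>` delivery line is the original recipient before Exim redirected it, so the mail was addressed to the local root user and sent off-box by an alias or forward. Below is an added example, not code from the thread or from Exim, that parses this log format, correlates arrival, delivery and completion by message id, and prints one line per delivery stating who submitted it and where it went. The sample log is constructed from the obscured lines quoted above.

```python
import re
import shlex

# Constructed sample in Exim mainlog format, modelled on the identity-obscured lines
# quoted in the thread; the "r...@" and "some...@" placeholders are the thread's, not real.
SAMPLE_MAINLOG = """\
2021-03-18 06:25:02 1lMse6-0001wL-1W <= r...@mailx.mydomain.com U=root P=local S=707
2021-03-18 06:25:06 1lMse6-0001wL-1W => some...@somewhere.org <r...@mailx.mydomain.com> R=dnslookup T=remote_smtp H=in1-smtp.messagingengine.com [66.111.4.73] X=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=yes DN="C=AU,ST=Victoria,L=Melbourne,O=FastMail Pty Ltd,CN=*.messagingengine.com" K C="250 2.0.0 Queued as 89A962AC350"
2021-03-18 06:25:06 1lMse6-0001wL-1W Completed
"""

# timestamp, Exim message id (6-6-2 characters), remainder of the line
LINE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) '
                     r'([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) (.*)$')


def split_fields(tokens):
    """Separate key=value items (U=, P=, H=, X=, DN=, C= ...) from bare flags such as K.
    The bracketed IP that follows H=host is attached to the host as H_ip."""
    fields, flags, prev = {}, [], None
    for tok in tokens:
        if tok.startswith('[') and tok.endswith(']') and prev == 'H':
            fields['H_ip'] = tok[1:-1]
            prev = None
        elif '=' in tok and tok.split('=', 1)[0].isalpha():
            key, val = tok.split('=', 1)
            fields[key] = val
            prev = key
        else:
            flags.append(tok)
            prev = None
    return fields, flags


def parse_mainlog(text):
    """Correlate <= (arrival), => (delivery) and Completed lines by message id."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # lines without a message id (connection noise etc.)
        ts, msgid, rest = m.groups()
        try:
            tokens = shlex.split(rest)      # keeps the double-quoted DN= and C= values whole
        except ValueError:
            tokens = rest.split()           # unbalanced quote in a subject or address
        if not tokens:
            continue
        rec = msgs.setdefault(msgid, {'id': msgid, 'deliveries': [], 'completed': False})
        op = tokens[0]
        if op == '<=':
            fields, _ = split_fields(tokens[2:])
            rec.update(arrived=ts, sender=tokens[1],
                       local_user=fields.get('U'),    # calling user, present for local submissions
                       protocol=fields.get('P'),      # 'local' = sendmail interface on this host
                       size=int(fields['S']) if fields.get('S', '').isdigit() else None)
        elif op == '=>':
            i, original = 2, None
            if i < len(tokens) and tokens[i].startswith('<'):
                original = tokens[i].strip('<>')      # recipient before alias/forward redirection
                i += 1
            fields, flags = split_fields(tokens[i:])
            rec['deliveries'].append({
                'time': ts, 'recipient': tokens[1], 'original': original,
                'router': fields.get('R'), 'transport': fields.get('T'),
                'host': fields.get('H'), 'ip': fields.get('H_ip'),
                'tls': fields.get('X'), 'cert_verified': fields.get('CV'),
                'response': fields.get('C'), 'flags': flags,
            })
        elif op == 'Completed':
            rec['completed'] = True
    return msgs


def summarize(msgs):
    """One line per delivery: who submitted the mail and where it went."""
    lines = []
    for rec in msgs.values():
        if rec.get('protocol') == 'local':
            origin = f"local submission by user '{rec.get('local_user')}'"
        else:
            origin = f"received via {rec.get('protocol')}"
        for d in rec['deliveries']:
            via = f"{d['host']} [{d['ip']}]" if d['host'] else (d['transport'] or '?')
            redirected = f" (originally addressed to {d['original']})" if d['original'] else ''
            lines.append(f"{rec['id']}: {rec.get('sender')} -> {d['recipient']}{redirected} "
                         f"via {via} tls={d['tls'] or 'none'}; {origin}")
    return lines


if __name__ == '__main__':
    import sys
    # Usage: python mainlog_who.py [/var/log/exim4/mainlog]; without an argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAINLOG
    for line in summarize(parse_mainlog(text)):
        print(line)
```

On the sample this prints a single line ending in "local submission by user 'root'", which is the detection that matters here: a local root submission at a fixed time each day points at cron rather than at anything arriving over SMTP, and the "originally addressed to" part says the final recipient was chosen by a redirection, which is why the address was eventually found in /etc/aliases rather than in the script itself.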