Re: [PLUG] What Is Sending Email?

2021-03-23 Thread Michael Barnes
Figured out the grep thing. Found my answer in /etc/aliases.

Thanks to all.

Michael


___
PLUG: https://pdxlinux.org
PLUG mailing list
PLUG@pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug


Re: [PLUG] What Is Sending Email?

2021-03-23 Thread Jason Bergstrom
It's always worth while checking /etc/aliases and /etc/mail/aliases
as that is the normal location any MTA would redirect mail directed
to root/postmaster.

I do run Exim on servers, but know Debian has been overly focused
on modularization/macros that complicate simple administration.

To directly expand exim directives you can get the values with:
exim -bP

It is also possible that someone has placed their own values under
/etc/exim4/exim4.conf.template or even a file under that directory that
would be overwritten by an update.

Jason,
ber...@begie.net



Re: [PLUG] What Is Sending Email?

2021-03-22 Thread Tomas Kuchta
Did you try and failed recursive grep on the config directory - as
suggested above?

If unsure, learn more by: man grep

Tomas



Re: [PLUG] What Is Sending Email?

2021-03-22 Thread Michael Barnes
I do know the email address it is trying to send to. I'm not very smart in
finding strings in random files. I can't find any reference to that address
anywhere.

Michael


Re: [PLUG] What Is Sending Email?

2021-03-22 Thread TomasK
If you cannot find the variable by: grep -r E4BCD_ config_dir
.. you can always add a few lines to send yourself email containing the
variables at the next execution.
Once you know the email address - it should be trivial to find it in
files.

Hope it helps, Tomas



Re: [PLUG] What Is Sending Email?

2021-03-22 Thread Rich Shepard

Michael,

I see exim used by a number of folks when I look at the message headers but
haven't used it myself. If you don't find satisfactory information consider
switching to postfix. It's not difficult to set up and has excellent support
on the mail list.

HTH,

Rich


Re: [PLUG] What Is Sending Email?

2021-03-22 Thread Michael Barnes
Okay, I found /etc/cron.daily/exim4-base which seems to be the script that
is running each morning. I'm not really that smart in reading these
scripts. I find the mail command and the subject line. What I don't seem to
find is the TO: line. I do see references of $E4BCD_DAILY_REPORT_TO which
may be the TO: string, but I can't find that variable defined. I find these
declarations at the beginning of the script:

E4BCD_DAILY_REPORT_TO=""
E4BCD_DAILY_REPORT_OPTIONS=""
E4BCD_WATCH_PANICLOG="yes"
# Number of lines of paniclog quoted in warning email.
E4BCD_PANICLOG_LINES="10"
E4BCD_PANICLOG_NOISE=""

but those are empty strings.

I did move the exim4-base script out of the cron.daily folder which, I
hope, should stop the outgoing emails. I do need to get this mailserver
working again. Is exim4 still a good choice? Anybody recommend a good
tutorial on it? I haven't worked with mailservers since about 2005 so I'm a
bit rusty and need to get caught up on current practices.

Thanks,
Michael






Re: [PLUG] What Is Sending Email?

2021-03-19 Thread Peter Leftwich (pe...@itwiz1.com)
Hi Michael - I hope all is going well with your NUC.

Great question about inheriting hardware, and to all an excellent reminder
/ caveat/ best practices opportunity for talking security, system
hardening, being mindful of resources, and general good Linux / Unix
housekeeping...

**If this were me**, I would typically take the following steps below - My
apologies on the exact commands if they are not 100% accurate, I have not
tested them on my raspberry pi 4 8gb. =^]

1. Before enabling Wi-Fi on inherited computers or servers, or plugging in
a lan cable, be sure that the device is basically sandboxed and offline.

2. I believe you can run `netstat -a` to see if any ports are LISTENING
state, (Windows has a great flag to this command, -bno, which tells you
which binary or program or app is the source of listening on certain ports!
I'm positive Linux has something similar...) ..but perhaps for a quick peek
you could plug a LAN cable in and run the above command > with its STDOUT
sent out into a file, to analyze after again putting the system offline.

3. As one responder on this list mentioned, it is good to check all the
cron jobs that are geared up to go; for the ones as root you could run
crontab -e, but I believe there is a directory as a repository for all the
perhaps installed packages' usernames that might have cron jobs, where you
can see them in one central place; pretty certain that's a thing! If they
exist, perhaps chmod them ..or better, mv them to a subdirectory called
/old/, or  /cron_jobs_off/.

4. Thank you for staying with me this far lol - These two (2) commands are
probably your very good friend, when poking around an unknown system and
doing a little reconnaissance:

4a1. $ sudo apt list --installed > packages_list.txt
## OR
4a2. $ sudo dpkg-query -f '${binary:Package}\n' -W > packages_list.txt
## OR LASTLY,
4a3. $ sudo dpkg-query -l > packages_list.txt

5. See which services are active, enabled (run at startup), or especially
are currently running!

# systemctl list-units --type=service --state=active
OR
# systemctl --type=service --state=active

# systemctl list-units --type=service --state=running
OR
# systemctl --type=service --state=running

6. Lastly but maybe the quickest easiest fix = Great to install a simple
uncomplicated firewall and only over time incrementally open ports
gradually **as needed** and known and identified as necessary, etc. Maybe
this should be Step#1 above!
$ sudo apt install ufw gufw

Cheers, I hope this is helpful and I do happily welcome from the list any
corrections and or added measures!

Peter L in San Diego CA,

Active in kplug and sdbug, and recently nycbug!


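
Peter's steps 2 and 3 (listening sockets, scheduled jobs) and Michael's puzzle further up the thread (the E4BCD_* variables that are empty strings at the top of /etc/cron.daily/exim4-base) come down to the same inventory: which cron jobs exist, which of them can send mail, and which files each one sources, because a script's in-file defaults are routinely overridden by a sourced settings file such as /etc/default/<package>. The script below is an added example, not code from the thread, from Peter or from Debian. The cron locations and the /etc/default override convention are assumptions about a standard Debian/Ubuntu layout; the ROOT argument lets the same functions run against a mounted image or a test tree instead of the live system, and the sample tree it builds is constructed, including a mock of the exim4-base script.

```shell
#!/bin/sh
# Added example (not from the PLUG thread): inventory the scheduled jobs on
# an inherited Debian-style host, flag the ones that can send mail, and list
# the files each one sources. Read-only; nothing is moved or chmod'ed.
#
# Usage: cron_mail_report            (live system, run as root)
#        cron_mail_report /mnt/image (a mounted copy of the disk)

set -eu

# Where cron jobs live on Debian/Ubuntu (assumed standard layout; the
# per-user spool is readable by root only). ROOT is an optional prefix.
cron_locations() {
    root=${1:-}
    for d in etc/cron.d etc/cron.hourly etc/cron.daily etc/cron.weekly \
             etc/cron.monthly var/spool/cron/crontabs; do
        [ -d "$root/$d" ] && find "$root/$d" -type f
    done
    [ -f "$root/etc/crontab" ] && echo "$root/etc/crontab"
    return 0
}

# Files sourced by FILE: ". /path" or "source /path" (absolute or $VAR
# paths only; this is where a script's empty defaults get overridden).
sourced_files() {
    grep -oE '(^|[[:space:]])(\.|source)[[:space:]]+[/$][^[:space:];]*' "$1" 2>/dev/null \
      | awk '{ print $2 }' | sort -u || true
}

# Does FILE invoke a mail-sending command? Word-bounded so that "email"
# or "exim4-base" in a path do not match; comments mentioning "mail -s"
# still match, which is fine for a review list.
sends_mail() {
    grep -qE '(^|[^[:alnum:]_])(mail|mailx|sendmail|exim|exim4)([[:space:]]|$)' "$1" 2>/dev/null
}

# One line per job: path (relative to ROOT), whether it can send mail, and
# what it sources. Deterministic order so the output can be diffed later.
cron_mail_report() {
    root=${1:-}
    cron_locations "$root" | LC_ALL=C sort | while IFS= read -r f; do
        flag=no
        if sends_mail "$f"; then flag=yes; fi
        srcs=$(sourced_files "$f" | tr '\n' ' ')
        printf '%s sends_mail=%s sources=[%s]\n' "${f#"$root"}" "$flag" "${srcs% }"
    done
}

# Listening sockets with their owning process: the Linux counterpart of the
# Windows "netstat -bno" Peter mentions. Not exercised by the test below.
listening_sockets() {
    if command -v ss >/dev/null 2>&1; then ss -tulnp; else netstat -tulnp; fi
}

# Constructed test tree (not a real system); prints its path. The exim4-base
# file is a mock of the cron script from the thread, not Debian's script.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/cron.daily" "$t/etc/cron.d" "$t/etc/default"
    cat >"$t/etc/cron.daily/exim4-base" <<'EOF'
#!/bin/sh
E4BCD_DAILY_REPORT_TO=""
E4BCD_WATCH_PANICLOG="yes"
[ -r /etc/default/exim4 ] && . /etc/default/exim4
if [ "$E4BCD_WATCH_PANICLOG" != "no" ]; then
  mail -s "exim paniclog has non-zero size" root </dev/null
fi
EOF
    cat >"$t/etc/cron.daily/logrotate" <<'EOF'
#!/bin/sh
/usr/sbin/logrotate /etc/logrotate.conf
EOF
    printf '0 6 * * * root /usr/local/bin/backup.sh\n' >"$t/etc/cron.d/backup"
    echo "$t"
}
```

On the constructed tree the report shows exim4-base as the only job that sends mail and /etc/default/exim4 as the file it sources, which is exactly where to look when the variables at the top of the script are empty strings. Because the mock script mails root, the next hop is the aliases file, not the cron script.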


Re: [PLUG] What Is Sending Email?

2021-03-18 Thread James Bertelson
Cron.daily runs at 0625 on Ubuntu. I’d check /etc/cron.daily for scripts. 

Sent from a mobile device



[PLUG] What Is Sending Email?

2021-03-18 Thread Michael Barnes
As part of my new gig, I inherited an email server. It is an Intel NUC
running Linux. I have almost no information on it, other than its login
info. Looking at various logs, I find a folder /var/log/Exim4 with mail
logs in it. It has a series of log files titled mainlog with owner of
Debian-exim and group of adm.

In looking at the log, it has an entry every morning at 0625 that seems to
be sending an email to an unknown person. I have obscured the identity data.

2021-03-18 06:25:02 1lMse6-0001wL-1W <= r...@mailx.mydomain.com U=root
P=local S=707
2021-03-18 06:25:06 1lMse6-0001wL-1W => some...@somewhere.org <
r...@mailx.mydomain.com> R=dnslookup T=remote_smtp H=
in1-smtp.messagingengine.com [66.111.4.73]
X=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=yes
DN="C=AU,ST=Victoria,L=Melbourne,O=FastMail Pty Ltd,CN=*.messagingengine.com"
K C="250 2.0.0 Queued as 89A962AC350"
2021-03-18 06:25:06 1lMse6-0001wL-1W Completed

Any ideas on exactly what is happening here? I certainly don't want this
thing sending someone emails every day that I do not know about.

Thanks,
Michael
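
The two mainlog lines above already answer most of the question once you know how to read them: "<=" is the arrival of a message, and "U=root P=local" means it was injected by a local process running as root, not received over SMTP; "=>" is the delivery, with R= the router, T= the transport and H= the remote host. The script below is an added example, not code from the thread or from Exim: it summarises a mainlog per message id so that locally injected messages stand out. The log lines it embeds are constructed, modelled on the obscured ones in the thread with example.* names; a message with several recipients keeps only its last delivery line in the summary.

```shell
#!/bin/sh
# Added example (not from the PLUG thread): one summary line per message id
# from an Exim mainlog, and a filter for messages injected locally as root,
# which on an otherwise idle host at 06:25 is the fingerprint of a cron job.
#
# Usage: summarize_mainlog < /var/log/exim4/mainlog
#        local_root_submissions < /var/log/exim4/mainlog

set -eu

# Constructed sample (not real traffic), modelled on the thread's lines.
sample_mainlog() {
    cat <<'EOF'
2021-03-18 06:25:02 1lMse6-0001wL-1W <= root@mailx.example.com U=root P=local S=707
2021-03-18 06:25:06 1lMse6-0001wL-1W => someone@example.org <root@mailx.example.com> R=dnslookup T=remote_smtp H=in1-smtp.example.net [192.0.2.10] X=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=yes C="250 2.0.0 Queued as 89A962AC350"
2021-03-18 06:25:06 1lMse6-0001wL-1W Completed
2021-03-18 09:12:44 1lMvKq-00023x-Pq <= alice@mailx.example.com H=(laptop) [192.0.2.55] P=esmtpsa A=plain:alice S=2110
2021-03-18 09:12:45 1lMvKq-00023x-Pq => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.20] C="250 OK"
2021-03-18 09:12:45 1lMvKq-00023x-Pq Completed
EOF
}

# Reads a mainlog on stdin and prints, in arrival order:
#   id|submitted-by|protocol|recipient|transport|remote-host
# "submitted-by" is "local uid <user>" when the arrival line carries U=,
# otherwise the envelope sender.
summarize_mainlog() {
    awk '
        $4 == "<=" {
            id = $3; n++; order[n] = id
            sender[id] = $5; user[id] = ""; proto[id] = "?"
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^U=/) user[id] = substr($i, 3)
                if ($i ~ /^P=/) proto[id] = substr($i, 3)
            }
        }
        $4 == "=>" {
            id = $3; rcpt[id] = $5; transport[id] = "?"; host[id] = "?"
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^T=/) transport[id] = substr($i, 3)
                if ($i ~ /^H=/) host[id] = substr($i, 3)
            }
        }
        END {
            for (k = 1; k <= n; k++) {
                id = order[k]
                who = sender[id]
                if (user[id] != "") who = "local uid " user[id]
                printf "%s|%s|%s|%s|%s|%s\n", id, who, proto[id], rcpt[id], transport[id], host[id]
            }
        }'
}

# Only the messages a local root process handed to Exim.
local_root_submissions() {
    summarize_mainlog | grep '|local uid root|' || true
}
```

Run against the sample, the first id is reported as "local uid root" over the "local" protocol, delivered by remote_smtp to the external host, while the second is an authenticated SMTP submission by a user and does not appear in local_root_submissions. Pairing that summary with a list of what runs from cron around the same time is the whole investigation.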