SecurityMetrics has determined that we are not COMPLIANT with the PCI scan validation requirement for our server.
The remote host is running a version of the Exim MTA which is vulnerable to several remote buffer overflows. Specifically, if either 'headers_check_syntax' or 'sender_verify = true' is in the exim.conf file, then a remote attacker may be able to execute a classic stack- based overflow and gain inappropriate access to the machine. *** If you are running checks with safe_checks enabled, this may be a false positive as only banners were used to assess the risk! *** It is known that Exim 3.35 and 4.32 are vulnerable. Solution: Upgrade to Exim latest version Risk Factor: High
HOW DO i Upgrade to Exim latest version? I am on WHM/Cpanel 11 (centos 5) I never did this before.
Received: from ip.isp.com ([123.123.123.123]) by mx.myhost.net with esmtpa (Exim 4.69)
I'm trying to avoid the error
Received-SPF: softfail (google.com: domain of transitioning me@myhost.net does not designate 123.123.123.123 as permitted sender) client-ip=123.123.123.123;
Basically, any email thats sent through myhost.net should look like it was sent directly.
You MUST have ((PHP version >= 4.4.0 for having expat [you do], and the "expat" extension >= 2.0.0 loaded for having a decent version of expat [you do not]) [you do not]
I'm using PHP 4.4.4 on cpanel with centos 4.1
how do I properly upgrade or compile expat for the above error to go away?
I am having issues in receieving emails. For some reason, the rbl lists I had setup are causing the server to reject emails (retry - timeout). So, I need to take this rbl list completely. How can I do that? exim.conf is locked and using the advanced editor is no fun even though I tried it putting the dnslists without the rbl causing the problem.
I'm having an issue with email generated from a website contact form. The email is being sent from the website via php. The issue is that the email address that it is being sent to is a domain/website that is also on cpanel. It is trying to deliver it to a local account, but the email is acutally on a third party system outside of cpanel. Does anyone know anyway for exim to not try and deliver locally?
I seem to be experiencing some difficulty adding SPF records via "Edit DNS Zone". When adding these records and checking them with several SPF record checkers, it always reports a record such as the following:
“v=spf1
Which turns out to be invalid, and definitely not the record I had specified. The record I specified looks like the following:
"v=spf1 a mx ip4:XXX.XXX.XXX.XXX ~all"
XXX.XXX.XXX.XXX being a valid IP, of course.
Is there known issues when adding these types of records via WHM?
And to make it clear, I have added these records as TXT type, with and without the quotes.
Wondered if anyone out there would like to share their experience, if any, of setting up cpanel to work with domainkeys via exim.
Hopefully anyone reading this thread will know by now what domainkeys are and how it affects the delivering of email to most major email providers inboxes rather than spam/bulk folders.
antispam.yahoo.com/domainkeys
The domainkeys support for exim is now in the 'experimental' phase:
duncanthrax.net/exim-experimental/ (page allegedly updated on 30th Oct, 06)
However cpanel themselves seem to be dragging their feet a little with implementing it:
bugzilla.cpanel.net/show_bug.cgi?id=4099
This is understandable considering support for domainkeys is not yet part of the main exim core code, and thus is likely to change. From what I've been reading elsewhere, re-compiling and upgrading exim is not advisable with cpanel.
My knowledge of exim (and cpanel TBH) is limited however, and I was wondering what might be the implications of *ahem* hacking it a little in order to enable domainkeys.
SPF records alone just don't seem to cut it anymore.
How To Upgrade Apache 1.3.37 to 2.2.x on Cpanel Server?
Currently, Apache is recommending:
Quote:
Apache 1.3.37 is the current stable release of the Apache 1.3 family. We strongly recommend that users of all earlier versions, including 1.3 family release, upgrade to to the current 2.2 version as soon as possible.
1) Is it safe to upgrade from Apache 1.3.37 to 2.2.4 on a Cpanel machine. I am worried that Cpanel won't like it.
2) Is Php4 still acceptable to use with Apache 2.2?
3) Can someone suggest a tutorial or guide for an upgrade to 2.2?
I found a handful of howto's for dspam, but none of them catered for exim with virtual users. After hunting around, I eventually have it working on a cPanel server, with user authentication for mail users.
My setup: dspam version 3.6.8, using mysql driver. exim version 4. mysql 4.1 CentOS (2.6.9-023stab033.9-enterprise) cPanel / WHM - latest RELEASE version.
Download the source, configure and compile:
Code: # cd /usr/local/src # wget http://dspam.nuclearelephant.com/sou...m-3.6.8.tar.gz # tar -zxf dspam-3.6.8.tar.gz # cd dspam-3.6.8 Configure, replacing user/groups with your web-server user (web / apache / nobody), and use your mysql-include / library paths (will need mysql-devel on rh based systems).
Code: # ./configure --prefix=/opt/dspam-3.6.8 --with-local-delivery-agent=/usr/sbin/exim --with-storage-driver=mysql_drv --with-userdir=/var/spool/mail/dspam --with-userdir-owner=nobody --with-userdir-group=nobody --with-dspam-mode=none --with-dspam-owner=nobody --with-dspam-group=nobody --enable-whitelist --enable-spam-delivery --enable-alternative-bayesian --disable-dependency-tracking --enable-virtual-users --with-mysql-includes=/usr/include/mysql --with-mysql-libraries=/usr/lib/mysql/ --with-dspam-home=/opt/dspam-3.6.8/var/dspam # make && make install Set up mysql
Code: # mysqladmin -p create dspamdb # mysql -p >grant all privileges on dspamdb.* to dspamuser@localhost identified by dspampass; >flush privileges; >exit; Create tables:
Code: mysql -p dspamdb < /usr/local/src/dspam-3.6.8/src/tools.mysql_drv/mysql_objects_speed.sql mysql -p dspamdb < /usr/local/src/dspam-3.6.8/src/tools.mysql_drv/virtual_users.sql Link dspam in opt for easy versioning:
Code: ln -s dspam-3.6.8 /opt/dspam Copy the web interface files to a web directory:
This next step is required for pop3 authentication. Install perl module Apache::AuthPOP3 - which does apache pop3 authorisation:
Code: perl -MCPAN -e shell install Apache::AuthPOP3 Next, apache will need mod_perl installed - WHM -> Apache Update will allow you to enable the perl module (I am running it alongside php with no issues).
Then in /usr/local/apache/conf/httpd.conf:
Code: ScriptAlias /dspam/ /opt/dspam/cgi-bin/ Alias /dspam_files/ /opt/dspam/htdocs/ <Directory /opt/dspam/cgi-bin> Options None AllowOverride AuthConfig Order allow,deny Allow from all </Directory> Create .htaccess in /opt/dspam/cgi-bin as follows:
Code: AuthName "Dspam" AuthType Basic PerlAuthenHandler Apache::AuthPOP3 PerlSetVar MailHost localhost Require valid-user #PerlSetVar UserMap pop3user1=>realname1,pop3user2=>realname2 #Require user pop3user1 pop3user2 pop3user3 pop3user4 there are 2 commented parameters you can set when using POP3 auth - sure its pretty self-explanatory.
Set up admin user (the admin_user must be able to authenticate as a pop user):
Code: #echo "admin_user" >> /opt/dspam/cgi-bin/admins Create a queuesize script for web user - so dspam can determine how many messages in the queue.
Code: $CONFIG{'MAIL_QUEUE'} = "/usr/local/bin/eximqsize"; $CONFIG{'WEB_ROOT'} = "/dspam_files"; $CONFIG{'LOCAL_DOMAIN'} = "FQDN"; #your servers fully qualified domain name - e.g. host.yourdomain.com Next, set the default preferences for the system (you need /opt/dspam/bin in your path if you copy and paste this...):
Code: dspam_admin ch pref default trainingMode TEFT dspam_admin ch pref default spamAction quarantine dspam_admin ch pref default spamSubject "[SPAM]" dspam_admin ch pref default enableWhitelist on dspam_admin ch pref default showFactors off Permissions: I would suggest reading the README over dspam to get a full understanding of the permissions required for running of dspam. My permissions were:
Trust: root Trust: mail Trust: nobody / httpd #choose 1 - what ever your webserver runs as - `ps axu | grep httpd` to find out
#Use the same details as you did for the "grant all privileges on...." statement in mysql. MySQLServer /var/lib/mysql/mysql.sock MySQLPort MySQLUser dspamuser MySQLPass dspampass MySQLDb dspamdb MySQLCompress true
MySQLVirtualTable dspam_virtual_uids MySQLVirtualUIDField uid MySQLVirtualUsernameField username Almost there.... Confirm that mysql is configure to listen on a socket in /etc/my.cnf (or whereever your config file is):
Code: # cat /etc/my.cnf [mysqld] datadir=/var/lib/mysql socket=/var/lib/mysql/mysql.sock Now the final step - exim configuration. This is the part that took the longest, hopefully it works for you. Just as I read in the howto's I used for this, please please please dont just copy and paste - you stand a good chance of breaking your mail server if you make changes without understanding. Be warned.
My config file is /etc/exim.conf. This should be edited using the WHM -> Exim Configuration Editor -> Advanced.
Code: #Routers - Add these in the box before virtual_user delivery / user delivery router). dspam_router: no_verify #uncomment the next line to disable dspam for virtual users. # check_local_user condition = "${if and { {!def:h_X-Spam-Flag:} {!def:h_X-FILTER-DSPAM:} {!eq {$sender_address_domain}{$domain}} {!eq {$received_protocol}{local}} {!eq {$received_protocol}{spam-scanned}} } }" headers_add = "X-FILTER-DSPAM: by $primary_hostname on $tod_full" driver = accept transport = dspam_spamcheck
## The next 2 routers allow you to forward spam / non-spam to dspam for training (e.g. spam-yourmail@yourdomain.net). # spam-username dspam_addspam_router: driver = accept local_part_prefix = spam- transport = dspam_addspam
##Transports - can be added anywhere: #this adds the spam-scanned protocol header, so when it is passed back to exim after being processed by dspam, it doesnt get stuck in a loop. dspam_spamcheck: driver = pipe command = "/usr/sbin/exim -oMr spam-scanned -bS" transport_filter = "/opt/dspam/bin/dspam --stdout --deliver=innocent,spam --user $local_part@$domain" use_bsmtp = true home_directory = "/tmp" current_directory = "/tmp" user = nobody group = mail log_output = true return_fail_output = true return_path_add = false message_prefix = message_suffix =
If you have set up authentication correctly as well, then you should be able to open [url] and log in - if you add your login details to the "admins" file, you can configure defaults, etc. It also allows ALL users (with 1 user being an email account) to log in, using www.yourclientsdomain.com/dspam/dspam.cgi
This will not work with suexec enabled!! This is because dspam needs specific permissions, and it is expecting user nobody to access it. If suexec is enabled, you will need to use the default host, and NOT virtual hosts (and even this may not work - testing still required).
Watch exim_mainlog after this - you should pick up what transports and routers are being used.
Dspam can really hammer a system - mysql, cpu and memory usage will go up a bit, especially on busy production servers. Monitor your servers performance.
Other settings: add /opt/dspam/man to MANPATH in /etc/man.config or move dspam man directory to an existing man directory.
[ADDED] This dspam.cgi hack will do a lookup in the cpanel config file to find the domain for any username without a domain, and append it on match (or leave just the username part if nothing is found). This requires unsecuring your system a bit - your http user will need to be able to read /etc/trueuserdomains (either chmod 644 or chown nobody):
Code: #add this just after $CURRENT_USER is set. if ($CURRENT_USER !~ /@.+./) { open(TUD, "</etc/trueuserdomains"); while(<TUD>) { my ($domain, $user) = split(/:/,$_); chomp($user); $user =~ s/^s*//g; if ($user eq $CURRENT_USER) { $CURRENT_USER = $CURRENT_USER . "@$domain"; } } close(TUD); }
That should do it
dspam will allow all messages through by default, and will require some training. With this config, users can train using email commands - all they need to do is forward any spam that hits their mailbox to spam-emailaddress@domain.com (their own email address with spam- prepended). Unfortunately this does not allow handling of false positives if you are using a "quarantine" policy instead of subject. the web interface comes in handy for this.
I am busy testing a combination of dspam with assp, which seems to be working well - I especially like the greylisting feature of assp and ProtectionBox... Will add to this howto when testing is finish.
We are having trouble with disk space on some of our shared hosting servers and we are wondering if anyone have a script to clean e-mails from exim not checked in the last 60 days ?
Several potential security issues have been identified with cPanel software and Horde, a 3rd party bundled application. cPanel releases prior to 11.18.4 and 11.22.2 are susceptible to security issues, which range in severity from trivial to medium-critical. Along with the discovery of these potential issues, cPanel has released a new security tool to provide users with protection from XSRF attacks.
Quote:
All STABLE and RELEASE users are strongly urged to update to their respective 11.18.5 release. CURRENT and EDGE users should update to the latest 11.22.3 release. No releases are deemed susceptible to severe, critical or root access vulnerabilities.
