Changing APF log for TCP/UDP drops Published: Aug 27, 2004

Updated: July 6, 2006

About Exim
Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. In style it is similar to Smail 3, but its facilities are more general. There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of exim is quite different to that of sendmail.
www.exim.org

Requirements
For this tutorial you will need root SSH access to your server, and the server must be running the Exim 4.x MTA.
This works well on cPanel machines.

What does this do?
This addition turns on extra logging in your exim_mainlog so that you can determine where messages are coming from, who is sending them and, if you are seeing mail leave as the user "nobody" (the web server account), which directory on your server it was injected from. It also adds other useful detail to exim_mainlog that helps you decipher mail coming in and going out.

Here is an example:

2003-06-27 14:06:18 cwd=/home/usersite/public_html/forums 3 args: /usr/sbin/sendmail -t -i
2003-06-27 14:06:18 19W0QE-0001Nr-1b nobody@yourserversname.com from env-from rewritten as ""usersite.com" <minx@usersite.com>" by rule 1

The two lines above tell me where the message came from, which user on my server sent it and the directory it was called from (the cwd= line, produced by the +arguments selector). They also tell me how sendmail was invoked and what the envelope sender was rewritten to before the message left my server (the "rewritten as" line, produced by +address_rewrite).

The line below tells me an incoming message arrived with the subject "Naked Newsreaders? OH YEAH!" (T=, from +subject); the remote port on H= comes from +incoming_port and the I= address from +incoming_interface. Very helpful in spotting spam. You will see many other messages in exim_mainlog that you did not see before, which is great for debugging your mail logs and catching spammers.

EG: 19W0bO-0001cY-Ej <= jessica@stripdownnews.com H=(one) [128.121.247.84]:52087 I=[64.246.38.122]:25 P=smtp S=2387 T="Naked Newsreaders? OH YEAH!" from jessica@stripdownnews.com

Let's Begin!
Note to MailScanner users:
MailScanner uses a second Exim configuration file, exim_outgoing.conf, so repeat these steps for both /etc/exim.conf and /etc/exim_outgoing.conf.


Through Shell Directly - Cpanel users see bottom for special instructions


1) Open exim.conf
pico /etc/exim.conf

2) Find this line (in pico, Ctrl + W searches):
hostlist auth_relay_hosts = *

It sits just before this header:

#######################################
# Runtime configuration file for Exim #
#######################################

3) After hostlist auth_relay_hosts = *

add the following

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn


4) The final result should look like this

hostlist auth_relay_hosts = *

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

#######################################
# Runtime configuration file for Exim #
#######################################


5) Save (Ctrl + X, then Y) and restart Exim. Done!
/etc/init.d/exim restart

Now tail your log and watch the show!
tail -f /var/log/exim_mainlog

WARNING CPANEL USERS:
cPanel/WHM updates rebuild exim.conf and will overwrite these changes. You can stop cPanel from replacing the file by making it immutable, but be aware that this also blocks cPanel's own updates to the Exim configuration, so the WHM method further down is the supported way to keep the change:

chattr +i /etc/exim.conf
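Instead of making the file immutable, the edit can simply be re-applied after each cPanel rebuild. The following is an added example (not from the original article) that inserts the article's log_selector line after "hostlist auth_relay_hosts = *", or before the first "begin" section if that anchor is absent (main-section options must come before any "begin"), replaces an existing log_selector line rather than adding a second one, keeps a .bak copy, covers exim_outgoing.conf on MailScanner boxes, and checks the result with `exim -bV -C <file>` when exim is installed. The file paths are the ones the article uses.

```python
"""Idempotently add the article's log_selector to an Exim 4 configuration.

Added example, not part of the original article. Safe to re-run after a
cPanel rebuild: an identical line is left alone, a different log_selector
line is replaced, and nothing is duplicated.
"""
import os
import shutil
import subprocess

LOG_SELECTOR = (
    "log_selector = +address_rewrite +all_parents +arguments +connection_reject "
    "+delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port "
    "+lost_incoming_connection +queue_run +received_sender +received_recipients "
    "+retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation "
    "+smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn"
)
ANCHOR = "hostlist auth_relay_hosts"          # the line the article inserts after
CONFIGS = ("/etc/exim.conf", "/etc/exim_outgoing.conf")  # second exists with MailScanner


def ensure_log_selector_text(text, selector=LOG_SELECTOR):
    """Return (new_text, action); action is 'unchanged', 'replaced' or 'inserted'."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.split("=", 1)[0].strip() == "log_selector":
            if line.strip() == selector:
                return text, "unchanged"
            lines[i] = selector                 # keep the position, change the value
            return "\n".join(lines) + "\n", "replaced"
    anchor = next((i for i, l in enumerate(lines) if l.startswith(ANCHOR)), None)
    if anchor is not None:
        lines[anchor + 1:anchor + 1] = ["", selector]
    else:
        # Main options must precede the first 'begin ...' section; append if none.
        first_begin = next((i for i, l in enumerate(lines) if l.startswith("begin ")), len(lines))
        lines[first_begin:first_begin] = [selector, ""]
    return "\n".join(lines) + "\n", "inserted"


def ensure_log_selector(path, selector=LOG_SELECTOR):
    """Apply the edit to a file, keeping a .bak copy when something changes."""
    with open(path) as f:
        old = f.read()
    new, action = ensure_log_selector_text(old, selector)
    if action != "unchanged":
        shutil.copy2(path, path + ".bak")
        with open(path, "w") as f:
            f.write(new)
    return action


def verify_config(path):
    """True/False from 'exim -bV -C path' (config syntax check); None if exim is absent."""
    exim = shutil.which("exim")
    if exim is None:
        return None
    proc = subprocess.run([exim, "-bV", "-C", path], capture_output=True, text=True)
    return proc.returncode == 0


if __name__ == "__main__":
    for conf in CONFIGS:
        if os.path.exists(conf):
            print(conf, ensure_log_selector(conf), "syntax ok:", verify_config(conf))
```

After restarting Exim, `exim -bP log_selector` prints the value Exim is actually running with, which is the quickest way to confirm the edit took effect and has not been reverted by a rebuild.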


Cpanel Users - Easy Method

A much better solution is to make the change through the root WHM interface, because changes made there survive cPanel updates.
1) Log in and go to Service Configuration / Exim Configuration Editor

[Screenshot: WHM Exim Configuration Editor]

2) Click the Switch to Advanced Mode button

3) You will now see the WHM Exim configuration editor. This is essentially the same as editing exim.conf, but through the web interface, and WHM remembers changes made here, whereas changes made directly to the file through the shell are lost on the next update.

[Screenshot: WHM Exim Configuration Editor, advanced mode]

4) In the first box, which is empty, insert the following. (+all turns on every log selector, so the log is considerably busier than with the list used in the shell method; you can paste that log_selector line here instead if you prefer.)

log_selector=+all

5) Go to the bottom and Save the changes, they will be applied and Exim will restart.

6) Success! You have added additional logging to your Exim mail server for better tracking.


Comments (11)

  • swampy 14:08, September 6, 2004
    I tried this tutorial on APF 0.9.4 and it does not work; I get errors when trying to restart APF. Good job I backed up the files first.
  • pixel 13:27, September 20, 2004
    Worked like a charm for me - thanks!
  • ryan 22:17, September 21, 2004
    Great idea -- will review this for an added internal feature.
  • vijay srivastava 20:58, September 22, 2004
    How do I remove APF from my server? Is there an uninstall procedure?
  • squalito 14:12, September 29, 2004
    I do not have exactly the same lines in my conf.apf.
    I have the latest version: APF 0.9.4-6

    I updated the existing lines:
    if [ "$DROP_LOG" == "1" ]; then
    # Default TCP/UDP INPUT log chain
    if [ "$EXLOG" == "1" ]; then
    $IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IN_IF -j LOG --log-prefix "** IN_TCP DROP ** " --log-tcp-options --log-ip-options
    $IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IN_IF -j LOG --log-prefix "** IN_UDP DROP ** " --log-ip-options
    else
    $IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IN_IF -j LOG --log-prefix "** IN_TCP DROP ** "
    $IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IN_IF -j LOG --log-prefix "** IN_UDP DROP ** "
    fi
    fi

    if [ "$DROP_LOG" == "1" ] && [ "$EGF" == "1" ]; then
    # Default TCP/UDP OUTPUT log chain
    if [ "$EXLOG" == "1" ]; then
    $IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_TCP DROP ** " --log-tcp-options --log-ip-options
    $IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_UDP DROP ** " --log-ip-options
    else
    $IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_TCP DROP ** "
    $IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_UDP DROP ** "
    fi
    fi


    with these lines:
    if [ "$DROP_LOG" == "1" ]; then
    # Default TCP/UDP INPUT log chain
    if [ "$EXLOG" == "1" ]; then
    $IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IF -j LOG --log-level debug --log-tcp-options --log-ip-options
    $IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IF -j LOG --log-level debug --log-ip-options
    else
    $IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IF -j LOG --log-level debug
    $IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IF -j LOG --log-level debug
    fi
    fi

    if [ "$DROP_LOG" == "1" ] && [ "$EGF" == "1" ]; then
    # Default TCP/UDP OUTPUT log chain (OUTPUT chain, -o interface)
    if [ "$EXLOG" == "1" ]; then
    $IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $IF -j LOG --log-level debug --log-tcp-options --log-ip-options
    $IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $IF -j LOG --log-level debug --log-ip-options
    else
    $IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $IF -j LOG --log-level debug
    $IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $IF -j LOG --log-level debug
    fi
    fi


    and everything is working fine.

    Thanks for this article.
    Squalito
  • rYno267 05:24, November 15, 2004
    When I do
    "tail –f /var/log/iptables"

    I get this: "tail: .f: No such file or directory
    ==> /var/log/iptables <==
    "

    Any ideas? Thanks.
  • Madlaker 20:24, December 4, 2004
    I get the same as Ryno above. I did a locate on iptables and there is no iptables under /var, let alone /var/logs.

    Is there another step we have to perform?

    Any ideas would be appreciated.
  • Madlaker 20:46, December 4, 2004
    Just an update..

    OK, simple solution.

    When you restarted the firewall like me, you probably got an error that you missed, like I did the first time.

    /etc/apf/apf: line 1: ifconfig: command not found

    This is because we are in the su environment instead of su -.

    1) Just type cd, then the Enter key,
    then su -, then the Enter key.

    2) Now type /etc/apf/apf –r and you shouldn't get that error.

    3) Now type tail –f /var/log/iptables and you should see all the dropped packets showing up.

    If you get any more errors, be sure to look through all the instructions above.
  • Dennis 00:41, January 7, 2005
    I have .9.4 of APF and the lines you say to replace are different in that version. For example, here is the first of the two changes I made:

    if [ "$DROP_LOG" == "1" ]; then
    # Default TCP/UDP INPUT log chain
    if [ "$EXLOG" == "1" ]; then
    $IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IN_IF -j LOG -$
    $IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IN_IF -j LOG -$
    else

    As you see, the "if then else" parts are missing:

    if [ "$EXLOG" == "1" ]; then
    else

    I guessed that I should make the changes and leave these items in, although you did not mention them.

    The second section I changed per your instructions is here:

    if [ "$DROP_LOG" == "1" ] && [ "$EGF" == "1" ]; then
    # Default TCP/UDP OUTPUT log chain
    if [ "$EXLOG" == "1" ]; then
    $IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_TCP DROP ** " --log-tcp-option$
    $IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_UDP DROP ** " --log-ip-options
    else
    $IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_TCP DROP ** "
    $IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_UDP DROP ** "
    fi

    But I am getting errors, so I suspect something isn't right.

    I need some help on this for sure.

    Thanks
  • Izzee 12:39, November 21, 2005
    ------------------------------------------
    DO NOT USE THIS TUTORIAL FOR APF VERSIONS HIGHER THAN 0.9.3
    ------------------------------------------

    The latest APF version, 0.9.6-1,
    /etc/apf/firewall
    has different $DROP_LOG entries from the ones above.
    It is now called $LOG_DROP, with completely different rules.
    No point in this tutorial now, as it is obsolete.

    RAMPRAGE - this tutorial needs updating as a matter of urgency!!
  • webhost 20:26, January 15, 2006
    I've been meaning to ask this in the past but never have until now.

    I restarted APF and I get this:

    [/etc/apf]# ./apf -r
    iptables v1.2.9: host/network `-' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.2.9: host/network `-' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.2.9: host/network `-' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.2.9: host/network `-' not found
    Try `iptables -h' or 'iptables --help' for more information.

    Any idea as to why I am getting this? I don't know about any host/network.

    Thanks for your help


WebHostGear.com is a hosting directory, not a web host.

Copyright © 1998-2020 WebHostGear.com