Search found 900 matches
- Wed May 08, 2019 5:35 pm
- Forum: Administrators
- Topic: [Resolved]DNS cache seems corrupt
- Replies: 10
- Views: 8819
Re: DNS cache seems corrupt
Interesting... I don't know if you noticed but this is what I see here: % dig -t txt aetna.com ;; Truncated, retrying in TCP mode. ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> -t txt aetna.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10312...
- Wed May 08, 2019 3:15 pm
- Forum: Administrators
- Topic: [Resolved]DNS cache seems corrupt
- Replies: 10
- Views: 8819
Re: DNS cache seems corrupt
Authentication-Results: mail.mydomain.com (amavisd-new); dkim=neutral reason="invalid (public key: DNS query timeout for Mar2018._domainkey.aetna.com at /opt/zimbra/common/lib/perl5/Mail/DKIM/DNS.pm line 156, <GEN16> line 2304.)" header.d=aetna.com header.b=SZqPtx4l; dkim=fail (1024-bit k...
- Wed May 08, 2019 12:23 am
- Forum: Administrators
- Topic: How to expand letsencrypt for additional hostnames?
- Replies: 1
- Views: 714
Re: How to expand letsencrypt for additional hostnames?
Depending on how you created it to begin with and which acme client --- perhaps this? https://stackoverflow.com/questions/38302401/letsencrypt-add-domain-to-existing-certificate It is trivial to re-issue and use the --force option with most acme clients also. BTW, if you use DNS validation, you can tes...
- Mon May 06, 2019 3:55 pm
- Forum: Administrators
- Topic: Spam problem
- Replies: 6
- Views: 4984
Re: Spam problem
Not any more but it does handle most cases... There is a variation of spoofing that is signed by the spammer so my initial rule failed that case. I do something extra now and use the Return-Path which is the envelope from address. You are correct that you add a string of domains. I keep it as 2 rule...
- Mon May 06, 2019 3:33 pm
- Forum: Administrators
- Topic: how to whitelist a domain no matter what?
- Replies: 6
- Views: 14921
Re: how to whitelist a domain no matter what?
Amavis is responsible for managing SA, clamav, its own rules and also managing the DMARC checks. I view it as the judge/coordinator; that is how I conceptually think of it. For example... this header you cannot match with SA. Drove me crazy debugging this in production because during testing of my rules ...
- Mon May 06, 2019 2:45 pm
- Forum: Administrators
- Topic: how to whitelist a domain no matter what?
- Replies: 6
- Views: 14921
Re: how to whitelist a domain no matter what?
Use either amavis (amavisd.conf.in) or SA... I tend to do most of our stuff with SA. Either should prevent your domain from being classified as junk for your users. https://wiki.apache.org/spamassassin/ManualWhitelist Simple addition to: /opt/zimbra/data/spamassassin/localrules/sauser.cf and zmamavi...
- Fri May 03, 2019 8:04 pm
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 631721
Re: CVE-2019-9670 being actively exploited
Could you not also change the /var/spool/cron/crontabs/zimbra file to 400? You would need to change it if you made changes to zimbra of course, but that is not a real problem. Clever. Unfortunately, /usr/bin/crontab is setuid root. Use chattr so even root can't edit the file until you change it bac...
- Thu May 02, 2019 8:46 pm
- Forum: Administrators
- Topic: Script to investigate nginx.access.log and attackers
- Replies: 3
- Views: 5256
Re: Script to investigate nginx.access.log and attackers
Added a search and worked on more rules for scoring. The search works across the IP space and if any match is found will display that IP and all the requests it has made to your server. This is intentional as we already have stdout and grep... check_attacks.pl |grep something so was looking for what...
- Thu May 02, 2019 3:31 pm
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 631721
Re: CVE-2019-9670 being actively exploited
maxxer, you have done a terrific job on your blog posting and this thread. I have recently added a few honeypots and the attack initiates within 24 hours so you have to be really lucky not to be discovered. The initial attacking IPs continue to increase so it is going to be a game of whack-a-mole to...
- Wed May 01, 2019 5:55 pm
- Forum: Administrators
- Topic: Script to investigate nginx.access.log and attackers
- Replies: 3
- Views: 5256
Re: Script to investigate nginx.access.log and attackers
I am investigating various reputation lists to further my understanding of current attacks on our zimbra mailboxd services... Eventually, all this will be part of a feedback loop with modsecurity 3 and used in the scoring and identification of the type of bot with check_attacks.pl. Quick and dirty b...