My YunoHost server
Hardware: Raspberry Pi at home
YunoHost version: 4.0.8.2
I have access to my server: Via SSH | Via the webadmin
Are you in a particular context or have you made any particular modifications to your instance?: no
Mail hacked?
Hello,
A problem with the mail on the YunoHost server. I'm behind a Freebox. The address has been blacklisted for a while because Free's reverse DNS doesn't work well. Recently, people have received spam mails from the server's mail address that I didn't send.
As a first step I've just changed all the server's passwords, to perhaps secure against a possible hack.
I'm in the process of requesting a VPN from ARN so I can use Client_VPN afterwards and get the mails de-blacklisted... But in the meantime, I hope I haven't been hacked...
Here are the Diagnosis messages about the DNS problems for mail:
- Current reverse DNS: XX-XX-XX-XX.subs.proxad.net
Expected value: mydomain.tld
- You should first try to configure the reverse DNS with mydomain.tld in your internet router interface or your hosting provider interface. (Some hosting provider may require you to send them a support ticket for this).
- Some providers won't let you configure your reverse DNS (or their feature might be broken...). If you are experiencing issues because of this, consider the following solutions:
- Some ISP provide the alternative of using a mail server relay though it implies that the relay will be able to spy on your email traffic.
- A privacy-friendly alternative is to use a VPN *with a dedicated public IP* to bypass this kind of limits. See https://yunohost.org/#/vpn_advantage
- Or it's possible to switch to a different provider
status: ERROR
summary: The reverse DNS is not correctly configured in IPv4. Some emails may fail to get delivered or may get flagged as spam.
3:
details:
- You should first try to configure the reverse DNS with mydomain.tld in your internet router interface or your hosting provider interface. (Some hosting provider may require you to send them a support ticket for this).
- Some providers won't let you configure your reverse DNS (or their feature might be broken...). If your reverse DNS is correctly configured for IPv4, you can try disabling the use of IPv6 when sending emails by running 'yunohost settings set smtp.allow_ipv6 -v off'. Note: this last solution means that you won't be able to send or receive emails from the few IPv6-only servers out there.
status: ERROR
summary: No reverse DNS is defined in IPv6. Some emails may fail to get delivered or may get flagged as spam.
4:
details:
- The blacklist reason is: "https://matrix.spfbl.net/XX.XX.XX.XX"
- After identifying why you are listed and fixing it, feel free to ask for your IP or domain to be removed on https://spfbl.net/en/dnsbl/
status: ERROR
summary: Your IP or domain XX.XX.XX.XX is blacklisted on SPFBL.net RBL
5:
status: WARNING
summary: Too many pending emails in mail queue (107 emails)
$ sudo cat /var/log/mail.err
Nov 23 13:40:31 mydomain dovecot: lda(user@mydomain.tld)<21471><lb6cAb+tu1/fUwAAVYPLjw>: Error: sieve: msgid=unspecified: failed to store into mailbox 'Junk': Mailbox doesn't exist: Junk
Nov 23 13:40:31 mydomain dovecot: lda(user@mydomain.tld)<21471><lb6cAb+tu1/fUwAAVYPLjw>: Error: sieve: Execution of script /etc/dovecot/global_script/rspamd.sieve failed, but implicit keep was successful
Nov 23 16:16:38 mydomain dovecot: lda(user@mydomain.tld)<22964><CxOnHVbSu1+0WQAAVYPLjw>: Error: sieve: msgid=<message-10617836-636305828-166100-10040@mail5.wcm-msb.tld>: failed to store into mailbox 'Junk': Mailbox doesn't exist: Junk
Nov 23 16:16:38 mydomain dovecot: lda(user@mydomain.tld)<22964><CxOnHVbSu1+0WQAAVYPLjw>: Error: sieve: Execution of script /etc/dovecot/global_script/rspamd.sieve failed, but implicit keep was successful
Nov 24 15:37:57 mydomain dovecot: lda(user@mydomain.tld)<5325><iJaKAcUavV/NFAAAVYPLjw>: Error: sieve: msgid=<1606228674.ge4toobngmzc2nbqgaztcna@e.infos-actushopping.tld>: failed to store into mailbox 'Junk': Mailbox doesn't exist: Junk
Nov 24 15:37:57 mydomain dovecot: lda(user@mydomain.tld)<5325><iJaKAcUavV/NFAAAVYPLjw>: Error: sieve: Execution of script /etc/dovecot/global_script/rspamd.sieve failed, but implicit keep was successful
Nov 25 11:23:05 mydomain dovecot: lda(user@mydomain.tld)<24501><mRW3Lokwvl+1XwAAVYPLjw>: Error: sieve: msgid=<3003A379DE744E8BABC66BA4676B681E@LenovoPC>: failed to store into mailbox 'Junk': Mailbox doesn't exist: Junk
Nov 25 11:23:05 mydomain dovecot: lda(user@mydomain.tld)<24501><mRW3Lokwvl+1XwAAVYPLjw>: Error: sieve: Execution of script /etc/dovecot/global_script/rspamd.sieve failed, but implicit keep was successful
Nov 26 00:55:08 mydomain dovecot: lda(user@mydomain.tld)<1906><EbY3LNzuvl9yBwAAVYPLjw>: Error: sieve: msgid=<em3d4af818-07fa-4a76-8d50-342968e02a50@alans>: failed to store into mailbox 'Junk': Mailbox doesn't exist: Junk
Nov 26 00:55:08 mydomain dovecot: lda(user@mydomain.tld)<1906><EbY3LNzuvl9yBwAAVYPLjw>: Error: sieve: Execution of script /etc/dovecot/global_script/rspamd.sieve failed, but implicit keep was successful
I don't know where to look to find out whether the server could have been hacked... Maybe I should look with fail2ban??
I should also point out that all of this concerns a friend's server and that I am his administrator...
Here are the messages he received that are worrying him:
For almost a week, I've been receiving more than fifty messages like the one below. And several people have contacted me to tell me they'd received a strange message from me. Could this be linked to my server?
This is the mail system at host domain.tld. I’m sorry to have to inform you that your message could not be delivered to one or more recipients. It’s attached below. For further assistance, please send mail to postmaster. If you do so, please include this problem report. You can delete your own text from the attached returned message. The mail system 7653223147@txt.att.net: host mx3b.txt.att.net[166.216.152.132] said: 550 5.1.1 7653223147@txt.att.net recipient does not exist here. (in reply to RCPT TO command) 7753796439@txt.att.net: host mx3b.txt.att.net[166.216.152.132] said: 550 5.1.1 7753796439@txt.att.net recipient does not exist here. (in reply to RCPT TO command)
Reporting-MTA: dns; domain.tld X-Postfix-Queue-ID: 5977620D1 X-Postfix-Sender: rfc822; user@domain.tld Arrival-Date: Thu, 26 Nov 2020 02:40:45 +0100 (CET) Final-Recipient: rfc822; 7653223147@txt.att.net Original-Recipient: rfc822;7653223147@txt.att.net Action: failed Status: 5.1.1 Remote-MTA: dns; mx3b.txt.att.net Diagnostic-Code: smtp; 550 5.1.1 7653223147@txt.att.net recipient does not exist here. Final-Recipient: rfc822; 7753796439@txt.att.net Original-Recipient: rfc822;7753796439@txt.att.net Action: failed Status: 5.1.1 Remote-MTA: dns; mx3b.txt.att.net Diagnostic-Code: smtp; 550 5.1.1 7753796439@txt.att.net recipient does not exist here.
.eml
From:
ocgscntrc user@domain.tld
Date: 26/11/2020 at 02:40
To:
5137877158@vtext.com, 7143143933@usamobility.net, 7147673656@txt.att.net, 4708910182@vtext.com, 7757624722@txt.att.net, 2162193013@vtext.com, 5133353177@vtext.com, 5134979206@vtext.com, 5135435663@vtext.com, 9494669179@txt.att.net, 7753796439@txt.att.net, 5626828553@tmomail.net, 9802419040@vtext.com, 9725338903@txt.att.net, 7653223147@txt.att.net, 4074519653@txt.att.net, 8043896105@vtext.com, 8165203639@vtext.com, 5857640588@txt.att.net, 4027190733@vtext.com
You have received an important announcement regarding your Facebook acc.: http://rann-ghjyjpyoz.integra-sols.hr
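The bounce quoted above carries the server's own queue ID (5977620D1) and `X-Postfix-Sender: user@domain.tld`, which is what a practitioner would check first: was this message accepted by the local Postfix from an authenticated client, i.e. with that mailbox's password? As an added example (not part of the original post or of YunoHost), the script below reads Postfix log lines and answers the three questions that settle it: which accounts authenticated to submit mail and from which client IPs, which submissions went to many recipients at once, and what the log says about one queue ID. The log lines embedded here are constructed to resemble `/var/log/mail.log` for such a case; the hostnames, IPs and the queue IDs other than 5977620D1 are made up.

```shell
#!/bin/sh
# Added example, not from the original post: triage of an outbound-spam
# suspicion on a Postfix server by reading its submission log.
# CONSTRUCTED sample log: only queue ID 5977620D1 and user@domain.tld come
# from the bounce quoted in the post; everything else is invented.
SAMPLE_LOG='Nov 26 02:40:45 mydomain postfix/smtpd[21883]: connect from unknown[203.0.113.45]
Nov 26 02:40:45 mydomain postfix/smtpd[21883]: 5977620D1: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=user@domain.tld
Nov 26 02:40:45 mydomain postfix/qmgr[1021]: 5977620D1: from=<user@domain.tld>, size=2104, nrcpt=20 (queue active)
Nov 26 02:41:02 mydomain postfix/smtpd[21883]: 5A1B720D2: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=user@domain.tld
Nov 26 02:41:02 mydomain postfix/qmgr[1021]: 5A1B720D2: from=<user@domain.tld>, size=2098, nrcpt=20 (queue active)
Nov 26 09:15:10 mydomain postfix/smtpd[22410]: 6C0D120E3: client=box.home.example[192.0.2.10], sasl_method=LOGIN, sasl_username=user@domain.tld
Nov 26 09:15:10 mydomain postfix/qmgr[1021]: 6C0D120E3: from=<user@domain.tld>, size=812, nrcpt=1 (queue active)'

# Which accounts authenticated to submit mail, and from which client IPs?
# Reads Postfix log lines on stdin; prints "sasl_username client_ip count",
# busiest first. A user's name submitting from an IP that is not one of
# their devices is the classic sign of a stolen mailbox password.
auth_summary() {
  grep 'sasl_username=' |
    sed -n 's/.*client=[^[]*\[\([^]]*\)\].*sasl_username=\([^ ,]*\).*/\2 \1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $2, $3, $1 }'
}

# Which submissions went to many recipients at once? A spam run like the one
# in the bounce (20 recipients per message) stands out by nrcpt.
# Reads Postfix log lines on stdin; prints "queue_id sender nrcpt" for every
# message whose recipient count is at least $1 (default 10).
bulk_submissions() {
  min="${1:-10}"
  sed -n 's/.*: \([0-9A-F]*\): from=<\([^>]*\)>.*nrcpt=\([0-9]*\).*/\1 \2 \3/p' |
    awk -v min="$min" '$3 >= min'
}

# Follow one queue ID through the log (smtpd, cleanup, qmgr, smtp, bounce
# lines all carry it), e.g. the 5977620D1 named in the bounce.
trace_queue_id() {
  grep -- "$1:"
}

echo '== authenticated submissions per account and client IP =='
printf '%s\n' "$SAMPLE_LOG" | auth_summary
echo '== submissions with 10 or more recipients =='
printf '%s\n' "$SAMPLE_LOG" | bulk_submissions 10
echo '== trace of queue ID 5977620D1 =='
printf '%s\n' "$SAMPLE_LOG" | trace_queue_id 5977620D1
```

On the real server the same functions run as `auth_summary < /var/log/mail.log` and `bulk_submissions 10 < /var/log/mail.log`. If the spam shows up as SASL-authenticated submissions from an unknown IP, the mailbox password was the way in and changing it (already done in the post) closes it; the 107 queued messages can then be listed with `postqueue -p`, read with `postcat -q <queue_id>` before deciding, and only deleted once they are confirmed to be the spam run. If instead the messages were never accepted by this Postfix at all, the sender address was merely spoofed elsewhere and SPF/DKIM/DMARC on the domain, not the server, is the thing to check.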