myVesta

Posted: **Wed Jul 01, 2020 1:34 pm**

Hi dpeca,

I got some errors in my email marketing application.

It says like this:

++ Starting Swift_SmtpTransport << 220 smart.domain.com ESMTP Exim 4.92 Wed, 01 Jul 2020 08:18:02 +0200 >> EHLO domain.com << 250-smart.domain.com Hello localhost [127.0.0.1] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP >> AUTH LOGIN << 334 VXNlcm5hbWU6 >> bWFya0BpY2xvdWRpby5jb20= << 334 UGFzc3dvcmQ6 >> MTAzOTgwMTQ= << 235 Authentication succeeded ++ Swift_SmtpTransport started >> MAIL FROM:<[email protected]> << 250 OK >> RCPT TO:<[email protected]> << 550-Email account is sending too much emails [limitlog]: 550 deny / email / [email protected] / 40.1 / 1h !! Expected response code 250/251/252 but got code "550", with message "550-Email account is sending too much emails [limitlog]: 550 deny / email / [email protected] / 40.1 / 1h " (code: 550) >> RSET << 250 Reset OK

I'm pretty sure I don't send too much emails as I limit the email to be send out into 1 email max per minute and occasionally I got this problem.

What could be the problem? Is it Exim problem?
How to troubleshoot?

TIA
bfcrew

Posted: **Wed Jul 01, 2020 1:47 pm**

Open /etc/exim4/exim4.conf.template

add comment to this line: https://github.com/myvesta/vesta/blob/m ... mplate#L60
and to this whole block: https://github.com/myvesta/vesta/blob/m ... te#L64-L71

then run:

Code: Select all

service exim4 restart

... or just put higher number insted of 40.

Also check logs:
- /var/log/exim4/mainlog
- /var/log/php-mail.log
... and you will see that site really sent more than 40 mails within 60 minutes.

Posted: **Wed Jul 01, 2020 2:06 pm**

Add comment is by adding "#" in front correct?

When I opened /var/log/exim4/mainlog there's a lot of incorrect authentication data from someone like these:

Code: Select all

2020-07-01 00:00:16 no host name found for IP address 185.143.75.81
2020-07-01 00:00:20 dovecot_login authenticator failed for (User) [46.38.150.72]: 535 Incorrect authentication data ([email protected])
2020-07-01 00:00:24 dovecot_login authenticator failed for (User) [185.143.75.81]: 535 Incorrect authentication data ([email protected])
2020-07-01 00:00:48 no host name found for IP address 46.38.150.132
2020-07-01 00:00:53 dovecot_login authenticator failed for (User) [46.38.150.132]: 535 Incorrect authentication data ([email protected])
2020-07-01 00:01:11 no host name found for IP address 46.38.150.72
2020-07-01 00:01:18 dovecot_login authenticator failed for (User) [46.38.150.72]: 535 Incorrect authentication data ([email protected])
2020-07-01 00:02:10 no host name found for IP address 46.38.150.72
2020-07-01 00:02:17 dovecot_login authenticator failed for (User) [46.38.150.72]: 535 Incorrect authentication data ([email protected])
2020-07-01 00:02:17 no host name found for IP address 46.38.150.132
2020-07-01 00:02:23 dovecot_login authenticator failed for (User) [46.38.150.132]: 535 Incorrect authentication data ([email protected])
2020-07-01 00:03:09 no host name found for IP address 46.38.150.72
2020-07-01 00:03:16 dovecot_login authenticator failed for (User) [46.38.150.72]: 535 Incorrect authentication data (set_id=inktoner_inkjetcartridges@icloud$
2020-07-01 00:03:45 no host name found for IP address 46.38.150.132
2020-07-01 00:03:52 dovecot_login authenticator failed for (User) [46.38.150.132]: 535 Incorrect authentication data ([email protected])
2020-07-01 00:04:07 no host name found for IP address 46.38.150.72
2020-07-01 00:04:14 dovecot_login authenticator failed for (User) [46.38.150.72]: 535 Incorrect authentication data ([email protected])
2020-07-01 00:04:15 SMTP command timeout on connection from (User) [185.143.75.153]
2020-07-01 00:05:14 no host name found for IP address 46.38.150.132
2020-07-01 00:05:21 dovecot_login authenticator failed for (User) [46.38.150.132]: 535 Incorrect authentication data ([email protected])
2020-07-01 00:05:24 SMTP command timeout on connection from (User) [185.143.75.81]
2020-07-01 02:21:01 H=localhost (domain.com) [127.0.0.1] Warning: Sender rate [limitlog]: log / email / [email protected] / 39.9 / 1h

Is it someone trying to login to hack the SMTP login? How to prevent this?

While when opened /var/log/php-mail.log it just empty, nothing written there.

Posted: **Wed Jul 01, 2020 2:26 pm**

Sorry, I gave you wrong lines to comment, it's for sending mails using mail() php functoion.

These are correct lines to comment: https://github.com/myvesta/vesta/blob/m ... #L105-L109

Yes, just put # on the beginning of lines.

After that run

Code: Select all

service exim4 restart

Posted: **Wed Jul 01, 2020 2:29 pm**

bfcrew wrote: ↑Wed Jul 01, 2020 2:06 pm When I opened /var/log/exim4/mainlog there's a lot of incorrect authentication data from someone like these:
Is it someone trying to login to hack the SMTP login? How to prevent this?

Yes, but it's normal, bots are doing it all the time on all servers.
fail2ban service will block them after 3 wrong authentications, just check if fail2ban service is active.

Posted: **Wed Jul 01, 2020 2:31 pm**

bfcrew wrote: ↑Wed Jul 01, 2020 2:06 pm

Code: Select all

2020-07-01 02:21:01 H=localhost (domain.com) [127.0.0.1] Warning: Sender rate [limitlog]: log / email / [email protected] / 39.9 / 1h

Try to find a lines where counter was under 39, and copy here 5 lines after that line.

Posted: **Wed Jul 01, 2020 2:40 pm**

dpeca wrote: ↑Wed Jul 01, 2020 2:29 pm
bfcrew wrote: ↑Wed Jul 01, 2020 2:06 pm When I opened /var/log/exim4/mainlog there's a lot of incorrect authentication data from someone like these:
Is it someone trying to login to hack the SMTP login? How to prevent this?
Yes, but it's normal, bots are doing it all the time on all servers.
fail2ban service will block them after 3 wrong authentications, just check if fail2ban service is active.

Yes, fail2ban is active

dpeca wrote: ↑Wed Jul 01, 2020 2:31 pm
bfcrew wrote: ↑Wed Jul 01, 2020 2:06 pm
Code: Select all
2020-07-01 02:21:01 H=localhost (domain.com) [127.0.0.1] Warning: Sender rate [limitlog]: log / email / [email protected] / 39.9 / 1h
Try to find a lines where counter was under 39, and copy here 5 lines after that line.

It just something like these:

Code: Select all

2020-07-01 02:08:02 H=localhost (domain.com) [127.0.0.1] Warning: Sender rate [limitlog]: log / email / [email protected] / 39.5 / 1h
2020-07-01 02:08:02 1jqQIE-00065I-2H <= [email protected] H=localhost (domain.com) [127.0.0.1] P=esmtpa A=dovecot_login:[email protected] S=3174 id=9060$
2020-07-01 02:08:02 1jqQIE-00065I-2H => [email protected] R=dnslookup T=remote_smtp H=gmail-smtp-in.l.google.com [108.177.119.26] X=TLS1.3:ECDHE$
2020-07-01 02:08:02 1jqQIE-00065I-2H Completed
2020-07-01 02:09:00 SMTP command timeout on connection from (User) [185.143.73.162]
2020-07-01 02:09:01 no host name found for IP address 46.38.150.72
2020-07-01 02:09:02 H=localhost (domain.com) [127.0.0.1] Warning: Sender rate [limitlog]: log / email / [email protected] / 39.9 / 1h
2020-07-01 02:09:02 1jqQJC-00068A-1z <= [email protected] H=localhost (domain.com) [127.0.0.1] P=esmtpa A=dovecot_login:[email protected] S=3134 id=a7e8$
2020-07-01 02:09:03 1jqQJC-00068A-1z => [email protected] R=dnslookup T=remote_smtp H=mx00.mail.com [74.208.5.20] X=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:25$
2020-07-01 02:09:03 1jqQJC-00068A-1z Completed

Posted: **Wed Jul 01, 2020 3:22 pm**

Then you really sent 40 mails within 1 hour.

Eventually you can comment just deny block - https://github.com/myvesta/vesta/blob/m ... #L105-L106
and leave warn log _message so you can see how many mails were sent.

Posted: **Wed Jul 01, 2020 3:33 pm**

dpeca wrote: ↑Wed Jul 01, 2020 3:22 pm Then you really sent 40 mails within 1 hour.

Eventually you can comment just deny block - https://github.com/myvesta/vesta/blob/m ... #L105-L106
and leave warn log _message so you can see how many mails were sent.

OK done.

How to see how many mails were sent? Just by looking the exim4 main log?

Basically in principle how many emails could be send max in a server in an hour?

Thankfully I just warming up this server, so not that many emails were sent in an hour (only max 1 email per minute). Imagine if it was running without limitation.

Posted: **Wed Jul 01, 2020 3:56 pm**

bfcrew wrote: ↑Wed Jul 01, 2020 3:33 pm How to see how many mails were sent? Just by looking the exim4 main log?

Yes.
You can run:
tail -f /var/log/exim4/mainlog | grep 'limitlog'
or
grep 'limitlog' /var/log/exim4/mainlog

bfcrew wrote: ↑Wed Jul 01, 2020 3:33 pm Basically in principle how many emails could be send max in a server in an hour?

That depends from your CPU speed and network speed.
Never tested.

bfcrew wrote: ↑Wed Jul 01, 2020 3:33 pm Thankfully I just warming up this server, so not that many emails were sent in an hour (only max 1 email per minute). Imagine if it was running without limitation.

Especially when PHP malware send it

Thanks, it's one great feature of myVesta fork.

myVesta

Swift_SmtpTransport Error

Swift_SmtpTransport Error

Re: Swift_SmtpTransport Error

Re: Swift_SmtpTransport Error

Re: Swift_SmtpTransport Error

Re: Swift_SmtpTransport Error

Re: Swift_SmtpTransport Error

Re: Swift_SmtpTransport Error

Re: Swift_SmtpTransport Error

Re: Swift_SmtpTransport Error

Re: Swift_SmtpTransport Error