mail problem

Discussion in 'Installation/Configuration' started by ciprianflorea, Aug 17, 2010.

  1. ciprianflorea

    ciprianflorea New Member

    Hi,

    during the last days ive noticed a weird problem on my ispconfig3 box, im running lenny with the latest ispconfig3.

    when i create a new mail account for some reason it has root ownership...

    here is the output of ls -la /var/vmail/domain.tld

    drwx------ 10 vmail vmail 4096 2010-08-17 01:16 marketing
    drwx------ 9 root vmail 4096 2010-08-17 10:50 melek

    first one an old email account and the second one is a newly created one... ive checked all the config files and everything looks ok...

    the annoyin part is that when i create new mailbox i have to chown to vmail by hand...

    any idea ?

    thanks!
     
  2. Mark_NL

    Mark_NL New Member

    Log into your admin panel, go to System -> Server Config -> -Click on your server- -> Tab: Mail

    check the field: Mailuser Name

    it should read "vmail" (the same as "Mailuser Group")
     
  3. ciprianflorea

    ciprianflorea New Member

    its all set as it should be... but still the mailboxes are created by root :(
     
  4. Mark_NL

    Mark_NL New Member

    who's the owner of the dir /var/vmail ?

    [email protected]:~$ ls -al /var/vmail/
    total 44
    drwxr-xr-x 7 vmail vmail 4096 2010-06-17 09:02 .
    drwxr-xr-x 16 root root 4096 2010-06-17 12:27 ..
     
  5. ciprianflorea

    ciprianflorea New Member

    www1:~# ls -al /var/vmail
    total 52
    drwxr-xr-x 8 vmail vmail 4096 2010-04-21 12:02 .
    drwxr-xr-x 20 root root 4096 2010-08-03 17:13 ..
    -rw-r--r-- 1 vmail vmail 220 2008-05-12 22:02 .bash_logout
    -rw-r--r-- 1 vmail vmail 3116 2008-05-12 22:02 .bashrc
    drwx------ 46 vmail vmail 4096 2010-08-17 20:22 d1.tld
    drwx------ 4 vmail vmail 4096 2010-06-26 16:58 d2.tld
    drwx------ 11 vmail vmail 4096 2010-08-17 10:44 d3.tld
    -rw------- 1 vmail vmail 1382 2010-08-17 10:17 .mailfilter
    -rw-r--r-- 1 vmail vmail 1382 2010-08-17 10:17 .mailfilter~
    drwxr-xr-x 7 vmail vmail 4096 2010-04-22 13:13 mailfilters
    drwx------ 3 vmail vmail 4096 2009-11-29 03:31 d4.tld
    drwx------ 2 vmail vmail 4096 2010-02-22 14:18 d5.tld
    -rw-r--r-- 1 vmail vmail 675 2008-05-12 22:02 .profile
     
  6. Mark_NL

    Mark_NL New Member

    hmm, strange .. i think falko of till should have a look .. i've looked into the ispconfig code, and did found the code where the folders get chown-ed .. and it clearly says "chown vmail ..." .. so i'm out of idea's

    sry
     
  7. ciprianflorea

    ciprianflorea New Member

    Yes, this is very strange. My server was hacked a few days ago and since then i got this problem. I can say that the attacker did a state of the art hack there, he exploited a new phpmyadmin bug thru setup.php (i advice all the users to rename or delete that file) after that he installed a non commercial version of openssh which leaves the root password unchanged and sets up a backup password used for remote root login, unfortunattely for him my sharp eyes noticed that the private key was changed. Well, after that the problems came up... when a create new mailbox its gets owned by root and i get the connection dropped by imap server error when im trying to login via sqmail, and i have to change the mailbox permisions by hand... of course i did a little sh script which does this every 10 mins... but this a temporaru solution...

    Any ideas are welcomed!
     
  8. Mark_NL

    Mark_NL New Member

    reinstall openssh?
     
  9. ciprianflorea

    ciprianflorea New Member


    oh, did that already... it took 10 mins to get rid of the attacker :)) the system is secured :) the only problem i have right now is the one with permissions :)
     
  10. ciprianflorea

    ciprianflorea New Member

    any one? any idea?
     
  11. falko

    falko Super Moderator ISPConfig Developer

    Did you run chkrootkit or rkhunter? Maybe the hacker changed some binaries, e.g. the chown tool. That would explain why the owners are wrong.
     
  12. ciprianflorea

    ciprianflorea New Member

    Problem solved:

    www1:~#postfix check
    www1:~#postfix flush

    those commands will set the right files/folders permissions

    everything is back to normal now :)
     

Share This Page