[wellylug] anti-rootkit programs: WAS Re: Mutt & exim4 freeze outgoing mail ..
Jethro Carr
jethro.carr at jethrocarr.com
Fri Jan 26 16:48:16 NZDT 2007
On Fri, 2007-01-26 at 16:40 +1300, Adam Bogacki wrote:
> >> Hmm .. My ISP rang to tell me that mail is arriving
> >> From: 'root at paradise.net.nz' again, since the latest
> >> 'dpkg-reconfigure exim4-config' (correctly done as root).
> >>
> >> /etc/exim4/update-exim4.conf.conf .. looks OK.
> >>
> >> I'm a bit stumped at the moment.
> >>
> >> Any ideas ?
> >
> >Um, I have slightly different setup here. My Exim is in its own Domain
> >and I get my mail from my ISP via fetchmail, so I don't use their Domain.
> >
> >I don't believe that exim, by default, does anything with the sender's
> >address. I believe that you will have to look at mutt for that. In my
> >mail client, Thunderbird, I set the address. If I use, eg, the 'mail'
> >command it defaults to root@<mydomain>.
>
> >I had a quick look at the 'mutt' man page. I *think* you can set it as
> >an environment variable or perhaps in the .muttrc.
>
> >There are some mutt users around. Maybe they can tell us for sure.
>
> The Paradise Webmaster sent me a sample of the offending emails. They originated
> with recently installed anti-rootkit programs 'logcheck', 'rkhunter', and
> 'tripwire'. I knew they would be emailing my 'root' account, but not via the ISP.
> Probably a config issue - most 'apt-get' Debian stuff just works, but this is
> Ubuntu's Edgy Eft. I uninstalled 'logcheck' and checked 'man rkhunter'
> but saw no reference as to why this may occur.
>
> Why would Ubuntu's default config suggest that 'root' lives at 'paradise.net.nz'
> rather than 'Tux', my system ? If not an Ubuntu issue, where should I best start looking ?

I haven't used exim, so I can't comment on what configuration problem it
might be.

But, what it sounds like, is that your server thinks it is part of the
paradise network, and is forwarding emails to the master server.

What output does the command 'hostname' give?

--
Jethro Carr
www.jethrocarr.com
www.jethrocarr.com/index.php?page=cv/cv.php