Full Version: SMTP uses faked local hostname
The Planet Forums > Control Panels > Plesk
RS-54081
I cannot find where this is coming from:

It seems my server is using a faked local hostname when sending mails, something like mail.cheaphappycigarettes.com ...

I have no idea where this comes from. My hostname is ns.mydomain.com,
and that's the exact value that I have in my Plesk server preferences.

If I do

# netstat -ta | grep "smtp"

I see 2 different kinds of lines:

tcp 0 0 ns.mydomain.com:smtp sea2kl20004.lightrealm:1289 TIME_WAIT
tcp 0 0 mail.cheaphappycigaret:smtp 37.182.180.60.broad.wz:3879 ESTABLISHED

So some connections do know my real hostname, and some (in fact most) use that fake domain, and those mails get sent out successfully.

mail.cheaphappycigarettes.com does not resolve, not even on my server.

I also searched many config files on the system, but I still have no idea how this was done...

Has anybody any idea how this is possible?

Any help would be highly appreciated!

cheers,
joempie
Galactic Zero
What is your server's IP whitelist set to? What is your mode of authentication set to for SMTP?
RS-54081
QUOTE (Galactic Zero)
What is your server's IP whitelist set to? What is your mode of authentication set to for SMTP?


Whitelist is 127.0.0.1/32.
Authentication is both POP and SMTP.

The strange thing is that my server seems to identify itself with the faked name. Even all my normal incoming mails appear to have been relayed through that fake domain according to the envelope headers (where it should say my real domain).
aussie
That is very strange!!
Galactic Zero
Run rkhunter, you might have been compromised.
aussie
That's what I say!
RS-54081
QUOTE (Galactic Zero)
Run rkhunter, you might have been compromised.


No rootkits found.... all green, except for a directory /etc/.java, which contains 2 empty files, so that can hardly be a problem either...
Galactic Zero
Check all domains for formmail.pl or some other mailer that could be exploited. I typically use TFMail. Look at the domain logs.
RS-54081
QUOTE (Galactic Zero)
Check all domains for formmail.pl or some other mailer that could be exploited. I typically use TFMail. Look at the domain logs.


Done that. No formmail or cgiemail scripts...
Squire
Assuming for a second that it's not a hacking or rogue script problem, here are a few things to check to see if something in the configuration is hung over from a previous install or something. And this is assuming you're on a dedicated machine and not a VPS.

1. Have you run the hostname command on the server to make sure it answers correctly?

2. Have you checked /var/qmail/control/me to make sure it lists only the correct hostname?

3. Have you done a PTR lookup of your IP(s) to make sure something old isn't in the EV1 DNS? You can do this at DNS Stuff. The PTR lookup is in the top righthand box. Note that to do a reverse lookup the address needs to be in .in-addr.arpa format. So if the IP address you're looking for was 12.123.234.3 you would plug 3.234.123.12.in-addr.arpa in the form box.

4. Lastly, realize that Qmail and pretty much every other mail server uses Reverse Lookups to get the information you're seeing. This can be troublesome when utilizing Name Based Hosting, because there is the potential for multiple domains to trace back to the same IP number. It can become more troublesome if all of the domains on a certain IP number have their own PTR record in their DNS.

If the domain in question were one on your server that was sharing the IP with other domains it's sometimes possible to remove the PTR record of all domains save one on that IP number and Qmail should use it. Of course this means the mail header would be correct for one domain and incorrect for all others on that particular IP number, but if it happened to be the main IP number with a domain set up to only be the hostname it's better than nothing.

Nighthawk released a reconfigurator tool that's here on the forums somewhere to make sure the hostname, /control/me, etc. all match your server's hostname. But there is one place it cannot change. In fact, this same place is something you can't see or change from within the Plesk control panel. It's in the PSA database.

This isn't really a Plesk bug. It tries to make some assumptions and to do the right thing, which can of course lead to such problems. Basically this is what happens...

When Plesk is first installed it creates a PTR record in the PSA database that will always write the first record in the reverse zone file to refer back to the server's name at install time. Which makes complete sense. The problem comes in when the server was built with either a "generic" name (e.g. plesk.rackshack.net, which EV1 uses for all installs) or some other domain, which it sounds like may be the case with your server. Even when you later set up the server under a real domain and fix all of the hostname issues, this (now faulty) information remains in the PSA database, so it gets written to the reverse zone.

How can you tell if this is possibly the problem?

Via SSH go to /var/named/run-root/var where the zone files are kept. Do an ls to look for a file that is the first three octets of your server's IP number range in the reverse in-addr.arpa format. Pico or nano the file to read it.

Does the offending information appear in this file? If so, it means the original Plesk install has stuck the info into your PSA database.

How to fix it? Well, this is not for the faint of heart and it won't do you any good trying to change it in this file because Plesk will simply change it back. The fix requires directly editing the PSA database, and Plesk doesn't give you a way to do this. Like I said, not for the faint of heart.

You would need to install phpMyAdmin and log into the PSA database. (Make sure to put it in a very safe place and I don't recommend leaving the install there after things are fixed! Far too risky.)

Typically, the first install data is going to be in record ID 2 in the psa database table dns_recs. If what you see there isn't correct, change it. Personally I would recommend using the server's full hostname, assuming you've got a PTR set up for it with the EV1 Reverse Pointer tool.
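A script for steps 1 through 3 of the checklist above, added here as an example and not code from the thread: it converts an address to the in-addr.arpa form used for a PTR query and compares the kernel hostname, /var/qmail/control/me and the PTR record of each IP you pass in. It assumes `dig` is installed and that qmail's control file lives at the path named in step 2.

```shell
#!/bin/sh
# Added example: check the places the server's name must agree.

# Turn a dotted-quad IPv4 address into its in-addr.arpa name, e.g.
# 12.123.234.3 -> 3.234.123.12.in-addr.arpa (the form step 3 asks for).
reverse_ip() {
    echo "$1" | awk -F. '{ print $4"."$3"."$2"."$1".in-addr.arpa" }'
}

# Compare the kernel hostname, qmail's control/me and the PTR record of
# every IP given as an argument. Path to control/me and use of `dig`
# are assumptions; adjust for your system.
check_hostname_consistency() {
    host_cmd=$(hostname)
    qmail_me=$(cat /var/qmail/control/me 2>/dev/null || true)
    echo "hostname:          $host_cmd"
    echo "qmail control/me:  ${qmail_me:-<missing>}"
    [ "$host_cmd" = "$qmail_me" ] \
        || echo "MISMATCH: hostname and /var/qmail/control/me differ"
    for ip in "$@"; do
        # dig +short -x prints the PTR target with a trailing dot; strip it.
        ptr=$(dig +short -x "$ip" 2>/dev/null | sed 's/\.$//')
        echo "PTR $ip ($(reverse_ip "$ip")): ${ptr:-<none>}"
        [ -z "$ptr" ] || [ "$ptr" = "$host_cmd" ] \
            || echo "MISMATCH: PTR for $ip is $ptr, not $host_cmd"
    done
}
```

Run it as root with your server's IPs as arguments, e.g. `check_hostname_consistency 12.123.234.3`; any line starting with MISMATCH points at the place to fix.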
RS-54081
Squire, thank you so much for your input! That's extremely constructive. I still have to try some of it out, but at least there are some things in your post that I would/could never have thought of myself.

cheers,
joempie
Galactic Zero
If you need instructions on how to add the psa database to phpMyAdmin let me know, I've got a copy of the write-up.
Squire
It would probably be appreciated by lots of people if you don't mind making it available, Franklyn. If for no other reason than that every EV1 Plesk install I've seen comes with the fake plesk.rackshack.net as a PTR in there.

As long as everyone understands up front that they need to be very careful when fooling around in the PSA database. You can really foobar a server if you do something wrong in that one!
RS-54081
QUOTE (Squire)
3. Have you done a PTR lookup of your IP(s) to make sure something old isn't in the EV1 DNS? You can do this at DNS Stuff. The PTR lookup is in the top righthand box. Note that to do a reverse lookup the address needs to be in .in-addr.arpa format. So if the IP address you're looking for was 12.123.234.3 you would plug 3.234.123.12.in-addr.arpa in the form box.


Bingo! It seems that the PTR lookup for a couple of my IPs results in weird domain names, among them the happy cigarettes domain...

Anything I can do to fix this myself or should I just open an EV1 trouble ticket for that?

Many thanks again for your great help!

Best regards,
Jeompie
Galactic Zero
Ok, you've been warned, here is the info to add the PSA database:

Since a couple of folks would like to know, here is what I did:

1.) Plesk uses MySQL to store all of its settings in a database called "psa". In order to change how things work in Plesk when the GUI doesn't directly support certain operations, you can insert rows in some of the tables within the "psa" database.

PLEASE BE VERY, VERY, VERY CAREFUL when messing about with the "psa" database. Inserting, changing, or deleting the wrong thing can seriously damage, or even break, your Plesk installation.

So before doing anything else - MAKE A BACKUP OF YOUR EXISTING PSA DATABASE!


2.) The easiest way to play around with the "psa" database is to use the "DB WebAdmin" tool that is packaged with Plesk to update the database. (This tool is actually the open source phpMyAdmin tool.)

The only problem is that Plesk will only let you use the phpMyAdmin tool on databases that you create through Plesk. I guess the idea here is to keep people from attempting what I'm going to show you how to do.

Since the "psa" database is created during the installation of Plesk, in order to make it available to phpMyAdmin, you'll need to use the command-line interface to MySQL to insert a row in a table within the "psa" database.

To do this you will need to have shell access to your system - if you don't have this, you will have a difficult time doing the rest of the things in these instructions. Log into your web server, and su to root.

(An important note is in order here - we run Plesk 7 on a server that we own, but since we want to understand what our customers' experience is like using our service, we run the web site for our hosting company on Plesk as if it was another customer account. The goal here is to associate the "psa" database with the user account that has the web site for our hosting company on it.)

Plesk uses a numeric "domain id" to associate resources with specific domains. The ids are assigned in the order that the domains are assigned to the system. So for our web hosting company site, since it was the first site added to the system, it has a domain_id of "1".

The "data_bases" table in the "psa" database contains a list of databases that are associated with each domain account.

So from the Unix shell, start up MySQL like this:
"mysql --database psa --user admin --password"

MySQL will then prompt you for a password -- enter the admin password for your Plesk installation. This should allow you to then issue database commands against the "psa" database.

So to allow a domain account to access the "psa" database via phpMyAdmin - assuming the "domain id" is equal to "1", use the following statement:

INSERT INTO data_bases (name,type,dom_id) VALUES ('psa','mysql','1');

For those who may not know, to get a list of all of the domains set up within Plesk and their associated ids, use the following MySQL command:

SELECT * FROM domains;

[Look for the domain name in question in the 'name' column, and then note down the number in the 'id' column. This is the value you want to use for dom_id in the data_bases table.]

3.) Exit from MySQL and log out of the shell on your web server. At this point, when you log back into Plesk using the user account that has access to the domain where you added access to the psa database, you should now be able to click on the "Databases" icon (at the domain level) and then the "DbWebAdmin" icon to fire up phpMyAdmin to work with the PSA database.


4.) DNS records for each domain are kept in the 'dns_recs' table in the psa database. Once again, for any domain to which you wish to add a TXT record with SPF data, you will need to know the domain id (which can be had by browsing through the domains table).

Insert a record with a TYPE of "TXT" and the SPF data into the VAL column. To force the changes to be written out to the actual DNS files, you can then click on the DNS icon in Plesk and add and delete a bogus host record using Plesk.


Once again . . . MAKE SURE YOU HAVE A BACKUP OF YOUR PSA DATABASE BEFORE ATTEMPTING ANY OF THIS!


Noah Kaufman
NWD Hosting


2nd July 2004 04:55 PM

One more thing . . .

The trick that I talked about in my previous post for adding the PSA database to the data_bases table also works for other things too.

So we use both ModernBill and HelpCenterLive in our operations, and I've added those MySQL databases to our domain account in Plesk as well.

This way we can use phpMyAdmin to look at what's in those databases, and on the rare occasions when things get completely messed up, go in and manually change values in the tables.

Noah Kaufman
NWD Hosting
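A wrapper for steps 1 and 2 of the write-up above, added as an example and not the poster's own script: it refuses any domain id that is not a plain number, dumps the psa database to a timestamped file before touching it, and only then runs the INSERT and lists the PTR rows in dns_recs. It assumes the Plesk admin password is exported in MYSQL_PWD (so it does not appear on the command line) and that dns_recs has a `type` column as described in step 4.

```shell
#!/bin/sh
# Added example: back up psa, then expose it to one domain's DbWebAdmin.
# Assumes MYSQL_PWD holds the Plesk admin password; BACKUP_DIR is a guess.
BACKUP_DIR=${BACKUP_DIR:-/root/psa-backups}

# Build the INSERT from step 2. Only a positive integer is accepted as
# dom_id, so a typo or stray quote can never be interpolated into SQL.
build_grant_sql() {
    case "$1" in
        ''|*[!0-9]*) echo "invalid dom_id: '$1'" >&2; return 1 ;;
    esac
    printf "INSERT INTO data_bases (name,type,dom_id) VALUES ('psa','mysql','%s');\n" "$1"
}

# Step 1: dump the whole psa database before any change; print the path.
psa_backup() {
    mkdir -p "$BACKUP_DIR"
    out="$BACKUP_DIR/psa-$(date +%Y%m%d-%H%M%S).sql"
    mysqldump --user admin psa > "$out" || return 1
    echo "$out"
}

# Backup first; the INSERT runs only if the dump succeeded. Afterwards list
# the PTR rows so the install-time record (typically id 2) can be checked.
expose_psa_to_domain() {
    sql=$(build_grant_sql "$1") || return 1
    backup=$(psa_backup) || { echo "backup failed, aborting" >&2; return 1; }
    echo "backup written to $backup"
    printf '%s\n' "$sql" | mysql --database psa --user admin || return 1
    mysql --database psa --user admin -e "SELECT * FROM dns_recs WHERE type = 'PTR';"
}
```

Find the id with `SELECT * FROM domains;` as in the write-up, then call `expose_psa_to_domain <id>` as root.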
Squire
QUOTE
Anything I can do to fix this myself or should I just open an EV1 trouble ticket for that?


I'm assuming here that the EV1 IPs answered as authoritative for those PTR queries, right? You should see which IPs are answering. Typically I see ns1.ev1.net and ns2.ev1.net with A records when I do one of these reverse lookups on my own server.

You can try going into the admin tools inside the EV1 members area. I believe it's under DNS Configuration > Reverse Pointers. See if you can change the pointers for each of the affected IPs there and get it to accept the change. It may or may not work, since it sounds like there's a conflict of some type.

If you can change it, do so. Then give it an hour or so for EV1's DNS servers to update and run the DNSStuff test again. It's a realtime tool, so it should reflect any change it sees.

If you're still seeing the wonky domains pointing to your server IPs you need to simply open a trouble ticket with EV1 to have them take a look at their DNS servers to make corrections manually.
Squire
Thanks Franklyn. I'm sure others will appreciate the detail.

Personally, I don't tweak the Plesk phpMyAdmin thingee. I just upload a copy of the open source software to a password protected directory if/when I need to get into the PSA database, then delete it when I'm done. But I do not normally need to get in there more than once, just to change the dns_recs PTR pointer. It sounds like you do need to get in there more often.

As said before, everybody be very, very careful if you start fiddling with the PSA database. And make sure you make a backup before you do anything else. It's really easy to hose a server while in there, and there's no getting it back easily if you haven't made a backup.
Galactic Zero
I use a software package called Navicat to access all DBs on my server. It works nicely and for the $100 price tag makes my life nice and easy; I have it configured to work with SSH.