LF_EXIMSYNTAX and LF_IMAPD ignoring blocks

This forum is only for reproducible bugs with csf and lfd (i.e. not iptables problems, lack of understanding how to use a feature, etc). Posts must be accompanied with full technical details of the problem and how it can be recreated. Any posts not adhering to this, or not considered bugs, will be moved to the General Discussion (csf) forum.
Post Reply
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

LF_EXIMSYNTAX and LF_IMAPD ignoring blocks

Post by Sergio »

In the server I have set:
RESTRICT_SYSLOG = 3
LF_TRIGGER = 0
LF_TRIGGER_PERM = 1
LF_SELECT = OFF

LF_EXIMSYNTAX = 10
LF_EXIMSYNTAX_PERM = 3600

LF_IMAPD = 10
LF_IMAPD_PERM = 1

But even with that set, /var/log/messages shows, please note that I don't have those IP white listed:

EXIM SYNTAX, ignored:
Jun 13 12:23:07 serverX lfd[393306]: Exim syntax errors from 123.123.123.123 - ignored
Jun 13 12:25:18 serverX lfd[393306]: Exim syntax errors from 123.123.123.123 - ignored
Jun 13 12:26:19 serverX lfd[393306]: Exim syntax errors from 123.123.123.123 - ignored
Jun 13 12:27:20 serverX lfd[393306]: Exim syntax errors from 123.123.123.123 - ignored
Jun 13 12:27:20 serverX lfd[393306]: Exim syntax errors from 123.123.123.123 - ignored
Jun 13 12:29:01 serverX lfd[393306]: Exim syntax errors from 123.123.123.123 - ignored
Jun 13 12:31:38 serverX lfd[393306]: Exim syntax errors from 123.123.123.123 - ignored
Jun 13 12:32:38 serverX lfd[393306]: Exim syntax errors from 123.123.123.123 - ignored
Jun 13 12:33:39 serverX lfd[393306]: Exim syntax errors from 123.123.123.123 - ignored
Jun 13 12:33:39 serverX lfd[393306]: Exim syntax errors from 123.123.123.123 - ignored
Jun 13 12:34:49 serverX lfd[393306]: Exim syntax errors from 123.123.123.123 - ignored
Jun 13 12:37:06 serverX lfd[393306]: Exim syntax errors from 123.123.123.123 - ignored
Jun 13 12:38:12 serverX lfd[393306]: Exim syntax errors from 123.123.123.123 - ignored
Jun 13 12:39:12 serverX lfd[393306]: Exim syntax errors from 123.123.123.123 - ignored
* SPOOFED IP

IMAPD, ignored:
Jun 13 12:11:23 server2 lfd[811449]: Failed IMAP login from 123.123.123.123 - ignored
Jun 13 12:11:28 server2 lfd[811449]: Failed IMAP login from 123.123.123.123 - ignored
Jun 13 12:11:28 server2 lfd[811449]: Failed IMAP login from 123.123.123.123 - ignored
Jun 13 12:12:33 server2 lfd[811449]: Failed IMAP login from 123.123.123.123 - ignored
Jun 13 12:12:43 server2 lfd[811449]: Failed IMAP login from 123.123.123.123 - ignored
Jun 13 12:17:32 server2 lfd[811449]: Failed IMAP login from 123.123.123.123 - ignored
Jun 13 12:17:47 server2 lfd[811449]: Failed IMAP login from 123.123.123.123 - ignored
Jun 13 12:22:37 server2 lfd[393306]: Failed IMAP login from 123.123.123.123 - ignored
Jun 13 12:22:52 server2 lfd[393306]: Failed IMAP login from 123.123.123.123 - ignored
Jun 13 12:33:39 server2 lfd[393306]: Failed IMAP login from 123.123.123.123 - ignored
Jun 13 12:33:49 server2 lfd[393306]: Failed IMAP login from 123.123.123.123 - ignored
Jun 13 12:34:49 server2 lfd[393306]: Failed IMAP login from 123.123.123.123 - ignored
Jun 13 12:35:00 server2 lfd[393306]: Failed IMAP login from 123.123.123.123 - ignored
Jun 13 12:51:19 server2 lfd[393306]: Failed IMAP login from 123.123.123.123 - ignored
Jun 13 12:51:30 server2 lfd[393306]: Failed IMAP login from 123.123.123.123 - ignored
* SPOOFED IPs

This has been working before.

Regards,
Sergio
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: LF_EXIMSYNTAX and LF_IMAPD ignoring blocks

Post by ForumAdmin »

That is only going to happen if the IP address appears in either:

1. a local ignore
2. a global ignore
3. CC_IGNORE
4. csf.rignore as a domain
5. the IP is a local IP

either explicitly or as part of a CIDR.
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: LF_EXIMSYNTAX and LF_IMAPD ignoring blocks

Post by Sergio »

ForumAdmin wrote:That is only going to happen if the IP address appears in either:
1. a local ignore:
No it is not in a local ignore.

2. a global ignore:
No it is not in a global ignore.

3. CC_IGNORE:
Is empty.

4. csf.rignore as a domain:
Only google.com is on csf.rignore.

5. the IP is a local IP:
No, it is not a local IP.

6. either explicitly or as part of a CIDR:
In the server the only CIDR allowed are gmail IPs and the offending IPs are not from gmail.

Here is what CSF shows when searching for the IP:

Searching for 123.123.123.123...
Chain num pkts bytes target prot opt in out source destination
No matches found for 123.123.123.123 in iptables

IPSET: Set:cc_xx Match:123.123.123.123 Setting:CC_ALLOW_PORTS Country: XX

ip6tables:
Chain num pkts bytes target prot opt in out source destination
No matches found for 123.123.123.123 in ip6tables

...Done.

Under CC_ALLOW_PORTS_TCP/UDP only ports 20 and 21 are set and none of them are for Exim nor IMAP.

Something else that I should check?
Post Reply