NeilWang's questions

Primeiro, não estou usando IPv6 no meu servidor, e o IPv6 está sendo desabilitado.

Entretanto, se eu executar firewall-cmd --list-all-policies, posso ver que há uma política padrão chamada allow-host-ipv6.

O que ele realmente faz? Também não tenho ideia de onde vem essa política. Tenho quase certeza de que o /etc/firewalld/policies/diretório está vazio. Como posso me livrar dele?

# firewall-cmd --list-all-policies
allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv6" icmp-type name="neighbour-advertisement" accept
        rule family="ipv6" icmp-type name="neighbour-solicitation" accept
        rule family="ipv6" icmp-type name="router-advertisement" accept
        rule family="ipv6" icmp-type name="redirect" accept

Estou ajudando um cliente a atualizar seu servidor Exchange 2010 herdado existente. No entanto, descobri que o número de versão obtido do Shell de Gerenciamento do Exchange é diferente do Console de Gerenciamento do Exchange.

O serviço está em execução no momento e o e-mail está funcionando.

É seguro ignorar? Qual é a versão real instalada?

Eu tenho um servidor de retransmissão de e-mail Postfix executando como host inteligente do Exchange, além de hospedar outro e-mail localmente.

Na semana passada observei um ataque neste servidor, alguém o está usando para enviar e-mails massivos para diferentes destinos.

Não consigo descobrir de onde ele está conectado e o endereço "de" também está mascarado.

Abaixo estão os logs de e-mail:

Apr 16 06:29:10 mail.xxx.com postfix/qmgr[25497]: EC5A91D727: from=<>, size=3096, nrcpt=1 (queue active)
Apr 16 06:29:10 mail.xxx.com postfix/bounce[12183]: B37D31D6FA: sender non-delivery notification: EC5A91D727
Apr 16 06:29:10 mail.xxx.com postfix/qmgr[25497]: B37D31D6FA: removed
Apr 16 06:29:11 mail.xxx.com postfix/smtp[12164]: 1A9B71D801: to=<xxx@inver**.com>, relay=inver**.com[164.138.x.x]:25, delay=50, delays=39/0/6.7/5, dsn=2.0.0, status=sent (250 OK id=1lX6jh-000875-TC)
Apr 16 06:29:11 mail.xxx.com postfix/qmgr[25497]: 1A9B71D801: removed
Apr 16 06:29:11 mail.xxx.com postfix/smtp[11990]: 3BEAB1D9C3: to=<xxx@tms**.pl>, relay=tms**.pl[194.181.x.x]:25, delay=49, delays=37/0/6.7/5.4, dsn=2.0.0, status=sent (250 OK id=1lX6ji-000469-QT)
Apr 16 06:29:11 mail.xxx.com postfix/qmgr[25497]: 3BEAB1D9C3: removed
Apr 16 06:29:12 mail.xxx.com postfix/smtp[12954]: 418621D80D: to=<xxx@medi**.com.cn>, relay=mxw**.com[198.x.x.x]:25, delay=51, delays=38/0/8.5/4.5, dsn=5.0.0, status=bounced (host mxw.mxhichina.com[198.11.189.243] said: 551 virus infected mail rejected (in reply to end of DATA command))
Apr 16 06:29:12 mail.xxx.com postfix/cleanup[7936]: 6711A1D7B7: message-id=<[email protected]>
Apr 16 06:29:12 mail.xxx.com postfix/bounce[12184]: 418621D80D: sender non-delivery notification: 6711A1D7B7
Apr 16 06:29:12 mail.xxx.com postfix/qmgr[25497]: 418621D80D: removed
Apr 16 06:29:12 mail.xxx.com postfix/qmgr[25497]: 6711A1D7B7: from=<>, size=2554, nrcpt=1 (queue active)
Apr 16 06:29:12 mail.xxx.com postfix/smtp[11499]: 65E4C1D95F: to=<xxx@an**.com>, relay=aspmx.l.google.com[172.217.x.x]:25, delay=51, delays=38/0/6.3/6.7, dsn=5.7.0, status=bounced (host aspmx.l.google.com[172.217.194.27] said: 552-5.7.0 This message was blocked because its content presents a potential 552-5.7.0 security issue. Please visit 552-5.7.0  https://support.google.com/mail/?p=BlockedMessage to review our 552 5.7.0 message content and attachment content guidelines. z63si3810735ybh.300 - gsmtp (in reply to end of DATA command))
Apr 16 06:29:12 mail.xxx.com postfix/cleanup[10468]: 705F91D801: message-id=<[email protected]>
Apr 16 06:29:12 mail.xxx.com postfix/smtp[11996]: F05911DBCA: to=<xxx@maq**.ae>, relay=maq**.protection.outlook.com[104.47.x.x]:25, delay=36, delays=27/0/3.1/6, dsn=2.6.0, status=sent (250 2.6.0 <[email protected]> [InternalId=93338229282509, Hostname=DB8PR10MB2745.EURPRD10.PROD.OUTLOOK.COM] 933811 bytes in 3.322, 274.451 KB/sec Queued mail for delivery)
Apr 16 06:29:12 mail.xxx.com postfix/qmgr[25497]: F05911DBCA: removed
Apr 16 06:29:12 mail.xxx.com postfix/bounce[12183]: 65E4C1D95F: sender non-delivery notification: 705F91D801
Apr 16 06:29:12 mail.xxx.com postfix/qmgr[25497]: 65E4C1D95F: removed

Como verificar onde está a origem do ataque? Existe uma maneira de limitar apenas um intervalo específico de domínios que podem ser usados ​​para retransmissão de e-mail?

Eu não sou um profissional do Postfix, então quaisquer sugestões/conselhos seriam bem-vindos.

Renomeei o nome do computador do meu único DC no meu domínio de teste. No entanto, parece que o banco de dados não está completamente atualizado. Eu encontrei a tela azul 0xc00002e2 após a primeira reinicialização. Em seguida, tentei corrigi-lo usando os comandos ntdsutil -> Compact to para reconstruir o arquivo ntds.dit.

O servidor finalmente conseguiu inicializar normalmente. Mas, não posso usar nenhum serviço AD agora. Aqui está o que o dcdiag está dizendo:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = dc1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: SEA\SDC
      Starting test: Connectivity
         ......................... SDC passed test Connectivity

Doing primary tests

   Testing server: SEA\SDC
      Starting test: Advertising
         Fatal Error:DsGetDcName (SDC) call failed, error 1717
         The Locator could not find the server.
         ......................... SDC failed test Advertising
      Starting test: FrsEvent
         ......................... SDC passed test FrsEvent
      Starting test: DFSREvent
         The event log DFS Replication on server sdc.sea.nr could not be queried, error 0x6ba
         "The RPC server is unavailable."
         ......................... SDC failed test DFSREvent
      Starting test: SysVolCheck
         ......................... SDC passed test SysVolCheck
      Starting test: KccEvent
         The event log Directory Service on server sdc.sea.nr could not be queried, error 0x6ba
         "The RPC server is unavailable."
         ......................... SDC failed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SDC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SDC passed test MachineAccount
      Starting test: NCSecDesc
         ......................... SDC passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\SDC\netlogon)
         [SDC] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
         ......................... SDC failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SDC passed test ObjectsReplicated
      Starting test: Replications
         ......................... SDC passed test Replications
      Starting test: RidManager
         ......................... SDC passed test RidManager
      Starting test: Services
         Could not open Remote ipc to [sdc.sea.nr]: error 0x43 "The network name cannot be found."
         ......................... SDC failed test Services
      Starting test: SystemLog
         The event log System on server sdc.sea.nr could not be queried, error 0x6ba "The RPC server is unavailabl
         ......................... SDC failed test SystemLog
      Starting test: VerifyReferences
         ......................... SDC passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : sea
      Starting test: CheckSDRefDom
         ......................... sea passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... sea passed test CrossRefValidation

   Running enterprise tests on : sea.nr
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1717
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1717
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1717
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1717
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1717
         A KDC could not be located - All the KDCs are down.
         ......................... sea.nr failed test LocatorCheck
      Starting test: Intersite
         ......................... sea.nr passed test Intersite

Parece que o servidor estava tentando se conectar ao sdc.sea.nr, que é o nome que eu pretendia renomear. Mas atualmente o nome do computador ainda está mostrando o antigo e não consegui adicionar um registro A no servidor DNS local. Como devo corrigir isso?