我正在协助客户升级他们现有的旧版 Exchange 2010 服务器。但是,我发现从 Exchange 命令行管理程序获得的版本号与 Exchange 管理控制台不同。
该服务目前正在运行,并且电子邮件正在运行。
可以忽略它吗?安装的是哪个真实版本?
我有一个作为 Exchange smarthost 运行的 Postfix 邮件中继服务器,并在本地托管另一封邮件。
上周我观察到对这台服务器的攻击,有人正在使用它向不同的目的地发送大量电子邮件。
我不知道它是从哪里连接的,并且“发件人”地址也被屏蔽了。
以下是邮件日志:
Apr 16 06:29:10 mail.xxx.com postfix/qmgr[25497]: EC5A91D727: from=<>, size=3096, nrcpt=1 (queue active)
Apr 16 06:29:10 mail.xxx.com postfix/bounce[12183]: B37D31D6FA: sender non-delivery notification: EC5A91D727
Apr 16 06:29:10 mail.xxx.com postfix/qmgr[25497]: B37D31D6FA: removed
Apr 16 06:29:11 mail.xxx.com postfix/smtp[12164]: 1A9B71D801: to=<xxx@inver**.com>, relay=inver**.com[164.138.x.x]:25, delay=50, delays=39/0/6.7/5, dsn=2.0.0, status=sent (250 OK id=1lX6jh-000875-TC)
Apr 16 06:29:11 mail.xxx.com postfix/qmgr[25497]: 1A9B71D801: removed
Apr 16 06:29:11 mail.xxx.com postfix/smtp[11990]: 3BEAB1D9C3: to=<xxx@tms**.pl>, relay=tms**.pl[194.181.x.x]:25, delay=49, delays=37/0/6.7/5.4, dsn=2.0.0, status=sent (250 OK id=1lX6ji-000469-QT)
Apr 16 06:29:11 mail.xxx.com postfix/qmgr[25497]: 3BEAB1D9C3: removed
Apr 16 06:29:12 mail.xxx.com postfix/smtp[12954]: 418621D80D: to=<xxx@medi**.com.cn>, relay=mxw**.com[198.x.x.x]:25, delay=51, delays=38/0/8.5/4.5, dsn=5.0.0, status=bounced (host mxw.mxhichina.com[198.11.189.243] said: 551 virus infected mail rejected (in reply to end of DATA command))
Apr 16 06:29:12 mail.xxx.com postfix/cleanup[7936]: 6711A1D7B7: message-id=<[email protected]>
Apr 16 06:29:12 mail.xxx.com postfix/bounce[12184]: 418621D80D: sender non-delivery notification: 6711A1D7B7
Apr 16 06:29:12 mail.xxx.com postfix/qmgr[25497]: 418621D80D: removed
Apr 16 06:29:12 mail.xxx.com postfix/qmgr[25497]: 6711A1D7B7: from=<>, size=2554, nrcpt=1 (queue active)
Apr 16 06:29:12 mail.xxx.com postfix/smtp[11499]: 65E4C1D95F: to=<xxx@an**.com>, relay=aspmx.l.google.com[172.217.x.x]:25, delay=51, delays=38/0/6.3/6.7, dsn=5.7.0, status=bounced (host aspmx.l.google.com[172.217.194.27] said: 552-5.7.0 This message was blocked because its content presents a potential 552-5.7.0 security issue. Please visit 552-5.7.0 https://support.google.com/mail/?p=BlockedMessage to review our 552 5.7.0 message content and attachment content guidelines. z63si3810735ybh.300 - gsmtp (in reply to end of DATA command))
Apr 16 06:29:12 mail.xxx.com postfix/cleanup[10468]: 705F91D801: message-id=<[email protected]>
Apr 16 06:29:12 mail.xxx.com postfix/smtp[11996]: F05911DBCA: to=<xxx@maq**.ae>, relay=maq**.protection.outlook.com[104.47.x.x]:25, delay=36, delays=27/0/3.1/6, dsn=2.6.0, status=sent (250 2.6.0 <[email protected]> [InternalId=93338229282509, Hostname=DB8PR10MB2745.EURPRD10.PROD.OUTLOOK.COM] 933811 bytes in 3.322, 274.451 KB/sec Queued mail for delivery)
Apr 16 06:29:12 mail.xxx.com postfix/qmgr[25497]: F05911DBCA: removed
Apr 16 06:29:12 mail.xxx.com postfix/bounce[12183]: 65E4C1D95F: sender non-delivery notification: 705F91D801
Apr 16 06:29:12 mail.xxx.com postfix/qmgr[25497]: 65E4C1D95F: removed
如何查看攻击源在哪里?有没有办法只限制可用于邮件中继的特定域范围?
我不是 Postfix 专业人士,所以任何建议/建议将不胜感激。
我在我的测试域中重命名了我唯一的 DC 的计算机名称。但是,似乎数据库没有完全更新。第一次重启后我遇到了0xc00002e2蓝屏。然后我尝试通过使用 ntdsutil -> Compact to 命令来修复它以重建 ntds.dit 文件。
服务器终于可以正常启动了。但是,我现在不能使用任何广告服务。这是 dcdiag 所说的:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = dc1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: SEA\SDC
Starting test: Connectivity
......................... SDC passed test Connectivity
Doing primary tests
Testing server: SEA\SDC
Starting test: Advertising
Fatal Error:DsGetDcName (SDC) call failed, error 1717
The Locator could not find the server.
......................... SDC failed test Advertising
Starting test: FrsEvent
......................... SDC passed test FrsEvent
Starting test: DFSREvent
The event log DFS Replication on server sdc.sea.nr could not be queried, error 0x6ba
"The RPC server is unavailable."
......................... SDC failed test DFSREvent
Starting test: SysVolCheck
......................... SDC passed test SysVolCheck
Starting test: KccEvent
The event log Directory Service on server sdc.sea.nr could not be queried, error 0x6ba
"The RPC server is unavailable."
......................... SDC failed test KccEvent
Starting test: KnowsOfRoleHolders
......................... SDC passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... SDC passed test MachineAccount
Starting test: NCSecDesc
......................... SDC passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\SDC\netlogon)
[SDC] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
......................... SDC failed test NetLogons
Starting test: ObjectsReplicated
......................... SDC passed test ObjectsReplicated
Starting test: Replications
......................... SDC passed test Replications
Starting test: RidManager
......................... SDC passed test RidManager
Starting test: Services
Could not open Remote ipc to [sdc.sea.nr]: error 0x43 "The network name cannot be found."
......................... SDC failed test Services
Starting test: SystemLog
The event log System on server sdc.sea.nr could not be queried, error 0x6ba "The RPC server is unavailabl
......................... SDC failed test SystemLog
Starting test: VerifyReferences
......................... SDC passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : sea
Starting test: CheckSDRefDom
......................... sea passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... sea passed test CrossRefValidation
Running enterprise tests on : sea.nr
Starting test: LocatorCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1717
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1717
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1717
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1717
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1717
A KDC could not be located - All the KDCs are down.
......................... sea.nr failed test LocatorCheck
Starting test: Intersite
......................... sea.nr passed test Intersite
似乎服务器正在尝试连接到 sdc.sea.nr,这是我打算重命名的名称。但目前计算机名称仍显示旧名称,我无法在本地 DNS 服务器中添加 A 记录。我应该如何解决这个问题?