WHM Exim Does Not Refuse Emails During SMTP With :fail:
Feb 7, 2008
Running WHM on Fedora 6... WHM 11.11.0 cPanel 11.16.0-R18546
I have a problem with spoofing spammers. My queue is full of non-delivered emails from external SMTP servers, sent to non-existent addresses on my server...
The thing is that the destination domain (mydomain.com b.example) already has its ":fail: No Such User Here" alias.
SMF records applied, but most external SMTP servers do not check them nowadays...
Using :fail: the email is never accepted into the server. During the initial SMTP negotiation when the sender's SMTP server connects to your SMTP server, the sending SMTP server issues a RCPT command notifying your server which email address the email to follow is intended for. Your server then checks whether the recipient email actually exists on your server (a POP3 account, an alias or a catchall alias) and if it does not, it issues an SMTP DENY which terminates the attempt to deliver the email.
Well, in my case it just receives the message and then freezes it!
210P Received: from [203.162.168.16] (port=1839 helo=luatvietnam.vn)
by myserver.mine.com with smtp (Exim 4.68)
id 1JMoh4-0004UG-Pz
for dlsex-ireddols@mydomain.com; Wed, 06 Feb 2008 19:08:23 +0100
069P Received: (qmail 6913 invoked for bounce); 5 Feb 2008 09:04:11 -0500
032 Date: 5 Feb 2008 09:04:11 -0500
032F From: postmaster@luatvietnam.vn
039T To: dlsex-ireddols@mydomain.com
024 Subject: failure notice
WHEN TRYING TO DELIVER FROM QUEUE:
Message 1JMoh4-0004UG-Pz is no longer frozen
LOG: MAIN
cwd=/usr/local/cpanel/whostmgr/docroot 4 args: /usr/sbin/exim -v -M 1JMoh4-0004UG-Pz
delivering 1JMoh4-0004UG-Pz
LOG: MAIN
** dlsex-ireddols@mydomain.com F=<> R=virtual_aliases: No Such User Here
LOG: MAIN
Frozen (delivery error message)
AT LOGS (first time):
2008-02-06 19:08:17 SMTP connection from [203.162.168.16]:1839 I=[85.112.9.44]:25 (TCP/IP connection count = 9)
2008-02-06 19:08:20 no host name found for IP address 203.162.168.16
2008-02-06 19:08:22 H=(luatvietnam.vn) [203.162.168.16]:1839 I=[85.x.x.x]:25 Warning: Sender rate 0.0 / 1h
2008-02-06 19:08:23 1JMoh4-0004UG-Pz <= <> H=(luatvietnam.vn) [203.162.168.16]:1839 I=[85.x.x.x]:25 P=smtp S=2405 T="failure notice" from <> for dlsex-ireddols@mydomain.com
2008-02-06 19:08:23 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1JMoh4-0004UG-Pz
2008-02-06 19:08:23 1JMoh4-0004UG-Pz ** dlsex-ireddols@mydomain.com F=<> R=virtual_aliases: No Such User Here
2008-02-06 19:08:23 1JMoh4-0004UG-Pz Frozen (delivery error message)
2008-02-06 19:08:24 SMTP connection from (luatvietnam.vn) [203.162.168.16]:1839 I=[85.x.x.x]:25 closed by QUIT
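An added example, not part of the original post: a small parser for the pattern visible in the log above, where a message is accepted (`<=`) and only afterwards fails at routing (`**`), which means the recipient was not refused at RCPT time. The log lines are constructed sample data modelled on the format shown in the post, and the function name is hypothetical.

```python
import re

# Exim main-log line: date, time, message id, then the event text.
LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} "
    r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) (?P<rest>.*)$")
ARRIVAL = re.compile(r"^<= (?P<sender>\S+)")
FAILURE = re.compile(r"^\*\* (?P<rcpt>\S+) .*?R=(?P<router>\w+): (?P<reason>.+)$")

# Constructed sample lines (documentation addresses, made-up message ids).
SAMPLE = """\
2008-02-06 19:08:17 SMTP connection from [192.0.2.16]:1839 I=[198.51.100.44]:25 (TCP/IP connection count = 9)
2008-02-06 19:08:23 1AAAAA-000001-AA <= <> H=(mail.example.net) [192.0.2.16]:1839 P=smtp S=2405 T="failure notice" from <> for nouser@example.com
2008-02-06 19:08:23 1AAAAA-000001-AA ** nouser@example.com F=<> R=virtual_aliases: No Such User Here
2008-02-06 19:08:23 1AAAAA-000001-AA Frozen (delivery error message)
2008-02-06 19:09:01 1AAAAA-000002-AB <= alice@example.org H=(mx.example.org) [192.0.2.20]:4021 P=smtp S=1200 for bob@example.com
2008-02-06 19:09:02 1AAAAA-000002-AB => bob <bob@example.com> R=virtual_user T=virtual_userdelivery
""".splitlines()


def accepted_then_failed(lines):
    """Return messages that were accepted over SMTP and then failed at
    routing, i.e. the recipient check happened after acceptance."""
    msgs = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # connection-level lines carry no message id
        mid, rest = m["id"], m["rest"]
        a = ARRIVAL.match(rest)
        if a:
            msgs[mid] = {"id": mid, "sender": a["sender"], "failed": [],
                         "bounce": a["sender"] == "<>", "frozen": False}
            continue
        rec = msgs.get(mid)
        if rec is None:
            continue  # arrival was logged before this sample starts
        f = FAILURE.match(rest)
        if f:
            rec["failed"].append((f["rcpt"], f["router"], f["reason"]))
        elif rest.startswith("Frozen"):
            rec["frozen"] = True
    return [r for r in msgs.values() if r["failed"]]


if __name__ == "__main__":
    for r in accepted_then_failed(SAMPLE):
        print(r["id"], "bounce" if r["bounce"] else r["sender"], r["failed"], r["frozen"])
```

A record with `bounce` and `frozen` both true is a null-sender message that could not be returned to anyone, which is what fills the queue in the case described.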
I am programming a bulk email sending for a client. I need a hosting company who can allow me to use Require 'Mail.php' to send about 5000 emails continuously without fail.
I've recently purchased a cPanel VPS from a company I found on this forum. However, I am now experiencing some problems with the sending of e-mails from the server via Outlook Express. Unfortunately, I have no real knowledge of Exim and I was hoping someone would help me with this. Basically, when I set up the domain and then set up an email account, I could only receive emails and not send (as I was getting an error within Outlook). This was due to the fact that the domain name was not listed in /etc/localdomains, so when I added it to that file it seemed to have done the job. Now, when I send emails locally, e.g. example1@domain to example2@domain, it will indeed send correctly; however, if I want to send it to an external domain it stays in the queue (which I can view in WHM). When I force send it, it gives me the message "Connection refused". Can anyone shed some light on this situation?
One of my users is receiving way too many Mailer Daemon messages and his mailbox is full. I've had this problem from time to time and I am trying to figure out how to block mailer daemon messages for a specific domain so that they do not even get on the mailing queue...much like when you set a default address to ":fail:". So I came up with this:
refuse_md1:
  deny message = The original message did not come from this site.
       condition = ${if eq{$sender_address}{}{yes}{no}}
       condition = ${if eq{$local_part}{userdomain.com}{yes}{no}}
       log_message = Refused a bounce message for userdomain.com
However, this doesn't help. The emails are still going to the mailing queue and when I look at the Exim log I see the usual error message saying that the email was blocked because the account has run out of space.
I use Exim + Dovecot for my mail server. We can get mails through the POP3 protocol without a problem, but when we try to send mails, Exim does not permit relay. My passwords are stored in a MySQL database for Dovecot. Is it possible for Exim to do authentication based on that? If it will be easier, I can create a text file with MD5 passwords on it for my users.
I really hope I'm just going batty with sleep deprivation, because this is making no sense to me. Before I clobber my poor provider with management requests, I want to see if this is typical behavior or not. I am able to send messages through my SMTP server from my laptop without using any authentication at all. It doesn't matter whether I'm using a client (tested Mail.app and Mozilla Thunderbird) or whether I'm going in via telnet. A typical session might look like this (addresses obfuscated):
asdfasdfasdf:~ ###$ telnet mail.fakedomainname.com 25
Trying ##.##.##.## ...
Connected to mail.fakedomainname.com.
Escape character is '^]'.
220 fakedomainname.com ESMTP Exim 4.67 Wed, 30 Jan 2008 00:56:03 -0800
HELO [192.168.2.1]
250 fakedomainname.com Hello reverse.verizon.net [##.##.##.##]
MAIL FROM:<nonexistentuser@fakedomainname.com>
250 OK
RCPT TO:<myvalidaddress@gmail.com>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
This should not work
.
250 OK id=1JK8kZ-0004Xx-7O
quit
221 fakedomainname.com closing connection
Connection closed by foreign host.
asdfasdfasdf:~ username$
I was expecting to see a "550 authentication required" message after it saw that "RCPT TO" wasn't a locally-hosted domain. I did confirm that the message was properly delivered to the intended Gmail address. So far, it looks like an open relay. But when I use a third-party environment, such as the open relay checker at abuse.net, I am correctly seeing "550" messages at the appropriate places.
In other words, when anyone else does it, they get "550". When I do it from my laptop (from any client or telnet session), I'm clear to send. Just to add a little zest to the situation, when I did this same test 36 hours ago, I *was* getting "550" errors.
This doesn't seem right to me. However, my mail admin skill level is approximately zero, so I'm willing to accept that this is normal behavior and that I am overlooking the obvious.
I have a customer that wants to send emails using Exim and SMTP (using Outlook), without authentication. Now, the big question is: how can I configure the Exim server to work without any authentication?
I know the risks of this without any authentication, but it is my customer's server and he wants to work in this way.
He is also asking if he is able to send emails without authentication using SMTP for certain IP addresses. Is that possible? Can it be done for only 1 domain, or for the entire server?
I have Cpanel, with the "Prevent Nobody from sending emails" in the WHM>Tweak Settings enabled.
I want to force sendmail to use SMTP auth, so that all mails sent are sent via SMTP and an authenticated POP user. I guess this will help in limiting the "The maximum each domain can send out per hour" setting.
I've looked through my exim logs a number of times and I see emails being sent out with "from:" fields with email addresses of other domains. Usually they are spam related and fraudulent.
How can exim be setup to only send out emails that have localdomains in their from fields?
E.g. if I have account bob.com on my server then the owner of bob.com can only send out emails "xxxx@bob.com" no matter what else he tries to do that's all exim will send out.
How can you get Exim to do this? I have been using filtering to block commonly spammed domains like aol.com, hotmail.com etc. Any emails sent out with these in their from fields are filtered and blocked, but rather than building up a larger and larger filter of commonly abused domains, why not just block everything except domains on your server?
1) What would you guys say is average in terms of the # of emails in the Mail Queue?
2) What steps can be taken to tighten it up? If I start with a clean slate, it only takes about a week or less for my mail queue to reach 1000 or more. Most of it seems like junk mail.
I have noticed in the logs of my two dedicated servers that some emails just disappear after being frozen for days in the queue, and there is no notice or warning sent to the sender.
Please check your logs and tell me if I am wrong; just check for non-zero in your exim_mainlog
grep non-zero /var/log/exim_mainlog
and then grep your messageId
grep 1K17WW-0002so-Sn /var/log/exim_mainlog
2008-05-24 17:34:23 1K17WW-0002so-Sn == vicoello@xxxxx.com R=lookuphost T=remote_smtp defer (-1): smtp transport process returned non-zero status 0x000e: terminated by signal 14
2008-05-24 17:34:23 1K17WW-0002so-Sn Frozen
2008-05-25 18:02:27 1K17WW-0002so-Sn Message is frozen
...
2008-05-26 22:08:47 1K17WW-0002so-Sn Message is frozen
....
2008-05-27 15:00:31 1K17WW-0002so-Sn Message is frozen
? Disappeared
Plesk Panel, 11.0.9, #61, Windows 2008 R2 SP1, x64
PROBLEM: With reports configured to send out to an email address local on the Windows server configured through PLESK, if local relay isn't enabled at 127.0.0.1 on the SmarterMail server, the reports are never delivered.
- server is [domainx].com
- email to receive reports from PLESK is plesk444@[domainx].com
- this email address is able to send and receive internally or externally to and from any client w/ SMTP auth enabled.
If SmarterMail is configured with SMTP Authentication Bypass for 127.0.0.1, we get the scheduled report emails as we should. Without the SMTP Authentication Bypass enabled, none of the clients or administrators get any reports or notifications at all.
QUESTION: How can I configure PLESK Panel 11 itself to use that SMTP Authentication to send those reports out? --is there a configuration file or registry value I can add or modify?
I'm trying to figure out a method to stop some of the email spam that we get, and I have something figured out, but I need help on implementing it.
Basically, we get a lot of spam emails from addresses claiming to be from our domain (EX: From: someguy@mysite.com). The email is actually not from our domain, nor does the address actually exist, but the From address is being forged to look like it is our domain.
Basically, to fix this, I want to block all email where the From address is claiming to be from our domain, with a nonexistent email address. I'm pretty sure that this is configurable in Exim, but I haven't found any tutorial on it, and I'm not familiar enough with Exim to do it very easily. Anyway, if anyone knows of a tutorial or how this could be accomplished, please let me know.
Just to Add: The reason that these emails are a problem is that the spam software we are running recognizes these emails as being from our domain which it trusts, so they pass most spam filters.
My Exim outgoing mail queue is getting stuck and I cannot receive emails. Under WHM I have 50-odd emails, some 7 days old.
A small dump from /var/log/exim-mainlog is below:
2007-11-19 04:40:45 H=(H®) [202.57.142.156] sender verify defer for <jqyuehutmqluz@epilot.com>: could not connect to mail02.interchangeusa.com [63.251.210.81]: Connection timed out
2007-11-19 04:40:45 H=(H®) [202.57.142.156] F=<jqyuehutmqluz@epilot.com> temporarily rejected RCPT <morleyc@myemail.net>: Could not complete sender verify callout
2007-11-19 04:40:45 unexpected disconnection while reading SMTP command from (H®) [202.57.142.156]
2007-11-19 04:40:51 no IP address found for host 202.57.142.156.sta.isp-thailand.com (during SMTP connection from [202.57.142.156])
2007-11-19 04:40:57 no IP address found for host 202.57.142.156.sta.isp-thailand.com (during SMTP connection from [202.57.142.156])
2007-11-19 04:41:01 no IP address found for host 202.57.142.156.sta.isp-thailand.com (during SMTP connection from [202.57.142.156])
2007-11-19 04:41:04 no IP address found for host 202.57.142.156.sta.isp-thailand.com (during SMTP connection from [202.57.142.156])
2007-11-19 04:41:43 no host name found for IP address 77.94.106.13
2007-11-19 04:41:49 1ItxNu-0007E6-4s mail.global.frontbridge.com [207.46.51.86] Connection timed out
2007-11-19 04:41:49 1ItxNu-0007E6-4s == hmt@someaddress.com <HMT@someaddress.com> R=lookuphost T=remote_smtp defer (110): Connection timed out
2007-11-19 04:41:49 1ItxNu-0007E6-4s == jog@someaddress.com <JOG@someaddress.com> R=lookuphost T=remote_smtp defer (110): Connection timed out
2007-11-19 04:41:49 1ItxNu-0007E6-4s == mrl@someaddress.com <MRL@someaddress.com> R=lookuphost T=remote_smtp defer (110): Connection timed out
2007-11-19 04:42:29 H=(client-200.121.46.74.speedy.net.pe) [200.121.46.74] sender verify defer for <tecat@yahoo.de>: Could not complete sender verify callout
2007-11-19 04:42:29 H=(client-200.121.46.74.speedy.net.pe) [200.121.46.74] F=<tecat@yahoo.de> temporarily rejected RCPT <morleyc@myemail.net>: Could not complete sender verify callout
2007-11-19 04:42:29 unexpected disconnection while reading SMTP command from (client-200.121.46.74.speedy.net.pe) [200.121.46.74]
Everything was fine until about 7 days ago. I don't know why, the config didn't change, but since then it's been dropping received emails and queueing on sends.