
Thread: Can I only allow mail from my SPAM filter server on a per-domain basis?

  1. #1
    Member ed.kalk's Avatar
    Join Date
    Jun 2008
    Location
    Minneapolis, MN
    Posts
    76

    Can I only allow mail from my SPAM filter server on a per-domain basis?



    I'm trying to use SPAM filter ISP on a dedicated server. It has been running for 36 hours and is only currently filtering 3 out of about 100 domains for testing.

    It seems that some spammers are sending spam directly to my cpanel server and not using the mx records.

    How do I only allow mail from my SPAM filter Server?
    Can I do this on a per domain basis?
    Last edited by ed.kalk; 06-19-2008 at 03:10 PM. Reason: better title

  2. #2
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    1,096
    cPanel/WHM Access Level

    Root Administrator


    Quote Originally Posted by ed.kalk View Post


    I'm trying to use SPAM filter ISP on a dedicated server. It has been running for 36 hours and is only currently filtering 3 out of about 100 domains for testing.

    It seems that some spammers are sending spam directly to my cpanel server and not using the mx records.

    How do I only allow mail from my SPAM filter Server?
    Can I do this on a per domain basis?
    That's a bit tricky. In order to strictly prohibit mail from external servers to enter your server for a specific domain, you have to block TCP 25 (the SMTP port). You can't block that because (a) you have some domains that are not using the filter and (b) you likely have customers accessing port 25 to send messages through your server. Blocking port 25 isn't going to work.

    To further complicate things, as you already determined, much spam is sent directly to the IP address that the domain resolves to. Technically you could reduce the likelihood of spam (for filtered domains) entering your server directly by removing the DNS "A" record for the domain itself. I.e., if the domain is mydomain.com, make sure there is no "A" record in DNS for mydomain.com. However, this could break some cPanel functionality. Even if it does not, at the very least it means that people who want to visit the mydomain.com website would be forced to use http://WWW.mydomain.com since mydomain.com would not resolve.

    The only real way to completely prevent this from happening is to not have SMTP Port 25 listening on the machine that is the final mail server (your cpanel server)... but you likely can't do that.

    Mike

  3. #3
    Member
    Join Date
    Jan 2005
    Location
    /dev/null
    Posts
    770


    You could actually do this relatively simply with ACLs at the RCPT stage. A short example (untested), but something along these lines should work:

    Create a file containing the domains your smarthost manages:
    Code:
    root@box# touch /etc/smarthostdomains
    Then edit it and add the domains (one per line)

    Then in the advanced exim config editor in the first box somewhere:
    Code:
    domainlist smarthost_domains = lsearch;/etc/smarthostdomains
    Then in your acl_check_rcpt section:

    Code:
    deny message = You are not authorised to send to this domain
              log_message = Didnt come from our smarthost
              domains = +smarthost_domains
              condition = ${if match{$sender_host_name}{\Nyourdomain.com$\N}{no}{yes}}
    Replacing yourdomain.com with the tld you use for your hostnames
    Last edited by nickp666; 06-20-2008 at 04:14 AM. Reason: Added domainlist entry and set it like a tutorial instead of a rough Idea
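
The RCPT rule from post #3, modelled as an added example (not part of any post in this thread, and not Exim or cPanel code): it runs the posted `match` pattern, a tightened pattern and an IP allowlist over constructed connections. The tightened pattern, the address 192.0.2.25 and the domain filtered.example are assumptions made for the illustration.

```python
import ipaddress
import re

POSTED = re.compile(r"yourdomain.com$")           # pattern as posted (placeholder domain)
ANCHORED = re.compile(r"(^|\.)yourdomain\.com$")  # assumption: tightened variant
SMARTHOST_NETS = [ipaddress.ip_network("192.0.2.25/32")]  # hypothetical filter IP
SMARTHOST_DOMAINS = {"filtered.example"}  # constructed /etc/smarthostdomains content


def deny_by_name(pattern, rcpt_domain, sender_host_name):
    """Model of the posted deny rule: it fires for a filtered domain when the
    reverse-DNS name does not match. Exim leaves $sender_host_name empty when
    the lookup fails, which is modelled here as ""."""
    if rcpt_domain not in SMARTHOST_DOMAINS:
        return False
    return pattern.search(sender_host_name or "") is None


def deny_by_address(rcpt_domain, sender_ip):
    """Alternative model: compare the connecting IP with an allowlist, the
    equivalent of an Exim hosts condition against a hostlist."""
    if rcpt_domain not in SMARTHOST_DOMAINS:
        return False
    addr = ipaddress.ip_address(sender_ip)
    return not any(addr in net for net in SMARTHOST_NETS)


# Constructed connections: (recipient domain, reverse-DNS name, IP address).
SAMPLES = [
    ("filtered.example", "filter1.yourdomain.com", "192.0.2.25"),
    ("filtered.example", "mail.notyourdomain.com", "198.51.100.7"),
    ("filtered.example", "", "203.0.113.9"),
    ("unfiltered.example", "mx.other.example", "203.0.113.10"),
]


def evaluate():
    """Return one (posted, anchored, by_address) deny tuple per sample."""
    return [
        (deny_by_name(POSTED, d, n), deny_by_name(ANCHORED, d, n),
         deny_by_address(d, ip))
        for d, n, ip in SAMPLES
    ]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, evaluate()):
        print(sample, "deny (posted, anchored, by address) =", verdict)
```

The second sample is accepted by the posted pattern because the host name merely ends in the same characters; the anchored pattern and the address check both reject it.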

  4. #4
    Member ed.kalk's Avatar
    Join Date
    Jun 2008
    Location
    Minneapolis, MN
    Posts
    76

    where is the acl_check_rcpt section?

    I'm a little unsure about where the acl_check_rcpt section would be...

    also as far as the following code:
    deny message = You are not authorised to send to this domain
    log_message = Didnt come from our smarthost
    domains = +smarthost_domains
    condition = ${if match{$sender_host_name}{\Nyourdomain.com$\N}{no}{yes}}

    the condition part means if the sender host is not bitwiselogic.com correct?

    I was thinking it would look like this when I inserted the code:
    deny message = You are not authorised to send to this domain
    log_message = Didnt come from our smarthost
    domains = +smarthost_domains
    condition = ${if match{$sender_host_name}{\Nbitwiselogic.com$\N}{no}{yes}}

    correct?

  5. #5
    Member
    Join Date
    Jan 2005
    Location
    /dev/null
    Posts
    770


    Sorry, the RCPT ACL section on a default cPanel setup is called: check_recipient: it's in the second box of the ACL section of the advanced exim conf editor.

    Put the above ACL underneath:
    Code:
    accept  hosts = :
    accept hosts = +skipsmtpcheck_hosts
    You are correct about the condition part

  6. #6
    Member ed.kalk's Avatar
    Join Date
    Jun 2008
    Location
    Minneapolis, MN
    Posts
    76

    Not sure where to put the code for acl_check_rcpt

    This is a copy of my acl check rcpt section.

    I tried to put the code in under "accept hosts = :" and it stopped taking mail altogether with no bounce messages. After I removed the code, the mail did show up...

    This is what i tried: (This is my full acl_check_rcpt section)

    [HTML]#!!# ACL that is used after the RCPT command
    check_recipient:
    # Exim 3 had no checking on -bs messages, so for compatibility
    # we accept if the source is local SMTP (i.e. not over TCP/IP).
    # We do this by testing for an empty sending host field.
    accept hosts = :

    deny message = You are not authorised to send to this domain
    log_message = Didnt come from our smarthost
    domains = +smarthost_domains
    condition = ${if match{$sender_host_name}{\Nbitwiselogic.com$\N}{no}{yes}}


    # Accept bounces to lists even if callbacks or other checks would fail
    warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
    condition = \
    ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
    {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
    {yes}{no}}

    accept condition = \
    ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
    {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
    {yes}{no}}


    # Accept bounces to lists even if callbacks or other checks would fail
    warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
    condition = \
    ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
    {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
    {yes}{no}}

    accept condition = \
    ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
    {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
    {yes}{no}}

    #if it gets here it isn't mailman

    #sender verifications are required for all messages that are not sent to lists

    require verify = sender
    accept domains = +local_domains
    endpass
    message = unknown user
    verify = recipient
    accept domains = +relay_domains
    warn message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
    hosts = +relay_hosts
    accept hosts = +relay_hosts

    warn message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
    condition = ${perl{checkrelayhost}{$sender_host_address}}
    accept condition = ${perl{checkrelayhost}{$sender_host_address}}

    accept hosts = +auth_relay_hosts
    endpass
    message = $sender_fullhost is currently not permitted to \
    relay through this server. Perhaps you \
    have not logged into the pop/imap server in the \
    last 30 minutes or do not have SMTP Authentication turned on in your email client.
    authenticated = *

    deny message = $sender_fullhost is currently not permitted to \
    relay through this server. Perhaps you \
    have not logged into the pop/imap server in the \
    last 30 minutes or do not have SMTP Authentication turned on in your email client.


    #!!# ACL that is used after the DATA command
    check_message:
    require verify = header_sender
    accept[/HTML]
    Last edited by ed.kalk; 06-24-2008 at 01:53 PM.

  7. #7
    Member
    Join Date
    Jan 2005
    Location
    /dev/null
    Posts
    770


    what does your exim_mainlog say?

    also looks like you lost "accept hosts = +skipsmtpcheck_hosts" somewhere along the line

  8. #8
    Member ed.kalk's Avatar
    Join Date
    Jun 2008
    Location
    Minneapolis, MN
    Posts
    76


    what is exim main log?

    As far as I know, I never had the "accept hosts = +skipsmtpcheck_hosts"

    What does it do by the way?
    Where should it go?

    Do you think that is why it is not working?

    I noticed that the no and yes were reversed on your code compared to the other entries in the acl code, does this matter?

  9. #9
    Member
    Join Date
    Jan 2005
    Location
    /dev/null
    Posts
    770


    the exim main log is located at /var/log/exim_mainlog

    The missing part goes under:
    accept hosts = :

    before you add it, what is your cPanel version and OS?

    Without the entries from the exim_mainlog I wouldn't be able to guess what the problem is. It could just be a typo in my ACL, but without the log entries I have absolutely no idea.

    The yes and no clause is supposed to be around the other way, as the condition is 'does not match'.

  10. #10
    Member ed.kalk's Avatar
    Join Date
    Jun 2008
    Location
    Minneapolis, MN
    Posts
    76


    WHM 10.8.0 cPanel 10.9.0-C10
    Trustix i686 - WHM X v3.1.0

    The main log is really long and I don't know of a way to easily post what it says here in the forum. Is there some way to e-mail it to you?

  11. #11
    Member
    Join Date
    Jan 2005
    Location
    /dev/null
    Posts
    770


    That explains why you don't have that line: cPanel 10 doesn't have that feature.

    Are there any lines in /var/log/exim_paniclog?

    In theory that should contain the errors and should be a lot shorter.

  12. #12
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,307
    cPanel/WHM Access Level

    Root Administrator


    Quote Originally Posted by ed.kalk View Post
    WHM 10.8.0 cPanel 10.9.0-C10
    Trustix i686 - WHM X v3.1.0
    ...
    Wow, I haven't seen someone running Trustix in a very long time.

    Note, your license will cease functioning on July 1, 2008 if you do not upgrade to cPanel 11 before then. There is no charge for this upgrade. See the following page for more information:

    http://blog.cpanel.net/?p=53

  13. #13
    Member ed.kalk's Avatar
    Join Date
    Jun 2008
    Location
    Minneapolis, MN
    Posts
    76


    I'm guessing that this is what you are looking for

    2008-06-24 10:05:17 failed to open /etc/smarthostdomains for linear search: Permission denied (euid=47 egid=12)

  14. #14
    Member
    Join Date
    Jan 2005
    Location
    /dev/null
    Posts
    770


    What is the result of:
    Code:
    ls -l /etc/smarthostdomains

    I don't know how Trustix's permissions work as I've never run it, but we should be able to get away with changing the permissions on the file to make this work (didn't need to on a RHEL box).

  15. #15
    Member ed.kalk's Avatar
    Join Date
    Jun 2008
    Location
    Minneapolis, MN
    Posts
    76


    -rw------- 1 root root 82 Jun 24 10:59 /etc/smarthostdomains
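
Why Exim could not read the list, as an added example (not part of any post in this thread): it parses the panic-log line and the `ls -l` line quoted above and applies the standard Unix owner/group/other check. Mapping `root root` to uid 0 and gid 0, and the absence of supplementary groups and POSIX ACLs, are assumptions.

```python
import re
import stat

# Both lines are copied from the posts above.
PANIC_LINE = ("2008-06-24 10:05:17 failed to open /etc/smarthostdomains for "
              "linear search: Permission denied (euid=47 egid=12)")
LS_LINE = "-rw------- 1 root root 82 Jun 24 10:59 /etc/smarthostdomains"


def parse_panic(line):
    """Extract (path, euid, egid) from an Exim 'failed to open' log line."""
    m = re.search(r"failed to open (\S+) .*\(euid=(\d+) egid=(\d+)\)", line)
    if m is None:
        raise ValueError("not a failed-to-open line")
    return m.group(1), int(m.group(2)), int(m.group(3))


def mode_bits(ls_mode):
    """Convert the rwx part of an ls -l mode string to permission bits."""
    flags = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
             stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
             stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
    return sum(f for ch, f in zip(ls_mode[1:10], flags) if ch != "-")


def can_read(bits, owner_uid, owner_gid, euid, egid):
    """Unix read check: only one of the owner, group or other classes applies.
    Assumes no supplementary groups and no POSIX ACLs."""
    if euid == 0:
        return True
    if euid == owner_uid:
        return bool(bits & stat.S_IRUSR)
    if egid == owner_gid:
        return bool(bits & stat.S_IRGRP)
    return bool(bits & stat.S_IROTH)


def diagnose(owner_uid=0, owner_gid=0):
    """Can the process from the log line read the file as listed, and under
    two candidate modes? Owner 0:0 stands for 'root root' (assumption)."""
    _, euid, egid = parse_panic(PANIC_LINE)
    listed = mode_bits(LS_LINE.split()[0])
    return {
        "listed": can_read(listed, owner_uid, owner_gid, euid, egid),
        "group_read": can_read(0o640, owner_uid, egid, euid, egid),
        "world_read": can_read(0o644, owner_uid, owner_gid, euid, egid),
    }
```

Here `group_read` models mode 0640 with the file's group set to the gid from the log line, which grants Exim access without making the file world-readable.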
