  1. #1
    Member ed.kalk's Avatar
    Join Date
    Jun 2008
    Location
    Minneapolis, MN
    Posts
    76

    Question Can I only allow mail from my SPAM filter server on a per-domain basis?



    I'm trying to use SPAM filter ISP on a dedicated server. It has been running for 36 hours and is only currently filtering 3 out of about 100 domains for testing.

    It seems that some spammers are sending spam directly to my cpanel server and not using the mx records.

    How do I only allow mail from my SPAM filter Server?
    Can I do this on a per domain basis?
    Last edited by ed.kalk; 06-19-2008 at 03:10 PM. Reason: better title

  2. #2
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    963
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by ed.kalk View Post


    I'm trying to use SPAM filter ISP on a dedicated server. It has been running for 36 hours and is only currently filtering 3 out of about 100 domains for testing.

    It seems that some spammers are sending spam directly to my cpanel server and not using the mx records.

    How do I only allow mail from my SPAM filter Server?
    Can I do this on a per domain basis?
    That's a bit tricky. In order to strictly prohibit mail from external servers to enter your server for a specific domain, you have to block TCP 25 (the SMTP port). You can't block that because (a) you have some domains that are not using the filter and (b) you likely have customers accessing port 25 to send messages through your server. Blocking port 25 isn't going to work.

    To further complicate things, as you already determined, much spam is sent directly to the IP address that the domain resolves to. Technically you could reduce the likelihood of spam (for filtered domains) entering your server directly by removing the DNS "A" record for the domain itself. I.e., if the domain is mydomain.com, make sure there is no "A" record in DNS for mydomain.com. However, this could break some cPanel functionality. Even if it does not, at the very least it means that people who want to visit the mydomain.com website would be forced to use http://WWW.mydomain.com since mydomain.com would not resolve.

    The only real way to completely prevent this from happening is to not have SMTP port 25 listening on the machine that is the final mail server (your cPanel server)... but you likely can't do that.

    Mike

  3. #3
    Member
    Join Date
    Jan 2005
    Location
    /dev/null
    Posts
    770

    Default

    You could actually do this relatively simply with ACLs at the RCPT stage. A short example (untested), but something along these lines should work:

    Create a file containing the domains your smarthost manages:
    Code:
    root@box# touch /etc/smarthostdomains
    Then edit it and add the domains (one per line)

    Then in the advanced exim config editor in the first box somewhere:
    Code:
    domainlist smarthost_domains = lsearch;/etc/smarthostdomains
    Then in your acl_check_rcpt section:

    Code:
    deny message = You are not authorised to send to this domain
              log_message = Didnt come from our smarthost
              domains = +smarthost_domains
              condition = ${if match{$sender_host_name}{\Nyourdomain.com$\N}{no}{yes}}
    Replacing yourdomain.com with the tld you use for your hostnames
    Last edited by nickp666; 06-20-2008 at 04:14 AM. Reason: Added domainlist entry and set it like a tutorial instead of a rough Idea

  4. #4
    Member ed.kalk's Avatar
    Join Date
    Jun 2008
    Location
    Minneapolis, MN
    Posts
    76

    Question where is the acl_check_rcpt section?

    I'm a little unsure about where the acl_check_rcpt section would be...

    Also, as far as the following code:
    deny message = You are not authorised to send to this domain
    log_message = Didnt come from our smarthost
    domains = +smarthost_domains
    condition = ${if match{$sender_host_name}{\Nyourdomain.com$\N}{no}{yes}}

    The condition part means if the sender host is not bitwiselogic.com, correct?

    I was thinking it would look like this when I inserted the code:
    deny message = You are not authorised to send to this domain
    log_message = Didnt come from our smarthost
    domains = +smarthost_domains
    condition = ${if match{$sender_host_name}{\Nbitwiselogic.com$\N}{no}{yes}}

    Correct?

  5. #5
    Member
    Join Date
    Jan 2005
    Location
    /dev/null
    Posts
    770

    Default

    Sorry, the RCPT ACL section on a default cPanel setup is called check_recipient: it's in the second box of the ACL section of the advanced Exim conf editor.

    Put the above ACL underneath:
    Code:
    accept  hosts = :
    accept hosts = +skipsmtpcheck_hosts
    You are correct about the condition part

  6. #6
    Member ed.kalk's Avatar
    Join Date
    Jun 2008
    Location
    Minneapolis, MN
    Posts
    76

    Exclamation Not sure where to put the code for acl_check_rcpt

    This is a copy of my acl check rcpt section.

    I tried to put the code in under "accept hosts = :" and it stopped taking mail altogether with no bounce messages. After I removed the code, the mail did show up...

    This is what I tried: (This is my full acl_check_rcpt section)

    HTML Code:
    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
      accept  hosts = :
    
      deny message = You are not authorised to send to this domain
              log_message = Didnt come from our smarthost
              domains = +smarthost_domains
              condition = ${if match{$sender_host_name}{\Nbitwiselogic.com$\N}{no}{yes}}
    
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      #if it gets here it isn't mailman
                                                                                                                                               
      #sender verifications are required for all messages that are not sent to lists
                                                                                                                                               
      require verify = sender
      accept  domains = +local_domains
      endpass
      message = unknown user
      verify = recipient
      accept  domains = +relay_domains
      warn  message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
            hosts = +relay_hosts
      accept  hosts = +relay_hosts
                                                                                    
      warn  message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
            condition = ${perl{checkrelayhost}{$sender_host_address}}
      accept  condition = ${perl{checkrelayhost}{$sender_host_address}}
    
      accept  hosts = +auth_relay_hosts
              endpass
              message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
              authenticated = *
    
      deny    message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
    
    
    #!!# ACL that is used after the DATA command
    check_message:
      require verify = header_sender
      accept
    Last edited by ed.kalk; 06-24-2008 at 01:53 PM.

  7. #7
    Member
    Join Date
    Jan 2005
    Location
    /dev/null
    Posts
    770

    Default

    What does your exim_mainlog say?

    Also, it looks like you lost "accept hosts = +skipsmtpcheck_hosts" somewhere along the line.

  8. #8
    Member ed.kalk's Avatar
    Join Date
    Jun 2008
    Location
    Minneapolis, MN
    Posts
    76

    Default

    What is the exim main log?

    As far as I know, I never had the "accept hosts = +skipsmtpcheck_hosts"

    What does it do by the way?
    Where should it go?

    Do you think that is why it is not working?

    I noticed that the no and yes were reversed on your code compared to the other entries in the acl code, does this matter?

  9. #9
    Member
    Join Date
    Jan 2005
    Location
    /dev/null
    Posts
    770

    Default

    The exim main log is located at /var/log/exim_mainlog

    The missing part goes under:
    accept hosts = :

    Before you add it, what is your cPanel version and OS?

    Without the entries from the exim_mainlog I wouldn't be able to guess what the problem is. It could just be a typo in my ACL, but without the log entries I have absolutely no idea.

    The yes and no clause is supposed to be around the other way, as the condition is 'does not match'.
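
The decision logic of the deny rule discussed in posts #3 to #9, modelled in shell as an added example (not the posters' code and not Exim itself). The domain list and the sending hosts are constructed sample data, and the `ANCHORED` pattern is an assumed tighter variant of the posted one.

```shell
#!/bin/sh
# Added illustration, not the posters' code: models when the deny rule fires.

# Constructed stand-in for the contents of /etc/smarthostdomains.
SMARTHOST_DOMAINS='example-filtered.test
other-filtered.test'

AS_POSTED='bitwiselogic.com$'            # pattern as written in the thread
ANCHORED='(^|\.)bitwiselogic\.com$'      # assumption: a tighter variant

# acl_decision RCPT_DOMAIN SENDER_HOST_NAME PATTERN
# Prints "deny" when the rule fires, "continue" when the message falls
# through to the remaining check_recipient statements.
acl_decision() {
    rcpt_domain=$1 host_name=$2 pattern=$3
    # domains = +smarthost_domains: the rule only applies to listed domains
    printf '%s\n' "$SMARTHOST_DOMAINS" | grep -qxF -- "$rcpt_domain" \
        || { echo continue; return 0; }
    # condition = ${if match{$sender_host_name}{PATTERN}{no}{yes}}
    # match -> "no" (rule does not fire); no match -> "yes" (deny)
    if printf '%s\n' "$host_name" | grep -qE -- "$pattern"; then
        echo continue
    else
        echo deny
    fi
}

# Constructed connections: recipient domain, reverse-DNS name of the sender.
# The last line has no host name, as when the reverse lookup returns nothing.
while read -r dom host; do
    printf '%-22s %-26s posted=%-9s anchored=%s\n' "$dom" "${host:--}" \
        "$(acl_decision "$dom" "$host" "$AS_POSTED")" \
        "$(acl_decision "$dom" "$host" "$ANCHORED")"
done <<'EOF'
example-filtered.test mx1.bitwiselogic.com
example-filtered.test mail.sender.test
unfiltered.test mail.sender.test
example-filtered.test host.notbitwiselogic.com
example-filtered.test
EOF
```

The posted pattern is a plain suffix match, so any reverse-DNS name ending in those characters passes it, while the anchored variant accepts only the domain and its subdomains. A filter host whose reverse lookup returns no name is denied under both.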

  10. #10
    Member ed.kalk's Avatar
    Join Date
    Jun 2008
    Location
    Minneapolis, MN
    Posts
    76

    Default

    WHM 10.8.0 cPanel 10.9.0-C10
    Trustix i686 - WHM X v3.1.0

    The main log is really long and I don't know of a way to easily post what it says here in the forum. Is there some way to e-mail it to you?

  11. #11
    Member
    Join Date
    Jan 2005
    Location
    /dev/null
    Posts
    770

    Default

    That explains why you don't have that line; cPanel 10 doesn't have that feature.

    Are there any lines in /var/log/exim_paniclog?

    In theory that should contain the errors and should be a lot shorter.

  12. #12
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by ed.kalk View Post
    WHM 10.8.0 cPanel 10.9.0-C10
    Trustix i686 - WHM X v3.1.0
    ...
    Wow, I haven't seen someone running Trustix in a very long time.

    Note, your license will cease functioning on July 1, 2008 if you do not upgrade to cPanel 11 before then. There is no charge for this upgrade. See the following page for more information:

    http://blog.cpanel.net/?p=53

  13. #13
    Member ed.kalk's Avatar
    Join Date
    Jun 2008
    Location
    Minneapolis, MN
    Posts
    76

    Default

    I'm guessing that this is what you are looking for

    2008-06-24 10:05:17 failed to open /etc/smarthostdomains for linear search: Permission denied (euid=47 egid=12)

  14. #14
    Member
    Join Date
    Jan 2005
    Location
    /dev/null
    Posts
    770

    Default

    What is the result of:
    Code:
    ls -l /etc/smarthostdomains

    I don't know how Trustix's permissions work as I've never run it, but we should be able to get away with changing the permissions on the file to make this work (didn't need to on a RHEL box).

  15. #15
    Member ed.kalk's Avatar
    Join Date
    Jun 2008
    Location
    Minneapolis, MN
    Posts
    76

    Default

    -rw------- 1 root root 82 Jun 24 10:59 /etc/smarthostdomains
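
Why the lookup in post #13 fails against the listing in post #15, as an added shell example (not the posters' code): it applies the owner/group/other read bits to the euid=47 egid=12 from the log line. The 0644 and 0640 cases are assumed candidate modes, and supplementary groups are ignored as a simplification.

```shell
#!/bin/sh
# Added illustration, not the posters' code. Simplification: only the
# effective uid/gid from the log line are considered, not supplementary groups.

# can_read MODE_STRING FILE_UID FILE_GID EUID EGID -> prints yes|no
# MODE_STRING is the first column of ls -l, e.g. -rw-------
can_read() {
    mode=$1 fuid=$2 fgid=$3 euid=$4 egid=$5
    if [ "$euid" -eq 0 ]; then echo yes; return 0; fi  # root bypasses mode bits
    if   [ "$euid" -eq "$fuid" ]; then pos=2   # owner read bit
    elif [ "$egid" -eq "$fgid" ]; then pos=5   # group read bit
    else pos=8                                 # other read bit
    fi
    if [ "$(printf '%s' "$mode" | cut -c"$pos")" = r ]; then
        echo yes
    else
        echo no
    fi
}

# check_file PATH EUID EGID: same question for a file on disk,
# reading mode, numeric owner and numeric group from ls -ln.
check_file() {
    set -- $(ls -ln -- "$1" | awk '{print $1, $3, $4}') "$2" "$3"
    can_read "$@"
}

# Values from the thread: the log says euid=47 egid=12; the file is root:root.
echo "-rw------- root:root   -> $(can_read -rw------- 0 0 47 12)"
echo "-rw-r--r-- root:root   -> $(can_read -rw-r--r-- 0 0 47 12)"
# Assumption: gid 12 as group owner with mode 0640 (narrower than 0644).
echo "-rw-r----- root:gid 12 -> $(can_read -rw-r----- 0 12 47 12)"
```

Running `check_file /etc/smarthostdomains 47 12` on the server answers the same question for the live file after any permission change.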
