  1. #1
    Member
    Join Date
    Jun 2011
    Posts
    6

    Default cPanel email filtering works for email in, but not for email out

    After having looked on the web and on this forum for similar cases, and not having found a solution, I am writing this hoping for some help or indication on how to fix this issue.

    For the test domain ckg.in, I activated two rules:

    1) if any Recipient does not contain "@ckg.in", Fail with message "rejected"
    2) if From does not contain "@ckg.in", Fail with message "rejected"

    Basically, only messages sent from that domain, or addressing an account on that domain are not rejected.

    In the Filter Test box, both rules work as expected.

    If a message is sent to "test1@ckg.in" from an account not @ckg.in, that message never reaches the mailbox, although no "Fail" message is ever received. That is (almost) all right.

    But if a message is sent from "test1@ckg.in" to any account, for example, test@example.net, the message is delivered, against the first rule.

    This is the content of /etc/vfilters/chk.in:

    Code:
    # Exim filter

    # Auto Generated by cPanel.  Do not manually edit this file as your changes will be overwritten.  If you must edit this filter, ed

    if not first_delivery and error_message then finish endif

    #Recipients-are-not-ckg.in
    if
     foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress does not contain "@ckg.in" )
    then
     fail "Message rejected."
    endif

    #From-is-not-ckg.in
    if
     $header_from: does not contain "@ckg.in"
    then
     fail "Message rejected."
    endif

    This is the related content of /var/log/exim_mainlog:

    (test@example.net is in place of the real address I used)

    Code:
    > tail -f /var/log/exim_mainlog
    
    2011-06-08 13:48:09 H=localhost (208.86.00.00) [127.0.0.1] Warning: Sender rate 2.6 / 1h
    2011-06-08 13:48:09 1QUMrR-00016N-Na <= test1@ckg.in H=localhost (208.86.00.00) [127.0.0.1] P=esmtpa A=dovecot_login:test1@ckg.in S=544 id=9a4a702d8b4a79d72c5be92b7756b457@ckg.in T="test"
    2011-06-08 13:48:09 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1QUMrR-00016N-Na
    2011-06-08 13:49:42 1QUMrR-00016N-Na => test@example.net R=lookuphost T=remote_smtp H=mail.server.org [208.116.00.00] X=TLSv1:DES-CBC3-SHA:168
    2011-06-08 13:49:42 1QUMrR-00016N-Na Completed

    How can the filter be fixed so that no messages are delivered if they do not contain "@ckg.in" in the Recipients?
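
An added example, not part of the original post: a log audit for the policy described above, reading Exim main-log lines in the format shown and reporting deliveries where only one side is inside the domain. The sample lines, their message ids and the function names `sample_log` and `audit_policy` are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag deliveries in an Exim main log that cross the
# boundary of a domain meant to be internal-only.

# Constructed sample lines in the format of the excerpt above.
sample_log() {
cat <<'EOF'
2011-06-08 13:48:09 1QUMrR-00016N-Na <= test1@ckg.in H=localhost (208.86.00.00) [127.0.0.1] P=esmtpa A=dovecot_login:test1@ckg.in S=544 T="test"
2011-06-08 13:49:42 1QUMrR-00016N-Na => test@example.net R=lookuphost T=remote_smtp H=mail.server.org [208.116.00.00]
2011-06-08 13:49:42 1QUMrR-00016N-Na Completed
2011-06-08 14:02:10 1QUN4u-00017A-Bc <= test1@ckg.in H=localhost [127.0.0.1] P=esmtpa S=601
2011-06-08 14:02:11 1QUN4u-00017A-Bc => test2 <test2@ckg.in> R=virtual_user T=virtual_userdelivery
2011-06-08 14:05:30 1QUN8A-00017Q-Xy <= someone@example.org H=mx.example.org [192.0.2.10] P=esmtp S=812
2011-06-08 14:05:31 1QUN8A-00017Q-Xy => test1 <test1@ckg.in> R=virtual_user T=virtual_userdelivery
EOF
}

# usage: audit_policy DOMAIN < /var/log/exim_mainlog
audit_policy() {
    awk -v dom="$1" '
    function domain_of(a) { sub(/^.*@/, "", a); return tolower(a) }
    BEGIN { dom = tolower(dom) }
    $4 == "<=" { sender[$3] = $5; next }          # arrival: remember envelope sender
    $4 == "Completed" { delete sender[$3]; next }
    ($4 == "=>" || $4 == "->") && ($3 in sender) {
        rcpt = $5
        # local deliveries are logged as: localpart <original@address>
        if (rcpt !~ /@/ && $6 ~ /^<.*>$/) rcpt = substr($6, 2, length($6) - 2)
        s = sender[$3]
        if (s !~ /@/ || rcpt !~ /@/) next         # bounces, pipes, files
        # exact domain comparison, not a substring test
        s_in = (domain_of(s) == dom); r_in = (domain_of(rcpt) == dom)
        if (s_in && !r_in) print $1, $2, $3, "OUTBOUND", s, "->", rcpt
        if (!s_in && r_in) print $1, $2, $3, "INBOUND", s, "->", rcpt
    }'
}

sample_log | audit_policy ckg.in
```

Run against the real log, this reports what was actually delivered regardless of which filter or router was supposed to stop it.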

  2. #2
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,305
    cPanel/Enkompass Access Level

    Root Administrator

    Default Re: cPanel email filtering works for email in, but not for email out

    The only method I know how to do this would be a global router, but that would unfortunately only allow permitted senders to send emails from the machine and anyone else would only be able to send locally.

    In WHM > Exim Configuration Editor > Advanced section, you will have a routers section that looks like this:

    ######################################################################
    # ROUTERS CONFIGURATION #
    # Specifies how remote addresses are handled #
    ######################################################################
    # ORDER DOES MATTER #
    # A remote address is passed to each in turn until it is accepted. #
    ######################################################################

    # Remote addresses are those with a domain that does not match any item
    # in the "local_domains" setting above.

    #
    # Demo Safety Router
    #

    democheck:
    driver = redirect
    require_files = "+/etc/demouids"
    condition = "${if eq {${lookup {$originator_uid} lsearch {/etc/demouids} {$value}}}{}{false}{true}}"
    allow_fail
    data = :fail: demo accounts are not permitted to relay email

    In the box below that part, you could put the following:

    Code:
       check_outgoing:
         driver = redirect
         domains = ! +local_domains
         senders = ! : ! lsearch;/etc/permitsend
         allow_fail
         data = :fail: you are not allowed to send outside

    Then click the "Save" button. At that point, you would then create /etc/permitsend file:

    Code:
    touch /etc/permitsend
    echo "admin@mydomain.com" >> /etc/permitsend

    This would add admin@mydomain.com to /etc/permitsend file and let that one account send to anyone. All other email accounts on every domain on the machine would be restricted to only send locally.

    Of note, /etc/permitsend file will only accept full email addresses, so you cannot simply put domain names in the file. That is why this will only work on a machine where you are restricting outgoing email access for all domains. If you do not want any accounts to be able to send outside the server, simply don't put any email account into the /etc/permitsend file.

    I did test this on my machine. I added 1 domain to the server, then I added two accounts to that domain (admin@mydomain.com and tristan@mydomain.com), then I put admin@mydomain.com into the /etc/permitsend file but did not put tristan@mydomain.com into that file. I was able to send via webmail from admin@mydomain.com to my cPanel account off the server, but I was not able to send from my tristan@mydomain.com account to any email account off the server (I could send to admin@mydomain.com from tristan@mydomain.com though).
    -- Tristan, Forums Technical Analyst, cPanel Tech Support

  3. #3
    Member
    Join Date
    Jun 2011
    Posts
    6

    Default Re: cPanel email filtering works for email in, but not for email out

    Hello Tristan,

    Thank you so much for your thorough explanation.

    If that is the only way to do it, that is how we are going to do it.

    Perhaps we can make a script to inject the allowed accounts in /etc/permitsend.

    I tried again, and this time, when I tried to send to test@mydomain.com from an offserver account, I even got the proper message I set in cPanel:

    Code:
    This message was created automatically by mail delivery software.
    
    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:
    
     test@mydomain.com
       Message Rejected.

    Still, if I send from test@mydomain.com to that offserver account, the email is regularly delivered, instead of rejected.

    It is interesting how cPanel's "Account level filtering" feature works quite well for other situations, but not in this particular case.

    I wonder why that is. Would that be a limitation in Exim?

    Would it help if I use some rules with procmail or maildrop? Would that compromise cPanel stability?

    Thank you so much again for your kind and thorough help. Really appreciated.
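
An added example, not part of the original posts and not cPanel code: one way to script changes to the /etc/permitsend allowlist read by the check_outgoing router above. It accepts only full addresses, skips duplicates and replaces the file atomically; the function names and the `PERMIT_FILE` override are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: maintain the sender allowlist used by check_outgoing.
# PERMIT_FILE can be overridden for testing; the default is the path above.
PERMIT_FILE=${PERMIT_FILE:-/etc/permitsend}

valid_address() {
    # Allow one conservative character set only: whitespace and ":" would
    # end an lsearch key early, and "#" would start a comment line.
    case $1 in
        *[!A-Za-z0-9@._+-]*|*@*@*) return 1 ;;
        ?*@?*.?*) return 0 ;;          # local@domain.tld
        *) return 1 ;;                 # bare domains, empty input
    esac
}

permit_add() {
    valid_address "$1" || { echo "rejected: $1" >&2; return 1; }
    touch "$PERMIT_FILE"
    # -F fixed string, -x whole line: nothing to do if already listed
    grep -Fxq -- "$1" "$PERMIT_FILE" && return 0
    tmp=$(mktemp "$PERMIT_FILE.XXXXXX") || return 1
    { cat "$PERMIT_FILE"; printf '%s\n' "$1"; } > "$tmp"
    # Assumption: Exim needs read access; only the owner may write.
    chmod 644 "$tmp" && mv "$tmp" "$PERMIT_FILE"
}

permit_remove() {
    [ -f "$PERMIT_FILE" ] || return 0
    tmp=$(mktemp "$PERMIT_FILE.XXXXXX") || return 1
    # grep exits 1 when no lines remain; that is not an error here
    grep -Fxv -- "$1" "$PERMIT_FILE" > "$tmp" || true
    chmod 644 "$tmp" && mv "$tmp" "$PERMIT_FILE"
}

# usage: sh permitsend.sh add|remove ADDRESS
case ${1:-} in
    add)    permit_add "$2" ;;
    remove) permit_remove "$2" ;;
esac
```

Because the file decides who may send off the server, it should stay owned by root and never be writable by account users.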

  4. #4
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,305
    cPanel/Enkompass Access Level

    Root Administrator

    Default Re: cPanel email filtering works for email in, but not for email out

    It is a limitation in exim for outgoing messages, which is why the only way I could find so far upon investigating at the exim site was to use the method I detailed in my post.

    As for procmail or maildrop, you can always use a smart host router in exim to forward emails going out to another machine, then use that machine to filter the emails. This would only impact emails going out remotely and not locally to other domains on the machine.

  5. #5
    Member
    Join Date
    Jun 2011
    Posts
    6

    Default Re: cPanel email filtering works for email in, but not for email out

    Thank you so much for your time and thorough help.

    Your advice about Exim and /etc/permitsend is excellent.

    Thank you!

  6. #6
    Member
    Join Date
    Jun 2011
    Posts
    6

    Default Re: cPanel email filtering works for email in, but not for email out

    Quote, originally posted by cPanelTristan:
        It is a limitation in exim for outgoing messages, which is why the only way I could find so far upon investigating at the exim site was to use the method I detailed in my post.

        As for procmail or maildrop, you can always use a smart host router in exim to forward emails going out to another machine, then use that machine to filter the emails. This would only impact emails going out remotely and not locally to other domains on the machine.

    I added those directives in the Exim block section, and added the allowed senders in /etc/permitsend.

    Everything works as it should, but unfortunately allowed senders can send to other domains on the same machine as well, thus invalidating that rule we need to enforce.

    To summarize the requested behaviour: a given domain needs to be used only with an internal messaging system policy: no emails can be sent to, nor received from, any other domains, hosted on the same server or elsewhere. Emails regarding that domain are accepted only if sent to, or received from, that particular domain itself.

    A thought passed my mind to use spamassassin to assign a very high spam score to messages we do not want to have accepted, but I am not sure if that rule would work against regular mail processing for other domains that need to function as usual.

    I would be very grateful, and willing to compensate properly, for a working solution.
    Last edited by Vasudeva; 06-10-2011 at 12:23 PM.

  7. #7
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,305
    cPanel/Enkompass Access Level

    Root Administrator

    Default Re: cPanel email filtering works for email in, but not for email out

    I would highly suggest posting on the exim mailing list at exim.org location. You won't even have to pay to ask for assistance there. They are the experts for special configurations like this and, unlike most coding mailing lists, they are relatively nice to newcomers provided the exact specifics are provided in the initial message on what is needed and what has been tried.

  8. #8
    Member
    Join Date
    Jun 2011
    Posts
    6

    Default Re: cPanel email filtering works for email in, but not for email out

    I will, and I will report back here, so that my findings may be useful to others with similar needs.

    Thank you so much for all your advice!

  9. #9
    Registered User
    Join Date
    Jun 2011
    Posts
    1

    Default Re: cPanel email filtering works for email in, but not for email out

    Hey, I was looking for the same information, thanks for the advice and input friends.
    Thanks for saving my time.

  10. #10
    Member
    Join Date
    Jun 2011
    Posts
    6

    Default Re: cPanel email filtering works for email in, but not for email out

    Hello,

    As per Tristan's advice, I inquired at the Exim list.

    This is the thread: Replicating an internal messaging system policy with Exim

    https://lists.exim.org/lurker/thread...63ea98.en.html

    The bottom line is, they suggested some parts of a solution without using filters, but routers, but it was not working for me, since I am unable to follow the implicit parts of the recipe.

    I guess an experienced Exim administrator would see through that advice right away, but I could not fathom the more esoteric parts.

    But we found out that the solution advised by Tristan does work, as long as one puts proper filters not only on the domain that needs to behave like an internal messaging system, but also on all the other domains on the server (which is not too bad to do).

    Ultimately, we did not like to use a file to be checked upon every mail sent, and we turned to use Communigate Pro, only for that domain that needs to follow an internal messaging system policy.

    Communigate Pro can be used without license for testing purposes, and it is extremely easy to set up for that purpose as well. Also, as long as default ports for POP, SMTP, IMAP are not used, it can pacifically coexist with Exim.

  11. #11
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,305
    cPanel/Enkompass Access Level

    Root Administrator

    Default Re: cPanel email filtering works for email in, but not for email out

    Thank you for providing details on the thread opened on the exim mailing list. I am hoping that you might get a reply eventually about the transport to use. I am going to try to see if I could get a working method now that a local router example has been provided there. If I personally end up with any further details on how to get this accomplished locally rather than just remotely, I will update this thread as well.

  12. #12
    Registered User
    Join Date
    Apr 2012
    Posts
    1
    cPanel/Enkompass Access Level

    Website Owner

    Default Re: cPanel email filtering works for email in, but not for email out

    I was curious if there have been any updates to this issue. My problem is very similar. We are moving away from MSMail WGPO. We have email accounts set up for the more senior employees; they can email whoever they like. I created a subdomain of lan.ourbusiness.com. They should only be able to email with *@lan.ourbusiness.com and *@ourbusiness.com.
    I have the rules set up in a way that should work, but they do not.
