with :fail:, some bounce messages still being sent

[Samuraid]

Hello CPanel-ers,

I am having an issue with Exim sending bounce e-mail messages.

The problem:
When anyone sends mail to a non-existent address, Exim is still generating a bounce email. (the queue is filled with them)

I expect this is because they are sending the mail in the correct fashion:
Spammer -> Our external MX servers (whitelisted) -> CPanel box

However, I thought :fail: would prevent ANY bounces from being sent, regardless of the circumstances.

Here is the setup:
- The CPanel server is the outgoing mail server, which sends mail directly out to recipients
- All incoming mail is sent to an external MX server for filtering and then the mail is forwarded to the CPanel server for each users' mailbox.
- Users POP3 directly into the CPanel box to receive their mail.

Here are a few of the important config settings:
- All non-existent e-mail addresses are set to :fail:, both at the global level in WHM and on the specific account we have running on the server.
- The external MX servers are added to "Whitelist: Trusted Mail Hosts/Ip Blocks"
- I added a special ACL setting in Exim that denies any other external servers from trying to send mail directly to the CPanel server (spammers try that all the time). They get a 550 error if they try.

Does anyone have any ideas on how to stop the bounce emails?

[Samuraid]

In case anyone else runs into something like this in the future...


I solved this issue by moving this configuration statement:

Code:

#recipient verifications are required for all messages that are not sent to the local machine
  #this was done at multiple users requests
  require verify = recipient
    message = "The recipient cannot be verified.  Please check all recipients of this message to verify they are valid.  Details: $acl_verify_message"

and placing it ABOVE the [% ACL_WHITELIST_BLOCK %] and other whitelist verifications.

The server now seems to be correctly sending 550 errors on bad addresses instead of trying to send bounces.

[Lestat]

Without having access to the mail server(s) involved, here are a few things to try:

1. See http://www.root0.net/script/spamcheck_ip.html and http://www.root0.net/script/index.html (Find out spammer IPs link).

This may be helpful in tracking abusive IP's which can then be blocked in the firewall.

2. If you have not already blocked TCP port 113 incoming, then please do so.

3. You may already know these, but some helpful netstat commands (which can be modified as you desire):

# Provide a list of IP's connecting to port 25 along with how many connections
netstat -ntu | grep ':25' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort

# Check for possible syn floods against port 25
netstat -an | grep SYN | grep :25 | sort

# Overall count of port 25 connections
netstat -nap | grep :25 | wc -l

# Provide a list of connection IP's by count
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

maybe chirpy can right something us for us on this matter...