Unexpected SPF config bounced mail from my gateway

[dolphyn]

Warning to anyone who uses an external anti-spam gateway:

An SPF-related setting was added to my exim.conf on December 27 which improperly caused some mail from my gateway to be bounced until I learned of the problem today.

My gateway is whitelisted, but apparently the new SPF-related setting does NOT respect the whitelists.

Some mail relayed through my gateway was rejected with the error:
SPF: [gateway IP] is not allowed to send mail from [domain]

My CPanel Update configuration is
cPanel/WHM Updates: Manual Updates Only (STABLE tree)
cPanel Package Updates: Manual Updates Only
Security Package Updates: Automatic

Needless to say, it's kind of upsetting to have my Exim configuration updated (and broken) without any notification. Should I have been notified about this, and if so, how? Thanks.

[cPanelDon]

Warning to anyone who uses an external anti-spam gateway:

An SPF-related setting was added to my exim.conf on December 27 which improperly caused some mail from my gateway to be bounced until I learned of the problem today.

My gateway is whitelisted, but apparently the new SPF-related setting does NOT respect the whitelists.

Some mail relayed through my gateway was rejected with the error:
SPF: [gateway IP] is not allowed to send mail from [domain]

My CPanel Update configuration is
cPanel/WHM Updates: Manual Updates Only (STABLE tree)
cPanel Package Updates: Manual Updates Only
Security Package Updates: Automatic

Needless to say, it's kind of upsetting to have my Exim configuration updated (and broken) without any notification. Should I have been notified about this, and if so, how? Thanks.

The rejected e-mail issue is caused by the sender's domain name having a misconfigured SPF record as defined in the applicable DNS zone. If the custom mail gateway should be allowed to send mail then the DNS zones should be updated to correct the SPF records for the domain names involved.

SPF records may be enabled, disabled, and modified via the following area in cPanel:
cPanel: Main >> Mail >> E-mail Authentication
Documentation: Email Authentication

[dolphyn]

The rejected e-mail issue is caused by the sender's domain name having a misconfigured SPF record as defined in the applicable DNS zone. If the custom mail gateway should be allowed to send mail then the DNS zones should be updated to correct the SPF records for the domain names involved.

No, we cannot "correct" the SPF records of external domains that send mail to us, and we wouldn't expect external domains to know about our gateway when configuring their SPF records.

All of our incoming mail passes through our gateway on the way to the CPanel server, and the CPanel update caused our CPanel server to reject mail from our own gateway. I didn't know about the problem until customers complained about missing mail.

We've fixed the issue for now, but I'm still trying to understand how it is that an automatic update changed our Exim configuration when we have the automatic updates turned off. Thanks!

[cPanelDon]

No, we cannot "correct" the SPF records of external domains that send mail to us, and we wouldn't expect external domains to know about our gateway when configuring their SPF records.

All of our incoming mail passes through our gateway on the way to the CPanel server, and the CPanel update caused our CPanel server to reject mail from our own gateway. I didn't know about the problem until customers complained about missing mail.

We've fixed the issue for now, but I'm still trying to understand how it is that an automatic update changed our Exim configuration when we have the automatic updates turned off. Thanks!

I apologize as I believe I may have misunderstood the specific scenario involved. Please note there have not been any very recent updates to the STABLE build tree and the last one was on August 25 of 2009.

What is the indication that the setting was added automatically by cPanel/WHM?

Was an update performed of cPanel, Exim, or any related software interacting with Exim (e.g., ClamAVconnector plug-in or related third-party software)?

Was the Exim Configuration Editor accessed before or around the time the issue was noticed? I would check the cPanel access_log to obtain additional details:

Code:

/usr/local/cpanel/logs/access_log

Here is a command to help locate relevant access_log entries for the Exim Configuration Editor:

Code:

# egrep "saveexim.*HTTP" /usr/local/cpanel/logs/access_log

[dolphyn]

Hi Don,

Thanks for calling my attention to the CPanel access logs. That solves part of the mystery; my helper intended to enable the SPF setting on his separate server but he accidentally made the change on my server instead.

But, I think there is still a CPanel issue, because both the host name and the IP of my incoming gateway are listed in /etc/trustedmailhosts, which (by my reckoning) should override the SPF blacklist setting.

Thanks, and sorry for the tone of my earlier post. I was feeling a bit grumpy, didn't explain the situation very well, and I blamed the CPanel update because I didn't think we had touched the settings.

Happy New Year!

[cPanelDon]

Hi Don,

Thanks for calling my attention to the CPanel access logs. That solves part of the mystery; my helper intended to enable the SPF setting on his separate server but he accidentally made the change on my server instead.

But, I think there is still a CPanel issue, because both the host name and the IP of my incoming gateway are listed in /etc/trustedmailhosts, which (by my reckoning) should override the SPF blacklist setting.

Thanks, and sorry for the tone of my earlier post. I was feeling a bit grumpy, didn't explain the situation very well, and I blamed the CPanel update because I didn't think we had touched the settings.

Happy New Year!

You're welcome. When possible, please let us know the full cPanel version number (i.e., to confirm the full version of the installed STABLE build). I believe the issue might have been fixed in cPanel version 11.24.4 where the build number is at least "33362" or higher. If the symptom persists while using the latest version (per http://httpupdate.cpanel.net/#builds) I would consider submitting a support request so that we may assist with investigation. If submitting a support request, when available, please let me know the ticket ID number (e.g, via a PM) so I may follow-up internally.

Reference internal case ID number: #7898

P.S., Enjoy the new year and have a most excellent and relaxing holiday weekend!