Can I only allow mail from my SPAM filter server on a per-domain basis?

Discussion in 'E-mail Discussions' started by ed.kalk, Jun 19, 2008.

  1. ed.kalk

    ed.kalk Well-Known Member

    Joined:
    Jun 19, 2008
    Messages:
    76
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Minneapolis, MN
    :confused:

    I'm trying to use SPAM filter ISP on a dedicated server. It has been running for 36 hours and is only currently filtering 3 out of about 100 domains for testing.

    It seems that some spammers are sending spam directly to my cPanel server and not using the MX records.

    How do I only allow mail from my SPAM filter Server?
    Can I do this on a per domain basis?
     
    #1 ed.kalk, Jun 19, 2008
    Last edited: Jun 19, 2008
  2. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    That's a bit tricky. In order to strictly prohibit mail from external servers from entering your server for a specific domain, you have to block TCP 25 (the SMTP port). You can't block that because (a) you have some domains that are not using the filter and (b) you likely have customers accessing port 25 to send messages through your server. Blocking port 25 isn't going to work.

    To further complicate things, as you already determined, much spam is sent directly to the IP address that the domain resolves to. Technically you could reduce the likelihood of spam (for filtered domains) entering your server directly by removing the DNS "A" record for the domain itself. I.e., if the domain is mydomain.com, make sure there is no "A" record in DNS for mydomain.com. However, this could break some cPanel functionality. Even if it does not, at the very least it means that people who want to visit the mydomain.com website would be forced to use http://WWW.mydomain.com since mydomain.com would not resolve.

    The only real way to completely prevent this from happening is to not have SMTP port 25 listening on the machine that is the final mail server (your cPanel server)... but you likely can't do that.

    Mike
     
  3. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    770
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    /dev/null
    You could actually do this relatively simply with ACLs at the RCPT stage. A short example (untested), but something along these lines should work:

    Create a file containing the domains your smarthost manages:
    Code:
    root@box# touch /etc/smarthostdomains
    
    Then edit it and add the domains (one per line)

    Then in the advanced exim config editor in the first box somewhere:
    Code:
    domainlist smarthost_domains = lsearch;/etc/smarthostdomains
    
    Then in your acl_check_rcpt section:

    Code:
    deny message = You are not authorised to send to this domain
              log_message = Didnt come from our smarthost
              domains = +smarthost_domains
              condition = ${if match{$sender_host_name}{\Nyourdomain.com$\N}{no}{yes}}
    
    Replace yourdomain.com with the TLD you use for your hostnames.
     
    #3 nickp666, Jun 20, 2008
    Last edited: Jun 20, 2008
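
The hostname test in the ACL above can be tried against sample names before it goes into the Exim configuration. This is an added example, not part of nickp666's post: `grep -E` stands in for Exim's regex matching, the host names are constructed, and the tightened pattern is an assumption rather than something posted in the thread.

```shell
#!/bin/sh
# Added example: grep -E stands in for Exim's regex match; for these two
# patterns the matching rules are the same.

# Pattern as posted above (yourdomain.com is the thread's placeholder).
POSTED='yourdomain.com$'
# Tightened form (assumption, not from the thread): literal dot, and the
# name must be the domain itself or a subdomain of it.
ANCHORED='(^|\.)yourdomain\.com$'

# acl_verdict PATTERN HOSTNAME
# Mirrors ${if match{$sender_host_name}{PATTERN}{no}{yes}}: a match makes
# the deny condition "no" (mail passes this rule); no match makes it "yes"
# (the RCPT is denied).
acl_verdict() {
    if printf '%s\n' "$2" | grep -Eq -- "$1"; then
        echo pass
    else
        echo deny
    fi
}

# Constructed host names, not taken from any log. The empty string stands
# for a connection whose host name could not be looked up.
for h in mx1.yourdomain.com yourdomain.com notyourdomain.com \
         yourdomainxcom mail.example.net ""; do
    printf '%-20s posted=%s anchored=%s\n' "${h:-(empty)}" \
        "$(acl_verdict "$POSTED" "$h")" "$(acl_verdict "$ANCHORED" "$h")"
done
```

The two patterns differ only on names that merely end in the same characters as the smarthost's domain; the filter server's own names pass both.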
  4. ed.kalk

    ed.kalk Well-Known Member

    where is the acl_check_rcpt section?

    I'm a little unsure about where the acl_check_rcpt section would be...

    also as far as the following code:
    deny message = You are not authorised to send to this domain
    log_message = Didnt come from our smarthost
    domains = +smarthost_domains
    condition = ${if match{$sender_host_name}{\Nyourdomain.com$\N}{no}{yes}}

    The condition part means if the sender host is not bitwiselogic.com, correct?

    I was thinking it would look like this when I inserted the code:
    deny message = You are not authorised to send to this domain
    log_message = Didnt come from our smarthost
    domains = +smarthost_domains
    condition = ${if match{$sender_host_name}{\Nbitwiselogic.com$\N}{no}{yes}}

    correct?
     
  5. nickp666

    nickp666 Well-Known Member

    Sorry, the rcpt ACL section on a default cPanel setup is called "check_recipient:". It's in the second box of the ACL section of the advanced Exim conf editor.

    Put the above ACL underneath:
    Code:
    accept  hosts = :
    accept hosts = +skipsmtpcheck_hosts
    
    You are correct about the condition part
     
  6. ed.kalk

    ed.kalk Well-Known Member

    Not sure where to put the code for acl_check_rcpt

    This is a copy of my acl check rcpt section.

    I tried to put the code in under "accept hosts = :" and it stopped taking mail altogether with no bounce messages. After I removed the code, the mail did show up...

    This is what i tried: (This is my full acl_check_rcpt section)

    Code:
    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
      accept  hosts = :
    
      deny message = You are not authorised to send to this domain
              log_message = Didnt come from our smarthost
              domains = +smarthost_domains
              condition = ${if match{$sender_host_name}{\Nbitwiselogic.com$\N}{no}{yes}}
    
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      #if it gets here it isn't mailman
                                                                                                                                               
      #sender verifications are required for all messages that are not sent to lists
                                                                                                                                               
      require verify = sender
      accept  domains = +local_domains
      endpass
      message = unknown user
      verify = recipient
      accept  domains = +relay_domains
      warn  message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
            hosts = +relay_hosts
      accept  hosts = +relay_hosts
                                                                                    
      warn  message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
            condition = ${perl{checkrelayhost}{$sender_host_address}}
      accept  condition = ${perl{checkrelayhost}{$sender_host_address}}
    
      accept  hosts = +auth_relay_hosts
              endpass
              message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
              authenticated = *
    
      deny    message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
    
    
    #!!# ACL that is used after the DATA command
    check_message:
      require verify = header_sender
      accept
     
    #6 ed.kalk, Jun 24, 2008
    Last edited: Jun 24, 2008
  7. nickp666

    nickp666 Well-Known Member

    what does your exim_mainlog say?

    also looks like you lost "accept hosts = +skipsmtpcheck_hosts" somewhere along the line
     
  8. ed.kalk

    ed.kalk Well-Known Member

    what is exim main log?

    As far as I know, I never had the "accept hosts = +skipsmtpcheck_hosts"

    What does it do by the way?
    Where should it go?

    Do you think that is why it is not working?

    I noticed that the no and yes were reversed on your code compared to the other entries in the acl code, does this matter?
     
  9. nickp666

    nickp666 Well-Known Member

    the exim main log is located at /var/log/exim_mainlog

    The missing part goes under:
    accept hosts = :

    before you add it, what is your cPanel version and OS?

    Without the entries from the exim_mainlog I wouldn't be able to guess what the problem is. It could just be a typo in my ACL, but without the log entries I have absolutely no idea.

    the yes and no clause is supposed to be around the other way, as the condition is 'does not match'
     
  10. ed.kalk

    ed.kalk Well-Known Member

    WHM 10.8.0 cPanel 10.9.0-C10
    Trustix i686 - WHM X v3.1.0

    The main log is really long and I don't know of a way to easily post what it says here in the forum. Is there some way to e-mail it to you?
     
  11. nickp666

    nickp666 Well-Known Member

    That explains why you don't have that line; cPanel 10 doesn't have that feature.

    are there any lines in /var/log/exim_paniclog?

    In theory that should contain the errors and should be a lot shorter
     
  12. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Wow, I haven't seen someone running Trustix in a very long time.

    Note, your license will cease functioning on July 1, 2008 if you do not upgrade to cPanel 11 before then. There is no charge for this upgrade. See the following page for more information:

    http://blog.cpanel.net/?p=53
     
  13. ed.kalk

    ed.kalk Well-Known Member

    I'm guessing that this is what you are looking for

    2008-06-24 10:05:17 failed to open /etc/smarthostdomains for linear search: Permission denied (euid=47 egid=12)
     
  14. nickp666

    nickp666 Well-Known Member

    what is the result of:
    Code:
    ls -l /etc/smarthostdomains

    I don't know how Trustix's permissions work as I've never run it, but we should be able to get away with changing the permissions on the file to make this work (didn't need to on a RHEL box)
     
  15. ed.kalk

    ed.kalk Well-Known Member

    -rw------- 1 root root 82 Jun 24 10:59 /etc/smarthostdomains
     
  16. nickp666

    nickp666 Well-Known Member

    ok try:
    Code:
    chown root:mail /etc/smarthostdomains
    
    Add the ACL again, and watch the logs
     
  17. ed.kalk

    ed.kalk Well-Known Member

    -rw------- 1 root mail 82 Jun 24 10:59 /etc/smarthostdomains

    ok now the permissions are changed
     
  18. ed.kalk

    ed.kalk Well-Known Member

    As I said before, when I added the code under "accept hosts = :"

    all mail stopped working.

    Should I put it in that same place now or try putting it near the end like this?

    Code:
    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
      accept  hosts = :
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      #if it gets here it isn't mailman
                                                                                                                                               
      #sender verifications are required for all messages that are not sent to lists
                                                                                                                                               
      require verify = sender
      accept  domains = +local_domains
      endpass
      message = unknown user
      verify = recipient
      accept  domains = +relay_domains
      warn  message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
            hosts = +relay_hosts
      accept  hosts = +relay_hosts
                                                                                    
      warn  message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
            condition = ${perl{checkrelayhost}{$sender_host_address}}
      accept  condition = ${perl{checkrelayhost}{$sender_host_address}}
    
      accept  hosts = +auth_relay_hosts
              endpass
              message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
              authenticated = *
    
      deny message = You are not authorised to send to this domain
              log_message = Didnt come from our smarthost
              domains = +smarthost_domains
              condition = ${if match{$sender_host_name}{\Nbitwiselogic.com$\N}{no}{yes}}
    
      deny    message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
    
    
    #!!# ACL that is used after the DATA command
    check_message:
      require verify = header_sender
      accept
     
  19. nickp666

    nickp666 Well-Known Member

    The issue is with the permissions of the /etc/smarthostdomains file. Once we've got those right it will work. Presently Exim cannot read this file and is therefore panicking. Try copying the permissions of /etc/secondarymx, as I know for a fact Exim can read that (Trustix must handle its permissions differently than RHEL).

    The first post of your check_recipient section is fine, it's just the file permissions on the domainlist that are stopping it from working
     
  20. ed.kalk

    ed.kalk Well-Known Member

    You are right, this is what happened when I just tried it

    2008-06-24 14:44:11 failed to open /etc/smarthostdomains for linear search: Permission denied (euid=47 egid=12)

    how do I copy permissions?
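
The `ls -l` output in post 17 shows the group changed to mail while the mode stayed `-rw-------`, so the group class still has no read bit. The script below is an added example, not code from the thread: it applies the owner/group/other rule to the values posted above and includes a helper for copying permissions from a reference file. It assumes group mail is gid 12 (the egid in the log) and GNU coreutils.

```shell
#!/bin/sh
# Added example: works out why Exim was still refused after the chown, using
# the log line and ls -l output posted in this thread.
# Simplification: supplementary groups are ignored (the log only gives egid).

# log_ids LINE -> "EUID EGID" from an Exim "Permission denied" log line
log_ids() {
    printf '%s\n' "$1" |
        sed -n 's/.*(euid=\([0-9][0-9]*\) egid=\([0-9][0-9]*\)).*/\1 \2/p'
}

# read_check LS_MODE OWNER_UID GROUP_GID PROC_UID PROC_GID -> "<class> yes|no"
# Only one permission class applies to a process: owner, else group, else
# other. The read bit of that class is column 2, 5 or 8 of the ls -l mode.
read_check() {
    if [ "$4" -eq 0 ]; then echo "root yes"; return; fi
    if [ "$4" -eq "$2" ]; then class=owner; col=2
    elif [ "$5" -eq "$3" ]; then class=group; col=5
    else class=other; col=8
    fi
    if [ "$(printf '%s' "$1" | cut -c"$col")" = r ]; then
        echo "$class yes"
    else
        echo "$class no"
    fi
}

# copy_perms REF TARGET: give TARGET the owner, group and mode of REF.
# Uses the GNU coreutils --reference option; run it as root.
copy_perms() {
    chown --reference="$1" "$2" && chmod --reference="$1" "$2"
}

LOG='2008-06-24 14:44:11 failed to open /etc/smarthostdomains for linear search: Permission denied (euid=47 egid=12)'
ids=$(log_ids "$LOG")
exim_uid=${ids% *}
exim_gid=${ids#* }

# Assumption: root is uid/gid 0 and group "mail" is gid 12.
# The first two modes are the ls -l outputs from posts 15 and 17; the third
# is a constructed mode with the group read bit set (what chmod 640 gives).
echo "post 15, root:root -rw-------: $(read_check -rw------- 0 0 "$exim_uid" "$exim_gid")"
echo "post 17, root:mail -rw-------: $(read_check -rw------- 0 12 "$exim_uid" "$exim_gid")"
echo "constructed, root:mail -rw-r-----: $(read_check -rw-r----- 0 12 "$exim_uid" "$exim_gid")"
```

On the server, `copy_perms /etc/secondarymx /etc/smarthostdomains` run as root applies nickp666's suggestion from post 19; `ls -l` on both files should then show the same owner, group and mode.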
     