[case 50859] POP before SMTP no longer working since the weekend.

santrix

Well-Known Member
Nov 30, 2008
225
2
68
Hi,

I have today received a number of tickets from customers complaining they are getting errors when trying to send SMTP, to the tune of

Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

I have had to disable "Require RFC-compliant HELO" from the Exim config for the time being. Did something change in the last update to the Release tree of WHM?

Steve
 

santrix

Well-Known Member
Nov 30, 2008
225
2
68
re: [case 50859] Require RFC-compliant HELO - Causing Problems

Something must have changed recently. The clients experiencing the issue did not have their SMTP clients set to authenticate upon connecting, and must have previously been relying upon pop before smtp.

I'm still not sure what exactly cPanel have changed to cause this behaviour?
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
re: [case 50859] Require RFC-compliant HELO - Causing Problems

Are the clients who are experiencing this all using Outlook as their email client?
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
3,481
35
208
cPanel Access Level
DataCenter Provider
re: [case 50859] Require RFC-compliant HELO - Causing Problems

Something must have changed recently. The clients experiencing the issue did not have their SMTP clients set to authenticate upon connecting, and must have previously been relying upon pop before smtp.

I'm still not sure what exactly cPanel have changed to cause this behaviour?

If they are in /etc/relayhosts it should not be hitting the HELO checks

Code:
acl_mail:
    # ignore authenticated hosts
    accept authenticated = *

# ignore pop before smtp 
    accept  condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}
    accept hosts = +relay_hosts

#BEGIN ACL_MAIL_BLOCK

deny
    condition = ${if eq{$sender_helo_name}{}}
    message   = HELO required before MAIL
...
Are you seeing this happen if they are in /etc/relayhosts?
 

Gareth-AWD

Well-Known Member
Jul 3, 2008
195
13
68
London, UK
cPanel Access Level
Root Administrator
Re: [case 50859] Require RFC-compliant HELO - Causing Problems

I'm also getting this issue and turning this off does the trick.

It's only a temporary messure. Can Cpanel shed any light on this?
 

docbreed

Well-Known Member
Jul 18, 2005
57
0
156
Re: [case 50859] Require RFC-compliant HELO - Causing Problems

We've had the same deal happen over the last two days.

Users now have to require smtp authentication, where as in the past they didn't. It started with alot of 4.1.1.1 errors and when turning off the Require RFC-compliant HELO [?] option we had alot of issues with:

currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.

WHM 11.30.0 (build 32)
exim-4.69-29_cpanel_maildir

We need a temporary fix to inform clients they need to now change their client apps, devices, phones to require smtp authentication.

Forgot to mention that i had to disable the rbl checks too because my clients where failing rbl too.
Very frustrating :(
 
Last edited:

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
Re: [case 50859] Require RFC-compliant HELO - Causing Problems

Case 50859 (backport 50908 for 11.30.1.0 version) handles this issue which is that tailwatch is not updating relayhosts after log rotation causing POP3 before SMTP to not function (so antirelayd isn't working properly basically).

As a temporary measure until that version has been released to your existing tier, you could edit /etc/logrotate.d/syslog file temporarily to change from the following:

Code:
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
To this instead:

Code:
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
    /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
        /scripts/restartsrv_tailwatchd
    endscript
}
This would add /scripts/restartsrv_tailwatchd to restart properly and tail the proper log file.

You can view the changelog to see when 50908 is pushed into production at http://go.cpanel.net/changelog and see the existing versions for each tier at http://httpupdate.cpanel.net location.

To check your current cPanel version, you can run the following command:

Code:
cat /usr/local/cpanel/version ;echo
 

fizz

Well-Known Member
Jan 25, 2002
202
0
316
POP before SMTP no longer working since the weekend.

It appears an update over the weekend broke POP before SMTP. I attempted to apply a fix from this thread, but it had no effect on fixing this problem.

The fix was to restart tailwatchd on the logrotate.d/syslog file.

Any clues on what I can check to get this resolved?

Verified tailwatchd is running.
 
Last edited:

fizz

Well-Known Member
Jan 25, 2002
202
0
316
Me and one other guy are the only ones with access to WHM. So nothing was changed in that regard. It happened at the same time people started to get the invalid HELO rfc messages.

No, I havent reset to defaults yet as I wanted to check with the forum first.
 

Gareth-AWD

Well-Known Member
Jul 3, 2008
195
13
68
London, UK
cPanel Access Level
Root Administrator
There's something seriously wrong here. Despite the invalid HELO which was fixed for some clients, we do still get an error.

When can we expect a fix on this in the RELEASE tree. I'm seriously considering dropping back to STABLE in future.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
Please submit a ticket at this point using WHM > Support Center > Contact cPanel or using the link in my signature so we can investigate why this is happening still.
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
3,481
35
208
cPanel Access Level
DataCenter Provider
Re: [case 50859] Require RFC-compliant HELO - Causing Problems

Assuming that the inotify watch is being lost on the maillog due to syslogd rotating the log, you could work around the problem by disabling inotify support in tailwatchd (it will revert to the slower pre 11.28 behavior) by running the following:

touch /var/cpanel/conserve_memory
/scripts/restartsrv_tailwatchd
Likewise the case referenced in this thread was fixed on the 24th, and is awaiting QA approval to be published (shouldn't be long now).

Another option is to switch to the EDGE tier (11.30.1.1) which has this patch. Assuming there are no unforeseen problems with 11.30.1.1 it should progress to CURRENT and then RELEASE by the end of the week.
 

mikelegg

Well-Known Member
Mar 29, 2005
330
3
166
We've had this problem since the weekend and have been advising customers to authenticate to send mail.

Now they can't send mail even when they explicitly authenticate.

While disabling "Require RFC-compliant HELO" allows mail to be sent, the first message I sent was refused by the recipient with the error " 503 Valid RCPT command must precede DATA"

Modifying /etc/logrotate.d/syslog as per this thread seems to fix it.

WHM 11.30.0 (build 32) Release
 
Last edited: