SOLVED CPANEL-40370 - Odd filter behaviour including 2 fail messages

Operating System & Version: Linux
cPanel & WHM Version: 100.0 (build 12)

cfp1 (Member; cPanel Access Level: Website Owner)
I have the following setup in GLOBAL EMAIL FILTERS for an email that I have discontinued due to too much spam:

Filter name: WHATEVER
Rules: "TO" "contains" "[email protected]"
Actions: (i) Deliver to /mydomain/info/
(ii) Fail with message "SMTP error from remote server for RCPT TO command, host: mydomain.com reason: 550 No Such User Here"

Now I would expect that
1) the message gets stored in the INBOX of info (while I transition to a new address I still want to be able to check what arrives) and
2) the sender receives the above SMTP error message that I specified.

The email is indeed deposited into the info INBOX and a fail message is sent but it looks rather odd:
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

"info"@mydomain.com
(generated from [email protected])
SMTP error from remote server for RCPT TO command, host:
mydomain.com reason: 550 No Such User Here
[email protected]
SMTP error from remote server for RCPT TO command, host:
mydomain.com reason: 550 No Such User Here

----

reporting-MTA: dns; mymailserver.com

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0

So it seems that the fail message is included twice in the email, once when the email is stored in the info INBOX (note the "info"@mydomain" at the beginning of the first message, if I want the mail delivered to "subfolder" instead of INBOX, this will change to "info+subfolder"@mydomain" ... how weird!), and a second time when the fail command executes. Obviously I only want 1 fail message to be included and ideally from the fail event and not from the "Deliver message to folder" event, even revealing the folder name to the recipient (what a monumental security failure!).

I have tried to define two separate filters, i.e., filter1 deposits the email in "subfolder" and does nothing else and sits at the top of the filter list, and then filter2 sits right below and executes the "fail with message", but the result is exactly the same, so instead of filter1 executing first (quietly without sending any message) and then filter2 executing sending the fail message, it seems that both execute at the same time and produce the double fail message. This clearly is a bug. So my question is how can I get the expected behaviour?
Thanks


P.S.: BTW this text window seems to be broken because when I click on the "code" icon </> a window pops up entitled "forum list".
 

cfp1 (Member; cPanel Access Level: Website Owner)
As a side note, I can get the expected behaviour (single fail message in email) if I create the above filter not in GLOBAL EMAIL FILTERS but in EMAIL FILTERS. I would still like to know why I get the unexpected and seemingly buggy behaviour in GLOBAL EMAIL FILTERS. Thanks.
 

cPRex (Jurassic Moderator, Staff member; cPanel Access Level: Root Administrator)
To set up this test, I created the following filter:

[Screenshot: Screen Shot 2022-03-31 at 12.33.20 PM.png]

I then sent a test message to the address and got this in the mail logs, indicating the filter was processed correctly (spaces in the log added for clarity):

Code:
2022-03-31 16:33:39 1nZxjs-006VLq-D0 H=mail-dm6nam10on2094.outbound.protection.outlook.com (NAM10-DM6-obe.outbound.protection.outlook.com) [40.107.93.94]:58081 Warning: "SpamAssassin as amps detected message as NOT spam (-0.2)"
2022-03-31 16:33:39 1nZxjs-006VLq-D0 <= [email protected] H=mail-dm6nam10on2094.outbound.protection.outlook.com (NAM10-DM6-obe.outbound.protection.outlook.com) [40.107.93.94]:58081 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=11477 id=BY5PR14MB37838877F4B8BFCFD9F30BD593E19@BY5PR14MB3783.namprd14.prod.outlook.com T="Testing the filtering system" for [email protected]

2022-03-31 16:33:39 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1nZxjs-006VLq-D0

2022-03-31 16:33:39 SMTP connection from mail-dm6nam10on2094.outbound.protection.outlook.com (NAM10-DM6-obe.outbound.protection.outlook.com) [40.107.93.94]:58081 closed by QUIT

2022-03-31 16:33:39 1nZxjs-006VLq-D0 ** [email protected] R=central_filter: SMTP error from remote server for RCPT TO command, host: mydomain.com reason: 550 No Such User Here
2022-03-31 16:33:39 1nZxjs-006VLq-D0 ** [email protected] <[email protected]> R=central_filter: SMTP error from remote server for RCPT TO command, host: mydomain.com reason: 550 No Such User Here
2022-03-31 16:33:39 1nZxjs-006VLq-D0 => cptest+testfolder ("cptest+testfolder"@domain.com) <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> BZkPD+PXRWLHqBcAxedwlg Saved"
2022-03-31 16:33:39 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1nZxjs-006VLq-D0
2022-03-31 16:33:39 1nZxjv-006VNT-8x <= <> R=1nZxjs-006VLq-D0 U=mailnull P=local S=13160 T="Mail delivery failed: returning message to sender" for rex[email protected]
2022-03-31 16:33:39 1nZxjs-006VLq-D0 Completed

From this, it indicates that Exim is sending the 550 error for both the main address and the folder address, which is why that is showing up twice. Could you check your mail log and confirm if the same thing is happening on your end? I'd just like to confirm that is the case on your side as well before I make a case with our email team.
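
One way to run the log check requested above, added here as an example (it is not cPanel's or either poster's code): a Python script that groups `exim_mainlog` lines by message ID and reports messages where `central_filter` failed more than one address, and whether a filter-generated address carries a `+folder` suffix that would appear in the bounce. The log lines are constructed with placeholder addresses; the function name and report keys are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the exim_mainlog layout shown in this thread (placeholder addresses).
SAMPLE_LOG = """\
2022-03-31 16:33:39 1aaaaa-000001-AA <= sender@example.net H=mx.example.net [192.0.2.10]:58081 P=esmtps S=11477 for info@example.com
2022-03-31 16:33:39 1aaaaa-000001-AA ** info@example.com R=central_filter: 550 No Such User Here
2022-03-31 16:33:39 1aaaaa-000001-AA ** "info+subfolder"@example.com <info@example.com> R=central_filter: 550 No Such User Here
2022-03-31 16:33:39 1aaaaa-000001-AA => info+subfolder ("info+subfolder"@example.com) <info@example.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 Saved"
2022-03-31 16:33:39 1aaaaa-000001-AA Completed
2022-03-31 16:40:02 1bbbbb-000002-BB <= sender@example.net H=mx.example.net [192.0.2.10]:58090 P=esmtps S=900 for old@example.com
2022-03-31 16:40:02 1bbbbb-000002-BB ** old@example.com R=central_filter: 550 No Such User Here
2022-03-31 16:40:02 1bbbbb-000002-BB Completed
"""

# date, time, message ID, then "**" (failed) or "=>" (delivered), then the address.
LINE = re.compile(r"^\S+ \S+ (?P<id>[\w-]+) (?P<flag>\*\*|=>) (?P<addr>\S+)(?P<rest>.*)$")
ROUTER = re.compile(r"R=(\w+)")
PARENT = re.compile(r"<([^>]+)>")  # original address a generated address came from


def filter_bounce_report(log_text):
    """Summarise central_filter failures per message ID (hypothetical helper)."""
    failed, delivered = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # "<=", "Completed", cwd= and connection lines are skipped
        router = ROUTER.search(m["rest"])
        # Look for the parent only before " R=", so the error text cannot match.
        parent = PARENT.search(m["rest"].split(" R=", 1)[0])
        if m["flag"] == "**" and router and router[1] == "central_filter":
            failed[m["id"]].append((m["addr"], parent[1] if parent else None))
        elif m["flag"] == "=>":
            delivered[m["id"]].append(m["addr"])
    report = {}
    for msg_id, fails in failed.items():
        generated = [addr for addr, par in fails if par]  # addresses created by the filter
        report[msg_id] = {
            "failed": [addr for addr, _ in fails],
            "duplicate_fail": len(fails) > 1,
            "folder_exposed": [a for a in generated if "+" in a.rsplit("@", 1)[0]],
            "also_delivered": bool(delivered[msg_id]),
        }
    return report


if __name__ == "__main__":
    for msg_id, info in filter_bounce_report(SAMPLE_LOG).items():
        print(msg_id, info)
```
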
 

cfp1 (Member; cPanel Access Level: Website Owner)
Sorry but I am a user not a hoster, so I do not have access to /var/log/exim_mainlog. Is there any other way I can check this?
 

cfp1 (Member; cPanel Access Level: Website Owner)
BTW, another thing I observed is that if I set up the filter in EMAIL FILTERS such that the mail is delivered to anything but the INBOX, I also get the two fail messages in the error email. In summary, it only works as expected if
  1. I set it up in EMAIL FILTERS (not GLOBAL EMAIL FILTERS) and
  2. I have the message delivered to the INBOX.
 

cPRex (Jurassic Moderator, Staff member; cPanel Access Level: Root Administrator)
Update: Our developers have thoroughly investigated the issue, and I would like to share the conclusions they have reached.

After extensive testing, we have discovered that the reported issue has only been encountered once, as mentioned in this Forums post. Our team evaluated the potential solution of modifying the filter behavior to address the problem more comprehensively. However, doing so could inadvertently disrupt other filters that have been in place and working for a significant period.

Considering the potential impact on existing filters, and the fact the expected outcome can be achieved with the local filters system, the team has made the decision to maintain the current filter behavior for the time being.

We understand that this may not be the desired outcome, and I know there's been quite a delay since this thread was created, but I did want to post the solution our team came to so you'd be updated.