In Progress CPANEL-40370 - Odd filter behaviour including 2 fail messages

Operating System & Version
Linux
cPanel & WHM Version
100.0 (build 12)

cfp1

Member
Jul 21, 2020
7
0
1
here
cPanel Access Level
Website Owner
I have the following setup in GLOBAL EMAIL FILTERS for an email that I have discontinued due to too much spam:

Filter name: WHATEVER
Rules: "TO" "contains" "[email protected]"
Actions: (i) Deliver to /mydomain/info/
(ii) Fail with message "SMTP error from remote server for RCPT TO command, host: mydomain.com reason: 550 No Such User Here"

Now I would expect that
1) the message gets stored in the INBOX of info (while I transition to a new address I still want to be able to check what arrives) and
2) the sender receives the above SMTP error message that I specified.

The email is indeed deposited into the info IBOX and a fail message is sent but it looks rather odd:
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

"info"@mydomain.com
(generated from [email protected])
SMTP error from remote server for RCPT TO command, host:
mydomain.com reason: 550 No Such User Here
[email protected]
SMTP error from remote server for RCPT TO command, host:
mydomain.com reason: 550 No Such User Here

----

reporting-MTA: dns; mymailserver.com

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0
So it seems that the fail message is included twice in the email, once when the email is stored in the info INBOX (note the "info"@mydomain" at the beginning of the first message, if I want the mail delivered it to "subfolder" instead of INBOX, this will change to "info+subfolder"@mydomain" ... how weird!), and a second time when the fail command executes. Obviously I only want 1 fail message to be included and ideally from the fail event and not from the "Deliver message to folder" event, even reveiling the folder name to the recipient (what a monumental security failure!).

I have tried to define two separate filters, i.e., filter1 deposits the email in "subfolder" and does nothing else and sits at the top of the filter list, and then filter2 sits right below and executes the "fail with message", but the result is exactly the same, so instead of filter1 executing first (quietly without sending any message) and then filter2 executing sending the fail message, it seems that both execute at the same time and produce the double fail message. This clearly is a bug. So my question is how can I get the expected behaviour?
Thanks


P.S.: BTW this text window seems to be broken because when I click on the "code" icon </> a window pops up entitled "forum list".
 
Last edited:

cfp1

Member
Jul 21, 2020
7
0
1
here
cPanel Access Level
Website Owner
I have the following setup in GLOBAL EMAIL FILTERS for an email that I have discontinued due to too much spam:

Filter name: WHATEVER
Rules: "TO" "contains" "[email protected]"
Actions: (i) Deliver to /mydomain/info/
(ii) Fail with message "SMTP error from remote server for RCPT TO command, host: mydomain.com reason: 550 No Such User Here"

Now I would expect that
1) the message gets stored in the INBOX of info (while I transition to a new address I still want to be able to check what arrives) and
2) the sender receives the above SMTP error message that I specified.

The email is indeed deposited into the info IBOX and a fail message is sent but it looks rather odd:


So it seems that the fail message is included twice in the email, once when the email is stored in the info INBOX (note the "info"@mydomain" at the beginning of the first message, if I want the mail delivered it to "subfolder" instead of INBOX, this will change to "info+subfolder"@mydomain" ... how weird!), and a second time when the fail command executes. Obviously I only want 1 fail message to be included and ideally from the fail event and not from the "Deliver message to folder" event, even reveiling the folder name to the recipient (what a monumental security failure!).

I have tried to define two separate filters, i.e., filter1 deposits the email in "subfolder" and does nothing else and sits at the top of the filter list, and then filter2 sits right below and executes the "fail with message", but the result is exactly the same, so instead of filter1 executing first (quietly without sending any message) and then filter2 executing sending the fail message, it seems that both execute at the same time and produce the double fail message. This clearly is a bug. So my question is how can I get the expected behaviour?
Thanks


P.S.: BTW this text window seems to be broken because when I click on the "code" icon </> a window pops up entitled "forum list".
As a side note, I can get the expected behaviour (single fail message in email) if I create the above filter not in GLOBAL EMAIL FILTERS but in EMAIL FILTERS. I would still like to know why I get the unexpected and seemingly buggy behaviour in GLOBAL EMAIL FILTERS. Thanks.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,432
1,635
363
cPanel Access Level
Root Administrator
To setup this test, I created the following filter:

Screen Shot 2022-03-31 at 12.33.20 PM.png

I then sent a test message to the address and got this in the mail logs, indicating the filter was processed correctly (spaces in the log added for clarity):

Code:
2022-03-31 16:33:39 1nZxjs-006VLq-D0 H=mail-dm6nam10on2094.outbound.protection.outlook.com (NAM10-DM6-obe.outbound.protection.outlook.com) [40.107.93.94]:58081 Warning: "SpamAssassin as amps detected message as NOT spam (-0.2)"
2022-03-31 16:33:39 1nZxjs-006VLq-D0 <= [email protected] H=mail-dm6nam10on2094.outbound.protection.outlook.com (NAM10-DM6-obe.outbound.protection.outlook.com) [40.107.93.94]:58081 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=11477 [email protected].prod.outlook.com T="Testing the filtering system" for [email protected]

2022-03-31 16:33:39 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1nZxjs-006VLq-D0

2022-03-31 16:33:39 SMTP connection from mail-dm6nam10on2094.outbound.protection.outlook.com (NAM10-DM6-obe.outbound.protection.outlook.com) [40.107.93.94]:58081 closed by QUIT

2022-03-31 16:33:39 1nZxjs-006VLq-D0 ** [email protected] R=central_filter: SMTP error from remote server for RCPT TO command, host: mydomain.com reason: 550 No Such User Here
2022-03-31 16:33:39 1nZxjs-006VLq-D0 ** [email protected] <[email protected]> R=central_filter: SMTP error from remote server for RCPT TO command, host: mydomain.com reason: 550 No Such User Here
2022-03-31 16:33:39 1nZxjs-006VLq-D0 => cptest+testfolder ("cptest+testfolder"@domain.com) <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> BZkPD+PXRWLHqBcAxedwlg Saved"
2022-03-31 16:33:39 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1nZxjs-006VLq-D0
2022-03-31 16:33:39 1nZxjv-006VNT-8x <= <> R=1nZxjs-006VLq-D0 U=mailnull P=local S=13160 T="Mail delivery failed: returning message to sender" for [email protected]
2022-03-31 16:33:39 1nZxjs-006VLq-D0 Completed
From this, it indicates that Exim is sending the 550 error for both the main address and the folder address, which is why that is showing up twice. could you check your mail log and confirm if the same thing is happening on your end? I'd just like to confirm that is the case on your side as well before I make a case with our email team.
 

cfp1

Member
Jul 21, 2020
7
0
1
here
cPanel Access Level
Website Owner
To setup this test, I created the following filter:

View attachment 77093

I then sent a test message to the address and got this in the mail logs, indicating the filter was processed correctly (spaces in the log added for clarity):

Code:
2022-03-31 16:33:39 1nZxjs-006VLq-D0 H=mail-dm6nam10on2094.outbound.protection.outlook.com (NAM10-DM6-obe.outbound.protection.outlook.com) [40.107.93.94]:58081 Warning: "SpamAssassin as amps detected message as NOT spam (-0.2)"
2022-03-31 16:33:39 1nZxjs-006VLq-D0 <= [email protected] H=mail-dm6nam10on2094.outbound.protection.outlook.com (NAM10-DM6-obe.outbound.protection.outlook.com) [40.107.93.94]:58081 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=11477 [email protected].prod.outlook.com T="Testing the filtering system" for [email protected]

2022-03-31 16:33:39 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1nZxjs-006VLq-D0

2022-03-31 16:33:39 SMTP connection from mail-dm6nam10on2094.outbound.protection.outlook.com (NAM10-DM6-obe.outbound.protection.outlook.com) [40.107.93.94]:58081 closed by QUIT

2022-03-31 16:33:39 1nZxjs-006VLq-D0 ** [email protected] R=central_filter: SMTP error from remote server for RCPT TO command, host: mydomain.com reason: 550 No Such User Here
2022-03-31 16:33:39 1nZxjs-006VLq-D0 ** [email protected] <[email protected]> R=central_filter: SMTP error from remote server for RCPT TO command, host: mydomain.com reason: 550 No Such User Here
2022-03-31 16:33:39 1nZxjs-006VLq-D0 => cptest+testfolder ("cptest+testfolder"@domain.com) <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> BZkPD+PXRWLHqBcAxedwlg Saved"
2022-03-31 16:33:39 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1nZxjs-006VLq-D0
2022-03-31 16:33:39 1nZxjv-006VNT-8x <= <> R=1nZxjs-006VLq-D0 U=mailnull P=local S=13160 T="Mail delivery failed: returning message to sender" for [email protected]
2022-03-31 16:33:39 1nZxjs-006VLq-D0 Completed
From this, it indicates that Exim is sending the 550 error for both the main address and the folder address, which is why that is showing up twice. could you check your mail log and confirm if the same thing is happening on your end? I'd just like to confirm that is the case on your side as well before I make a case with our email team.
Sorry but I am a user not a hoster, so I do not have access to /var/log/exim_mainlog . Is there any other way I can check this?
 

cfp1

Member
Jul 21, 2020
7
0
1
here
cPanel Access Level
Website Owner
BTW, another thing I observed is that if I set up the filter in EMAIL FILTERS such that the mail is delivered to anything but the INBOX, I also get the two fail messages in the error email. In summary, it only works as expected if
  1. I set it up in EMAIL FILTERS (not GLOBAL EMAIL FILTERS) and
  2. I have the message delivered to the INBOX.