cPanel and backscatter / delayed bounces

Discussion in 'E-mail Discussion' started by LBJ, Jan 8, 2018.

  1. LBJ

    LBJ Well-Known Member

    G'day All,

    Over the years, cPanel has patched backscatter and delayed bounce bugs each time they're reported, but the logic problems seem to keep coming back again silently with updates.

    Now that Exim is offloading some bounces to Dovecot, it's very easy for a cPanel box to be caused to spam and become listed on a backscatter or honeypot type of RBL.

    Currently, on stable 68.0.21, cPanel routinely sends delayed bounces for several not so edge-case situations.

    If the incoming email is spam with a spoofed From: header, then the cPanel box will be effectively spamming when it sends the bounce back to an innocent party.

    Just two examples of fairly common situations which result in delayed soft bounces, and which can be reproduced very easily, are...

    1. Sending an email too large for the remaining quota of a mailbox not yet over quota.

    2. Sending an email smaller than the remaining quota of a mailbox, but where the total hosting account is already over disk quota.

    In these situations, the incoming item is accepted at SMTP-time, and then subsequently bounced by Dovecot after a delay. That outgoing email has the headers of the cPanel box, and if deemed to be spam, the IP of the cPanel box is the one which will appear on any related RBL.

    On the other hand, where it works correctly is in situations where an email is sent to a mailbox which is *already* over quota. In that situation, an SMTP-time hard rejection is correctly communicated directly to the sending server. This leaves the responsibility for the sending server to notify the sending client of the failure. This is the correct handling of email rejections and should be used for all situations including the examples above.

    Setting the "Disk Quota Delivery Failure Response" to "Defer delivery temporarily" doesn't fix the incorrect handling demonstrated above. It can delay the backscatter for a period in hope of the message becoming deliverable, but ultimately, if the quota situation is not fixed before the defer period expires, the backscatter is still generated.

    Rather than raising a cPanel support ticket which doesn't seem to be the way to go on something like this, is there a contact address at cPanel where something like this can be raised for proper discussion?

    It's been a very long time since backscatter generating email systems have been regarded as acceptable.

    Best regards,

    LBJ
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello,

    Could you open a bug report so we can investigate this further? You can do so using the following URL:

    Submit A Bug Report

    Thank you.
     
  3. LBJ

    LBJ Well-Known Member

    Thanks Michael - Have done...

    Request ID is: 9179295

    Soft, delayed, backscatter, LMTP bounces via Dovecot for near/over quota hosting accounts

    Environment:
    cPanel stable 68.0.21
    WHM > Service Configuration > Mailserver Configuration
    "Disk Quota Delivery Failure Response" set to "Reject the message permanently"

    There are 2 easily reproduced cases, and (at least) 1 edge-case.

    Easily Reproduced Cases:

    1. Create a hosting account which has exceeded its total disk quota, and has an email account which has not exceeded its specific quota. Send an email to the email address. I currently have a contrived test account you can check with immediately by emailing test@xxx.com.

    Example:
    domain.com - allowance 4MB - over quota at 4.1MB
    test@domain.com - allowance 3MB - under quota at 1MB
    send an email to test@domain.com
    receive an LMTP delayed bounce instead of a correct SMTP-time rejection

    2. Create a hosting account which has not exceeded its total disk quota, and has an email account which has not exceeded its specific quota. Send an email to the email address of a sufficient size to take the hosting account over quota, but not of a sufficient size to take the email account over its specific quota.

    Example:
    domain.com - allowance 4MB - under quota at 3.9MB
    test@domain.com - allowance 3MB - under quota at 1MB
    send an email of 1MB size to test@domain.com
    receive an LMTP delayed bounce instead of a correct SMTP-time rejection

    Edge-Case:

    3. This edge-case occurs only when a server has upgraded over many years and has never changed the setting of...

    WHM > Service Configuration > Mailserver Configuration
    "Disk Quota Delivery Failure Response" set to "Reject the message permanently"

    In this case, a soft LMTP bounce is raised even when both the hosting account quota is fine and the email account quota is fine, but an incoming email will take the email account over its specific quota without taking the entire hosting account over quota. This bug goes away permanently as soon as the "Disk Quota Delivery Failure Response" value is set to "Defer delivery temporarily" and saved, and then set back to "Reject the message permanently" and saved.

    Best regards,

    LBJ
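An added example, not part of the original posts and not cPanel code: a check an administrator could run over the Exim main log to find bounces the server generated for mail it had already accepted from a remote host, which is the accept-then-bounce pattern described above. The log excerpt is constructed, and the router and transport names in it are assumptions; the code relies on Exim's convention of logging a generated bounce as `<= <>` with `R=` set to the ID of the failed message.

```python
import re

# Constructed Exim mainlog excerpt: IDs, addresses and router/transport names are made up.
SAMPLE_LOG = """\
2018-01-08 10:15:01 1eYQ5p-0003Xy-Ab <= spoofed@victim.example H=(mail.sender.example) [203.0.113.7]:41234 P=esmtp S=1048576 for test@domain.com
2018-01-08 10:15:02 1eYQ5p-0003Xy-Ab ** test@domain.com R=virtual_user T=dovecot_lmtp: LMTP error after end of data: 552 5.2.2 <test@domain.com> Quota exceeded
2018-01-08 10:15:02 1eYQ5q-0003Y1-Cd <= <> R=1eYQ5p-0003Xy-Ab U=mailnull P=local S=2345 for spoofed@victim.example
2018-01-08 10:15:03 1eYQ5q-0003Y1-Cd => spoofed@victim.example R=lookuphost T=remote_smtp H=mx.victim.example [198.51.100.9]
2018-01-08 10:20:00 H=(mail.sender.example) [203.0.113.7]:41300 F=<a@victim.example> rejected RCPT <full@domain.com>: Mailbox is full
2018-01-08 10:30:00 1eYQ7a-0004Aa-Ef <= webuser@domain.com U=webuser P=local S=900 for nobody@domain.com
2018-01-08 10:30:01 1eYQ7a-0004Aa-Ef ** nobody@domain.com R=virtual_user T=dovecot_lmtp: LMTP error after end of data: 552 5.2.2 Quota exceeded
2018-01-08 10:30:01 1eYQ7b-0004Ab-Gh <= <> R=1eYQ7a-0004Aa-Ef U=mailnull P=local S=1800 for webuser@domain.com
"""

ENTRY = re.compile(r"^\S+ \S+ (\w{6}-\w{6,11}-\w{2,4}) (<=|\*\*) (.*)$")

def find_backscatter(log_text):
    """Bounces generated for mail that was accepted from a remote host, then failed."""
    remote, failed, bounces = {}, {}, []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # SMTP-time rejections have no message ID and are skipped here
        msgid, flag, rest = m.groups()
        if flag == "**":                      # delivery failed after acceptance
            failed[msgid] = (rest.split()[0], rest.split(": ", 1)[-1])
        elif rest.startswith("<> "):          # generated bounce; R= is the parent ID
            parent = re.search(r"\bR=(\S+)", rest)
            if parent:
                bounces.append((msgid, parent.group(1), rest.rsplit(" for ", 1)[-1].split()))
        else:                                 # arrival; H=...[ip] marks a remote sender
            ip = re.search(r"H=.*?\[([0-9A-Fa-f.:]+)\]", rest)
            if ip:
                remote[msgid] = ip.group(1)
    return [
        {"accepted_id": pid, "bounce_id": bid, "remote_ip": remote[pid],
         "failed_rcpt": failed[pid][0], "reason": failed[pid][1], "bounce_to": rcpts}
        for bid, pid, rcpts in bounces if pid in remote and pid in failed
    ]

if __name__ == "__main__":
    for hit in find_backscatter(SAMPLE_LOG):
        print(hit)
```

Each hit is a message the server itself sent to an envelope sender it never verified; the SMTP-time rejection and the bounce to a local submitter in the sample are not reported.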
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello @LBJ,

    To update, internal case CPANEL-17924 was opened to address the issue where Dovecot cannot instruct Exim to reject a message due to the user being over the quota limit. This should address the scenarios you have described. The resolution is currently planned for inclusion with cPanel version 72 (I'll update this thread again if the case ends up backported to cPanel version 70).

    Thank you.
     
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello,

    To update, the case was also backported to cPanel version 70:

    Fixed case CPANEL-17924: Update dovecot rules to be aware and enforce system quotas.

    Thank you.
     
  6. LBJ

    LBJ Well-Known Member

    G'day cPanelMichael,

    Beautiful! Thank you.

    Best regards,

    LBJ
     