
cPanel email filtering works for email in, but not for email out

Discussion in 'E-mail Discussions' started by Vasudeva, Jun 8, 2011.

  1. Vasudeva

    Vasudeva Member

    After having looked on the web and on this forum for similar cases, and not having found a solution, I am writing this hoping for some help or indication on how to fix this issue.

    For the test domain ckg.in, I activated two rules:

    1) if any Recipient does not contain "@ckg.in", Fail with message "rejected"
    2) if From does not contain "@ckg.in", Fail with message "rejected"

    Basically, only messages sent from that domain, or addressing an account on that domain are not rejected.

    In the Filter Test box, both rules work as expected.

    If a message is sent to "test1@ckg.in" from an account not @ckg.in, that message never reaches the mailbox, although no "Fail" message is ever received. That is (almost) all right.

    But if a message is sent from "test1@ckg.in" to any account, for example, test@example.net, the message is delivered, against the first rule.

    This is the content of /etc/vfilters/ckg.in:

    Code:
    # Exim filter

    # Auto Generated by cPanel.  Do not manually edit this file as your changes will be overwritten.  If you must edit this filter, ed

    if not first_delivery and error_message then finish endif

    #Recipients-are-not-ckg.in
    if
     foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress does not contain "@ckg.in" )
    then
     fail "Message rejected."
    endif

    #From-is-not-ckg.in
    if
     $header_from: does not contain "@ckg.in"
    then
     fail "Message rejected."
    endif

    This is the related content of /var/log/exim_mainlog

    (test@example.net is in place of the real address I used)

    Code:
    > tail -f /var/log/exim_mainlog

    2011-06-08 13:48:09 H=localhost (208.86.00.00) [127.0.0.1] Warning: Sender rate 2.6 / 1h
    2011-06-08 13:48:09 1QUMrR-00016N-Na <= test1@ckg.in H=localhost (208.86.00.00) [127.0.0.1] P=esmtpa A=dovecot_login:test1@ckg.in S=544 id=9a4a702d8b4a79d72c5be92b7756b457@ckg.in T="test"
    2011-06-08 13:48:09 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1QUMrR-00016N-Na
    2011-06-08 13:49:42 1QUMrR-00016N-Na => test@example.net R=lookuphost T=remote_smtp H=mail.server.org [208.116.00.00] X=TLSv1:DES-CBC3-SHA:168
    2011-06-08 13:49:42 1QUMrR-00016N-Na Completed


    How can the filter be fixed so that no messages are delivered if they do not contain "@ckg.in" in the Recipients?
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    The only method I know of to do this would be a global router, but that would unfortunately only allow permitted senders to send emails from the machine, and anyone else would only be able to send locally.

    In WHM > Exim Configuration Editor > Advanced section, you will have a routers section that looks like this:

    In the box below that part, you could put the following:

    Code:
    check_outgoing:
      driver = redirect
      domains = ! +local_domains
      senders = ! : ! lsearch;/etc/permitsend
      allow_fail
      data = :fail: you are not allowed to send outside
    Then click the "Save" button. At that point, you would then create /etc/permitsend file:

    Code:
    touch /etc/permitsend
    echo "admin@mydomain.com" >> /etc/permitsend
    This would add admin@mydomain.com to /etc/permitsend file and let that one account send to anyone. All other email accounts on every domain on the machine would be restricted to only send locally.

    Of note, /etc/permitsend file will only accept full email addresses, so you cannot simply put domain names in the file. That is why this will only work on a machine where you are restricting outgoing email access for all domains. If you do not want any accounts to be able to send outside the server, simply don't put any email account into the /etc/permitsend file.

    I did test this on my machine. I added 1 domain to the server, then I added two accounts to that domain (admin@mydomain.com and tristan@mydomain.com), then I put admin@mydomain.com into the /etc/permitsend file but did not put tristan@mydomain.com into that file. I was able to send via webmail from admin@mydomain.com to my cPanel account off the server, but I was not able to send from my tristan@mydomain.com account to any email account off the server (I could send to admin@mydomain.com from tristan@mydomain.com though).
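    A small POSIX shell helper for maintaining the /etc/permitsend allow-list used by the check_outgoing router above, added here as an example and not part of cPanel or of this post. It assumes the router matches the file with lsearch as shown, so every entry must be a complete envelope sender address (a bare domain would never match); PERMITSEND can be pointed at another file for testing.

```shell
#!/bin/sh
# Added example (not cPanel tooling): maintain the /etc/permitsend allow-list
# read by the check_outgoing router. Exim's lsearch matches the envelope
# sender against one address per line, so only full user@domain entries are
# useful. PERMITSEND may be overridden (e.g. to a temp file) for testing.
PERMITSEND="${PERMITSEND:-/etc/permitsend}"

# is_full_address ADDR: succeed only for a single local-part@domain address
# with no whitespace and no ':' (lsearch treats ':' as the end of the key).
is_full_address() {
    addr=$1
    case "$addr" in
        ''|*[[:space:]]*|*:*) return 1 ;;
    esac
    local_part=${addr%@*}       # text before the last '@'
    domain=${addr##*@}          # text after the last '@'
    [ "$local_part" != "$addr" ] || return 1        # no '@' at all
    [ -n "$local_part" ] && [ -n "$domain" ] || return 1
    case "$local_part" in *@*) return 1 ;; esac     # more than one '@'
    case "$domain" in *.*) return 0 ;; *) return 1 ;; esac
}

# permit_sender ADDR: append ADDR (lowercased for a consistent file) unless
# it is already listed. Returns 0 when added, 2 when already present,
# 1 when ADDR is not a usable full address.
permit_sender() {
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    if ! is_full_address "$addr"; then
        echo "permit_sender: refusing '$1' (need user@domain)" >&2
        return 1
    fi
    [ -f "$PERMITSEND" ] || : > "$PERMITSEND"
    if grep -qixF -- "$addr" "$PERMITSEND"; then
        return 2
    fi
    printf '%s\n' "$addr" >> "$PERMITSEND"
}

# revoke_sender ADDR: remove ADDR from the list (no-op when absent).
# The file is rewritten in place so its ownership and mode are kept.
revoke_sender() {
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ -f "$PERMITSEND" ] || return 0
    tmp=$(mktemp) || return 1
    grep -vixF -- "$addr" "$PERMITSEND" > "$tmp" || true   # grep -v exits 1 when nothing is left
    cat "$tmp" > "$PERMITSEND" && rm -f "$tmp"
}
```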
     
  3. Vasudeva

    Vasudeva Member

    Hello Tristan,

    Thank you so much for your thorough explanation.

    If that is the only way to do it, that is how we are going to do it.

    Perhaps we can make a script that injects the allowed accounts into /etc/permitsend.

    I tried again, and this time, when I tried to send to test@mydomain.com from an offserver account, I even got the proper message I set in cPanel:

    Code:
    This message was created automatically by mail delivery software.
    
    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:
    
     test@mydomain.com
       Message Rejected.
    
    Still, if I send from test@mydomain.com to that offserver account, the email is regularly delivered, instead of rejected.

    It is interesting how cPanel's "Account level filtering" feature works quite well for other situations, but not in this particular case.

    I wonder why is that. Would that be a limitation in Exim?

    Would it help if I use some rules with procmail or maildrop? Would that compromise cPanel stability?

    Thank you so much again for your kind and thorough help. Really appreciated.
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    It is a limitation in exim for outgoing messages, which is why the only way I could find so far upon investigating at the exim site was to use the method I detailed in my post.

    As for procmail or maildrop, you can always use a smart host router in exim to forward emails going out to another machine, then use that machine to filter the emails. This would only impact emails going out remotely and not locally to other domains on the machine.
     
  5. Vasudeva

    Vasudeva Member

    Thank you so much for your time and thorough help.

    Your advice about Exim and /etc/permitsend is excellent.

    Thank you!
     
  6. Vasudeva

    Vasudeva Member

    I added those directives in the Exim block section, and added the allowed senders in /etc/permitsend.

    Everything works as it should, but unfortunately allowed senders can send to other domains on the same machine as well, thus invalidating that rule we need to enforce.

    To summarize the requested behaviour: a given domain needs to be used only with an internal messaging system policy: no emails can be sent to, nor received from, any other domains, hosted on the same server or elsewhere. Emails regarding that domain are accepted only if sent to, or received from, that particular domain itself.

    A thought passed my mind to use spamassassin to assign a very high spam score to messages we do not want to have accepted, but I am not sure if that rule would work against regular mail processing for other domains that need to function as usual.

    I would be very grateful, and willing to compensate properly, for a working solution.
     
    #6 Vasudeva, Jun 10, 2011
    Last edited: Jun 10, 2011
  7. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    I would highly suggest posting on the exim mailing list at exim.org location. You won't even have to pay to ask for assistance there. They are the experts for special configurations like this and, unlike most coding mailing lists, they are relatively nice to newcomers provided the exact specifics are provided in the initial message on what is needed and what has been tried.
     
  8. Vasudeva

    Vasudeva Member

    I will, and I will report back here, so that my findings may be useful to others with similar needs.

    Thank you so much for all your advice!
     
  9. kaspersuits

    kaspersuits Registered

    Hey, I was looking for the same information, thanks for the advice and input, friends.
    Thanks for saving my time.
     
  10. Vasudeva

    Vasudeva Member

    Hello,

    As per Tristan's advice, I inquired at the Exim list.

    This is the thread: Replicating an internal messaging system policy with Exim

    https://lists.exim.org/lurker/thread/20110611.091832.2663ea98.en.html

    The bottom line is, they suggested some parts of a solution without using filters, but routers, but it was not working for me, since I am unable to follow the implicit parts of the recipe.

    I guess an experienced Exim administrator would see through that advice right away, but I could not fathom the more esoteric parts.

    But we found out that the solution advised by Tristan does work, as long as one puts proper filters not only on the domain that needs to behave like an internal messaging system, but also on all the other domains on the server (which is not too bad to do).

    Ultimately, we did not like to use a file to be checked upon every mail sent, and we turned to use Communigate Pro, only for that domain that needs to follow an internal messaging system policy.

    Communigate Pro can be used without a license for testing purposes, and it is extremely easy to set up for that purpose as well. Also, as long as the default ports for POP, SMTP and IMAP are not used, it can peacefully coexist with Exim.
     
  11. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Thank you for providing details on the thread opened on the exim mailing list. I am hoping that you might get a reply eventually about the transport to use. I am going to try to see if I could get a working method now that a local router example has been provided there. If I personally end up with any further details on how to get this accomplished locally rather than just remotely, I will update this thread as well.
     
  12. c4nr

    c4nr Registered

    I was curious if there have been any updates to this issue. My problem is very similar. We are moving away from MSMail WGPO. We have email accounts set up for the more senior employees; they can email whoever they like. I created a subdomain, lan.ourbusiness.com. They should only be able to email with *@lan.ourbusiness.com and *@ourbusiness.com.
    I have the rules set up in a way that should work, but they do not.
     