Disable bounce messages in exim

nasos

Member
Feb 12, 2015
Athens, Greece
cPanel Access Level
Root Administrator
Hello.

I'm trying all day to find a solution, but nothing seems to work.

Recently my server suffered an email attack against one of my clients' domains. The attack targeted random (non-existent) mail accounts, which resulted in tons of bounce emails being sent to the "original" sender. The result was an IP blacklisting.

I tried several ways to stop exim from sending bounce mails, but it keeps sending them no matter what I try. I have set the default action to "blackhole" for the specific domain in order to avoid more bounce mails, but as far as I have read and understand, the default action should be set to "fail" and unknown recipients should be rejected at SMTP level with no other action (no bounce message). This is what I want, but I can't make it work.

exim log sample:

Code:
2015-02-12 13:06:34 1YLrbM-0005u2-NR ** [email protected] R=virtual_aliases: No such person at this address.
2015-02-12 13:06:34 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1YLrbM-0005u2-NR
2015-02-12 13:06:34 1YLrbO-0005uZ-9m <= <> R=1YLrbM-0005u2-NR U=mailnull P=local S=735 T="Mail delivery failed: returning message to sender" for [email protected]
2015-02-12 13:06:34 1YLrbM-0005u2-NR Completed
A valid user sends an e-mail to an invalid account of a valid domain I host, his SMTP server gets the "No such person at this address." message, but then exim decides to return the message to the sender!

Any ideas please?

I use cpanel/WHM 11.48 set to work with exim/dovecot on a CentOS 6.6 dedicated server.
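As an added example (not code from any poster in this thread), the following Python script parses exim_mainlog lines in the layout quoted above and flags hours in which this host generated several bounces towards the same remote domain, which is what a backscatter attack looks like from the sending side. The log lines, message ids and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the exim_mainlog layout quoted in this thread;
# message ids, addresses and the extra bounces are made up for the example.
SAMPLE_LOG = """\
2015-02-12 13:06:34 1YLrbM-0005u2-NR ** nobody@hosted.example R=virtual_aliases: No such person at this address.
2015-02-12 13:06:34 1YLrbO-0005uZ-9m <= <> R=1YLrbM-0005u2-NR U=mailnull P=local S=735 T="Mail delivery failed: returning message to sender" for forged@victim.example
2015-02-12 13:06:34 1YLrbM-0005u2-NR Completed
2015-02-12 13:07:01 1YLrbP-0005v0-Aa <= <> R=1YLrbN-0005u3-NS U=mailnull P=local S=740 T="Mail delivery failed: returning message to sender" for other@victim.example
2015-02-12 13:07:30 1YLrbQ-0005v1-Bb <= <> R=1YLrbO-0005u4-NT U=mailnull P=local S=742 T="Mail delivery failed: returning message to sender" for third@victim.example
2015-02-12 13:08:00 1YLrbR-0005v2-Cc <= alice@example.net H=mail.example.net [192.0.2.10] P=esmtp S=1200 for bob@hosted.example
2015-02-12 14:10:00 1YLrbS-0005v3-Dd <= <> R=1YLrbT-0005u5-NU U=mailnull P=local S=700 T="Mail delivery failed: returning message to sender" for someone@example.org
"""

# A bounce generated by this host: empty envelope sender ("<= <>"), locally
# submitted (P=local) and carrying Exim's delivery-failure subject.
BOUNCE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= <> .* P=local .*'
    r'T="Mail delivery failed: returning message to sender" for \S+@(?P<domain>\S+)$'
)

def bounces_per_hour(log_text):
    """Return Counter {('YYYY-MM-DD HH', bounce recipient domain): count}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = BOUNCE_RE.match(line)
        if m:
            hour = m.group('ts')[:13]          # truncate to the hour
            counts[(hour, m.group('domain'))] += 1
    return counts

def backscatter_alerts(log_text, threshold=3):
    """Hours in which this host bounced >= threshold messages to one remote domain."""
    return sorted((hour, domain, n)
                  for (hour, domain), n in bounces_per_hour(log_text).items()
                  if n >= threshold)

def main():
    for hour, domain, n in backscatter_alerts(SAMPLE_LOG):
        print(f"{hour}:00 {n} bounces sent to {domain}: possible backscatter, review the bounce policy")

if __name__ == "__main__":
    main()
```

Run it against the real log with `open('/var/log/exim_mainlog').read()` in place of SAMPLE_LOG; a threshold tuned to the server's normal bounce volume turns this into a simple early warning.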
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Please post the output from:

Code:
cat /etc/valiases/$domain
Replace any account identifying information from the output with an example.

Thank you.
 

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
If your attack was or is attributed to a particular spammer domain, then there is a little tweak you could apply to exim, which would block said domain.
However, it requires you manually creating a blacklist.

Reading between the lines, I'd like to think that:

Ratelimit incoming SMTP connections that have only sent to failed recipients five separate connection times in the last hour.
in Exim Config >> ACL Options.

Would perform what you are trying to achieve, but I'm no expert.



No doubt someone will be along shortly.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
To update, the user was advised to set up a temporary black hole while the bouncebacks are occurring to avoid this type of attack.

Thank you.
 

nasos

Member
Feb 12, 2015
Athens, Greece
cPanel Access Level
Root Administrator
Problem is almost solved, except a minor issue.

cPanel support sent me this URL:
http://www.farhad.ca/2006/07/27/how-to-disable-delayed-bounce-back-messages-in-exim/. Actually I had found this information when I was doing my own research, but because of a syntax error I got in exim when I tried the filter, and of course my lack of knowledge of exim filter syntax, I didn't try it again. At that time I already had 20+ open tabs in my browser trying to find a solution.

To make a long story short, Stephen Chaffins from cPanel support mentioned this URL when I opened the ticket and I decided to take a closer look. The problem in the filter was the double quotes in "no", so I removed them, and the permissions of a local file which I fixed, and the filter worked!

Code:
2015-02-18 12:27:47 SMTP connection from [209.85.215.45]:41102 (TCP/IP connection count = 1)
2015-02-18 12:27:47 H=mail-la0-f45.google.com [209.85.215.45]:41102 Warning: Sender rate 1.0 / 1h
2015-02-18 12:27:47 1YO1r9-0001op-GS <= [email protected] H=mail-la0-f45.google.com [209.85.215.45]:41102 [....] for [email protected]
2015-02-18 12:27:47 SMTP connection from mail-la0-f41.google.com [209.85.215.41]:33248 closed by QUIT
2015-02-18 12:27:52 cwd=/var/spool/MailScanner/incoming/32020 6 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1YO1r9-0001op-GS
2015-02-18 12:27:52 1YO1r9-0001op-GS ** [email protected] R=virtual_aliases: No such person at this address.
2015-02-18 12:27:52 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1YO1r9-0001op-GS
2015-02-18 12:27:52 1YO1rE-0001pf-F5 <= <> R=1YO1r9-0001op-GS U=mailnull P=local S=3609 T="Mail delivery failed: returning message to sender" for [email protected]
2015-02-18 12:27:52 1YO1r9-0001op-GS Completed
2015-02-18 12:27:52 cwd=/var/spool/exim 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1YO1rE-0001pf-F5
2015-02-18 12:27:52 1YO1rE-0001pf-F5 cancelled by system filter: Delayed bounce message ignored
2015-02-18 12:27:52 1YO1rE-0001pf-F5 Completed
So, I sent an email from my personal gmail account to an invalid user at one of my local domains. Exim replied "No such person at this address", created the bounce message and then, wow! the bounce message was ignored!

But there is a catch... File /etc/localdomains (which the filter has to read) has permissions 0640 and the filter gets a 'permission denied' message. You can bypass this if you set it to 0644, but cPanel regularly changes it back to 0640 (for example when you press 'save' in WHM Exim configuration or upcp runs).

Code:
Error in system filter: failed to expand "${lookup{${extract{2}{@}{$recipients}}}lsearch{/etc/localdomains}{yes}{no}}" in filter file: failed to open /etc/localdomains for linear search: Permission ded (euid=32008 egid=510)
I tried to add the 'cpaneleximfilter' user (32008) to the 'mail' group (the group the /etc/localdomains file belongs to) with 'useremod -a -G mail cpaneleximfilter', but permission is still denied (!). I have an open ticket pending with cPanel for this issue (6114895) and this is the minor issue I mentioned at the beginning of this post. You can copy this file to another one, apply the correct permissions, and update it regularly with a cron job. We'll name this file 'localdomains.eximfilter'.

Steps

1. Create the file '/etc/cpanel_exim_custom_filter' with the instructions of the above url. Remember to delete the double quotes from "no" and place it ABOVE all other filters.
Code:
if $sender_address is ""
  then
    if ${lookup{${extract{2}{@}{$recipients}}}lsearch{/etc/localdomains.eximfilter}{yes}{no}} is no
     then
      fail text "Delayed bounce message ignored"
      seen finish
    endif
endif
You can create the filter with the alternative way mentioned in the url which sends an email to a specific email, so you can avoid searching exim_mainlog in order to check if the filter works.
2. WHM -> Exim Configuration Manager -> Basic editor -> Filters
3. System filter file -> /etc/cpanel_exim_custom_filter if you have no filter enabled, or if you have another setup make the appropriate changes.
4. Don't use the 'Custom filter' option. The filter will be placed last and it will not work.
5. Remember to create /etc/localdomains.eximfilter file with the appropriate permissions.
6. cPanel -> Default address must be set to 'Discard' (/etc/valiases/[domain] must be set to :fail: )
7. Save and restart exim
8. Test by sending an email to an invalid account of a valid domain on your server.

That's it!

Special thanks to Farhad Malekpour for his precious information and of course to the cPanel support team. If we find a solution regarding the permissions of the /etc/localdomains file, I'll let you know.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I am happy to see you were able to address the issue. Feel free to update us with the outcome of ticket number 6114895.

Thank you.
 

mike_n

Member
Nov 27, 2015
LS
cPanel Access Level
Website Owner
Hi,

I have the exact same problem (for one of my domains) as the OP. I am following the instructions but I cannot seem to get Exim to stop the bounce email; in all of my tests, sending an email to an invalid account still results in a bounce back to the original sender.

I am running WHM 11.52.1 on CentOS 6.7 on a GoDaddy VPS.

Here's what I have tried:

(1) cPanel > Default Address (for this domain account) is set to Discard. I've not only verified that in the cPanel for the specific account, but also

Code:
cat /etc/valiases/$domain
outputs:

Code:
*: :fail: No Such User Here
(2) I created the custom filter file. I copied the cpanel_exim_system_filter file and put the bounce condition code from Farhad Malekpour on TOP of all filters, so right ABOVE:

Code:
if not first_delivery
then
finish
endif
I then specified this filter file under WHM > Exim Configuration Manager > Basic Editor > Filters > System Filter File > check radio button and provide path to the custom file.

Saved changes. Then verified in exim.conf that the exim filter file has been updated. It was.

(3) The copy of the localdomains file, named localdomains.eximfilter like the OP's, was updated with 0644 permissions.

(4) restarted Exim not only through WHM but also through SSH.


It does NOT work. I do get the return bounce email to my personal email address, every single time.

Here's what the exim_mainlog reports for each test transactions:

Code:
2015-11-27 17:05:03 Start queue run: pid=4393
2015-11-27 17:05:03 End queue run: pid=4393
2015-11-27 17:05:30 SMTP connection from [98.136.216.197]:41059 (TCP/IP connection count = 1)
2015-11-27 17:06:11 H=nm30-vm6.bullet.mail.gq1.yahoo.com [98.136.216.197]:41059 X=TLSv1:AES128-SHA:128 CV=no F=<[email protected]> rejected RCPT <[email protected]>: No Such User Here
2015-11-27 17:06:11 SMTP connection from nm30-vm6.bullet.mail.gq1.yahoo.com [98.136.216.197]:41059 closed by QUIT
As you can see, it does discard the messages via "No Such User Here", but it does not execute the part of the if condition to not only disregard the bounce but to output "Delayed bounce message ignored"... so I can only assume that Exim does not read the condition correctly..... (?)


Here's what else I tried:

(5) I used the filter w/ and w/o double quotes around the "no". I made sure all other quotes are standard double quotes.

(6) I added a "noerror" before the "fail text", saw that in another thread

(7) I changed the group owner of the cpanel_exim_custom_filter file to 'mail', to ensure it has the same group owner as the original cpanel_exim_system_filter file

(8) I was assuming that my specified filter file was run as a custom filter lower in the stack, so I implemented the code directly into the original cpanel_exim_system_filter file, again on TOP. Changed WHM back to use that file. I ensured the no-bounce condition stayed in the file, and was not overwritten.

(9) Within the code, I used the "localdomains" file directly (set to 0644) instead of the copy "localdomains.eximfilter".


All of this did NOT improve things, I still always get the bounce email back to my personal account.

Any idea why this is not working for me ?

Also, I have 2 questions in regards to the OP instructions:

(I.) The OP writes "Don't use the 'Custom filter' option. The filter will be placed last and it will not work.". Where is the custom filter option ? My WHM does not have a custom filter option under Exim Configuration Manager > Basic Editor > Filters > System Filter File... or is the radio button option the "custom filter" ?

(II.) The OP writes that he saw that the file /etc/localdomains was giving a permission denied error, so he used a copy of the file. Where would that error be seen ? I checked exim logs and Apache logs but did not see the error. Now I did set all localdomain files to 0644 (maybe that's why I did not see this error) but just curious if I'm missing a log somewhere I should check...


Thanks for your help.

- Mike
 

feanorknd

Member
Sep 28, 2005
Hi all:

I prefer not to bounce messages, but only to deny them with a simple SMTP message... the bounce message may be sent to the original sender_address by the remote MTA, not my server.

So my rule at ACLs....

Code:
#**##########################################################################
#**# NOT ALLOW BOUNCE MESSAGES  FOR RECIPIENT ERRORS (sometimes sender_address does not exists, too)
#**# (if recipient does not exists, simple deny without bouncing message. The bounce message would be sended by
#**# the remote MTA)(( overloads and 30000 emails at spooler tails for this bouncing stupid problem..))
#**##########################################################################
deny message = RECIPIENT error: destination mail address does not exists around here.
log_message = RECIPIENT error: destination mail address does not exists around here.
  !authenticated = *
  !verify = recipient
 

mike_n

Member
Nov 27, 2015
LS
cPanel Access Level
Website Owner
so yesterday, we were trying to implement this approach (that the OP posted) on another server, WHM with CentOS 6.7 as well, host on this one is LiquidWeb...

same problem, it does NOT execute the discard of the bounce... contacted support, they tried to implement it for 1.5 hours with the exact steps outlined in this thread and they could not get it done as well...

Any idea why this is not working ?

Thanks.

- Mike
 

mike_n

Member
Nov 27, 2015
LS
cPanel Access Level
Website Owner
I think we finally got this working... we had to reboot the server, just rebooting Exim and spamd did not do anything... we're on a VPS, not on our own private box, so that may be the difference...

we're finally now seeing the custom fail text message in the Exim mainlog...

so, I have 2 remaining questions:

(1) can somebody please explain the difference between this approach (implementing the custom bounce code from Farhad) and simply using a blackhole for a given account ?

As far as I understand it (please correct where wrong !), a blackhole will send all invalid emails to /dev/null, basically deleting them... this custom code discards invalid emails as well, but it writes a custom fail text message in the exim mainlog...

so is the only difference compared to a blackhole approach the custom fail text message in the exim mainlog ?

(2) can somebody (who has experience coding exim filters) please explain the first IF condition of the code...

Code:
if $sender_address is ""
to me, when I read it, it means if the variable $sender_address is empty (not null, but empty), then proceed with the second if condition... that in turn would mean, that only invalid email that has an empty sender address would be processed by this code... but we would like for all invalid email to be processed by this code...

am I correct or am I misinterpreting the condition... ?

Thanks.

- M
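As an added example (not code from any poster in this thread, and not cPanel's or Exim's own code), here is a Python model of the two conditions in the system filter quoted in the OP's steps earlier in the thread, which also bears on the question about `if $sender_address is ""` raised just above. The domain list and the messages it is run against are constructed; `extract_domain` and `lsearch` mirror the two Exim expansions the filter uses.

```python
import re

# Constructed stand-in for the contents of /etc/localdomains.eximfilter
# (one hosted domain per line, like /etc/localdomains).
LOCALDOMAINS = ["example.com", "hosted.example"]

def extract_domain(recipients):
    """Mirror ${extract{2}{@}{$recipients}}: field 2 when the string is split on '@'.

    Exim's $recipients is the whole envelope recipient list, comma-separated,
    so with several recipients field 2 is not a clean domain (see the test below).
    """
    fields = recipients.split("@")
    return fields[1] if len(fields) > 1 else ""

def lsearch(key, lines):
    """Mirror an lsearch lookup: exact match on the key that starts a line
    (the key ends at the first colon or whitespace; '#' lines are comments)."""
    for line in lines:
        m = re.match(r"\s*([^:\s#][^:\s]*)", line)
        if m and m.group(1) == key:
            return True
    return False

def filter_verdict(sender_address, recipients, localdomains=LOCALDOMAINS):
    """Return 'ignored' if the system filter would fail the message, else 'delivered'.

    Outer condition: only messages with an empty envelope sender, which is how
    bounces/DSNs are sent, are examined at all; ordinary mail passes untouched.
    Inner condition: the bounce is dropped when the recipient domain is not one
    this server hosts, i.e. when it would leave the server as backscatter.
    """
    if sender_address != "":
        return "delivered"                 # normal mail: the filter does nothing
    if not lsearch(extract_domain(recipients), localdomains):
        return "ignored"                   # fail text "Delayed bounce message ignored"
    return "delivered"                     # a bounce addressed to a local user is kept
```

The model shows why a spoofed message to an invalid local address is not touched by the filter itself: it is the bounce Exim generates afterwards, with an empty sender and a remote recipient, that the filter discards.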
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Have you considered simply configuring a temporary blackhole during the Exim attack?

Thank you.
 

mike_n

Member
Nov 27, 2015
LS
cPanel Access Level
Website Owner
Hi cPanelMichael,

I did set that up, but obviously we need a permanent solution, so since I don't know how to dynamically identify an "Exim attack" when it happens, I thought implementing this code would solve as a permanent solution...

Given your expertise, could you please answer the 2 questions from my last post:

(1) what is the diff of this solution to a blackhole ?

(2) could u explain the conditional logic of line 1 of the code ?

Thanks !

- M
 

mike_n

Member
Nov 27, 2015
LS
cPanel Access Level
Website Owner
Hi Michael,

well, I'm not sure if there are additional actions that I need at the moment...

but when googling for solution to this particular problem, people refer to this custom Exim filter solution, which was also what the OP used...

Why don't these people just set up a blackhole ? What is the "advantage" of the custom filter solution ?

Thanks.

- M