The Community Forums

Interact with an entire community of cPanel & WHM users!

Disable bounce messages in exim

Discussion in 'E-mail Discussions' started by nasos, Feb 12, 2015.

  1. nasos

    nasos Member

    Joined:
    Feb 12, 2015
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Athens, Greece
    cPanel Access Level:
    Root Administrator
    Hello.

    I'm trying all day to find a solution, but nothing seems to work.

    Recently my server had an email attack on one of my client's domains. The attack was targeting random (and non-existent) mail accounts, which resulted in tons of bounce emails to the "original" sender. The result was an IP blacklisting.

    I tried several ways to stop exim from sending bounce mails, but it keeps sending them no matter what I try. I have set the default action to "blackhole" for the specific domain in order to avoid more bounce mails, but as far as I have read and understand, the default action should be set to "fail" and unknown recipients should be rejected at SMTP level with no other action (no bounce message). This is what I want, but I can't make it work.

    exim log sample:

    Code:
    2015-02-12 13:06:34 1YLrbM-0005u2-NR ** invaliduser@validlocaldomain.com R=virtual_aliases: No such person at this address.
    2015-02-12 13:06:34 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1YLrbM-0005u2-NR
    2015-02-12 13:06:34 1YLrbO-0005uZ-9m <= <> R=1YLrbM-0005u2-NR U=mailnull P=local S=735 T="Mail delivery failed: returning message to sender" for validuser@validremotedomain.com
    2015-02-12 13:06:34 1YLrbM-0005u2-NR Completed
    A valid user sends an e-mail to an invalid account of a valid domain I host; his SMTP gets the "No such person at this address." message, but then exim decides to return the message to the sender!

    Any ideas please?

    I use cpanel/WHM 11.48 set to work with exim/dovecot on a CentOS 6.6 dedicated server.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Please post the output from:

    Code:
    cat /etc/valiases/$domain
    Replace any account identifying information from the output with an example.

    Thank you.
     
  3. nasos

    nasos Member

    Joined:
    Feb 12, 2015
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Athens, Greece
    cPanel Access Level:
    Root Administrator
    Hello

    Content is as following:

    Code:
    *: :fail: No such person at this address.
    Thank you
     
  4. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    If your attack was or is attributed to a particular spammer domain, then there is a little tweak you could apply to exim which would block said domain.
    However, it requires you to manually create a blacklist.

    Reading between the lines, I'd like to think that:

    Ratelimit incoming SMTP connections that have only sent to failed recipients five separate connection times in the last hour.
    in Exim Config >> ACL Options.

    would perform what you are trying to achieve, but I'm no expert.



    No doubt someone will be along shortly.
     
    #4 keat63, Feb 13, 2015
    Last edited: Feb 13, 2015
  5. nasos

    nasos Member

    Joined:
    Feb 12, 2015
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Athens, Greece
    cPanel Access Level:
    Root Administrator
    Thank you, I've already done that but the sender is random every time.
     
  6. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    What about Dictionary Attack Protection, DKIM and RBLs?
     
  7. nasos

    nasos Member

    Joined:
    Feb 12, 2015
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Athens, Greece
    cPanel Access Level:
    Root Administrator
    All these are enabled. I use mailscanner too...
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  9. nasos

    nasos Member

    Joined:
    Feb 12, 2015
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Athens, Greece
    cPanel Access Level:
    Root Administrator
    Thank you.

    Ticket number is #6113219
     
    #9 nasos, Feb 17, 2015
    Last edited: Feb 17, 2015
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    To update, the user was advised to setup a temporary black hole while the bouncebacks are occurring to avoid this type of attack.

    Thank you.
     
  11. nasos

    nasos Member

    Joined:
    Feb 12, 2015
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Athens, Greece
    cPanel Access Level:
    Root Administrator
    Problem is almost solved, except a minor issue.

    cPanel support sent me this URL:
    http://www.farhad.ca/2006/07/27/how-to-disable-delayed-bounce-back-messages-in-exim/. Actually I had found this information while doing my own research, but because of a syntax error I got in exim when I tried the filter, and of course my lack of knowledge of exim filter syntax, I didn't try it again. By that time I already had 20+ open tabs in my browser trying to find a solution.

    To make a long story short, Stephen Chaffins from cPanel support mentioned this URL when I opened the ticket and I decided to take a closer look. The problems in the filter were the double quotes around "no", which I removed, and the permissions of a local file, which I fixed, and then the filter worked!

    Code:
    2015-02-18 12:27:47 SMTP connection from [209.85.215.45]:41102 (TCP/IP connection count = 1)
    2015-02-18 12:27:47 H=mail-la0-f45.google.com [209.85.215.45]:41102 Warning: Sender rate 1.0 / 1h
    2015-02-18 12:27:47 1YO1r9-0001op-GS <= mypersonalaccount@gmail.com H=mail-la0-f45.google.com [209.85.215.45]:41102 [....] for invaliduser@validlocaldomain.com
    2015-02-18 12:27:47 SMTP connection from mail-la0-f41.google.com [209.85.215.41]:33248 closed by QUIT
    2015-02-18 12:27:52 cwd=/var/spool/MailScanner/incoming/32020 6 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1YO1r9-0001op-GS
    2015-02-18 12:27:52 1YO1r9-0001op-GS ** invaliduser@validlocaldomain.com R=virtual_aliases: No such person at this address.
    2015-02-18 12:27:52 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1YO1r9-0001op-GS
    2015-02-18 12:27:52 1YO1rE-0001pf-F5 <= <> R=1YO1r9-0001op-GS U=mailnull P=local S=3609 T="Mail delivery failed: returning message to sender" for mypersonalaccount@gmail.com
    2015-02-18 12:27:52 1YO1r9-0001op-GS Completed
    2015-02-18 12:27:52 cwd=/var/spool/exim 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1YO1rE-0001pf-F5
    2015-02-18 12:27:52 1YO1rE-0001pf-F5 cancelled by system filter: Delayed bounce message ignored
    2015-02-18 12:27:52 1YO1rE-0001pf-F5 Completed
    So, I sent an email from my personal gmail account to an invalid user at one of my local domains. Exim replied "No such person at this address", created the bounce message and then, wow! the bounce message was ignored!

    But there is a catch... The file /etc/localdomains (which the filter has to read) has permissions 0640, and the filter gets a 'permission denied' message. You can bypass this if you set it to 0644, but cPanel regularly changes it back to 0640 (for example when you press 'Save' in the WHM Exim configuration or when upcp runs).

    Code:
    Error in system filter: failed to expand "${lookup{${extract{2}{@}{$recipients}}}lsearch{/etc/localdomains}{yes}{no}}" in filter file: failed to open /etc/localdomains for linear search: Permission denied (euid=32008 egid=510)
    I tried to add the 'cpaneleximfilter' user (32008) to the 'mail' group (the group that the /etc/localdomains file belongs to) with 'usermod -a -G mail cpaneleximfilter', but permission is still denied (!). I have an open ticket pending with cPanel for this issue (6114895), and this is the minor issue I mentioned at the beginning of this post. You can copy this file to another one, apply the correct permissions, and update it regularly with a cron job. We'll name this file 'localdomains.eximfilter'.

    Steps

    1. Create the file '/etc/cpanel_exim_custom_filter' with the instructions from the above URL. Remember to delete the double quotes from "no" and place it ABOVE all other filters.
    Code:
    # Place this block at the top of the filter file (below its "# Exim filter" header line).
    # Exim generates bounces with an empty envelope sender, so this outer test
    # selects bounce messages only; ordinary mail is left alone.
    if $sender_address is ""
    then
      # Recipient domain not in our hosted domains: the bounce is about to leave
      # the server, so fail it here instead of sending it to the (forged) sender.
      if ${lookup{${extract{2}{@}{$recipients}}}lsearch{/etc/localdomains.eximfilter}{yes}{no}} is no
      then
        fail text "Delayed bounce message ignored"
        seen finish
      endif
    endif
    You can create the filter the alternative way mentioned in the URL, which sends an email to a specific address, so you can avoid searching exim_mainlog to check whether the filter works.
    2. WHM -> Exim Configuration Manager -> Basic editor -> Filters
    3. System filter file -> /etc/cpanel_exim_custom_filter if you have no filter enabled, or if you have another setup make the appropriate changes.
    4. Don't use the 'Custom filter' option. The filter will be placed last and it will not work.
    5. Remember to create /etc/localdomains.eximfilter file with the appropriate permissions.
    6. cPanel -> Default address must be set to 'Discard' (/etc/valiases/[domain] must be set to :fail: )
    7. Save and restart exim
    8. Test by sending an email to an invalid account of a valid domain on your server.

    That's it!

    Special thanks to Farhad Malekpour with his precious information and of course to cPanel support team. If we find a solution regarding the permissions of /etc/localdomains file, I'll let you know.
     
    #11 nasos, Feb 18, 2015
    Last edited: Feb 18, 2015
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  13. mike_n

    mike_n Member

    Joined:
    Nov 27, 2015
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    LS
    cPanel Access Level:
    Website Owner
    Hi,

    I have the exact same problem (for one of my domains) as the OP. I am following the instructions but I cannot seem to get Exim to stop the bounce email, in all of my tests sending an email to an invalid account does still result in a bounce back to the original sender.

    I am running WHM 11.52.1 on CentOS 6.7 on a GoDaddy VPS.

    Here's what I have tried:

    (1) cPanel > Default Address (for this domain account) is set to Discard. I've not only verified that in the cPanel for the specific account, but also

    Code:
    cat /etc/valiases/$domain
    outputs:

    Code:
    *: :fail: No Such User Here
    (2) I created the custom filter file. I copied the cpanel_exim_system_filter file and put the bounce condition code from Farhad Malekpour on TOP of all filters, so right ABOVE:

    Code:
    if not first_delivery
    then
    finish
    endif
    I then specified this filter file under WHM > Exim Configuration Manager > Basic Editor > Filters > System Filter File > check radio button and provide path to the custom file.

    Saved changes. Then verified in exim.conf that the exim filter file has been updated. It was.

    (3) The copy of the localdomains file, called same as the OP's localdomains.eximfilter was updated with 0644 permissions.

    (4) restarted Exim not only through WHM but also through SSH.


    It does NOT work. I do get the return bounce email to my personal email address, every single time.

    Here's what the exim_mainlog reports for each test transactions:

    Code:
    2015-11-27 17:05:03 Start queue run: pid=4393
    2015-11-27 17:05:03 End queue run: pid=4393
    2015-11-27 17:05:30 SMTP connection from [98.136.216.197]:41059 (TCP/IP connection count = 1)
    2015-11-27 17:06:11 H=nm30-vm6.bullet.mail.gq1.yahoo.com [98.136.216.197]:41059 X=TLSv1:AES128-SHA:128 CV=no F=<mypersonalemail@yahoo.com> rejected RCPT <invaliduser@mydomain.com>: No Such User Here
    2015-11-27 17:06:11 SMTP connection from nm30-vm6.bullet.mail.gq1.yahoo.com [98.136.216.197]:41059 closed by QUIT
    
    As you can see, it does discard the messages via "No Such User Here", but it does not execute the part of the if condition to not only disregard the bounce but to output "Delayed bounce message ignored"... so I can only assume that Exim does not read the condition correctly..... (?)


    Here's what else I tried:

    (5) I used the filter w/ and w/o double quotes around the "no". I made sure all other quotes are standard double quotes.

    (6) I added a "noerror" before the "fail text", saw that in another thread

    (7) I changed the group owner of the cpanel_exim_custom_filter file to 'mail', to ensure it has the same group owner as the original cpanel_exim_system_filter file

    (8) I was assuming that my specified filter file was run as a custom filter lower in the stack, so I implemented the code directly into the original cpanel_exim_system_filter file, again on TOP. Changed WHM back to use that file. I ensured the no-bounce condition stayed in the file, and was not overwritten.

    (9) Within the code, I used the "localdomains" file directly (set to 0644) instead of the copy "localdomains.eximfilter".


    All of this did NOT improve things, I still always get the bounce email back to my personal account.

    Any idea why this is not working for me ?

    Also, I have 2 questions in regards to the OP instructions:

    (I.) The OP writes "Don't use the 'Custom filter' option. The filter will be placed last and it will not work.". Where is the custom filter option ? My WHM does not have a custom filter option under Exim Configuration Manager > Basic Editor > Filters > System Filter File... or is the radio button option the "custom filter" ?

    (II.) The OP writes that he saw that the file /etc/localdomains was giving a permission denied error, so he used a copy of the file. Where would that error be seen? I checked exim logs and Apache logs but did not see the error. Now I did set all localdomain files to 0644 (maybe that's why I did not see this error), but just curious if I'm missing a log somewhere I should check...


    Thanks for your help.

    - Mike
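    The three outcomes that appear in the logs posted in this thread are easy to tell apart once you know the line shapes: a `** ... R=virtual_aliases` failure followed by `<= <>` is a bounce being generated, `cancelled by system filter` is that bounce being dropped by the filter, and `rejected RCPT <...>` is a recipient refused during the SMTP session so that no bounce exists at all. The classifier below, an added example rather than anything posted in the thread, walks constructed exim_mainlog lines (modelled on the ones above; `validremotedomain.com`, `example.net` and `192.0.2.0/24` addresses are stand-ins) and reports which bounces actually left the server for domains it does not host. That count is the backscatter that gets an IP blacklisted, which is what the original poster wanted to stop.

```python
"""Classify exim_mainlog lines: SMTP-time rejections, bounces cancelled by the
system filter, and bounces delivered off-server (backscatter).
Added example; the log sample is constructed from the formats seen in the thread."""
import re

# Stand-in for /etc/localdomains (assumption for the example).
LOCAL_DOMAINS = {"validlocaldomain.com"}

# Constructed sample. Two accept-then-fail cases (one bounce delivered, one
# cancelled by the filter) and one recipient rejected at RCPT time.
SAMPLE_LOG = """\
2015-02-12 13:06:34 1YLrbM-0005u2-NR ** invaliduser@validlocaldomain.com R=virtual_aliases: No such person at this address.
2015-02-12 13:06:34 1YLrbO-0005uZ-9m <= <> R=1YLrbM-0005u2-NR U=mailnull P=local S=735 T="Mail delivery failed: returning message to sender" for validuser@validremotedomain.com
2015-02-12 13:06:34 1YLrbM-0005u2-NR Completed
2015-02-12 13:06:35 1YLrbO-0005uZ-9m => validuser@validremotedomain.com R=lookuphost T=remote_smtp H=mx.validremotedomain.com [192.0.2.25]
2015-02-12 13:06:35 1YLrbO-0005uZ-9m Completed
2015-02-18 12:27:52 1YO1r9-0001op-GS ** invaliduser@validlocaldomain.com R=virtual_aliases: No such person at this address.
2015-02-18 12:27:52 1YO1rE-0001pf-F5 <= <> R=1YO1r9-0001op-GS U=mailnull P=local S=3609 T="Mail delivery failed: returning message to sender" for mypersonalaccount@gmail.com
2015-02-18 12:27:52 1YO1r9-0001op-GS Completed
2015-02-18 12:27:52 1YO1rE-0001pf-F5 cancelled by system filter: Delayed bounce message ignored
2015-02-18 12:27:52 1YO1rE-0001pf-F5 Completed
2015-11-27 17:06:11 H=mail.example.net [192.0.2.7]:41059 X=TLSv1:AES128-SHA:128 CV=no F=<sender@example.net> rejected RCPT <invaliduser@validlocaldomain.com>: No Such User Here
"""

_TS_ID = r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) "
# "<= <>": a message with an empty envelope sender, i.e. a bounce Exim created.
BOUNCE_RE = re.compile(_TS_ID + r"<= <> .* for (?P<rcpt>\S+)$")
# The system filter "fail"ed the bounce before any delivery attempt.
CANCEL_RE = re.compile(_TS_ID + r"cancelled by system filter: (?P<why>.*)$")
# "=>": a successful delivery of that bounce to a remote host.
DELIVER_RE = re.compile(_TS_ID + r"=> (?P<rcpt>\S+) ")
# Recipient refused inside the SMTP session: no message, so no bounce.
REJECT_RE = re.compile(r"^(?P<ts>\S+ \S+) H=.* rejected RCPT <(?P<rcpt>[^>]+)>: (?P<why>.*)$")


def classify(lines):
    """Return (bounces, rejected): bounces maps message id -> {rcpt, status};
    rejected lists (recipient, reason) pairs refused at RCPT time."""
    bounces = {}
    rejected = []
    for line in lines:
        m = BOUNCE_RE.match(line)
        if m:
            bounces[m["id"]] = {"rcpt": m["rcpt"], "status": "queued"}
            continue
        m = CANCEL_RE.match(line)
        if m and m["id"] in bounces:
            bounces[m["id"]]["status"] = "cancelled"
            continue
        m = DELIVER_RE.match(line)
        if m and m["id"] in bounces:
            bounces[m["id"]]["status"] = "delivered"
            continue
        m = REJECT_RE.match(line)
        if m:
            rejected.append((m["rcpt"], m["why"]))
    return bounces, rejected


def backscatter(bounces, local_domains=LOCAL_DOMAINS):
    """Recipients of bounces that were delivered to domains we do not host.
    Each one is a message this server sent to a probably forged sender."""
    return [b["rcpt"] for b in bounces.values()
            if b["status"] == "delivered"
            and b["rcpt"].rpartition("@")[2].lower() not in local_domains]


if __name__ == "__main__":
    bounces, rejected = classify(SAMPLE_LOG.splitlines())
    for msg_id, b in bounces.items():
        print(f"{msg_id}: bounce to {b['rcpt']} -> {b['status']}")
    for rcpt, why in rejected:
        print(f"rejected at RCPT: {rcpt} ({why})")
    print("backscatter sent:", backscatter(bounces))
```

    Run it over a real exim_mainlog with `classify(open('/var/log/exim_mainlog').readlines())`; a growing `backscatter()` list while `rejected` stays empty means recipients are still being accepted first and failed afterwards, which is the situation in this thread.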
     
  14. feanorknd

    feanorknd Member

    Joined:
    Sep 28, 2005
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Hi all:

    I prefer not to bounce messages, but only to deny them with a simple SMTP message... the bounce message may then be sent to the original sender_address by the remote MTA, not by my server.

    So my rule in the ACLs....

    Code:
    #**##########################################################################
    #**# DO NOT ALLOW BOUNCE MESSAGES FOR RECIPIENT ERRORS (sometimes the sender_address does not exist either)
    #**# If the recipient does not exist, simply deny without bouncing the message; the bounce message
    #**# would be sent by the remote MTA. (Otherwise: overload and 30000 emails in the spool for this stupid bouncing problem.)
    #**##########################################################################
    deny
      message        = RECIPIENT error: destination mail address does not exist here.
      log_message    = RECIPIENT error: destination mail address does not exist here.
      !authenticated = *
      !verify        = recipient
    
    
     
    #14 feanorknd, Nov 30, 2015
    Last edited by a moderator: Nov 30, 2015
  15. mike_n

    mike_n Member

    Joined:
    Nov 27, 2015
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    LS
    cPanel Access Level:
    Website Owner
    so yesterday, we were trying to implement this approach (that the OP posted) on another server, WHM with CentOS 6.7 as well, host on this one is LiquidWeb...

    same problem, it does NOT execute the discard of the bounce... contacted support, they tried to implement it for 1.5 hours with the exact steps outlined in this thread and they could not get it done as well...

    Any idea why this is not working ?

    Thanks.

    - Mike
     
  16. mike_n

    mike_n Member

    Joined:
    Nov 27, 2015
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    LS
    cPanel Access Level:
    Website Owner
    I think we finally got this working... we had to reboot the server, just rebooting Exim and spamd did not do anything... we're on a VPS, not on our own private box, so that may be the difference...

    we're finally now seeing the custom fail text message in the Exim mainlog...

    so, I have 2 remaining questions:

    (1) can somebody please explain the difference between this approach (implementing the custom bounce code from Farhad) and simply using a blackhole for a given account ?

    As far as I understand it (please correct where wrong !), a blackhole will send all invalid emails to /dev/null, basically deleting them... this custom code discards invalid emails as well, but it writes a custom fail text message in the exim mainlog...

    so is the only difference compared to a blackhole approach the custom fail text message in the exim mainlog ?

    (2) can somebody (who has experience coding exim filters) please explain the first IF condition of the code...

    Code:
    if $sender_address is ""
    to me, when I read it, it means if the variable $sender_address is empty (not null, but empty), then proceed with the second if condition... that in turn would mean that only invalid email that has an empty sender address would be processed by this code... but we would like for all invalid email to be processed by this code...

    am I correct or am I misinterpreting the condition... ?

    Thanks.

    - M
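    As an added illustration of the conditional logic asked about above (this is not part of any post in the thread and not Exim's code): an empty `$sender_address` is the null reverse-path, `MAIL FROM:<>`, which RFC 5321 requires for delivery status notifications precisely so that they cannot themselves be bounced. The outer condition therefore does not match "invalid email"; it matches the bounce Exim has just generated for the invalid recipient. The inner lookup then asks whether that bounce is addressed to a domain listed in /etc/localdomains; if not, it is about to leave the server and is failed. The emulation below reproduces that decision on constructed inputs (`validlocaldomain.com` and `validremotedomain.com` are the thread's placeholders) and also shows a quirk of `${extract{2}{@}{$recipients}}`: it takes the second `@`-separated field of the whole recipient string, so a null-sender message with several recipients is judged on a mangled "domain". The `per_recipient_cancels` variant is my own stricter version, not the thread's filter.

```python
"""Emulate the decision made by the Exim system filter discussed in this thread.
Added example: plain Python, not Exim, with constructed inputs."""

# Constructed stand-in for /etc/localdomains: one hosted domain per line.
LOCALDOMAINS_TEXT = """\
validlocaldomain.com
example.org
"""


def load_localdomains(text):
    """Parse an /etc/localdomains-style file. Exim's lsearch matches a line that
    consists of only the key, so each domain is a key with an empty value."""
    domains = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            domains.add(line.lower())
    return domains


def exim_extract_field2(recipients):
    """Emulate ${extract{2}{@}{$recipients}}: field 2 of the *whole* string
    split on '@'. For one recipient that is its domain; for several it is not."""
    fields = recipients.split("@")
    return fields[1] if len(fields) > 1 else ""


def thread_filter_cancels(sender_address, recipients, localdomains):
    """Decision of the filter posted in the thread.

    sender_address == "" is the null reverse-path (MAIL FROM:<>) that bounces
    carry, so the outer test selects bounce messages, not every message to an
    invalid user. The inner lookup fails the bounce when its recipient domain is
    not one this server hosts, i.e. when it would be sent off-server."""
    if sender_address != "":
        return False
    return exim_extract_field2(recipients).lower() not in localdomains


def per_recipient_cancels(sender_address, recipients, localdomains):
    """Stricter variant (assumption: written for this example, not from the
    thread). $recipients is a comma-and-space separated list in Exim; check each
    recipient's domain instead of the raw second '@' field."""
    if sender_address != "":
        return False
    for rcpt in recipients.split(", "):
        if rcpt.rpartition("@")[2].lower() not in localdomains:
            return True
    return False


if __name__ == "__main__":
    ld = load_localdomains(LOCALDOMAINS_TEXT)
    cases = [
        ("", "validuser@validremotedomain.com"),           # outgoing bounce
        ("", "postmaster@validlocaldomain.com"),           # inbound bounce to us
        ("alice@gmail.com", "invaliduser@validlocaldomain.com"),  # ordinary mail
        ("", "a@validlocaldomain.com, b@validlocaldomain.com"),   # multi-recipient
    ]
    for sender, rcpts in cases:
        print(f"sender={sender!r:28} rcpts={rcpts!r:55} "
              f"thread={thread_filter_cancels(sender, rcpts, ld)} "
              f"strict={per_recipient_cancels(sender, rcpts, ld)}")
```

    The third case is the important one for the question: mail from a real sender to an invalid local user is never touched by this filter. It is refused (or accepted and failed) by the `:fail:` default address in routing; the filter only decides what happens to the bounce that follows.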
     
  17. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  18. mike_n

    mike_n Member

    Joined:
    Nov 27, 2015
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    LS
    cPanel Access Level:
    Website Owner
    Hi cPanelMichael,

    I did set that up, but obviously we need a permanent solution, so since I don't know how to dynamically identify an "Exim attack" when it happens, I thought implementing this code would solve as a permanent solution...

    Given your expertise, could you please answer the 2 questions from my last post:

    (1) what is the diff of this solution to a blackhole ?

    (2) could you explain the conditional logic of line 1 of the code?

    Thanks !

    - M
     
  19. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Choosing a "blackhole" deletes incoming messages to non-existing email accounts without a failure notice. No bounce message is sent. You simply choose the "Discard" option as documented at:

    Default Address - Documentation - cPanel Documentation

    Could you clarify what additional actions you want to occur that require the custom filter rule?

    Thank you.
     
  20. mike_n

    mike_n Member

    Joined:
    Nov 27, 2015
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    LS
    cPanel Access Level:
    Website Owner
    Hi Michael,

    well, I'm not sure if there are additional actions that I need at the moment...

    but when googling for solution to this particular problem, people refer to this custom Exim filter solution, which was also what the OP used...

    Why don't these people just set up a blackhole? What is the "advantage" of the custom filter solution?

    Thanks.

    - M
     