Emails from same domain go to trash

bmezini

Member
Aug 30, 2019
7
0
1
Tirana, Albania
cPanel Access Level
Root Administrator
Hi, so I have this very weird problem that I can't find a solution to.
It started a while ago when a user ([email protected]) noticed that e-mails from another user ([email protected]) were going to trash. The weird part is that this happens only between these two specific users when [email protected] sends an e-mail to [email protected] and NOT vice-versa. I tried placing email filters that would specifically deliver email from user2 to user1's inbox but it didn't change anything. Another thing to note is that when I manually move the e-mails to inbox, after a while they are moved automatically to trash. I'd appreciate some help as I don't have any idea anymore.

Thanks in advance,
Brian.
 

bmezini

There are no filters in cPanel, but there might be in the mail client and I will check. What doesn't make sense to me is: Why would filters in a mail client affect the email in the server? I mean, shouldn't they only affect the copy of the mail that arrives in the client?
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
7,478
591
263
Houston
cPanel Access Level
DataCenter Provider
My point in asking if they use a mail client is that while the mail client is connected (whether or not he's currently using it), if the mail client is connected with IMAP, it is entirely possible there is a rule or filter on the Mac Mail client that moves the mail there - this will subsequently show the mail also being moved in WebMail. One of the quickest ways to test this (without looking at the logs) is to simply change the password of the account without updating ANY mail clients. This allows WebMail access only, and if, when doing this, the mail isn't moved to the trash, you know now for sure it's the mail client that's the source of the issue.
 

bmezini

I understand, and I gave it a try. First I did what you mentioned and the e-mail did, in fact, go to inbox... only to be sent to trash once again before updating the password in the mail client. So I created a new rule in the client to send emails from user2 to inbox. And it worked, the emails were going to inbox... until they were pushed back to trash a few minutes later for no apparent reason.
 

cPanelLauren

Hi @bmezini

You could check /var/log/maillog for the mail to identify what is happening. Here are some examples:

If you move a message from the inbox to trash from webmail, you will see the following in /var/log/maillog
Code:
Sep  4 09:48:37 server dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=3820, TLS, session=<EaXUTLuR2pB/AAAB>
Sep  4 09:48:37 server dovecot: imap([email protected])<3820><EaXUTLuR2pB/AAAB>: copy from INBOX: box=INBOX.Trash, uid=9, msgid=<[email protected]>, size=49270, subject=[server.domain.tld] TEST MESSAGE, flags=(\Seen)
Sep  4 09:48:37 server dovecot: imap([email protected])<3820><EaXUTLuR2pB/AAAB>: expunge: box=INBOX, uid=61115, msgid=<[email protected]>, size=49270, subject=[server.domain.tld] TEST MESSAGE, flags=(\Seen)
Sep  4 09:48:37 server dovecot: imap([email protected])<3820><EaXUTLuR2pB/AAAB>: Logged out in=108, out=1137, bytes=108/1137

Note that the IP listed in this example is 127.0.0.1.

If you move a message from inbox to trash from the mail client (using Apple Mail), you will see the following in /var/log/maillog

Code:
Sep  4 09:55:29 server dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=184.94.XXX.XX, lip=104.145.XXX.XX, mpid=5947, TLS, session=<44VmZbuRjO24XsUC>
Sep  4 09:55:37 server dovecot: imap([email protected])<5946><KchfZbuRzom4XsUC>: copy from INBOX: box=INBOX.Trash, uid=11, msgid=<[email protected]>, size=49258, subject=[server.domain.tld] TEST MESSAGE, flags=(\Seen)
Sep  4 09:55:37 server dovecot: imap([email protected])<5947><44VmZbuRjO24XsUC>: flag_change: box=INBOX.Trash, uid=11, msgid=<[email protected]>, size=49258, subject=[server.domain.tld] TEST MESSAGE, flags=(\Seen \Recent $NotJunk)
Sep  4 09:55:37 server dovecot: imap([email protected])<5946><KchfZbuRzom4XsUC>: delete: box=INBOX, uid=61117, msgid=<[email protected]>, size=49258, subject=[server.domain.tld] TEST MESSAGE, flags=(\Deleted \Seen)

It will also be useful to search the exim mainlog for the message; in the event there is a filter that is responsible, this will be shown in the exim log. For example:

Code:
[[email protected] ~]# exigrep 1i5WYw-0000oO-K0 /var/log/exim_mainlog
2019-09-04 09:47:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1i5WYw-0000oO-K0

2019-09-04 09:47:11 1i5WYw-0000oO-K0 H=mail-wr1-f41.google.com [209.85.221.41]:42153 Warning: "SpamAssassin as MYUSER detected message as spam (4.3)"
2019-09-04 09:47:11 1i5WYw-0000oO-K0 H=mail-wr1-f41.google.com [209.85.221.41]:42153 Warning: Message has been scanned: no virus or other harmful content was found
2019-09-04 09:47:11 1i5WYw-0000oO-K0 <= [email protected] H=mail-wr1-f41.google.com [209.85.221.41]:42153 P=esmtps X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=4286 [email protected]l.com T="test" for [email protected]
2019-09-04 09:47:11 1i5WYw-0000oO-K0 => user+spam <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> yHkIFW/Ob13RDAAA9Z/phw Saved"
2019-09-04 09:47:11 1i5WYw-0000oO-K0 Completed
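
Added example (not part of the original post and not cPanel's own tooling): one way to apply the rip comparison above to a whole maillog is to map each Dovecot session id to the rip on its imap-login line, then report every copy into INBOX.Trash with the IP of the session that performed it. The sample lines, addresses and session ids are constructed, and treating a loopback rip as webmail is an assumption taken from the note above.

```python
import re

# Constructed sample in the format of the maillog excerpts above
# (addresses, IPs and session ids are made up for this example).
SAMPLE_LOG = r"""
Sep  4 09:48:37 server dovecot: imap-login: Login: user=<user1@example.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=3820, TLS, session=<AAAAwebmail0001>
Sep  4 09:48:37 server dovecot: imap(user1@example.com)<3820><AAAAwebmail0001>: copy from INBOX: box=INBOX.Trash, uid=9, msgid=<m1@example.com>, size=49270, subject=TEST A, flags=(\Seen)
Sep  4 09:55:29 server dovecot: imap-login: Login: user=<user1@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, mpid=5947, TLS, session=<BBBBclient00002>
Sep  4 09:55:37 server dovecot: imap(user1@example.com)<5947><BBBBclient00002>: copy from INBOX: box=INBOX.Trash, uid=11, msgid=<m2@example.com>, size=49258, subject=TEST B, flags=(\Seen)
Sep  4 09:56:02 server dovecot: imap(user1@example.com)<5946><CCCCnologin0003>: copy from INBOX: box=INBOX.Trash, uid=12, msgid=<m3@example.com>, size=500, subject=TEST C, flags=()
"""

LOGIN = re.compile(r"imap-login: Login: user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[^,\s]+).*?session=<(?P<sid>[^>]+)>")
COPY = re.compile(r"imap\((?P<user>[^)]*)\)<\d+><(?P<sid>[^>]+)>: copy from (?P<src>[^:]+): "
                  r"box=(?P<box>[^,]+), uid=\d+, msgid=(?P<msgid><[^>]*>)")

def trash_moves(log_text, trash_box="INBOX.Trash"):
    """Return one dict per message copied into trash_box, with the IP of the session that did it."""
    rip_by_session = {}
    moves = []
    for line in log_text.splitlines():
        m = LOGIN.search(line)
        if m:
            rip_by_session[m["sid"]] = m["rip"]  # remember where this session connected from
            continue
        m = COPY.search(line)
        if m and m["box"] == trash_box:
            rip = rip_by_session.get(m["sid"])  # None: login line rotated away or not in this excerpt
            if rip is None:
                origin = "unknown (no login line for session)"
            elif rip in ("127.0.0.1", "::1"):
                origin = "local (e.g. webmail)"  # assumption: loopback means webmail on this host
            else:
                origin = "remote IMAP client"
            moves.append({"time": line[:15], "user": m["user"], "msgid": m["msgid"],
                          "rip": rip, "origin": origin})
    return moves

if __name__ == "__main__":
    for mv in trash_moves(SAMPLE_LOG):
        print(f'{mv["time"]}  {mv["msgid"]}  rip={mv["rip"]}  -> {mv["origin"]}')
```

A move attributed to a remote rip while nobody is touching webmail points at a connected client rule, which is the case the password-change test is meant to isolate.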
 

bmezini

These are the logs from /var/log/exim_mainlog for a test message that was later sent to trash

Bash:
2019-09-04 11:23:15 1i5RVT-0003fN-47 H=(some.domain.com) [::1]:40722 Warning: Message has been scanned: no virus or other harmful content was found
2019-09-04 11:23:15 1i5RVT-0003fN-47 <= [email protected] H=(some.domain.com) [::1]:40722 P=esmtpa A=dovecot_login:[email protected] S=618 [email protected] T="Test" for [email protected]
2019-09-04 11:23:15 1i5RVT-0003fN-47 => /home/domain787/mail/domain.com/user1/ <[email protected]> R=virtual_user_filter T=address_directory
2019-09-04 11:23:15 1i5RVT-0003fN-47 Completed

These are the logs from /var/log/maillog for the same message

Code:
Sep  4 11:23:15 host dovecot: lda([email protected])<14105><e7LgD4OCb10ZNwAAVD+tjQ>: msgid=<[email protected]>: saved mail to INBOX
 

cPanelLauren

That output indicates there's a filter in place:

Code:
2019-09-04 11:23:15 1i5RVT-0003fN-47 => /home/domain787/mail/domain.com/user1/ <[email protected]> R=virtual_user_filter T=address_directory

Specifically:

Code:
R=virtual_user_filter

If you go to cPanel>>Email>>Email Filters -> Manage Filters next to the email account - what is listed there?
 

cPanelLauren

That makes sense. Can we see a mail transaction without that? Based on that and the fact that it's delivered to the INBOX per the maillog I'm leaning more and more toward there having to be an external factor in place here.

When you changed the password for the account (before updating it in any mail client) did you restart dovecot to force the sessions to be re-established before you tested sending mail to the account?
 

bmezini

> ...
> When you changed the password for the account (before updating it in any mail client) did you restart dovecot to force the sessions to be re-established before you tested sending mail to the account?

Actually I did not think of that, I went straight to test the delivery. I'll get back to you the first chance I get to test your suggestion.

Thank you for the support btw, appreciated.
 

cPanelLauren

> Actually I did not think of that, I went straight to test the delivery. I'll get back to you the first chance I get to test your suggestion.

Great! Just trying to rule out a stale connection there. Will await your findings.

> Thank you for the support btw, appreciated.

Happy to help!