Exim problem receiving delivery error messages

fenixer

Well-Known Member
Feb 23, 2007
92
0
156
Hello:

I have a problem related to my Exim spool queue, which is freezing messages similar to this one, where mydomain.tld is a domain hosted by me.

2008-02-03 05:06:53 SMTP connection from [203.190.60.202]:48793 I=[85.112.x.x]:25 (TCP/IP connection count = 5)
2008-02-03 05:06:55 H=emailmx.infoseek.jp [203.190.60.202]:48793 I=[85.112.x.x]:25 Warning: Sender rate 0.1 / 1h
2008-02-03 05:06:56 1JLW87-0003Ce-OU <= <> H=emailmx.infoseek.jp [203.190.60.202]:48793 I=[85.112.x.x]:25 P=smtp S=1708 T="failure notice" from <> for [email protected]
2008-02-03 05:06:56 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1JLW87-0003Ce-OU
2008-02-03 05:06:56 1JLW87-0003Ce-OU ** [email protected] F=<> R=virtual_aliases: No Such User Here
2008-02-03 05:06:56 1JLW87-0003Ce-OU Frozen (delivery error message)
2008-02-03 05:06:56 SMTP connection from emailmx.infoseek.jp [203.190.60.202]:48793 I=[85.112.x.x]:25 closed by QUIT
I guess a spammer used mydomain.tld to send spam from a non-legitimate server (not mine, of course).. The problem is he used random addresses at mydomain.tld to send spam, and third-party SMTP servers of course try to send me the "delivery error message", because of spam or just because of any other problem.

In some cases my spool queue can have nearly thousands of these emails, which the third-party SMTP servers send me without a correct "From:", as you can see.

I don't know why Exim freezes the emails and keeps them in the queue instead of simply refusing or dropping them, as the To: address does not exist on my server.

The spammer uses <random>@mydomain.tld to send spam from his house, for example --> the destination SMTP server refuses it and sends my server (mydomain.tld) the corresponding notification to <random>@mydomain.tld --> <random>@mydomain.tld does not exist on my server, and instead of refusing or dropping it, it stays frozen in my queue.

Does anyone know how to prevent this? Thanks
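The log excerpt above shows the pattern an administrator wants to measure before changing anything: a message arriving with a null sender (<= <>), failing recipient verification at delivery time (** ... No Such User Here) and then being frozen. The following script is an added example, not code from the original post or from Exim/cPanel; it correlates those three mainlog lines per message id and reports the frozen backscatter by sending IP and by targeted local domain. The sample log lines, hosts, addresses and message ids are constructed for the example, and the regexes assume the Exim 4 mainlog layout shown in the thread.

```python
import re
from collections import Counter

# Constructed sample mainlog lines, modelled on the excerpt in the post above.
# Message ids, hosts and addresses are made up for this example. The fourth
# message is a legitimate bounce to an existing user and must not be flagged.
SAMPLE_LOG = """\
2008-02-03 05:06:56 1JLW87-0003Ce-OU <= <> H=emailmx.example.jp [203.0.113.10]:48793 I=[198.51.100.5]:25 P=smtp S=1708 T="failure notice" from <> for random1@mydomain.tld
2008-02-03 05:06:56 1JLW87-0003Ce-OU ** random1@mydomain.tld F=<> R=virtual_aliases: No Such User Here
2008-02-03 05:06:56 1JLW87-0003Ce-OU Frozen (delivery error message)
2008-02-03 05:07:10 1JLW88-0003Cf-11 <= alice@example.org H=mail.example.org [203.0.113.20]:1025 I=[198.51.100.5]:25 P=esmtp S=2100 for bob@mydomain.tld
2008-02-03 05:07:10 1JLW88-0003Cf-11 => bob <bob@mydomain.tld> R=virtual_user T=virtual_userdelivery
2008-02-03 05:07:11 1JLW88-0003Cf-11 Completed
2008-02-03 05:08:01 1JLW89-0003Cg-22 <= <> H=(host.example.vn) [203.0.113.30]:1839 I=[198.51.100.5]:25 P=smtp S=2405 T="failure notice" from <> for random2@mydomain.tld
2008-02-03 05:08:01 1JLW89-0003Cg-22 ** random2@mydomain.tld F=<> R=virtual_aliases: No Such User Here
2008-02-03 05:08:01 1JLW89-0003Cg-22 Frozen (delivery error message)
2008-02-03 05:09:00 1JLW90-0003Ch-33 <= <> H=mx.example.net [203.0.113.40]:2000 I=[198.51.100.5]:25 P=esmtp S=900 T="Undelivered Mail" from <> for bob@mydomain.tld
2008-02-03 05:09:00 1JLW90-0003Ch-33 => bob <bob@mydomain.tld> R=virtual_user T=virtual_userdelivery
2008-02-03 05:09:00 1JLW90-0003Ch-33 Completed
"""

# Exim message id: three base-62 groups, e.g. 1JLW87-0003Ce-OU
MSGID = r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})"
# Arrival line: "<= sender H=host [ip]:port ... for recipient"
ARRIVAL = re.compile(r"^\S+ \S+ " + MSGID +
                     r" <= (?P<sender>\S+) H=(?P<host>.+?) \[(?P<ip>[0-9.]+)\].* for (?P<rcpt>\S+)$")
# Permanent failure for an unknown local recipient, logged at delivery time
FAILED = re.compile(r"^\S+ \S+ " + MSGID + r" \*\* (?P<rcpt>\S+) F=<> R=\S+: No Such User Here$")
# The freeze that follows when the failed message is itself a bounce
FROZEN = re.compile(r"^\S+ \S+ " + MSGID + r" Frozen \(delivery error message\)$")


def find_backscatter(log_text):
    """Return {message id: info} for messages that arrived with a null sender,
    failed recipient verification at delivery time and were then frozen."""
    arrivals, failed, frozen = {}, {}, set()
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            arrivals[m["id"]] = {"sender": m["sender"], "host": m["host"],
                                 "ip": m["ip"], "rcpt": m["rcpt"]}
            continue
        m = FAILED.match(line)
        if m:
            failed[m["id"]] = m["rcpt"]
            continue
        m = FROZEN.match(line)
        if m:
            frozen.add(m["id"])
    hits = {}
    for mid in frozen:
        a = arrivals.get(mid)
        if a and a["sender"] == "<>" and mid in failed:
            hits[mid] = {**a, "failed_rcpt": failed[mid]}
    return hits


def summarize(hits):
    """Count frozen backscatter per sending IP and per targeted local domain."""
    by_ip = Counter(info["ip"] for info in hits.values())
    by_domain = Counter(info["rcpt"].rsplit("@", 1)[-1] for info in hits.values())
    return by_ip, by_domain


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits = find_backscatter(text)
    by_ip, by_domain = summarize(hits)
    print(f"{len(hits)} frozen backscatter message(s)")
    for ip, n in by_ip.most_common():
        print(f"  {n:5d}  from {ip}")
    for dom, n in by_domain.most_common():
        print(f"  {n:5d}  targeting @{dom}")
```

Run it against /var/log/exim_mainlog (or the path cPanel uses on your system) to see how much of the queue is this backscatter; the per-domain count tells you which hosted domain is being forged, which is also the domain whose SPF record matters most.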

fenixer

> I think this could be caused by a mailing list and/or spoofing.
>
> Do some reverse DNS & SPF records as well. Should help stop the spoofing.

Thanks, but I don't think SPF is the solution, since very few domains use SPF nowadays... most SMTP servers don't care about it.

The problem is not the spoofing.. Nowadays I cannot do anything to prohibit spammers from using my domain to send spam (yes, SPF, but not very useful nowadays)... the problem is that the notifications are getting frozen in my Exim and staying in my spool queue instead of being deleted (they are going to a non-existent user).

¿?
 

fenixer

Well, despite using RELEASE on all my servers, I am manually adding, through a bash script, an SPF record for all the domains I host, directly writing the new "standard" record in var/named/zones... After that I will configure the DNS templates for new domains...

Another question is: does the Exim installed by default with cPanel check SPF records when receiving emails from third-party SMTP servers?

But this question does not resolve the initial one, since the problem here is not the "domain spoofing" but Exim freezing emails with a "<>" From instead of returning the failure to the third-party SMTP server, just because the delivery address does not exist on my server.
 

fenixer

SPF records applied, but most external SMTP servers don't check them nowadays... The problem is still there... please, someone!!

You can check:
http://www.configserver.com/free/fail.html

> Using :fail: the email is never accepted into the server. During the initial SMTP negotiation when the sender's SMTP server connects to your SMTP server, the sending SMTP server issues a RCPT command notifying your server which email address the email to follow is intended for. Your server then checks whether the recipient email actually exists on your server (a POP3 account, an alias or a catchall alias) and if it does not, it issues an SMTP DENY which terminates the attempt to deliver the email.

Well, in my case it just receives the message and then freezes it!!!

Some more data:

IN MY QUEUE:
1JMoh4-0004UG-Pz-H
mailnull 47 12
<>
1202321302 0
-helo_name luatvietnam.vn
-host_address 203.162.168.16.1839
-interface_address 85.x.x.x.25
-received_protocol smtp
-body_linecount 50
-max_received_linelength 93
-frozen 1202407547
-host_lookup_failed
-manual_thaw
XX
1
[email protected]

210P Received: from [203.162.168.16] (port=1839 helo=luatvietnam.vn)
by myserver.mine.com with smtp (Exim 4.68)
id 1JMoh4-0004UG-Pz
for [email protected]; Wed, 06 Feb 2008 19:08:23 +0100
069P Received: (qmail 6913 invoked for bounce); 5 Feb 2008 09:04:11 -0500
032 Date: 5 Feb 2008 09:04:11 -0500
032F From: [email protected]
039T To: [email protected]
024 Subject: failure notice

WHEN TRYING TO DELIVER FROM QUEUE:
Message 1JMoh4-0004UG-Pz is no longer frozen
LOG: MAIN
cwd=/usr/local/cpanel/whostmgr/docroot 4 args: /usr/sbin/exim -v -M 1JMoh4-0004UG-Pz
delivering 1JMoh4-0004UG-Pz
LOG: MAIN
** [email protected] F=<> R=virtual_aliases: No Such User Here
LOG: MAIN
Frozen (delivery error message)

AT LOGS (first time):
2008-02-06 19:08:17 SMTP connection from [203.162.168.16]:1839 I=[85.112.9.44]:25 (TCP/IP connection count = 9)
2008-02-06 19:08:20 no host name found for IP address 203.162.168.16
2008-02-06 19:08:22 H=(luatvietnam.vn) [203.162.168.16]:1839 I=[85.x.x.x]:25 Warning: Sender rate 0.0 / 1h
2008-02-06 19:08:23 1JMoh4-0004UG-Pz <= <> H=(luatvietnam.vn) [203.162.168.16]:1839 I=[85.x.x.x]:25 P=smtp S=2405 T="failure notice" from <> for [email protected]
2008-02-06 19:08:23 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1JMoh4-0004UG-Pz
2008-02-06 19:08:23 1JMoh4-0004UG-Pz ** [email protected] F=<> R=virtual_aliases: No Such User Here
2008-02-06 19:08:23 1JMoh4-0004UG-Pz Frozen (delivery error message)
2008-02-06 19:08:24 SMTP connection from (luatvietnam.vn) [203.162.168.16]:1839 I=[85.x.x.x]:25 closed by QUIT
What the hell? Isn't :fail: supposed to reject emails during the SMTP protocol!?!?!?! Why is the email in my server's queue, and frozen?!?!?!

Please help! I am trying to find a solution, but blackholing it is not a great idea, I think.
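The queue entry quoted above is an Exim spool header (-H) file, and reading it directly is the quickest way to triage a queue of thousands of these without running exim -Mvh on each one. The parser below is an added example, not code from the post or from Exim; it walks the layout visible in the quoted file (message id, spool user/uid/gid, envelope sender, received time and warning count, the "-" option lines including -frozen, the non-recipient tree where XX means empty, the recipient count and list, a blank line, then length-prefixed header lines) and flags an entry as backscatter when it is both frozen and has a null sender. The sample file, its hosts and addresses are constructed; the layout of non-empty non-recipient trees is not modelled and is kept raw.

```python
import re

# Constructed Exim spool header (-H) file modelled on the one quoted in the post.
# The message id, hosts and addresses are made up; continuation lines start with a tab.
SAMPLE_H = """\
1JMoh4-0004UG-Pz-H
mailnull 47 12
<>
1202321302 0
-helo_name example.vn
-host_address 203.0.113.30.1839
-interface_address 198.51.100.5.25
-received_protocol smtp
-body_linecount 50
-max_received_linelength 93
-frozen 1202407547
-host_lookup_failed
-manual_thaw
XX
1
random@mydomain.tld

210P Received: from [203.0.113.30] (port=1839 helo=example.vn)
\tby myserver.example.com with smtp (Exim 4.68)
\tid 1JMoh4-0004UG-Pz
\tfor random@mydomain.tld; Wed, 06 Feb 2008 19:08:23 +0100
069P Received: (qmail 6913 invoked for bounce); 5 Feb 2008 09:04:11 -0500
032  Date: 5 Feb 2008 09:04:11 -0500
032F From: MAILER-DAEMON@example.vn
039T To: random@mydomain.tld
024  Subject: failure notice
"""

# Header line: 3+ digit length, one flag character (letter, '*' or space), a space, text.
HDR = re.compile(r"^(\d{3,})([A-Z* ]) (.*)$")


def parse_spool_header(text):
    """Parse an Exim -H spool file into a dict (assumed layout: id, user/uid/gid,
    sender, received-time/warnings, '-' options, non-recipient tree, recipient
    count, recipients, blank line, length-prefixed headers)."""
    lines = text.splitlines()
    msg = {"id": lines[0][:-2] if lines[0].endswith("-H") else lines[0]}
    user, uid, gid = lines[1].split()
    msg.update(user=user, uid=int(uid), gid=int(gid))
    msg["sender"] = lines[2].strip("<>")          # "" means null sender, i.e. a bounce
    received, warnings = lines[3].split()
    msg.update(received=int(received), warnings=int(warnings))
    options, i = {}, 4
    while lines[i].startswith("-"):               # e.g. "-frozen 1202407547", "-host_lookup_failed"
        name, _, value = lines[i][1:].partition(" ")
        options[name] = value if value else True
        i += 1
    msg["options"] = options
    tree = []                                     # non-recipients tree; "XX" is the empty tree
    while not lines[i].isdigit():
        if lines[i] != "XX":
            tree.append(lines[i])                 # kept raw; tree node layout not modelled here
        i += 1
    msg["non_recipients"] = tree
    count = int(lines[i]); i += 1
    msg["recipients"] = [l.split()[0] for l in lines[i:i + count]]; i += count
    if i < len(lines) and lines[i] == "":         # blank separator before the headers
        i += 1
    headers = []
    for line in lines[i:]:
        m = HDR.match(line)
        if m:
            headers.append({"length": int(m[1]), "flag": m[2].strip() or None, "text": m[3]})
        elif line[:1] in (" ", "\t") and headers:
            headers[-1]["text"] += "\n" + line    # folded continuation line
    msg["headers"] = headers
    return msg


def triage(msg):
    """Summarise what an admin wants to know about one queue entry."""
    frozen = "frozen" in msg["options"]
    return {
        "frozen": frozen,
        "null_sender": msg["sender"] == "",
        "backscatter": frozen and msg["sender"] == "",   # frozen bounce: the pattern in this thread
        "helo": msg["options"].get("helo_name"),
        "host": msg["options"].get("host_address"),
        "recipients": msg["recipients"],
    }


if __name__ == "__main__":
    import sys, json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_H
    print(json.dumps(triage(parse_spool_header(text)), indent=2))
```

Point it at one of the *-H files under the spool input directory (/var/spool/exim/input on the system in the post) to check a single entry, or loop over the directory to count how many frozen entries have a null sender before deciding what to do with the queue.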

fenixer

OK

I finally found the problem myself...

########################################################################################
# DO NOT ALTER THIS BLOCK
########################################################################################
#
# cPanel Default ACL Template Version: 3.8
# Template: mailman2.exiscan.dist
#
########################################################################################
# DO NOT ALTER THIS BLOCK
########################################################################################

acl_connect:
[% ACL_CONNECT_BLOCK %]

# do not change the comment in the line below, it is required for /usr/local/cpanel/bin/check_exim_config
#acl_smtp_notquit is required for this to work (exim 4.68)

accept

acl_notquit:
[% ACL_NOTQUIT_BLOCK %]


#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.


#**########################################################################################
#**########################################################################################
#**# TO AVOID BOUNCE MESSAGES FOR DELIVERIES TO ADDRESSES THAT DO NOT EXIST
#**# (if I put it here, the server denies delivery of the message if the recipient is not
#**# valid).... cPanel, bloody hell... overloads and queues of 3000 emails because of this thing
#**########################################################################################
require verify = recipient
#**########################################################################################
#**########################################################################################
...
...etc
I added require verify = recipient before checking anything else and accepting the email.

cPanel, with its defaults, first accepts the email and then refuses it, sending a bounce message to the external SMTP server.. I think this is a bit crazy.. Why do we have to send the "non-existent user" email instead of just refusing the incoming email during the SMTP protocol? Isn't that what I have a ":fail:" for??? Now, with my modification, the external SMTP server is the one that notifies the sender.

CPANEL, I think you might take care of this!
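To make the difference between the two ACL behaviours concrete, here is an added example (not code from the post, from Exim or from cPanel) that models the SMTP exchange for a bounce arriving with a null sender. With recipient verification at RCPT time the remote server gets a 550 and nothing is queued locally; without it the message is accepted, the router fails for the unknown user, and because a bounce cannot itself be bounced (there is no sender to return it to) the message is frozen, which is the "Frozen (delivery error message)" line seen in the logs. The local address list, message id and dialogue strings are constructed for the example; the model only covers the RCPT decision and the queue outcome, not Exim's full ACL processing.

```python
# Constructed set of addresses that exist on the local server.
LOCAL_ADDRESSES = {"bob@mydomain.tld", "postmaster@mydomain.tld"}


def rcpt_acl(rcpt, verify_recipient):
    """Server-side decision for one RCPT TO, mirroring what
    'require verify = recipient' in the RCPT ACL achieves."""
    if verify_recipient and rcpt not in LOCAL_ADDRESSES:
        return "550 No Such User Here"      # rejected in-session: remote MTA reports it
    return "250 Accepted"


def smtp_session(mail_from, rcpt_to, verify_recipient):
    """Simulate one inbound session and the resulting local queue state.

    mail_from == "" models the null sender (<>) that bounces carry.
    Returns (transcript, queue) where transcript is a list of
    ("C"|"S", line) tuples and queue lists (state, description) tuples."""
    transcript = [("C", f"MAIL FROM:<{mail_from}>"), ("S", "250 OK")]
    transcript.append(("C", f"RCPT TO:<{rcpt_to}>"))
    reply = rcpt_acl(rcpt_to, verify_recipient)
    transcript.append(("S", reply))
    if reply.startswith("550"):
        transcript += [("C", "QUIT"), ("S", "221 Bye")]
        return transcript, []               # nothing accepted, so nothing to freeze
    transcript += [("C", "DATA"), ("S", "354 Enter message"),
                   ("C", "(failure notice body)"),
                   ("S", "250 OK id=1AAAAA-000000-AA")]   # constructed message id
    # The message is now ours. Delivery is attempted and the router fails
    # for an unknown user; what happens next depends on the envelope sender.
    if rcpt_to not in LOCAL_ADDRESSES:
        if mail_from == "":
            # A delivery error for a bounce has nowhere to go: Exim freezes it.
            return transcript, [("frozen", f"delivery error message for {rcpt_to}")]
        return transcript, [("bounced", f"error report sent to {mail_from}")]
    return transcript, [("delivered", rcpt_to)]


def queue_states(mail_from, rcpt_to):
    """Compare the queue outcome of both configurations for the same session."""
    return {verify: [state for state, _ in smtp_session(mail_from, rcpt_to, verify)[1]]
            for verify in (False, True)}


if __name__ == "__main__":
    for verify in (False, True):
        print(f"--- verify = recipient: {verify}")
        transcript, queue = smtp_session("", "random@mydomain.tld", verify)
        for who, line in transcript:
            print(f"{who}: {line}")
        print("queue:", queue or "empty")
```

The comparison that matters for this thread is queue_states("", "random@mydomain.tld"): the default behaviour leaves a frozen entry, the verified one leaves none, and a bounce for a real user is delivered either way.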