exim sending failure and not rejection

keat63

Well-Known Member
Nov 20, 2014
1,961
266
113
cPanel Access Level
Root Administrator
I have a thread open which eventually evolves into this question, but feel that this question really deserves a thread in its own right.

So I have a mailbox which has never existed [email protected]
If I send to this email, exim rejects the mail at smtp time. (expected)

I have another mailbox [email protected] that maybe used to exist.
Exim doesn't reject, but accepts then sends a failure, same result ultimately, but not quite how it ought to work.

There are no forwarders or filters that I can see.

I've checked home/user/mail and see no mailbox. Also home/user/mail/domain and see nothing.
I've also checked etc/valiases/user and see no entries in there either.

I have CSF explorer installed, if I search 'files, folders and words' for '[email protected]', nothing is returned.
If I search for '[email protected]', then all sorts of entries are returned.

If [email protected] used to exist (which I strongly suspect it did), then something somewhere has been left behind, when the account was removed.

So have I missed anything?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
11,801
1,878
363
cPanel Access Level
Root Administrator
Hey hey! A grep through all of /home/username for the full email address would show if there were any trace of that, but I haven't heard of this exact behavior before. Would you be able to post a log of the "accept then fail" scenario so I can try and reproduce on my end?
 

sparek-3

Well-Known Member
Aug 10, 2002
2,114
254
388
cPanel Access Level
Root Administrator
Does /home/$(/scripts/whoowns mydomain.com)/mail/mydomain.com/cpanel exist?

This is a somewhat known issue. I think it happened after cPanel switched to using Dovecot for LMTP.

The cPanel end-user interface still looks in /home/$(/scripts/whoowns mydomain.com)/etc/mydomain.com/passwd to determine if an email account exists. But Exim uses the existence of a directory under /home/$(/scripts/whoowns mydomain.com)/mail/mydomain.com/ to determine if an email account exists.

The two get out of sync somehow. So cPanel will tell you that [email protected] doesn't exist, but if a directory exists at /home/$(/scripts/whoowns mydomain.com)/mail/mydomain.com/cpanel then Exim will accept the email as a real email account.
 

keat63

Struggling to locate this location.
/home/$(/scripts/whoowns mydomain.com)/mail/mydomain.com

Maybe I'm misreading something?
 

sparek-3

Actually you already checked this, according to your original post.

/home/$(/scripts/whoowns mydomain.com)/mail/mydomain.com/cpanel is just a fancy way of checking /home/%userthatownsmydomain.com%/mail/mydomain.com/cpanel but giving it within the context of only knowing mydomain.com.

It's kind of like using order of operations with parentheses in math. When the command is run, the command /scripts/whoowns mydomain.com will run first, which on a cPanel system will return the username that owns mydomain.com. That username fits into the placement of $(/scripts/whoowns mydomain.com) and then the rest of the string is returned as given.

ls -ald /home/$(/scripts/whoowns mydomain.com)/mail/mydomain.com/cpanel

is the same thing as

ls -ald /home/%userthatownsmydomain.com%/mail/mydomain.com/cpanel

but without knowing the username or multiple variables, you're deriving the username or other variables from a known variable - mydomain.com.

You probably need to be using bash as your shell - but that's typically default on CentOS and CentOS based distributions and pretty much any large distribution or distribution that cPanel supports.
 

keat63

So here's the bounce I get back when sending from gmail:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
No such person at this address."



This is what exim says:

2022-06-13 18:36:53 1o0nzi-00072v-2T <= [email protected] H=mail-qv1-f52.google.com [209.85.219.52]:40701 P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=2623 id=CAEHC+xnEEVxwZvsmVbY=bfisVMomvrqgvEHXU=[email protected] T="this is a test" for [email protected]
2022-06-13 18:36:55 cwd=/var/spool/exim/input 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1o0nzi-00072v-2T
2022-06-13 18:36:55 1o0nzi-00072v-2T ** [email protected] R=virtual_aliases: No such person at this address."
2022-06-13 18:36:55 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1o0nzi-00072v-2T
2022-06-13 18:36:55 1o0nzj-00074b-F6 <= <> R=1o0nzi-00072v-2T U=mailnull P=local S=4456 T="Mail delivery failed: returning message to sender" for [email protected]
2022-06-13 18:36:55 1o0nzi-00072v-2T Completed


and the same test to an address which I just made up and never existed:

2022-06-13 18:41:30 SMTP connection from [209.85.222.182]:34745 (TCP/IP connection count = 1)
2022-06-13 18:42:11 H=mail-qk1-f182.google.com [209.85.222.182]:34745 X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no F=<[email protected]> rejected RCPT <[email protected]>: No such person at this address."
2022-06-13 18:42:42 SMTP connection from mail-qk1-f182.google.com [209.85.222.182]:34745 closed by QUIT
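
The two outcomes shown in the logs above can be separated mechanically. This is an added example, not part of the original post: the function names, the constructed sample log and its example.com/example.net addresses are assumptions, and the field positions assume exim's default main-log layout.

```shell
# Added example. Assumed field order in exim_mainlog lines:
# date, time, message id, flag ("<=" arrival, "**" permanent failure), address.

# Print "msgid recipient router" for mail accepted from a remote host
# and then failed permanently, i.e. the accept-then-bounce case.
bounced_after_accept() {
    awk '
        $4 == "<=" && / H=/ { accepted[$3] = 1 }   # arrival over SMTP
        $4 == "**" && ($3 in accepted) {
            router = "-"
            for (i = 6; i <= NF; i++)
                if ($i ~ /^R=/) { router = substr($i, 3); sub(/:$/, "", router) }
            print $3, $5, router
        }' "$1"
}

# Print recipients refused during the SMTP session (no message id, no bounce).
rejected_at_rcpt() {
    sed -n 's/.* rejected RCPT <\([^>]*\)>.*/\1/p' "$1"
}

# Constructed sample log: documentation addresses, shortened fields.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2022-06-13 18:36:53 1aAAAA-000001-AA <= sender@example.net H=mx.example.net [192.0.2.10]:40701 P=esmtps S=2623 T="this is a test" for old@example.com
2022-06-13 18:36:55 1aAAAA-000001-AA ** old@example.com R=virtual_aliases: No such person at this address
2022-06-13 18:36:55 1aAAAA-000002-BB <= <> R=1aAAAA-000001-AA U=mailnull P=local S=4456 T="Mail delivery failed: returning message to sender" for sender@example.net
2022-06-13 18:36:55 1aAAAA-000001-AA Completed
2022-06-13 18:42:11 H=mx.example.net [192.0.2.10]:34745 F=<sender@example.net> rejected RCPT <never@example.com>: No such person at this address
EOF
    printf '%s\n' "$f"
}

log=$(make_sample_log)
echo "accepted, then bounced:"; bounced_after_accept "$log"
echo "rejected at RCPT:";       rejected_at_rcpt "$log"
rm -f "$log"
```

The router name in the first list (here virtual_aliases) shows which routing step produced the failure after acceptance.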
 

sparek-3

I was able to find an instance of this happening on one of our servers - not [email protected], it was a different email address.

Investigating this found that the email address mentioned in the logs (i.e. [email protected]) was set up as a forwarder, it exists in /etc/valiases/mydomain.com - but the address it was forwarding to... which was another @mydomain.com email address, did not exist. And the domain has their default address set to :fail: messages.

So the server was accepting the email for [email protected] because the email address exists as a forwarder in /etc/valiases/mydomain.com

But the address that [email protected] was set to forward to does not exist, so the message is sent to the default address for mydomain.com.

The default address for mydomain.com is set to :fail: messages.

So the server is left to send the bounceback rejection message.

Solution... remove the [email protected] forwarder from the /etc/valiases/mydomain.com file - it wasn't receiving mail anyway.

Did you by chance check for case-insensitive matches in /etc/valiases/mydomain.com ?

grep -i [email protected] /etc/valiases/mydomain.com
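
The situation described in this post (a forwarder whose same-domain target no longer exists) can be checked for across a whole valiases file. This is an added example, not part of the original post and not cPanel's own tooling: the function names and the example.com sample tree are constructed, and it assumes the file holds `address: target, target` lines plus a `*:` default entry, with a mailbox counted as present when its directory exists under the domain's mail directory.

```shell
# Added example. dangling_forwarders VALIASES_FILE DOMAIN MAILDIR
# Prints "forwarder -> target" for each same-domain target that has neither a
# mailbox directory under MAILDIR nor its own entry in VALIASES_FILE.
# Matching is case-insensitive (everything is lower-cased first).
dangling_forwarders() {
    file=$1; domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); maildir=$3
    # Drop blank lines, comments and the "*" default-address entry.
    tr 'A-Z' 'a-z' < "$file" | grep -v -e '^[[:space:]]*$' -e '^#' -e '^\*:' |
    while IFS= read -r line; do
        key=${line%%:*}
        # Split the comma-separated target list, one trimmed target per line.
        printf '%s\n' "${line#*:}" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        while IFS= read -r target; do
            case $target in
                *@"$domain") ;;      # same-domain address: check it
                *) continue ;;       # remote address, pipe, :fail: and so on
            esac
            lp=${target%@*}
            if [ ! -d "$maildir/$lp" ] &&
               ! tr 'A-Z' 'a-z' < "$file" | cut -d: -f1 | grep -qxF "$target"; then
                printf '%s -> %s\n' "$key" "$target"
            fi
        done
    done
}

# Constructed sample: "Old" forwards to a deleted mailbox, "info" to a live
# one and an off-domain address, "chain" to another forwarder.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/mail/example.com/bob"
    cat > "$d/valiases" <<'EOF'
*: :fail: No such person at this address
Old@example.com: gone@example.com
info@example.com: bob@example.com, archive@example.net
chain@example.com: info@example.com
EOF
    printf '%s\n' "$d"
}

s=$(make_sample)
dangling_forwarders "$s/valiases" example.com "$s/mail/example.com"
rm -rf "$s"
```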
 

sparek-3

Additionally, is mail for mydomain.com perhaps forwarding to another domain on the server?

Is there anything in the file:

/etc/vdomainaliases/mydomain.com

I can't remember exactly where this is set up in cPanel or really how it is used. Been a long time since I've messed with this.

But if /etc/vdomainaliases/mydomain.com has the contents:

mydomain.com: myotherdomain.com

Then all mail for mydomain.com will be forwarded to a corresponding @myotherdomain.com email address.

/etc/valiases/myotherdomain.com may contain a [email protected] forwarder that is forwarding to a nonexistent email address.
 

keat63

In another thread I discovered that my domain is under some form of spoofing, resulting in me tightening SPF (-all).
Could this be related?

As crazy as this may sound, could my server be somehow processing emails from this rogue server?
If the email address exists on the rogue server, could the real domain then assume that it must exist on my server and is sending it to fail rather than reject?
 

keat63

I'm still trying to get to the bottom of this.
Today I decided to maybe create an email account 'cpanel', to see what happens when I then delete it.
Upon trying to create the account I got the following error.

Error: Sorry, “cpanel” is a reserved username. Please choose another name.

Does this give any clues?