Exim Sending IP, DKIM

Operating System & Version
CENTOS 7.8 kvm [vps]
cPanel & WHM Version
v88.0.5

_jman

Active Member
Jan 17, 2007
41
3
158
I have one domain on a dedicated IPv4 address different from the one my main WHM account uses, and am having some trouble with Exim choosing the correct outbound IP and domain. I also appear to have some DKIM issues.

A little bit of substitution: the actual values are correct in both /etc/mailhelo and /etc/mailips.
For my main WHM user: example_main.com with an IPv4 address of 1.2.3.4
For my other domain user: example_alternate.com with an IPv4 address of 5.6.7.8

So far as I can tell, reverse DNS is set up correctly.
running "nslookup 5.6.7.8" returns
8.7.6.5.in-addr.arpa name = example_alternate.com

Same for 1.2.3.4 and example_main.com

Also, using misk's DNS lookup tool ( DNS Lookup / NSLookup: Check DNS Records - Misk.com ) on 5.6.7.8 returns the main WHM account's NS records (ns1.example_main.com, ns2.example_main.com) as authoritative.

(I know, they're on the same machine, don't really *need* two entries...)

With regards the sending IP:
"Send mail from account’s dedicated IP address" is ON in Service Configuration / Exim Configuration.
Using the above substitution:
/etc/mailhelo has example_alternate.com: example_alternate.com
/etc/mailips has example_alternate.com: 5.6.7.8

Permissions for both files appear OK (root/mail, 0640).

There are default * entries in both for vps.example_main.com and 1.2.3.4, respectively.

The messages were sent from a machine external to Exim, not from the server itself, via SMTP with credentials from an email account associated with example_alternate.com.

Sending to a hotmail address resulted in these headers:
Authentication-Results: spf=pass (sender IP is 1.2.3.4)
smtp.mailfrom=example_alternate.com; hotmail.com; dkim=none (message not signed)
header.d=none;hotmail.com; dmarc=pass action=none
header.from=example_alternate.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of example_alternate.com designates
1.2.3.4 as permitted sender) receiver=protection.outlook.com;
client-ip=1.2.3.4; helo=vps.example_main.com;

Shouldn't that be referencing example_alternate's IP, not example_main's? And why is there no DKIM, when example_alternate's zone file clearly has one?

Sending to an AOL address resulted in this header:
X-Originating-IP: [1.2.3.4]

And this is what sending to a Gmail address had:
Received: from vps.example_main.com (vps.example_main.com. [1.2.3.4])

Assuming Exim is honoring /etc/mailips, shouldn't all of them have been showing example_alternate.com and 5.6.7.8?

AOL also had a couple of interesting headers that look to have been inserted by /etc/exim.pl.local
X-Get-Message-Sender-Via: vps.example_main.com: mailgid via get_recent_authed_mail_ips_entry: [email protected]_main.com/cached: in recent_authed_mail_ips_users using first address
X-Authenticated-Sender: vps.example_main.com: [email protected]_main.com

It looks like this might be an attempt to eliminate unnecessary lookups and save system overhead. However, I legitimately send emails from one machine, using multiple "sender" domains and addresses (work hat, home hat, etc.). Why would Exim not be noticing the domain in the "from" address doesn't match the cached one? It had no business inserting that header with an email address that didn't match the sender's domain. In this case, test emails were sent not from my email client, but an instance of PHPMailer which knew nothing about example_main.com, so cPanel seems to be adding these headers based on the sending IP.

There should be a way to turn that off, or at least let the routine be smart enough to compare current and cached domains of the sender address before avoiding the lookup and returning the cached value.

With regards to DKIM:
In example_alternate.com's zone file, there is a TXT entry:
default._domainkey
with a value of "v=DKIM1; k=rsa; p=(a very long key)"

Yet, the source of the message to hotmail says:
smtp.mailfrom=example_alternate.com; hotmail.com; dkim=none (message not signed)

For the message to AOL, this was in the headers:
dkim=neutral (no sig) [email protected]_alternate.com;

Headers in a message to a Gmail address had no reference to dkim.

Just curious what I could be doing wrong. According to all docs I've read, when a remote host receives a message from example_alternate.com, it should show it as coming from 2.3.4.5, not 1.2.3.4, and it should have the signed DKIM record.

FWIW, the messages *do* appear to be getting delivered. I just don't understand why they have the wrong IPs and domain names attached to them.

Any replies would be most appreciated. Thanks!
--
Carl
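
One way to check the mismatch described in this post, as an added example that is not part of the thread or of cPanel's code: it reads map files in the `domain: value` layout with a `*` default that the post describes, then compares the expected IP and HELO for the From domain with what the receiver recorded, and reports whether the message carries a DKIM-Signature header. The map contents, the From address and the helper names are constructed for illustration.

```python
import re
from email import message_from_string
# Constructed map files, laid out as the post describes /etc/mailips and /etc/mailhelo.
MAILIPS = "example_alternate.com: 5.6.7.8\n*: 1.2.3.4\n"
MAILHELO = "example_alternate.com: example_alternate.com\n*: vps.example_main.com\n"

# Constructed message: the Hotmail headers quoted in the post plus a made-up From line.
SAMPLE = """\
Authentication-Results: spf=pass (sender IP is 1.2.3.4)
 smtp.mailfrom=example_alternate.com; hotmail.com; dkim=none (message not signed)
 header.d=none;hotmail.com; dmarc=pass action=none
 header.from=example_alternate.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of example_alternate.com designates
 1.2.3.4 as permitted sender) receiver=protection.outlook.com;
 client-ip=1.2.3.4; helo=vps.example_main.com;
From: Second Domain <sender@example_alternate.com>
"""

def load_map(text):
    """Parse 'key: value' lines; the '*' key is the default entry."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {key.strip().lower(): value.strip().lower() for key, value in pairs}

def lookup(table, domain):  # per-domain entry, else the '*' default
    return table.get(domain.lower(), table.get("*"))

def grab(pattern, header):
    """First capture group of pattern in an unfolded header, or None."""
    found = re.search(pattern, " ".join((header or "").split()))
    return found.group(1).lower() if found else None

def audit(raw, mailips=MAILIPS, mailhelo=MAILHELO):
    """Compare what the receiver recorded with what the map files call for."""
    msg = message_from_string(raw)
    domain = grab(r"@([^>\s]+)", msg["From"])
    want_ip = lookup(load_map(mailips), domain or "")
    want_helo = lookup(load_map(mailhelo), domain or "")
    seen_ip = grab(r"client-ip=([^;\s]+)", msg["Received-SPF"])
    seen_helo = grab(r"helo=([^;\s]+)", msg["Received-SPF"])
    return {
        "from_domain": domain,
        "expected_ip": want_ip, "seen_ip": seen_ip, "ip_ok": seen_ip == want_ip,
        "expected_helo": want_helo, "seen_helo": seen_helo, "helo_ok": seen_helo == want_helo,
        "dkim_result": grab(r"dkim=(\w+)", msg["Authentication-Results"]),
        "has_dkim_signature": "DKIM-Signature" in msg,
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A published `default._domainkey` TXT record only lets receivers verify a signature; `has_dkim_signature` shows whether the sending server actually added one to the message.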
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,251
313
Houston
_jman said:
AOL also had a couple of interesting headers that look to have been inserted by /etc/exim.pl.local
X-Get-Message-Sender-Via: vps.example_main.com: mailgid via get_recent_authed_mail_ips_entry: [email protected]_main.com/cached: in recent_authed_mail_ips_users using first address
X-Authenticated-Sender: vps.example_main.com: [email protected]_main.com

It looks like this might be an attempt to eliminate unnecessary lookups and save system overhead. However, I legitimately send emails from one machine, using multiple "sender" domains and addresses (work hat, home hat, etc.). Why would Exim not be noticing the domain in the "from" address doesn't match the cached one? It had no business inserting that header with an email address that didn't match the sender's domain. In this case, test emails were sent not from my email client, but an instance of PHPMailer which knew nothing about example_main.com, so cPanel seems to be adding these headers based on the sending IP.
This is a setting in WHM>>Server Configuration>>Tweak Settings -> Allow users to relay mail if they use an IP through which someone has validated an IMAP or POP3 login within the last hour (Pop-before-SMTP)
Provides the IMAP/POP before SMTP authentication method. You must enable RecentAuthedMailIpTracker in the Service Manager for this functionality to work. However, we recommend that you do not enable this option, and you should instead use SMTP authentication on modern systems.
The default setting for this is off and it would have had to be manually enabled at some point.


For the issues with mailips to clarify:

  • Because you're using "Send mail from account's dedicated IP" you have dedicated these IPs to the accounts?
  • Does this occur with mail sent directly from the server or is it limited to mail that is sent using a script like PHP mail?
  • Can you provide the full headers of an email that is sent using the incorrect IP (just replace identifying information)?
 

_jman

Hi, Lauren, thanks for the reply.

cPanelLauren said:
This is a setting in WHM>>Server Configuration>>Tweak Settings -> Allow users to relay mail if they use an IP through which someone has validated an IMAP or POP3 login within the last hour (Pop-before-SMTP)
This setting is already set to off in WHM.

cPanelLauren said:
For the issues with mailips to clarify:

  • Because you're using "Send mail from account's dedicated IP" you have dedicated these IPs to the accounts?
  • Does this occur with mail sent directly from the server or is it limited to mail that is sent using a script like PHP mail?
  • Can you provide the full headers of an email that is sent using the incorrect IP (just replace identifying information)?
Yes, have one dedicated IP for my main domain (and a few others), and the target domain giving trouble has its own dedicated IP.
Don't typically send directly from the server, but made up a new account at the secondary domain and looks like this time it did show the correct IP, so am thinking that the caching may have had something to do with it.
If you'd like to see it unredacted, would have to upload via a support ticket, but here's a sanitized version:

Sent to a hotmail address via SMTP with credentials from an email account at the secondary domain.

For sanitization:
Sender IP of main WHM account replaced with 1.2.3.4
Main domain replaced with myprimarydomain.com
Sending domain replaced with myseconddomain.com
Recipient hotmail address replaced with [email protected]


Code:
Received: from DB3EUR04HT097.eop-eur04.prod.protection.outlook.com
(2603:10b6:600::46) by CY4PR06MB3126.namprd06.prod.outlook.com with HTTPS via
CY1PR03CA0036.NAMPRD03.PROD.OUTLOOK.COM; Sun, 31 May 2020 22:49:04 +0000
Received: from DB3EUR04FT056.eop-eur04.prod.protection.outlook.com
(2a01:111:e400:7e0c::50) by
DB3EUR04HT097.eop-eur04.prod.protection.outlook.com (2a01:111:e400:7e0c::222)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3045.17; Sun, 31 May
2020 22:49:02 +0000
Authentication-Results: spf=pass (sender IP is 1.2.3.4)
smtp.mailfrom=myseconddomain.com; hotmail.com; dkim=none (message not signed)
header.d=none;hotmail.com; dmarc=pass action=none
header.from=myseconddomain.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of myseconddomain.com designates
1.2.3.4 as permitted sender) receiver=protection.outlook.com;
client-ip=1.2.3.4; helo=vps.myprimarydomain.com;
Received: from vps.myprimarydomain.com (1.2.3.4) by
DB3EUR04FT056.mail.protection.outlook.com (10.152.24.69) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.3045.17 via Frontend Transport; Sun, 31 May 2020 22:49:02 +0000
X-IncomingTopHeaderMarker:
OriginalChecksum:76971B6CADB2E4791E93BC06AF197D36D5BCA5094B085D1DB3D6EDEF0669A7F7;UpperCasedChecksum:DB55BAAD3DF6638A1B2BA69F3E5C8A923774BDFD49258C5846B1D8E838E857B4;SizeAsReceived:1405;Count:23
Received: from [136.49.108.80] (port=50534 helo=Sending-Computer.local)
    by vps.myprimarydomain.com with esmtp (Exim 4.93)
    (envelope-from <[email protected]>)
    id 1jfWlI-0003wm-8A
    for [email protected]; Sun, 31 May 2020 17:49:00 -0500
Date: Sun, 31 May 2020 17:49:00 -0500
To: [email protected]
From: Second Domain <[email protected]>
Reply-To: [email protected]
Subject: Email Subject
Message-ID: <[email protected]>
X-Mailer: My Second Domain Mailer
Content-Type: text/html; charset=iso-8859-1
X-MY-PRIMARY-DOMAIN-MailScanner-Information: Please contact [email protected] for more information.
X-MY-PRIMARY-DOMAIN-MailScanner-ID: 1jfWlI-0003wm-8A
X-MY-PRIMARY-DOMAIN-MailScanner: Found to be clean
X-MY-PRIMARY-DOMAIN-MailScanner-SpamCheck:
X-MY-PRIMARY-DOMAIN-MailScanner-From: [email protected]
X-Spam-Status: No
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - vps.myprimarydomain.com
X-AntiAbuse: Original Domain - hotmail.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - myseconddomain.com
X-Get-Message-Sender-Via: vps.myprimarydomain.com: mailgid via get_recent_authed_mail_ips_entry: [email protected]/cached: in recent_authed_mail_ips_users using first address
X-Authenticated-Sender: vps.primarydomian.com: [email protected]
X-IncomingHeaderCount: 23
Return-Path: [email protected]
X-MS-Exchange-Organization-ExpirationStartTime: 31 May 2020 22:49:02.1423
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
1c3f599d-0c6f-4b58-7ab5-08d805b4d064
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report:
CIP:72.14.177.183;CTRY:US;LANG:en;SCL:0;SRV:;IPV:NLI;SFV:NSPM;H:vps.myprimarydomain.com;PTR:vps.myprimarydomain.com;CAT:NONE;SFTY:;SFS:;DIR:INB;SFP:;
X-MS-PublicTrafficType: Email
X-MS-Exchange-Organization-AuthSource:
DB3EUR04FT056.eop-eur04.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-UserLastLogonTime: 5/31/2020 10:28:18 PM
X-MS-Office365-Filtering-Correlation-Id: 1c3f599d-0c6f-4b58-7ab5-08d805b4d064
X-MS-TrafficTypeDiagnostic: DB3EUR04HT097:
X-MS-Exchange-EOPDirect: true
X-Sender-IP: 1.2.3.4
X-SID-PRA: [email protected]
X-SID-Result: PASS
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-SCL: 0
X-Microsoft-Antispam: BCL:0;
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 31 May 2020 22:49:02.0183
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 1c3f599d-0c6f-4b58-7ab5-08d805b4d064
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB3EUR04HT097
X-MS-Exchange-Transport-EndToEndLatency: 00:00:02.5096175
X-MS-Exchange-Processed-By-BccFoldering: 15.20.3045.014
X-Microsoft-Antispam-Mailbox-Delivery:
    abwl:0;wl:0;pcwl:0;kl:0;iwl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;auth:1;dest:J;OFR:SpamFilterAuthJ;ENG:(5062000282)(90000002)(90005002)(90025001)(90026001)(90027001)(9000001)(9015001)(9030002)(5061607266)(5061608174)(4900115)(8391040)(4920090)(6375004)(4950130)(4990090)(9140004);RF:JunkEmail;
X-Message-Info:
    qoGN4b5S4yr1FZhTsFkSmFJMw/yv7ZAXFKo3g5iCzG5HSWeySSkqYiJCASxarkiK6EXSqDOvSAjOGRdpucQfIkdJO/Efr+dlDb3Mct1TPRa1hKMm3dAYmxOhDW4UDiEAXwmZyYRZjaDaMgq0uCOtIrTJpGnIKeox/jB/L/Rm7RwpAE+wMLmWhnaG8iXdTvzIKJu2fHsYltgWV/Cx21f9aQ==
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
X-Microsoft-Antispam-Message-Info:
    =?iso-8859-1?Q?kXwTZChF3QSMhd7kTZAtxMntE+kdg5gc7zq9oV0tYiemHuphuf4uFaOm0r?=
=?iso-8859-1?Q?PtxBAou2I9SM/wKKRitSrlyRi2+y24i55XWYT5JRGK7laQ1/E6ES/z93Ny?=
=?iso-8859-1?Q?yHBliWjf64G0bqTZyzIpatTlpCwpxSPYtdS9hklpcwdgE302oLeR0aoS0Z?=
=?iso-8859-1?Q?622K3O3SkbqY6WEvr2gfK5nzqwv1zYTW2sVfYR3T08yRJt5i/Rr9rnS+Kx?=
=?iso-8859-1?Q?kK2cg891C572nH08HRQjgke0p7Yu0PlhI1MpHwfdc3jimzhH+rBql+Krei?=
=?iso-8859-1?Q?1m11sVDzMc8Eunm9d2HakJJ88reN0qiq9n6anUSzQrQ+G9aLUzTDOsj+yY?=
=?iso-8859-1?Q?oE8JkAhnjPwrfm9CEOkG9cBR74w4clk7B9H5Xxdxznwe1tM/MmhgC3OTRo?=
=?iso-8859-1?Q?HFSkcSqsgTr38/ACNbx0EKWyYxdAl8i702qwgyblTVDRq9BKuxswy30Xx9?=
=?iso-8859-1?Q?vth0b3LcczGt61ieVSjhgKNRl1Nf5sBa7+MvYRMt9BRuKyjRJmy7rOEFo0?=
=?iso-8859-1?Q?ZqLcKr/wxV/0N705Jx3rlFPVtPhlWVb66lxDkK6Ca7M8gDKMwfN0PK9gJH?=
=?iso-8859-1?Q?sjwdBr++MhpNmWtousUgiYaEC6+PX0ihLznmNnJDUw9tQ3xffpm8+TjsTQ?=
=?iso-8859-1?Q?vjsP5qc+jDBSm43cQ4aQoybMqgKtf1qDNFO3g9Bqox1cPnSjp78U2a1iKz?=
=?iso-8859-1?Q?xXYUBVN2dIa/dLFrvXP+t8cp9kjtyG70vvell2ROW6cJcEruwXLZByP9EC?=
=?iso-8859-1?Q?+/hPJ+HRvpbP7AyqEO82Bm4EZxvhiYCA/vDW9lTN0PPDOK9IIPSTWMgaw/?=
=?iso-8859-1?Q?Psn8x1qod4Rnn6Rvb6NHYvDgVjEAx4aNIVemk0z/xYopTto/LL/Zp2256R?=
=?iso-8859-1?Q?BNuN2OG4fGA/AhzbQwSyHnwCEQXXXwTHZ1EB7sZRWyoLmK9MAtLPzyEn/p?=
=?iso-8859-1?Q?oH7kt05RNjVoQzk+U+lMJRAn3GVs/ixbRCYfpN9pdLEbKTJ5pVE22TZA5P?=
=?iso-8859-1?Q?OAB7V51jzcfAOoUIr648G9X+szHeCzikK5usM4U/uRJlF70CfELRvXFRt9?=
=?iso-8859-1?Q?/Q=3D=3D?=
MIME-Version: 1.0
 

cPanelLauren

Thanks for providing that, it is helpful.

So it sounds like only PHP mail is affected? Reading through Exim Configuration Manager Basic Editor | cPanel & WHM Documentation and it gives no indication that this would function differently.

Rather than enable "Send mail from account’s IP address" have you tried with enabling "Reference /etc/mailips for custom IP on outgoing SMTP connections" and then manually setting this in /etc/mailips? Instructions for editing that file are here: How to Configure the Exim Outgoing IP Address | cPanel & WHM Documentation
 

_jman

cPanelLauren said:
Rather than enable "Send mail from account’s IP address" have you tried with enabling "Reference /etc/mailips for custom IP on outgoing SMTP connections" and then manually setting this in /etc/mailips?
Thanks, will try that and let you know...
 