mailhelo and mailips being cleared by upcp

nyjimbo

Well-Known Member
Jan 25, 2003
1,135
1
168
New York
Every now and then we find the files /etc/mailhelo and /etc/mailips zeroed out from the information that was there.

Our upcp is set to manual so there should be no real upcp updating unless we trigger it from WHM or the system console.

Last night at the normal upcp run time we see that /etc/mailhelo and /etc/mailips zeroed out again.

We need those files left intact because they allow exim (or whatever reads them) to act as a different IP and different domain name, as the normal IP has a "bad reputation" as per IronPort's stupid reputation scheme.

How can we tweak the system so it does not zero out those files? It does it without warning and we cannot send to anyone using the IronPort reputation crap until we go back and copy good mailhelo and mailips over the zeroed out ones and restart exim.
 

sawbuck

Well-Known Member
Jan 18, 2004
1,365
10
168
cPanel Access Level
Root Administrator
What cPanel/WHM version?

[Removed - setting /etc/mailips to immutable can result in several problems, including failed account creation attempts]
 

nyjimbo

> What cPanel/WHM version?
>
> [Removed - setting /etc/mailips to immutable can result in several problems, including failed account creation attempts]

cPanel 11.25.0-C42048 - WHM 11.25.0 - X 3.9
CENTOS 5.2 i686 standard

Thanks for the chattr idea, but I really want to be sure I am doing the right thing. If something needs to blow out mailhelo/mailips or if it doesn't like what it sees for some reason it would be good to know what else I should do.

I don't want to open a trouble ticket right away as this may be a problem that has occurred for others.
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
3,481
35
208
cPanel Access Level
DataCenter Provider
If you wish to customize these files you will need to enable the following options in the Exim Configuration Editor:

Send HELO based on the domain name in /etc/mailhelo (*: HELONAME can be added to the file to change the default helo name)


Send outgoing mail from the IP that matches the domain name in /etc/mailips (*: IP can be added to the file to change the main outgoing interface)
 

nyjimbo

> If you wish to customize these files you will need to enable the following options in the Exim Configuration Editor:
>
> Send HELO based on the domain name in /etc/mailhelo (*: HELONAME can be added to the file to change the default helo name)
>
> Send outgoing mail from the IP that matches the domain name in /etc/mailips (*: IP can be added to the file to change the main outgoing interface)

We did that months ago. It's just that every now and then they are zeroed out. When we went from 11.24.x to 11.25.x it did it and now last night it did it without any manual updating.
 

cPanelNick

Does running /scripts/updateuserdomains (this is the only thing in cpanel that touches the file) cause the files to be zeroed out?
 

nyjimbo

> Does running /scripts/updateuserdomains (this is the only thing in cpanel that touches the file) cause the files to be zeroed out?

Just ran it now (boy, I hope it doesn't do anything else bad) but it did not affect the two files. The contents remained the same and date stamp is the same.

I also just restarted EXIM after checking the file sizes just to be sure it wouldn't clear it out later (like when you sometimes delete a log but it doesn't update until you restart the associated app) and it didn't change the file's date stamp or size.

Last night when they zeroed out, the time stamp was the same minute that upcp ran (even though it's set for manual) so it's something quick.
 

Arvand

Well-Known Member
Jul 26, 2003
128
1
168
I've just verified this. upcp just wiped mailips on all servers even though they had both the options checked in Exim configuration (EHLO and the other one).

[Removed - setting /etc/mailips to immutable can result in several problems, including failed account creation attempts]
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,544
12
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Twitter
> I've just verified this. upcp just wiped mailips on all servers even though they had both the options checked in Exim configuration (EHLO and the other one).
>
> We now have to do a chattr +i but please look into this as we've already had customers threatening to cancel because their emails started going out the main IP again....

Was the upcp run with force, or without force?

Please let us know the output from the following commands, to confirm OS, cPanel version, and relevant Exim configuration options:
Code:
# grep -H '' /etc/*release /usr/local/cpanel/version
# grep "mailhelo\|mailips" /etc/exim.conf.localopts
# stat /var/cpanel/custom_mailhelo /var/cpanel/custom_mailips
 

Arvand

Automatic updates. Not being done with --force.

[email protected] [~]# grep -H '' /etc/*release /usr/local/cpanel/version
/etc/redhat-release:CentOS release 5.4 (Final)
/usr/local/cpanel/version:11.25.0-RELEASE_42399
[email protected] [~]# grep "mailhelo\|mailips" /etc/exim.conf.localopts
custom_mailhelo=1
custom_mailips=1
per_domain_mailhelo=0
per_domain_mailips=0
[email protected] [~]# stat /var/cpanel/custom_mailhelo /var/cpanel/custom_mailips
File: `/var/cpanel/custom_mailhelo'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 802h/2050d Inode: 2910168 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2009-12-22 17:13:26.000000000 -0800
Modify: 2009-12-22 17:13:26.000000000 -0800
Change: 2009-12-23 00:45:12.000000000 -0800
File: `/var/cpanel/custom_mailips'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 802h/2050d Inode: 2909270 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2009-12-22 17:13:26.000000000 -0800
Modify: 2009-12-22 17:13:26.000000000 -0800
Change: 2009-12-23 00:45:08.000000000 -0800
 

nyjimbo

Mine zeroed out again this morning. Updates are set to manual and we did not do any manual updates. It shows the zeroing at the time upcp is set to run. It did not zero out for two days and then it did it this morning.

Don't know if you want mine too. Manual updates, nothing with force, all done in WHM, not console.

[email protected] [~]# grep -H '' /etc/*release /usr/local/cpanel/version
/etc/redhat-release:CentOS release 5.2 (Final)
/usr/local/cpanel/version:11.25.0-CURRENT_42048
[email protected] [~]# grep "mailhelo\|mailips" /etc/exim.conf.localopts
custom_mailhelo=1
custom_mailips=1
per_domain_mailhelo=0
per_domain_mailips=0
[email protected] [~]# stat /var/cpanel/custom_mailhelo /var/cpanel/custom_mailips
File: `/var/cpanel/custom_mailhelo'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 802h/2050d Inode: 361299 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2009-12-21 08:45:51.000000000 -0600
Modify: 2009-12-21 08:45:51.000000000 -0600
Change: 2009-12-21 16:45:01.000000000 -0600
File: `/var/cpanel/custom_mailips'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 802h/2050d Inode: 361300 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2009-12-21 08:45:51.000000000 -0600
Modify: 2009-12-21 08:45:51.000000000 -0600
Change: 2009-12-21 16:45:01.000000000 -0600
[email protected] [~]#
 

cPanelDon

> Automatic updates. Not being done with --force.
>
> [email protected] [~]# grep -H '' /etc/*release /usr/local/cpanel/version
> /etc/redhat-release:CentOS release 5.4 (Final)
> /usr/local/cpanel/version:11.25.0-RELEASE_42399
> ...

> Mine zeroed out again this morning. Updates are set to manual and we did not do any manual updates. It shows the zeroing at the time upcp is set to run. It did not zero out for two days and then it did it this morning.
>
> Don't know if you want mine too. Manual updates, nothing with force, all done in WHM, not console.
>
> [email protected] [~]# grep -H '' /etc/*release /usr/local/cpanel/version
> /etc/redhat-release:CentOS release 5.2 (Final)
> /usr/local/cpanel/version:11.25.0-CURRENT_42048
> ...

Thank you both for the details; this is very much appreciated.

If the issue is persistently recurring please consider submitting a support request so that we can take a closer look at the affected system. When available, please PM me referencing this thread and your new ticket ID number so I may follow up internally.
 

Arun

Active Member
Jan 28, 2006
29
1
153
/etc/mailips gets emptied

I use the option:

Send outgoing mail from the ip that matches the domain name in /etc/mailips (*: IP can be added to the file to change the main outgoing interface)

However I notice that after the cPanel 11.25 update, the /etc/mailips file gets emptied every day when the auto upgrade runs. Is there anything to be done to prevent this from happening?

cPanel 11.25.0-R42399
 

Arun

I notice that the mailips file is now getting emptied more often, even after adding it back after a cpanel update and before the cpanel update runs next
 

cPanelDon

> I notice that the mailips file is now getting emptied more often, even after adding it back after a cpanel update and before the cpanel update runs next

Please submit a support request so that we can inspect the system and investigate the symptoms. When available, please PM me the new ticket ID number so I may follow up internally.


To help gather more information and detail I suggest using the audit daemon "auditd" to monitor the files; for RHEL and CentOS this is available when the software package (RPM) "audit" is installed.

For usage information, I recommend the official manual "man" pages accessible via the following commands:
Code:
# man auditd
# man auditctl
# man ausearch
Here are example rules that could be used in an audit daemon "auditd" rules configuration file; at minimum I would use the two rules for "/etc/mailhelo" and "/etc/mailips":
Code:
-w /etc/exim.conf.localopts -p war -k eximlocalopts
-w /etc/mailhelo -p wa -k etcmailhelo
-w /etc/mailips -p wa -k etcmailips
-w /var/cpanel/custom_mailhelo -p war -k varcpmailhelo
-w /var/cpanel/custom_mailips -p war -k varcpmailips
Here is the auditd rules configuration file path for CentOS5/RHEL5:
Code:
/etc/audit/audit.rules
Here is the auditd rules configuration file path for CentOS4/RHEL4:
Code:
/etc/audit.rules
The audit daemon init script may be found at one of the following paths:
Code:
# /etc/rc.d/init.d/auditd
# /etc/init.d/auditd
To search the audit logs a command like the following may be used, where "key" should be replaced by the filter key string defined by the option "-k" in the rule configuration:
Code:
# ausearch -i -k key
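
Added example (not part of cPanelDon's post and not cPanel code): with the watch rules above loaded, this reads raw audit records and reports, for one "-k" key, which executable and process touched the watched file. The sample records, including the writer /usr/local/bin/example-updater, are constructed and shortened; the log path in the usage comment is the assumed default, and each SYSCALL record is assumed to precede its PATH record.

```shell
#!/bin/sh
# Constructed sample records (not from the thread); the writer
# /usr/local/bin/example-updater is hypothetical.
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1261557908.412:8841): arch=40000003 syscall=5 success=yes exit=4 items=1 ppid=20911 pid=20950 auid=0 uid=0 comm="example-updater" exe="/usr/local/bin/example-updater" key="etcmailips"
type=CWD msg=audit(1261557908.412:8841):  cwd="/root"
type=PATH msg=audit(1261557908.412:8841): item=0 name="/etc/mailips" inode=2909271 dev=08:02 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1261557912.007:8842): arch=40000003 syscall=5 success=yes exit=4 items=1 ppid=20911 pid=20951 auid=0 uid=0 comm="example-updater" exe="/usr/local/bin/example-updater" key="etcmailhelo"
type=PATH msg=audit(1261557912.007:8842): item=0 name="/etc/mailhelo" inode=2909272 dev=08:02 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1261561200.120:8850): arch=40000003 syscall=5 success=yes exit=3 items=1 ppid=1 pid=3105 auid=4294967295 uid=0 comm="exim" exe="/usr/sbin/exim" key="eximlocalopts"
type=PATH msg=audit(1261561200.120:8850): item=0 name="/etc/exim.conf.localopts" inode=2909001 dev=08:02 mode=0100644 ouid=0 ogid=0
EOF
}

# audit_writers KEY < raw audit log
# Prints: epoch path exe= comm= pid= ppid= auid=  (one line per PATH record)
# Live use (assumed default path): audit_writers etcmailips < /var/log/audit/audit.log
audit_writers() {
    awk -v want="$1" '
    function field(name,   i, v) {
        # Value of name=value on the current record, quotes stripped.
        for (i = 1; i <= NF; i++) {
            if (index($i, name "=") == 1) {
                v = substr($i, length(name) + 2)
                gsub(/"/, "", v)
                return v
            }
        }
        return ""
    }
    {
        # msg=audit(EPOCH.MS:SERIAL): is shared by all records of one event
        id = $2; sub(/^msg=audit\(/, "", id); sub(/\):$/, "", id)
    }
    $1 == "type=SYSCALL" && field("key") == want {
        who[id] = "exe=" field("exe") " comm=" field("comm") \
                  " pid=" field("pid") " ppid=" field("ppid") " auid=" field("auid")
    }
    $1 == "type=PATH" && (id in who) {
        split(id, t, /[.:]/)          # t[1] = event time in epoch seconds
        print t[1], field("name"), who[id]
    }'
}

sample_audit_log | audit_writers etcmailips
```

Comparing the reported epoch with the upcp run time, and following ppid up the process tree, shows whether the truncation comes from the update run or from something else scheduled at the same minute.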
 

cPanelDon

Friendly Moderator Note

> I use the option:
>
> Send outgoing mail from the ip that matches the domain name in /etc/mailips (*: IP can be added to the file to change the main outgoing interface)
>
> However I notice that after the cPanel 11.25 update, the /etc/mailips file gets emptied every day when the auto upgrade runs. Is there anything to be done to prevent this from happening?
>
> cPanel 11.25.0-R42399

The above two posts are now merged into the existing larger thread to ease monitoring for new information and help others locate existing information.
 

nyjimbo

Yep, my CentOS box did it again this morning after not doing it yesterday. Same thing, right at upcp time even though we have upcp set to manual.

I will start a ticket later when I have woken up and got things squared away.
 

Promethyl

Well-Known Member
Mar 27, 2004
68
0
156
Could it be it's copying /var/cpanel/custom_mailips over /etc/mailips?