Outgoing smtp connections, to local Exim

mikelsanz
Member, joined May 23, 2013
cPanel Access Level: Reseller Owner
Hello! We have some hosts with WordPress installs, with a plugin that changes the mail() function to use an external SMTP gateway. Since the last upgrade to v.68, we can't use this, and all the outgoing SMTP attempts go to the local Exim and not outside...

Connection: opening to ssl://externalgateway:465, timeout=300, options=array ()
Connection: Failed to connect to server. Error number 2. "Error notice: stream_socket_client(): Peer certificate CN=s3.localnameserver.xxx' did not match expected CN=mail.externalgateway.xxx'
Connection: Failed to connect to server. Error number 2. "Error notice: stream_socket_client(): Failed to enable crypto
Connection: Failed to connect to server. Error number 2. "Error notice: stream_socket_client(): unable to connect to ssl://externalgateway.xxx:465 (Unknown error)
SMTP ERROR: Failed to connect to server: (0)

-----------------------------

smtp:none:plain://mail.externalgateway.xxx':587 <--- Calling to external gateway

220-s3.example.com ESMTP Exim 4.89 #1 Mon, 20 Nov 2017 13:00:52 +0100
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
EHLO 185.162.171.12
250-s3.localnameserver.xxx Hello XYZ.XYZ.XYZ.XYZ [XYZ.XYZ.XYZ.XYZ] <--- But connected to local Exim...
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
AUTH PLAIN
334
AHdlYnNAZW52aW9zLjIwY29tdW5pY2FjaW9uLm5ldABzbXRwMjAxNCs=
535 Incorrect authentication data
 

cPanelMichael
Administrator, Staff member, joined Apr 11, 2011
Hello,

Can you verify if the "WHM Home » Security Center » SMTP Restrictions" feature is enabled on this system? If so, does disabling it solve the issue?

Thank you.
 

Anas Ashfaq
Registered, joined Jan 15, 2018, Finland
cPanel Access Level: Root Administrator
Hello,

Disabling the restrictions solves the issue but is that a recommended solution?

Is there a way to enable the SMTP restrictions and add an exception for trusted mail-sending providers, e.g. Mailgun?

Thank you
 

cPWilliamL
cP Technical Analyst II, Staff member, joined May 15, 2017, America
cPanel Access Level: Root Administrator
We don't provide a method at this time to make this option specific to users or outbound hosts; however, this is simply implemented through iptables UID/GID matches:
Code:
# iptables -nL|grep match
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner GID match 992
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner GID match 12
ACCEPT     tcp  --  0.0.0.0/0            127.0.0.1            multiport dports 25,465,587 owner UID match 202
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner UID match 0
It shouldn't be difficult to apply manually, but this would also make a good feature request. I also believe CSF (ConfigServer Security and Firewall) provides this functionality.
 

kawasakai
Active Member, joined Sep 17, 2015, Germany
cPanel Access Level: Root Administrator
Hello,

cPWilliamL said:
It shouldn't be difficult to apply manually, but this would also make a good feature request. I also believe CSF (ConfigServer Security and Firewall) provides this functionality.
My current rule to allow reaching external SMTP servers for a certain user looks like:
Code:
iptables -t nat -I OUTPUT 5 -d 1.2.3.4 -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 1036 -j RETURN
Now I need some advice on how to apply this rule permanently, in a way which doesn't disturb cPanel's own ruleset.
 
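One way to script the per-user exception that cPWilliamL and kawasakai describe, added here as an example and not cPanel's or CSF's own code: it builds the same nat OUTPUT owner-match RETURN rule, checks with iptables -C before inserting so it can be re-run safely from cron or a firewall post-load hook, and assumes (not stated in the thread) that the restriction rules live in the nat OUTPUT chain and that the relay has a fixed IP.

```shell
#!/bin/sh
# Added example, not cPanel's or CSF's own code: allow one cPanel account (by numeric
# UID) to reach one external SMTP relay while WHM's SMTP Restrictions stay enabled,
# using the nat OUTPUT / owner-match RETURN rule shown in the posts above.
# Assumptions not taken from the thread: SMTP Restrictions catch non-exempt outbound
# 25/465/587 in the nat OUTPUT chain, so a RETURN inserted ahead of them wins; the
# relay has a fixed IP; this runs as root.

IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can be exercised without root
SMTP_PORTS="25,465,587"

# Print the match/target arguments shared by -C (check), -I (insert) and -D (delete).
# Rejects a non-numeric UID so a typo cannot become a rule that matches nothing.
smtp_exception_args() {
    uid="$1"; relay_ip="$2"
    case "$uid" in
        ''|*[!0-9]*) echo "uid must be numeric, got '$uid'" >&2; return 1 ;;
    esac
    printf '%s' "-d $relay_ip -p tcp -m multiport --dports $SMTP_PORTS -m owner --uid-owner $uid -j RETURN"
}

# Insert the exception at the head of nat OUTPUT unless an identical rule already
# exists, so re-running (from cron or a firewall post-load hook) never duplicates it.
apply_smtp_exception() {
    args=$(smtp_exception_args "$1" "$2") || return 1
    # shellcheck disable=SC2086  # word splitting of $args is intended
    if $IPTABLES -t nat -C OUTPUT $args 2>/dev/null; then
        echo "exception for uid $1 -> $2 already present"
        return 0
    fi
    $IPTABLES -t nat -I OUTPUT 1 $args
}

# Remove the exception again, e.g. when the relay changes address.
remove_smtp_exception() {
    args=$(smtp_exception_args "$1" "$2") || return 1
    $IPTABLES -t nat -D OUTPUT $args
}

# Usage: ./smtp_exception.sh add|del <cpanel-username> <relay-ip>
if [ "$#" -eq 3 ]; then
    uid=$(id -u "$2") || exit 1           # resolve account name to UID; fail if unknown
    case "$1" in
        add) apply_smtp_exception "$uid" "$3" ;;
        del) remove_smtp_exception "$uid" "$3" ;;
        *)   echo "unknown action: $1" >&2; exit 2 ;;
    esac
fi
```

If CSF manages the firewall, calling this script from /etc/csf/csfpost.sh re-applies the exception every time CSF reloads its own rules, which is what keeps it from being lost on restart.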

cPanelMichael
Administrator, Staff member, joined Apr 11, 2011
kawasakai said:
Now I need some advice on how to apply this rule permanently, in a way which doesn't disturb cPanel's own ruleset.
Have you considered using CSF to manage the firewall rules? CSF offers options that allow you to restrict SMTP similar to the SMTP Restrictions option in WHM, but with more control over specific users:

ConfigServer Security & Firewall (csf)

Or, you could simply use CSF to manage your own custom firewall rules to ensure they are preserved through restarts.

Thank you.