
rejecting mail instead of failing it

Discussion in 'E-mail Discussions' started by cyberspirit, Nov 25, 2003.

  1. cyberspirit

    When you set in cpanel as default address :fail: no such address here, Exim actually accepts the message and then sends a notification back.
    This creates unnecessary load on the server from spammers sending from unknown addresses, because a failure notice will come back.
    Is there a way for Exim to actually verify if a mailbox exists before accepting the message?
    Not accepting the message to begin with is better because it puts the burden and stress on the sending server and, in spammers' cases, slows down their machine instead of mine.
    Other smtp servers do a check before accepting the message.
    Any idea how to do it?
     
  2. cyberspirit

    Ok, so I did some testing and came up with a solution to this problem. I am just surprised this is not set as default in cpanel's exim configuration since it would cut down tremendously on unnecessary email traffic.

    Here is what I changed in the ACLs in the Exim Advanced configuration in WHM: (The thing I changed is the addition to the accept domains = +local_domains rule; I added endpass to pass it on to the next rule if it fails, the refusal message "unknown user", and the verify = recipient line. The rest is the same as it is by default. Try it out and see how your outgoing mail queue gets so much smaller!)


    accept domains = +local_domains
    endpass
    message = unknown user
    verify = recipient
    accept domains = +relay_domains
    accept hosts = +relay_hosts
    accept condition = ${perl{checkrelayhost}{$sender_host_address}}

    accept hosts = +auth_relay_hosts
    endpass
    message = $sender_fullhost is currently not permitted to \
    relay through this server. Perhaps you \
    have not logged into the pop/imap server in the \
    last 30 minutes or do not have SMTP Authentication turned on in your email client.
    authenticated = *
     
  3. jamesbond

    I haven't tried it yet, but if this simple solution works properly you should mention it to DarkOrb. They should configure Exim like this as default and make people happy :)

    I've always set all main accounts to :blackhole: to prevent the mail queue from building up. Of course this is not the best solution (no fail message is returned).
     
  4. markie

    This looks like something copied from http://forum.ev1servers.net/showthread.php?s=&threadid=35346
     
  5. cyberspirit

    Markie,
    I did not copy anything from the link provided but rather used the documentation and FAQs on the exim.org website.
    But after looking at the link you provided I can see how they match to some degree, which is an indication that it works.
    For your info, the example config in your link looks pretty much identical to an example config on the exim.org site. ;-)
    Anyway, we need to get darkorb to enter this as default to cut down on outqueue size and traffic that is not needed.
     
  6. LordJMann

    #6 LordJMann, Nov 29, 2003
    Last edited: Nov 29, 2003
  7. Website Rob

    Ok, giving:

    accept domains = +local_domains
    endpass
    message = unknown user
    verify = recipient

    a try to see what happens.

    In the meantime, I usually run with:

    - Verify the existance of email senders
    - Discard emails for users who have exceeded their quota instead of keeping them in the queue.

    checked off. Any thoughts/results on what differences it makes, having them on or off?
     
  8. cPanelNick

    cPanelNick Administrator
    Staff Member

    The above modification will break getting :fail: messages returned to sender in some cases. But it should cut down your mail queue a bit.


    require verify = sender

    accept domains = +local_domains
    ---cut here---
    endpass
    message = The requested mailbox does not exist or is not accepting mail.
    verify = recipient
    --cut here---
    accept domains = +relay_domains
    accept hosts = +relay_hosts



    The above makes a little more sense as far as the message goes.
     
  9. cyberspirit

    Nick,
    If the sending mail server is configured right, the sender will get a rejection message from the sending smtp server. If not, then this is not really the receiver's problem since the receiver's address is wrong anyway.
    I saw your proposed change, but all you did offer was a different message that is passed on to the sending smtp server. The server itself does not really care about the message but only looks at the error code.
    Since we implemented our proposed change our outgoing queue is about 30% of what it was before!
    If you multiply that by the amount of resending attempts until the message expires you come up with a lot of wasted cpu time and traffic.
    I still believe that sending failure message is the wrong thing to do in this day and age since you might get an error message back since it was a spoofed email address anyway.
    This setting should become default for cpanel!
     
  10. Website Rob

    Although no one responded to this part, "- Discard emails for users who have exceeded their quota instead of keeping them in the queue." I noticed eMail in Queue actually went up. Only by turning it off has the Queue gone down to what it was before.

    I really don't see, the "endpass" code mentioned, doing anything?
     
  11. markie

    The whole point being, they don't want to return anything to the sender. Why would they? 99.99% of the time the return is a spammer and returning the msg would fail and pile up in the mail queue because the sender is a spammer. Why would you want to return msgs?
     
  12. cyberspirit

    Website Rob,
    The endpass line just says that if the script fails it will go to the next router in the exim.conf file.
    And Markie, you seem to be confused about the term message. We talk about smtp error codes here and the messages that are passed on to the sending smtp server before the data command is even issued. So there is no piling up in the mail queue because we actually prevent it with the change we are discussing here. You might want to read more about smtp error codes and messages and what happens at the different stages to help you understand the difference to a regular message or email.
     
  13. Huminie

    Thank you for posting this! This is the exact behavior I am looking for. If the address in the rcpt to: line is not a valid email account on my server, I want the SMTP response to be a 500 series failure...not a 250 accept and a rejection later.

    Problem is, I have added the lines above to the appropriate area of my Exim advanced config, however when I do a manual telnet test to my server it does not seem to be working for me.

    Any suggestions on where I should look to get this working?

    I am real new with cPanel/WHM so I could easily have missed something obvious.

    TIA!
     
  14. GOT

    Being that I am pretty much an idiot where it comes to exim, what exactly do I need to put in the advanced configuration? It seems in both examples posted that some of the code is already there and some needs to be added?

    Thanks in advance for clarification!
     
  15. cyberspirit

    Ok, let me try to be a little clearer on the changes needed to accomplish this:

    The original configuration of the ACLs in the exim.conf file in cpanel looks like this: (this is only a part of the ACLs and the rest should not be changed but left untouched)

    accept domains = +local_domains
    accept domains = +relay_domains
    accept hosts = +relay_hosts
    accept condition = ${perl{checkrelayhost}{$sender_host_address}}

    accept hosts = +auth_relay_hosts
    endpass
    message = $sender_fullhost is currently not permitted to \
    relay through this server. Perhaps you \
    have not logged into the pop/imap server in the \
    last 30 minutes or do not have SMTP Authentication turned on in your email client.
    authenticated = *

    These ACLs pretty much define the conditions under which email is accepted after the RCPT command and before the DATA command.
    What I did then was to add conditions for the first ACL in this example (accept domains = +local_domains) which is responsible for accepting emails for local domains.
    So I added the following lines after accept domains = +local_domains:
    endpass
    message = unknown user
    verify = recipient

    These lines do the following. endpass in exim is used to end and pass on the script to the next ACL if the conditions are not met - in this case if the email is not for a local domain.
    message is the message that is returned to the sending smtp server with the 550 error code. This message and the error code is then in most cases returned by the sending smtp server! to the sender of the email.
    verify = recipient is the line that actually sets the condition for the message. This means if the recipient cannot be verified the message is sent in return to the RCPT command.

    So after the change this part of the ACLs looks like this:

    accept domains = +local_domains
    endpass
    message = unknown user
    verify = recipient
    accept domains = +relay_domains
    accept hosts = +relay_hosts
    accept condition = ${perl{checkrelayhost}{$sender_host_address}}

    accept hosts = +auth_relay_hosts
    endpass
    message = $sender_fullhost is currently not permitted to \
    relay through this server. Perhaps you \
    have not logged into the pop/imap server in the \
    last 30 minutes or do not have SMTP Authentication turned on in your email client.
    authenticated = *



    All the other ACLs do not get changed because it only makes sense to verify recipients on a local system.

    Does this help to understand the change and mechanism better?
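
Added example (not part of the thread and not cPanel's or Exim's own code): a toy Python model of how Exim treats the accept/endpass statements quoted in post 15 at RCPT time, comparing the original ACL with the modified one. The domains, mailboxes and hosts are constructed sample data, only the first three accept statements are modelled, and the default-address handling (":fail:" fails verification, ":blackhole:" passes it) is a simplification of Exim's routing.

```python
# Toy model of Exim's accept/endpass evaluation at RCPT time (added example).
# All domains, mailboxes and hosts below are constructed sample data.
LOCAL_DOMAINS = {"example.com"}
RELAY_DOMAINS = {"backup.example.net"}
RELAY_HOSTS = {"192.0.2.10"}
MAILBOXES = {"alice@example.com"}
# Default-address setting per local domain: ":fail:" or ":blackhole:"
DEFAULT_ADDRESS = {"example.com": ":fail:"}

def domain(rcpt):
    return rcpt.rsplit("@", 1)[-1]

def verify_recipient(rcpt):
    """Stand-in for 'verify = recipient': can the address be routed?"""
    if rcpt in MAILBOXES:
        return True
    # Modelled here: ":blackhole:" routes successfully (mail is discarded),
    # ":fail:" makes routing, and therefore verification, fail.
    return DEFAULT_ADDRESS.get(domain(rcpt)) == ":blackhole:"

def acl_rcpt(rcpt, host, statements):
    """A failing condition before endpass falls through to the next accept
    statement; a failing condition after endpass rejects with `message`."""
    for st in statements:
        if not all(cond(rcpt, host) for cond in st["before"]):
            continue                      # try the next accept statement
        if all(cond(rcpt, host) for cond in st.get("after", [])):
            return (250, "Accepted")
        return (550, st["message"])       # refused at RCPT, nothing is queued
    return (550, "relay not permitted")   # implicit deny at the end of the ACL

is_local = lambda r, h: domain(r) in LOCAL_DOMAINS
is_relay_domain = lambda r, h: domain(r) in RELAY_DOMAINS
is_relay_host = lambda r, h: h in RELAY_HOSTS
verified = lambda r, h: verify_recipient(r)

# accept domains = +local_domains / +relay_domains / hosts = +relay_hosts
ORIGINAL = [{"before": [is_local]}, {"before": [is_relay_domain]},
            {"before": [is_relay_host]}]
# Same ACL with endpass / message / verify = recipient on the first statement
MODIFIED = [{"before": [is_local], "after": [verified],
             "message": "unknown user"}] + ORIGINAL[1:]

if __name__ == "__main__":
    for rcpt in ("alice@example.com", "bogus@example.com", "x@elsewhere.test"):
        print(rcpt, acl_rcpt(rcpt, "198.51.100.7", ORIGINAL),
              acl_rcpt(rcpt, "198.51.100.7", MODIFIED))
```

In this model a local domain whose default address is ":blackhole:" still answers 250 for any recipient, because verification succeeds and the mail is discarded after acceptance.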
     
  16. GOT

    Yup! Can't wait to try it out!

    Thanks!
     
  17. Huminie

    Well, I guess I just feel like a dork then since I can't get this to work. Everything you say makes perfect sense, and it all looks good to me, but it just doesn't work. My server still gives a 250 for "rcpt to:<reallybogususer@mydomain.com>" even after these changes.

    Here is what I have:


    accept domains = +local_domains
    endpass
    message = unknown user
    verify = recipient
    accept domains = +relay_domains
    accept hosts = +relay_hosts
    accept condition = ${perl{checkrelayhost}{$sender_host_address}}

    accept hosts = +auth_relay_hosts
    endpass
    message = $sender_fullhost is currently not permitted to \
    relay through this server. Perhaps you \
    have not logged into the pop/imap server in the \
    last 30 minutes or do not have SMTP Authentication turned on in your email client.
    authenticated = *


    If this looks ok, is there anything else I could be missing? Sorry to be such a pain, but this is getting a bit frustrating for me. :(
     
  18. cyberspirit

    Huminie,
    Send me your /etc/exim.conf file via PM and I will take a look at it.
     
  19. Huminie

    The file is too long to PM. Can you PM me an email addy?

    Thanks for your help!
     
  20. Website Rob

    Couldn't you have just sent the question to cyberspirit via a PM?

    Come on guys, we don't want to read about you two having PM problems.
     