Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Sender Verify Workaround

Discussion in 'E-mail Discussion' started by deadlock, Jun 12, 2018.

  1. deadlock

    deadlock Well-Known Member

    Joined:
    May 12, 2002
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    306
    I host a website, let's say problemdomain.com on my server but their MX records are set up for Gmail (via their domain registrar). This is fine, but when they try to send me an email (my domain is hosted on the same server), I get:

    Code:
    2018-06-12 16:20:37 H=mail-vk0-f49.google.com [209.85.213.49]:42330 sender verify fail for <friend@problemdomain.com>: The mail server could not deliver mail to friend@problemdomain.com.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
    2018-06-12 16:20:37 H=mail-vk0-f49.google.com [209.85.213.49]:42330 X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no F=<friend@problemdomain.com> rejected RCPT <jim@deadlock.com>: Sender verify failed
    2018-06-12 16:20:37 H=mail-vk0-f49.google.com [209.85.213.49]:42330 Warning: "Detected session with all messages failed"
    2018-06-12 16:20:37 H=mail-vk0-f49.google.com [209.85.213.49]:42330 Warning: "Increment slow_fail_block Ratelimit - mail-vk0-f49.google.com [209.85.213.49]:42330 because of all messages failed"
    2018-06-12 16:20:37 SMTP connection from mail-vk0-f49.google.com [209.85.213.49]:42330 closed by QUIT
    I've previously attempted to fix this by:

    1. Removing all MX records from the zone file for problemdomain.com

    2. Removing problemdomain.com from /etc/localdomains

    3. Adding problemdomain.com to /etc/remotedomains

    .... but still no joy.

    It's strange that it says "deliver mail to friend@problemdomain.com" because that's the sender address, not the recipient.

    Any suggestions to fix this so they can send me emails?
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,838
    Likes Received:
    275
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @deadlock


    If the domain's MX records are not hosted on your server the domain should not be present in /etc/localdomains so you were correct in making that modification but it looks like there may be more than one item preventing mail from being sent to problemdomain.com. Based on the error message it looks like it's also failing Sender verification. Can you tell me if either of the following is set to On in WHM>>Service Configuration>>Exim Configuration Manager:

    Sender Verification Callouts
    Sender Verification

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. deadlock

    deadlock Well-Known Member

    Joined:
    May 12, 2002
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    306
    Sender Verification Callouts - Off (default)
    Sender Verification - On (default)

    I wouldn't want to disable Sender Verification globally, I would drown in spam. I did some googling earlier and I think it's not possible to whitelist by domain?
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,838
    Likes Received:
    275
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @deadlock

    I wouldn't want you to disable that either, I just wanted to see if both were enabled. Can you add your friend's IP to the Sender verification bypass IP addresses which is also present in Exim Configuration Manager and let me know if the issue persists?


    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. deadlock

    deadlock Well-Known Member

    Joined:
    May 12, 2002
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    306
    I don't know what his IP is right now because he sends via Gmail so it's not included in his headers. I could find out what it is but it's probably a dynamic IP so this wouldn't be a useful long-term solution.
     
  6. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,838
    Likes Received:
    275
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @deadlock

    Is the email address friend@problemdomain.com or friend@gmail.com? If it's friend@problemdomain.com you can find the IP address by doing the following via SSH:

    Code:
    dig a problemdomain.com
    
    Then to find the IP address of the MX record you'll first query what the MX record is:
    Code:
    dig mx problemdomain.com
    and then use the output to get the A record:

    Code:
    dig a mxrecord.problemdomain.com
    Also if they're using Gmail to send/receive mail you can get google's Public IP addresses:

    Google IP address ranges for outbound SMTP - G Suite Administrator Help
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. deadlock

    deadlock Well-Known Member

    Joined:
    May 12, 2002
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    306
    Their MX records look like this:

    Code:
    problemdomain.com.	3154	IN	MX	20 alt2.aspmx.l.google.com.
    problemdomain.com.	3154	IN	MX	30 aspmx3.googlemail.com.
    problemdomain.com.	3154	IN	MX	20 alt1.aspmx.l.google.com.
    problemdomain.com.	3154	IN	MX	30 aspmx2.googlemail.com.
    problemdomain.com.	3154	IN	MX	10 aspmx.l.google.com.
    They've confirmed that their outgoing mail is via Gmail. So what you're saying is that I need to Sender-Verify-Bypass the IP address ranges of all the Gmail servers? Won't that generally invite a whole lot of spam, and affect all the other users on my server?

    "[Google] mail servers use a large range of IP addresses, and the addresses often change"

    If this is the case then it seems I'm on a wild goose chase, I'll probably just stick to my clumsy workaround of trying to remember to use my Gmail account to communicate with him. At least I've reached a conclusion anyway, so thanks for that.

    On a side note, would it not be a useful cPanel option to be able to whitelist individual domains from Sender Verify checking, instead of having to whitelist entire mail servers by IP?
     
  8. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,838
    Likes Received:
    275
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Ultimately the problem here is that friend@problemdomain.com has a bad SPF record so the sender verification is failing. If you want to accept/send mail to the domain you'll have to either recommend they resolve the issue with their SPF or whitelist them from being checked against sender verification checks. You can try to just whitelist the domain's IP address but I would assume the issue is really that they're sending from Gmail and they've not updated their SPF to include google which would lead to the necessity to add Gmail's IP's to the sender verification bypass list. I can't say for certain if you'd end up receiving a lot of spam if this is done but it would affect the rest of the users on the server.

    Because an IP is fixed and where a domain points may not be it is necessary to use IP's in this instance rather than domains.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice