Unexpected SPF config bounced mail from my gateway

dolphyn · Dec 30, 2009

Warning to anyone who uses an external anti-spam gateway:

An SPF-related setting was added to my exim.conf on December 27 which improperly caused some mail from my gateway to be bounced until I learned of the problem today.

My gateway is whitelisted, but apparently the new SPF-related setting does NOT respect the whitelists.

Some mail relayed through my gateway was rejected with the error:
SPF: [gateway IP] is not allowed to send mail from [domain]

My CPanel Update configuration is
cPanel/WHM Updates: Manual Updates Only (STABLE tree)
cPanel Package Updates: Manual Updates Only
Security Package Updates: Automatic

Needless to say, it's kind of upsetting to have my Exim configuration updated (and broken) without any notification. Should I have been notified about this, and if so, how? Thanks.

cPanelDon · Dec 30, 2009

dolphyn said: ↑

Warning to anyone who uses an external anti-spam gateway:

An SPF-related setting was added to my exim.conf on December 27 which improperly caused some mail from my gateway to be bounced until I learned of the problem today.

My gateway is whitelisted, but apparently the new SPF-related setting does NOT respect the whitelists.

Some mail relayed through my gateway was rejected with the error:
SPF: [gateway IP] is not allowed to send mail from [domain]

My CPanel Update configuration is
cPanel/WHM Updates: Manual Updates Only (STABLE tree)
cPanel Package Updates: Manual Updates Only
Security Package Updates: Automatic

Needless to say, it's kind of upsetting to have my Exim configuration updated (and broken) without any notification. Should I have been notified about this, and if so, how? Thanks.
Click to expand...

The rejected e-mail issue is caused by the sender's domain name having a misconfigured SPF record as defined in the applicable DNS zone. If the custom mail gateway should be allowed to send mail then the DNS zones should be updated to correct the SPF records for the domain names involved.

SPF records may be enabled, disabled, and modified via the following area in cPanel:
cPanel: Main >> Mail >> E-mail Authentication
Documentation: Email Authentication

dolphyn · Dec 31, 2009

cPanelDon said: ↑

The rejected e-mail issue is caused by the sender's domain name having a misconfigured SPF record as defined in the applicable DNS zone. If the custom mail gateway should be allowed to send mail then the DNS zones should be updated to correct the SPF records for the domain names involved.
Click to expand...

No, we cannot "correct" the SPF records of external domains that send mail to us, and we wouldn't expect external domains to know about our gateway when configuring their SPF records.

All of our incoming mail passes through our gateway on the way to the CPanel server, and the CPanel update caused our CPanel server to reject mail from our own gateway. I didn't know about the problem until customers complained about missing mail.

We've fixed the issue for now, but I'm still trying to understand how it is that an automatic update changed our Exim configuration when we have the automatic updates turned off. Thanks!

cPanelDon · Dec 31, 2009

dolphyn said: ↑

No, we cannot "correct" the SPF records of external domains that send mail to us, and we wouldn't expect external domains to know about our gateway when configuring their SPF records.

All of our incoming mail passes through our gateway on the way to the CPanel server, and the CPanel update caused our CPanel server to reject mail from our own gateway. I didn't know about the problem until customers complained about missing mail.

We've fixed the issue for now, but I'm still trying to understand how it is that an automatic update changed our Exim configuration when we have the automatic updates turned off. Thanks!
Click to expand...

I apologize as I believe I may have misunderstood the specific scenario involved. Please note there have not been any very recent updates to the STABLE build tree and the last one was on August 25 of 2009.

What is the indication that the setting was added automatically by cPanel/WHM?

Was an update performed of cPanel, Exim, or any related software interacting with Exim (e.g., ClamAVconnector plug-in or related third-party software)?

Was the Exim Configuration Editor accessed before or around the time the issue was noticed? I would check the cPanel access_log to obtain additional details:
Code:
/usr/local/cpanel/logs/access_log
Here is a command to help locate relevant access_log entries for the Exim Configuration Editor:
Code:
# egrep "saveexim.*HTTP" /usr/local/cpanel/logs/access_log

dolphyn · Dec 31, 2009

Hi Don,

Thanks for calling my attention to the CPanel access logs. That solves part of the mystery; my helper intended to enable the SPF setting on his separate server but he accidentally made the change on my server instead.

But, I think there is still a CPanel issue, because both the host name and the IP of my incoming gateway are listed in /etc/trustedmailhosts, which (by my reckoning) should override the SPF blacklist setting.

Thanks, and sorry for the tone of my earlier post. I was feeling a bit grumpy, didn't explain the situation very well, and I blamed the CPanel update because I didn't think we had touched the settings.

Happy New Year!

cPanelDon · Dec 31, 2009

dolphyn said: ↑

Hi Don,

Thanks for calling my attention to the CPanel access logs. That solves part of the mystery; my helper intended to enable the SPF setting on his separate server but he accidentally made the change on my server instead.

But, I think there is still a CPanel issue, because both the host name and the IP of my incoming gateway are listed in /etc/trustedmailhosts, which (by my reckoning) should override the SPF blacklist setting.

Thanks, and sorry for the tone of my earlier post. I was feeling a bit grumpy, didn't explain the situation very well, and I blamed the CPanel update because I didn't think we had touched the settings.

Happy New Year!
Click to expand...

You're welcome. When possible, please let us know the full cPanel version number (i.e., to confirm the full version of the installed STABLE build). I believe the issue might have been fixed in cPanel version 11.24.4 where the build number is at least "33362" or higher. If the symptom persists while using the latest version (per http://httpupdate.cpanel.net/#builds) I would consider submitting a support request so that we may assist with investigation. If submitting a support request, when available, please let me know the ticket ID number (e.g, via a PM) so I may follow-up internally.

Reference internal case ID number: #7898

P.S., Enjoy the new year and have a most excellent and relaxing holiday weekend!

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

Unexpected SPF config bounced mail from my gateway

dolphyn Well-Known Member

cPanelDon cPanel Quality Assurance Analyst Staff Member

dolphyn Well-Known Member

cPanelDon cPanel Quality Assurance Analyst Staff Member

dolphyn Well-Known Member

cPanelDon cPanel Quality Assurance Analyst Staff Member

Failed to add recipient Unexpected failure

unexpected /bin/su permission changed

Unexpected return value of get_transfer_session_state

Unexpected condition from IMAP server

Unexpected condition from IMAP server

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

Unexpected SPF config bounced mail from my gateway

dolphyn Well-Known Member

cPanelDon cPanel Quality Assurance Analyst Staff Member

dolphyn Well-Known Member

cPanelDon cPanel Quality Assurance Analyst Staff Member

dolphyn Well-Known Member

cPanelDon cPanel Quality Assurance Analyst Staff Member

Failed to add recipient Unexpected failure

unexpected /bin/su permission changed

Unexpected return value of get_transfer_session_state

Unexpected condition from IMAP server

Unexpected condition from IMAP server

Share This Page