The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Unexpected SPF config bounced mail from my gateway

Discussion in 'E-mail Discussions' started by dolphyn, Dec 30, 2009.

  1. dolphyn

    dolphyn Well-Known Member

    Joined:
    Nov 27, 2001
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Warning to anyone who uses an external anti-spam gateway:

    An SPF-related setting was added to my exim.conf on December 27 which improperly caused some mail from my gateway to be bounced until I learned of the problem today.

    My gateway is whitelisted, but apparently the new SPF-related setting does NOT respect the whitelists.

    Some mail relayed through my gateway was rejected with the error:
    SPF: [gateway IP] is not allowed to send mail from [domain]

    My CPanel Update configuration is
    cPanel/WHM Updates: Manual Updates Only (STABLE tree)
    cPanel Package Updates: Manual Updates Only
    Security Package Updates: Automatic

    Needless to say, it's kind of upsetting to have my Exim configuration updated (and broken) without any notification. Should I have been notified about this, and if so, how? Thanks.
     
  2. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    The rejected e-mail issue is caused by the sender's domain name having a misconfigured SPF record as defined in the applicable DNS zone. If the custom mail gateway should be allowed to send mail then the DNS zones should be updated to correct the SPF records for the domain names involved.

    SPF records may be enabled, disabled, and modified via the following area in cPanel:
    cPanel: Main >> Mail >> E-mail Authentication
    Documentation: Email Authentication
     
  3. dolphyn

    dolphyn Well-Known Member

    Joined:
    Nov 27, 2001
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    No, we cannot "correct" the SPF records of external domains that send mail to us, and we wouldn't expect external domains to know about our gateway when configuring their SPF records.

    All of our incoming mail passes through our gateway on the way to the CPanel server, and the CPanel update caused our CPanel server to reject mail from our own gateway. I didn't know about the problem until customers complained about missing mail.

    We've fixed the issue for now, but I'm still trying to understand how it is that an automatic update changed our Exim configuration when we have the automatic updates turned off. Thanks!
     
  4. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    I apologize as I believe I may have misunderstood the specific scenario involved. Please note there have not been any very recent updates to the STABLE build tree and the last one was on August 25 of 2009.

    What is the indication that the setting was added automatically by cPanel/WHM?

    Was an update performed of cPanel, Exim, or any related software interacting with Exim (e.g., ClamAVconnector plug-in or related third-party software)?

    Was the Exim Configuration Editor accessed before or around the time the issue was noticed? I would check the cPanel access_log to obtain additional details:
    Code:
    /usr/local/cpanel/logs/access_log
    Here is a command to help locate relevant access_log entries for the Exim Configuration Editor:
    Code:
    # egrep "saveexim.*HTTP" /usr/local/cpanel/logs/access_log
     
  5. dolphyn

    dolphyn Well-Known Member

    Joined:
    Nov 27, 2001
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Hi Don,

    Thanks for calling my attention to the CPanel access logs. That solves part of the mystery; my helper intended to enable the SPF setting on his separate server but he accidentally made the change on my server instead. :eek:

    But, I think there is still a CPanel issue, because both the host name and the IP of my incoming gateway are listed in /etc/trustedmailhosts, which (by my reckoning) should override the SPF blacklist setting.

    Thanks, and sorry for the tone of my earlier post. I was feeling a bit grumpy, didn't explain the situation very well, and I blamed the CPanel update because I didn't think we had touched the settings.

    Happy New Year!
     
    #5 dolphyn, Dec 31, 2009
    Last edited: Dec 31, 2009
  6. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    You're welcome. When possible, please let us know the full cPanel version number (i.e., to confirm the full version of the installed STABLE build). I believe the issue might have been fixed in cPanel version 11.24.4 where the build number is at least "33362" or higher. If the symptom persists while using the latest version (per http://httpupdate.cpanel.net/#builds) I would consider submitting a support request so that we may assist with investigation. If submitting a support request, when available, please let me know the ticket ID number (e.g, via a PM) so I may follow-up internally.

    Reference internal case ID number: #7898

    P.S., Enjoy the new year and have a most excellent and relaxing holiday weekend! :)
     
Loading...

Share This Page