The Community Forums


Why is Exim ignoring the list of blacklisted IPs

Discussion in 'General Discussion' started by Kent Brockman, Apr 11, 2013.

  1. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,130
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hi sirs. I'm having the same issue as commented in this old thread, which wasn't solved either:
    http://forums.cpanel.net/f5/exim-ignoring-list-blacklisted-ips-230112.html

    I found that in cPanel 11.34 and now in 11.36, the IP Block list provided by WHM in the Exim config editor is completely useless. Exim continues to ignore those IPs. I tried with single IPs instead of IP ranges, and they are also being ignored.
    I opened a ticket but the operators cannot find the reason. Maybe a problem with Exim?

    Help with this issue will be appreciated. I have identified nearly 400 spam IP addresses, and blocking those IPs is the thorough way I have to stop the lots of spam that are arriving at our servers.
    Thank you
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,451
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello Kent, do you have that ticket ID handy?
     
  3. Kent Brockman

    Yep: 3866619
     
  4. Infopro

    I added an IP from one of my servers, saved, restarted EXIM and then fired off an email to that server. I received a 550 email in return, as expected.
    I added 200 more IPs to that list, leaving mine in there, saved, restarted EXIM and fired off another email. Another 550 email is sent back.

    cPanel EDGE 11.36.1 4

    A few questions if I could:
    How many IPs do you have in there?
    Why block them here instead of in CSF? CSF does not send back confirmation that my email was blocked, like this does.

    I do note that you've reopened the ticket, best to hold with that I think until Marlon gets back to you there.

    In my testing, this works as expected. Although, I certainly would not use it myself.
     
  5. Infopro

    BTW, it seems that my testing of 200 IPs crashed clamd. ;)
     
  6. Kent Brockman

    Hi Infopro. I do prefer the Black List for Exim rather than adding them to CSF, because CSF creates several iptables rules that reside in memory. The more IPs you block in CSF, the less free memory you'll have for your apps. In exchange, the Exim block list is read and closed whenever it is needed, thus not consuming memory permanently. On the other hand, if you have a low-powered server, one CPU, 1GB RAM, the better you manage the memory usage by applications, the better the server will perform.
     
  7. Kent Brockman

    Oh, BTW, I added my IP to the Black List, sent an email and it wasn't blocked. The logs show the following:

    Code:
    2013-04-11 09:45:34 [7500] SMTP connection from [190.190.189.125]:58235 I=[209.217.250.110]:25 (TCP/IP connection count = 2)
    2013-04-11 09:45:39 [8167] no IP address found for host 125-189-190-190.cab.prima.net.ar (during SMTP connection from [190.190.189.125]:58235 I=[209.217.250.110]:25)
    2013-04-11 09:45:39 [8167] list matching forced to fail: failed to find host name for 190.190.189.125
    2013-04-11 09:45:41 [8167] 1UQGsm-00027j-Ld <= XXXXXXXX@XXXXXXXX.com.ar H=(USB) [190.190.189.125]:58235 I=[209.217.250.110]:25 P=esmtpa A=courier_login:XXXXXXXX@XXXXXXXX.com.ar S=15984 id=042c01ce36b3$4b7de1f0$e279a5d0$@XXXXXXXX.com.ar T="mail de prueba" from <XXXXXXXX@XXXXXXXX.com.ar> for XXXXXXXX@XXXXXXXXYYYYYYYY.com.ar
    2013-04-11 09:45:44 [8167] SMTP connection from (USB) [190.190.189.125]:58235 I=[209.217.250.110]:25 closed by QUIT
    
    Then, I deleted the IP from the Block List and sent the email again:

    Code:
    2013-04-11 09:50:37 [5671] SMTP connection from [190.190.189.125]:58315 I=[209.217.250.110]:25 (TCP/IP connection count = 6)
    2013-04-11 09:50:42 [23930] no IP address found for host 125-189-190-190.cab.prima.net.ar (during SMTP connection from [190.190.189.125]:58315 I=[209.217.250.110]:25)
    2013-04-11 09:50:42 [23930] list matching forced to fail: failed to find host name for 190.190.189.125
    2013-04-11 09:50:44 [23930] 1UQGxf-0006Dy-Cx <= XXXXXXXX@XXXXXXXX.com.ar H=(USB) [190.190.189.125]:58315 I=[209.217.250.110]:25 P=esmtpa A=courier_login:XXXXXXXX@XXXXXXXX.com.ar S=15998 id=043501ce36b3$ffff9970$fffecc50$@XXXXXXXX.com.ar T="otro mail de prueba" from <XXXXXXXX@XXXXXXXX.com.ar> for XXXXXXXX@XXXXXXXXYYYYYYYY.com.ar
    2013-04-11 09:50:46 [23930] SMTP connection from (USB) [190.190.189.125]:58315 I=[209.217.250.110]:25 closed by QUIT

    The two transactions look pretty much the same.

    Can you tell what's going on? Can you share the portion of your logs for the trial you did?
     
  8. Infopro

    Sure thing.

    Blocked:
    Code:
    2013-04-11 08:05:11 SMTP connection from [12.34.56.789]:47247 (TCP/IP connection count = 1)
    2013-04-11 08:05:12 H=12.34.56.789-static.reverse.softlayer.com [12.34.56.789]:47247 rejected connection in "connect" ACL: Host is banned
    2013-04-11 08:05:12 SMTP connection from 12.34.56.789-static.reverse.softlayer.com [12.34.56.789]:47247 closed by DROP in ACL
    Scanned and passed:
    Code:
    2013-04-11 09:09:56 SMTP connection from [12.34.56.789]:48624 (TCP/IP connection count = 1)
    2013-04-11 09:10:00 1UQHGJ-0004GK-V1 H=12.34.56.789-static.reverse.softlayer.com (host.domain.com) [12.34.56.789]:48624 Warning: Message has been scanned: no virus or other harmful content was found
    2013-04-11 09:10:00 1UQHGJ-0004GK-V1 <= me @ myotherdomain.com H=12.34.56.789-static.reverse.softlayer.com (host.domain.com) [12.34.56.789]:48624 P=esmtps X=TLSv1:DHE-RSA-AES256-SHA:256 S=2285 id=000001ce36b5$e3ed8e20$abc8aa60$@net T="TesterThree" for myother @ domain.com
    2013-04-11 09:10:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UQHGJ-0004GK-V1
    2013-04-11 09:10:00 SMTP connection from 12.34.56.789-static.reverse.softlayer.com (host.domain.com) [12.34.56.789]:48624 closed by QUIT
    2013-04-11 09:10:00 1UQHGJ-0004GK-V1 => mememe!  R=virtual_user T=virtual_userdelivery
    2013-04-11 09:10:00 1UQHGJ-0004GK-V1 Completed
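    The two excerpts above differ in one line that matters when reading them as a defender: Kent's accepted session carries `list matching forced to fail: failed to find host name for 190.190.189.125`, Infopro's rejected one does not. Exim writes that message when an item in a host list can only be compared by host name and the reverse DNS lookup of the connecting address fails; the whole list match is then forced to fail, so a `deny hosts = ...` condition does not fire and the session continues. The accepted line also records an authenticated submission (`P=esmtpa`, `A=courier_login`). The script below is an added example for this thread, not code from either poster or from cPanel: it parses the log lines quoted above (embedded as constructed sample input, addresses and masked mailboxes exactly as posted) and reports, per blocklisted IP, whether the block applied and, if not, which logged reason explains it.

```python
import re

# Constructed sample input: the lines posted in this thread that decide the outcome.
# 190.190.189.125 is the IP Kent put on the Block List; 12.34.56.789 is the placeholder
# Infopro posted (not a routable address).
LOG_NOT_BLOCKED = """\
2013-04-11 09:45:34 [7500] SMTP connection from [190.190.189.125]:58235 I=[209.217.250.110]:25 (TCP/IP connection count = 2)
2013-04-11 09:45:39 [8167] no IP address found for host 125-189-190-190.cab.prima.net.ar (during SMTP connection from [190.190.189.125]:58235 I=[209.217.250.110]:25)
2013-04-11 09:45:39 [8167] list matching forced to fail: failed to find host name for 190.190.189.125
2013-04-11 09:45:41 [8167] 1UQGsm-00027j-Ld <= XXXXXXXX@XXXXXXXX.com.ar H=(USB) [190.190.189.125]:58235 I=[209.217.250.110]:25 P=esmtpa A=courier_login:XXXXXXXX@XXXXXXXX.com.ar S=15984 T="mail de prueba"
"""

LOG_BLOCKED = """\
2013-04-11 08:05:11 SMTP connection from [12.34.56.789]:47247 (TCP/IP connection count = 1)
2013-04-11 08:05:12 H=12.34.56.789-static.reverse.softlayer.com [12.34.56.789]:47247 rejected connection in "connect" ACL: Host is banned
2013-04-11 08:05:12 SMTP connection from 12.34.56.789-static.reverse.softlayer.com [12.34.56.789]:47247 closed by DROP in ACL
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Host-list match abandoned because the connecting address has no reverse DNS name.
FORCED_FAIL = re.compile(r"list matching forced to fail: failed to find host name for " + IP)
# Connection rejected by an ACL (which ACL, and the message the ACL gave).
REJECTED = re.compile(r"\[" + IP + r"\]:\d+ rejected connection in \"(\w+)\" ACL: (.*)$")
# Message accepted ("<=") from the host; P= records the protocol, e.g. esmtpa = authenticated.
ACCEPTED = re.compile(r" <= \S+ .*?\[" + IP + r"\]:\d+.*? P=(\S+)")


def analyse(log_text):
    """Collect, per client IP, the events that decide whether a blocklist entry took effect."""
    findings = {}
    for line in log_text.splitlines():
        m = FORCED_FAIL.search(line)
        if m:
            findings.setdefault(m.group(1), {})["forced_fail"] = True
            continue
        m = REJECTED.search(line)
        if m:
            f = findings.setdefault(m.group(1), {})
            f["outcome"], f["acl"], f["reason"] = "rejected", m.group(2), m.group(3)
            continue
        m = ACCEPTED.search(line)
        if m:
            f = findings.setdefault(m.group(1), {})
            f["outcome"], f["protocol"] = "accepted", m.group(2)
    return findings


def verdict(log_text, blocklisted_ip):
    """Explain, for one blocklisted IP, what the log says happened to its session."""
    f = analyse(log_text).get(blocklisted_ip, {})
    if f.get("outcome") == "rejected":
        return f"blocked in {f['acl']} ACL: {f['reason']}"
    if f.get("forced_fail"):
        return "NOT blocked: host-list match forced to fail (no reverse DNS name for the IP)"
    if f.get("outcome") == "accepted":
        return f"NOT blocked: message accepted via {f['protocol']}"
    return "no decision found for this IP"


if __name__ == "__main__":
    print("190.190.189.125:", verdict(LOG_NOT_BLOCKED, "190.190.189.125"))
    print("12.34.56.789:", verdict(LOG_BLOCKED, "12.34.56.789"))
```

    Run against a real `/var/log/exim_mainlog`, the same two patterns separate "the ACL rejected it" from "the host list never matched", which a plain grep for the IP does not. When the second case shows up, the host-list semantics for unresolvable names are the thing to review: Exim's host lists accept `+include_unknown` and `+ignore_unknown` to choose how an address with no reverse name is treated, and the Exim reference for the version in use documents the default.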
     
  9. Kent Brockman

    Well, this is weird. I can recall that "rejected connection in connect ACL: Host is banned" in my logs when the filter used to work! If I don't fail to remember, it stopped working when I upgraded to 11.34 :(
    Since then, waves of spam are unstoppable :(

    - - - Updated - - -

    Maybe this failure is caused by some individual, arbitrary Exim configuration in WHM. Any option to (un)tick to evaluate if that is the culprit of Exim ignoring block lists? Maybe, but which one?
    Do you have all the Exim configurations by default in WHM?
     
  10. Infopro

    I can't grasp what this says, sorry.

    Yes, stock perfectly operational cPanel setup.
     