Why is Exim ignoring the list of blacklisted IPs

Discussion in 'General Discussion' started by Kent Brockman, Apr 11, 2013.

  1. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,178
    Likes Received:
    6
    Trophy Points:
    168
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    Hi sirs. I'm having the same issue as commented in this old thread, which wasn't solved either:
    http://forums.cpanel.net/f5/exim-ignoring-list-blacklisted-ips-230112.html

    I found that in cPanel 11.34 and now in 11.36, the IP Block list provided by WHM in the Exim config editor is completely useless. Exim continues to ignore those IPs. I tried with single IPs instead of IP ranges, and they are also being ignored.
    I opened a ticket but the operators cannot find the reason. Maybe a problem with Exim?

    Help with this issue will be appreciated. I have identified nearly 400 spam IP addresses and blocking those IPs is the thorough way I have to stop the lots of spam that are arriving at our servers.
    Thank you
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,170
    Likes Received:
    370
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Hello Kent, do you have that ticket ID handy?
     
  3. Kent Brockman

    Kent Brockman Well-Known Member

    Yep: 3866619
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I added an IP from one of my servers, saved, restarted EXIM and then fired off an email to that server. I received a 550 email in return, as expected.
    I added 200 more IPs to that list, leaving mine in there, saved, restarted EXIM and fired off another email. Another 550 email is sent back.

    cPanel EDGE 11.36.1 4

    A few questions if I could:
    How many IPs do you have in there?
    Why block them here instead of in CSF? CSF does not send back confirmation that my email was blocked, like this does.

    I do note that you've reopened the ticket, best to hold with that I think until Marlon gets back to you there.

    In my testing, this works as expected. Although, I certainly would not use it myself.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    BTW, it seems that my testing of 200 IPs crashed clamd. ;)
     
  6. Kent Brockman

    Kent Brockman Well-Known Member

    Hi Infopro. I do prefer the Black List for Exim rather than adding them to CSF, because CSF creates several rules for iptables that reside in memory. The more IPs you block in CSF, the less free memory you'll have for your apps. In exchange, the Exim block list is read and closed whenever it is needed, thus not consuming memory permanently. On the other hand, if you have a low-powered server, one CPU, 1GB RAM, the better you manage the memory usage by applications, the better the server will perform.
     
  7. Kent Brockman

    Kent Brockman Well-Known Member

    Oh BTW, I added my IP to the Black List, sent an email and it wasn't blocked. The logs show the following:

    Code:
    2013-04-11 09:45:34 [7500] SMTP connection from [190.190.189.125]:58235 I=[209.217.250.110]:25 (TCP/IP connection count = 2)
    2013-04-11 09:45:39 [8167] no IP address found for host 125-189-190-190.cab.prima.net.ar (during SMTP connection from [190.190.189.125]:58235 I=[209.217.250.110]:25)
    2013-04-11 09:45:39 [8167] list matching forced to fail: failed to find host name for 190.190.189.125
    2013-04-11 09:45:41 [8167] 1UQGsm-00027j-Ld <= XXXXXXXX@XXXXXXXX.com.ar H=(USB) [190.190.189.125]:58235 I=[209.217.250.110]:25 P=esmtpa A=courier_login:XXXXXXXX@XXXXXXXX.com.ar S=15984 id=042c01ce36b3$4b7de1f0$e279a5d0$@XXXXXXXX.com.ar T="mail de prueba" from <XXXXXXXX@XXXXXXXX.com.ar> for XXXXXXXX@XXXXXXXXYYYYYYYY.com.ar
    2013-04-11 09:45:44 [8167] SMTP connection from (USB) [190.190.189.125]:58235 I=[209.217.250.110]:25 closed by QUIT
    
    Then, I deleted the IP from the Block List and sent the email again:

    Code:
    2013-04-11 09:50:37 [5671] SMTP connection from [190.190.189.125]:58315 I=[209.217.250.110]:25 (TCP/IP connection count = 6)
    2013-04-11 09:50:42 [23930] no IP address found for host 125-189-190-190.cab.prima.net.ar (during SMTP connection from [190.190.189.125]:58315 I=[209.217.250.110]:25)
    2013-04-11 09:50:42 [23930] list matching forced to fail: failed to find host name for 190.190.189.125
    2013-04-11 09:50:44 [23930] 1UQGxf-0006Dy-Cx <= XXXXXXXX@XXXXXXXX.com.ar H=(USB) [190.190.189.125]:58315 I=[209.217.250.110]:25 P=esmtpa A=courier_login:XXXXXXXX@XXXXXXXX.com.ar S=15998 id=043501ce36b3$ffff9970$fffecc50$@XXXXXXXX.com.ar T="otro mail de prueba" from <XXXXXXXX@XXXXXXXX.com.ar> for XXXXXXXX@XXXXXXXXYYYYYYYY.com.ar
    2013-04-11 09:50:46 [23930] SMTP connection from (USB) [190.190.189.125]:58315 I=[209.217.250.110]:25 closed by QUIT
    The two transactions look pretty much the same.

    Can you tell what's going on? Can you share the portion of your logs for the trial you did?
     
  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Sure thing.


    Blocked:
    Code:
    2013-04-11 08:05:11 SMTP connection from [12.34.56.789]:47247 (TCP/IP connection count = 1)
    2013-04-11 08:05:12 H=12.34.56.789-static.reverse.softlayer.com [12.34.56.789]:47247 rejected connection in "connect" ACL: Host is banned
    2013-04-11 08:05:12 SMTP connection from 12.34.56.789-static.reverse.softlayer.com [12.34.56.789]:47247 closed by DROP in ACL
    Scanned and passed:
    Code:
    2013-04-11 09:09:56 SMTP connection from [12.34.56.789]:48624 (TCP/IP connection count = 1)
    2013-04-11 09:10:00 1UQHGJ-0004GK-V1 H=12.34.56.789-static.reverse.softlayer.com (host.domain.com) [12.34.56.789]:48624 Warning: Message has been scanned: no virus or other harmful content was found
    2013-04-11 09:10:00 1UQHGJ-0004GK-V1 <= me @ myotherdomain.com H=12.34.56.789-static.reverse.softlayer.com (host.domain.com) [12.34.56.789]:48624 P=esmtps X=TLSv1:DHE-RSA-AES256-SHA:256 S=2285 id=000001ce36b5$e3ed8e20$abc8aa60$@net T="TesterThree" for myother @ domain.com
    2013-04-11 09:10:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UQHGJ-0004GK-V1
    2013-04-11 09:10:00 SMTP connection from 12.34.56.789-static.reverse.softlayer.com (host.domain.com) [12.34.56.789]:48624 closed by QUIT
    2013-04-11 09:10:00 1UQHGJ-0004GK-V1 => mememe!  R=virtual_user T=virtual_userdelivery
    2013-04-11 09:10:00 1UQHGJ-0004GK-V1 Completed
     
  9. Kent Brockman

    Kent Brockman Well-Known Member

    Well, this is weird. I can recall that "rejected connection in connect ACL: Host is banned" in my logs when the filter used to work! If I don't fail to remember, it stopped working when I upgraded to 11.34 :(
    Since then, waves of spam are unstoppable :(

    - - - Updated - - -

    May be this failure be caused by any individual, arbitrary, Exim configuration in WHM. Any option to (un)tick to evaluate if that is the culprit of exim ignoring block lists? Maybe, but which one?
    Do you have all the Exim configurations by default in WHM?
     
  10. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I can't grasp what this says, sorry.

    Yes, stock perfectly operational cPanel setup.
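
Added example, not part of any post in this thread and not cPanel's or Exim's own code: a Python filter over an Exim main log that separates senders rejected in the "connect" ACL from senders whose mail was accepted after a "list matching forced to fail" entry, which Exim writes when a host list check needs the client's host name and the lookup fails. The sample lines are constructed (documentation-range addresses) in the two formats quoted above, and the function names are made up for this example.

```python
import re

# Constructed sample lines in the two formats quoted in the thread
# (with and without the [pid] field); not taken from a real server.
SAMPLE_LOG = """\
2013-04-11 09:45:34 [7500] SMTP connection from [192.0.2.25]:58235 I=[198.51.100.10]:25 (TCP/IP connection count = 2)
2013-04-11 09:45:39 [8167] no IP address found for host host25.example.net (during SMTP connection from [192.0.2.25]:58235 I=[198.51.100.10]:25)
2013-04-11 09:45:39 [8167] list matching forced to fail: failed to find host name for 192.0.2.25
2013-04-11 09:45:41 [8167] 1UQGsm-00027j-Ld <= user@example.com H=(USB) [192.0.2.25]:58235 I=[198.51.100.10]:25 P=esmtpa A=courier_login:user@example.com S=15984 T="test"
2013-04-11 08:05:11 SMTP connection from [203.0.113.7]:47247 (TCP/IP connection count = 1)
2013-04-11 08:05:12 H=mail.example.org [203.0.113.7]:47247 rejected connection in "connect" ACL: Host is banned
2013-04-11 09:10:00 1UQHGJ-0004GK-V1 <= me@example.org H=mail.example.org (host.example.org) [203.0.113.9]:48624 P=esmtps S=2285 T="TesterThree"
"""

REMOTE = re.compile(r"\[([0-9A-Fa-f.:]+)\]:\d+")   # first [ip]:port is the client
FORCED = re.compile(r"list matching forced to fail: failed to find host name for (\S+)")
REJECT = re.compile(r'rejected connection in "connect" ACL')
AUTH = re.compile(r"\bA=(\S+)")                     # authenticator:id on "<=" lines


def classify(log_text):
    """Summarise, per remote IP, what the log says happened to its connections."""
    hosts = {}
    for line in log_text.splitlines():
        forced = FORCED.search(line)
        remote = REMOTE.search(line)
        ip = forced.group(1) if forced else (remote.group(1) if remote else None)
        if ip is None:
            continue
        h = hosts.setdefault(
            ip, {"forced_fail": False, "rejected": 0, "accepted": 0, "auth": None})
        if forced:
            h["forced_fail"] = True
        elif REJECT.search(line):
            h["rejected"] += 1
        elif " <= " in line:                        # message accepted
            h["accepted"] += 1
            auth = AUTH.search(line)
            h["auth"] = auth.group(1) if auth else h["auth"]
    return hosts


def accepted_after_forced_fail(hosts):
    """IPs with both a forced-fail list check and accepted mail in this log."""
    return sorted(ip for ip, h in hosts.items() if h["forced_fail"] and h["accepted"])


if __name__ == "__main__":
    summary = classify(SAMPLE_LOG)
    for ip in accepted_after_forced_fail(summary):
        print(ip, summary[ip])
```

The `auth` field is reported because an accepted line carrying `A=` was an authenticated submission, which is worth knowing before comparing it with an unauthenticated test.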
     