CSF Blocking SMTP mail when its not configured to do so
Re: CSF Blocking SMTP mail when its not configured to do so
Hi Sergio. Where would this be under? Relay Tracking?
RT_AUTHRELAY_LIMIT is set to 100
RT_AUTHRELAY_BLOCK is set to 0
It's my understanding that this will send an alert but not do any blocking.
Re: CSF Blocking SMTP mail when its not configured to do so
I just wanted to be sure what you have in there, as it could block an IP from sending emails if it has reached the limit. Reading all of the info, this could be a possibility, as CSF is blocking something and when CSF is turned off it lets the other server run.
Another option to explore is to not have any blacklist set in CSF under LFD BLOCKLISTS, as it could be that the IP range is blocked and you don't know.
Basically, what I am trying to do is to check where your external IP address appears, besides the ALLOW and IGNORE options.
Re: CSF Blocking SMTP mail when its not configured to do so
Apologies in advance for hijacking the thread, but it seems we also have the same issue.
https://forum.configserver.com/viewtopi ... =6&t=11153
Re: CSF Blocking SMTP mail when its not configured to do so
I *THINK* I may have just got a hint....
My WordPress site decided to stop sending emails, and I managed to do a little testing. It was configured to send messages via SMTP to an external site; today I suddenly got emails that it wouldn't send due to incorrect authentication. So I used the test option in the WordPress plugin and noticed this:
220-myserver.mydomain.net ESMTP Exim 4.91 #1 Thu, 14 Feb 2019 16:27:22 +1100
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
EHLO domainname
250-myserver.mydomain.net Hello domainname [10.0.0.5]
After running csf-ra, I ran the test again, this time I saw this:
220 smtp.externalserver.com ESMTP ready
EHLO domainname
250-smtp.externalserver.com
250-PIPELINING
250-SIZE 71000000
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 STARTTLS
STARTTLS
(I've changed the names to protect the innocent)
As you can see, external traffic was being hijacked, and routed to the internal server. The outgoing port was 587.
I hope this is useful in tracking the issue down.
Re: CSF Blocking SMTP mail when its not configured to do so
wwnick wrote: ↑14 Feb 2019, 05:51
I *THINK* I may have just got a hint....
My WordPress site decided to stop sending emails, and I managed to do a little testing. It was configured to send messages via SMTP to an external site; today I suddenly got emails that it wouldn't send due to incorrect authentication. So I used the test option in the WordPress plugin and noticed this:
220-myserver.mydomain.net ESMTP Exim 4.91 #1 Thu, 14 Feb 2019 16:27:22 +1100
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
EHLO domainname
250-myserver.mydomain.net Hello domainname [10.0.0.5]
After running csf-ra, I ran the test again, this time I saw this:
220 smtp.externalserver.com ESMTP ready
EHLO domainname
250-smtp.externalserver.com
250-PIPELINING
250-SIZE 71000000
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 STARTTLS
STARTTLS
(I've changed the names to protect the innocent)
As you can see, external traffic was being hijacked, and routed to the internal server. The outgoing port was 587.
I hope this is useful in tracking the issue down.
Thanks for this, I found the blocking rule:
5 29 1740 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,26,465,587,2525
The only rule in configuration that is related to above is SMTP_REDIRECT, which on my configuration is switched off.
SMTP_REDIRECT:
This option redirects outgoing SMTP connections destined for remote servers for non-bypass users to the local SMTP server to force local relaying of email. Such email may require authentication (SMTP AUTH).
Screenshot: https://www.dropbox.com/s/ubsrskoiex1za ... 7.png?dl=0
Re: CSF Blocking SMTP mail when its not configured to do so
mydigia wrote: ↑28 Feb 2019, 10:01
Thanks for this, I found the blocking rule:
5 29 1740 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,26,465,587,2525
The only way csf would add such a rule to iptables is if you have enabled SMTP_REDIRECT in csf.conf, since that is what that setting does.
If SMTP_REDIRECT is not enabled, then something external to csf is inserting that rule into iptables and you would have to identify what. For example, the cPanel option WHM > Tweak Settings > Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak) does this, and csf expressly displays a warning on restart that that option should not be used:
*WARNING* The option "WHM > Tweak Settings > Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)" is incompatible with this firewall. The option must be disabled in WHM and the SMTP_BLOCK alternative in csf used instead
Re: CSF Blocking SMTP mail when its not configured to do so
ForumAdmin wrote: ↑01 Mar 2019, 11:06
mydigia wrote: ↑28 Feb 2019, 10:01
Thanks for this, I found the blocking rule:
5 29 1740 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,26,465,587,2525
The only way csf would add such a rule to iptables is if you have enabled SMTP_REDIRECT in csf.conf since that is what that setting does.
If SMTP_REDIRECT is not enabled, then something external to csf is inserting that rule into iptables and you would have to identify what. For example, the cPanel option WHM > Tweak Settings > Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak) does this, which csf expressly displays a warning that that option should not be used on restart:
*WARNING* The option "WHM > Tweak Settings > Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)" is incompatible with this firewall. The option must be disabled in WHM and the SMTP_BLOCK alternative in csf used instead
If that is not enabled either, then you will have to look elsewhere.
Thank you, indeed that was on and I don't know how we survived so long with that being ON without anyone complaining on that particular server. Thanks again and sorry for missing such a basic setting.
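Added example (not posted by anyone in this thread): a shell sketch of the two checks the thread walks through, reading which host actually greeted the client and deciding whether an SMTP REDIRECT rule is explained by csf's own SMTP_REDIRECT setting. The function names are hypothetical, the sample banner and rule listing are constructed from the output quoted above, and the csf.conf line format `NAME = "value"` is assumed.

```shell
# Constructed sample data, modelled on the output quoted in the thread.
SMTP_PORTS="25 26 465 587 2525"   # ports listed in the thread's REDIRECT rule

# Hostname announced in the first 220 greeting line of an SMTP transcript (stdin).
banner_host() {
    awk '/^220[ -]/ { sub(/^220[ -]/, ""); print tolower($1); exit }'
}

# Rule numbers of REDIRECT rules matching an SMTP port. stdin: the output of
# `iptables -t nat -L OUTPUT -n -v --line-numbers` (num pkts bytes target ...).
smtp_redirect_rules() {
    awk -v ports="$SMTP_PORTS" '
        BEGIN { n = split(ports, p, " ") }
        $4 == "REDIRECT" {
            for (i = 1; i <= NF; i++) {
                if ($i == "dports") list = $(i + 1)               # multiport form
                else if ($i ~ /^dpt:/) list = substr($i, 5)       # single-port form
                else continue
                m = split(list, d, ",")
                for (j = 1; j <= m; j++) for (k = 1; k <= n; k++)
                    if (d[j] == p[k]) { print $1; next }
            }
        }'
}

# Value of a NAME = "value" line in a csf.conf-style file ($1 = name, $2 = path).
csf_setting() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$2" | tail -n 1
}

# stdin: nat listing, $1: csf.conf path. Prints "none", "csf" (SMTP_REDIRECT
# enabled) or "external" (the rule was inserted by something other than csf).
redirect_origin() {
    [ -n "$(smtp_redirect_rules)" ] || { echo none; return; }
    if [ "$(csf_setting SMTP_REDIRECT "$1")" = "1" ]; then echo csf; else echo external; fi
}

sample_banner() { printf '220-myserver.mydomain.net ESMTP Exim 4.91 #1\n220 and/or bulk e-mail.\n'; }
sample_nat() { cat <<'EOF'
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source       destination
1        0     0 ACCEPT     tcp  --  *      lo      0.0.0.0/0    0.0.0.0/0
5       29  1740 REDIRECT   tcp  --  *      *       0.0.0.0/0    0.0.0.0/0    multiport dports 25,26,465,587,2525
EOF
}

conf=$(mktemp) && printf 'SMTP_BLOCK = "0"\nSMTP_REDIRECT = "0"\n' > "$conf"
echo "greeted by: $(sample_banner | banner_host) (expected smtp.externalserver.com)"
echo "rules: $(sample_nat | smtp_redirect_rules)  origin: $(sample_nat | redirect_origin "$conf")"
rm -f "$conf"
```

On a live server the same functions can be fed real data as root, for example `iptables -t nat -L OUTPUT -n -v --line-numbers | redirect_origin /etc/csf/csf.conf`; an "external" result points at something other than csf, such as the WHM SMTP restriction named in the warning above.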
Re: CSF Blocking SMTP mail when its not configured to do so
I have been having this issue for a while, and so far, have not been able to figure out what the problem is. Everything will work as expected for a few days, sometimes longer. Then, suddenly, mail sent out by PHP with SMTP gets blocked and will not go out until I restart CSF.
Re: CSF Blocking SMTP mail when its not configured to do so
(deleted post -- I found that SMTP_BLOCK was enabled in CSF, which was the cause of our sendgrid block)
- Scott