ConfigServer Community Forum

I have "ConfigServer Security & Firewall" installed on my WHM/cPanel server. It's great and really thwarts a lot of intrusion attempts as well as other security features.

Have one BIG problem however. For security I have SMTP_BLOCK enabled to stop spam out from malicious scripts (if any where ever installed). Under CSF configuration I have SMTP_ALLOWUSER set to the accounts that I always want to be able to send mail out from scripts. This is set to: "cpanel,account1,account2" (where account1 and account2 are actual WHM account user names).

For some reason (haven't tracked when exactly this happens but probably on update) this setting intermittently stops working. It doesn't change but I have to restart CSF in order for the script to be able to send mail again. I find out because my client calls and is very mad because their contact us form doesn't work and throws a mail send error. Here's that error: CONTACT FORM ERROR: authentication failure [SMTP: Invalid response code received from server (code: 535, response: Incorrect authentication data)]

So it's blocking the script from sending email even though the configuration file still whitelists their account name under SMTP_ALLOWUSER! I have to go into WHM to the CSF config area and click the "Firewall Configuration" button, then just scroll to the bottom and click "Change" and then the "Restart CSF/LFD" button and it works again. I really MUST get this resolved. Is this due to CSF updating or maybe cPanel updating and not reading in that value? Any ideas?

I submitted this to my server tech support staff as well and here's what one of them said:
The nightly cPanel updates wouldn't be modifying the CSF installation. What I believe is causing this is actually the auto-update feature of CSF, which I've disabled via the WHM >> Plugins >> ConfigServer Security&Firewall >> Firewall Configuration. It's really not important to update the firewall software unless there is an explicit vulnerability against it, which I have yet to see. So this should prevent any future issues with it dropping the variable.

Now, I can see how that would cause the issue but I am worried that the auto-update installs protection from new exploits/vunerabilities so I don't want to miss out on those! Can you let me know how often CSF updates and if you feel this would solve this problem. I'm sure there is a better way than just disabling the auto-updates, right?

Any ideas guys? Actually not sure if it's this now because a user can send out SMTP from the server even though they aren't listed under SMTP_ALLOWUSER! I only have port 25 listed in the config file, and my php sends out port 465 (via PEAR smtp mail). If that's the case, then the intermittent blocking of the ability to send SMTP is caused by something else. How could I find out by what?

I seem to be seeing an issue with this too. It looks like SMTP_ALLOWUSER is no longer working properly in version 6.10. At least from what I can remember.

My config has the lines:
Am I reading this correctly? Does this mean that regular users (not root, not user cpanel, and users that don't belong to the groups mail or mailman) should not be able to connect to localhost on port 25? I thought this is how the behavior used to be, maybe I'm wrong, but regular users are now able to connect to localhost on port 25.

It looks like version 5.75 has the same behavior, so perhaps I am wrong and this never worked this way. I'm just really not sure what the point of SMTP_ALLOWLOCAL is local users are able to connect to localhost on port 25 regardless if this is enabled or not.

(Apologies if this is considered hijacking this thread, my issue appears to be a little different from trappedatuf's but I thought they were similar)

Version 5.07 appears to show the behavior that I expect. Local regular users are unable to connect to port 25. I'm not sure what all has changed between 5.07 and 6.10. Nothing stands out to me from the changelog. Perhaps something to do with IPv6? Kind of at a loss. It may be something that I don't have configured properly.

SMTP_BLOCK prevents all users except for SMTP_ALLOWUSER and SMTP_ALLOWGROUP from connecting out to ports in SMTP_PORTS. If SMTP_ALLOWLOCAL is enabled, then an exception is made for lo:, so any user can still connect to localhost but will still be blocked from connecting to all other IP's. This has always been the case.

Having said that, I've just done some testing and there might be an issue with SMTP_ALLOWLOCAL, I'll update in a short while...

I've released v6.11 to fix this.

EDIT: after multiple restarts of LFD from WHM I am able to start getting the notices again. Will report back of intermittent failures crop up again.

Hi, not sure if this is related, or a separate/misconfiguration issue, but it seems too self-defeating

here's my config on csf 6.15 Now I'm not getting any email notifications from LFD only -- all lfd notices have stopped -- ! Webscripts work, and sending mail with SSL works (though that uses 587, not 25). Is this expected behavior?