Relay Tracking not working for mails sent from Webmail in ver. 8.16

Posted: 22 Mar 2016, 22:02
by AndyB78
Hello!

Following a few spam episodes gone undetected by the Relay Tracking in CSF/LFD, we have determined that mails sent from cPanel Webmail are not tracked at all by CSF/LFD.

Relay Tracking is working for mails sent from email clients (we have tested this). But mails sent from Webmail are not tracked. We have tested this with all the email software in cPanel (Horde, RoundCube and Squirrel) and on multiple cPanel servers.

log_selector = +incoming_port +smtp_connection +all_parents -retry_defer +subject +arguments +received_recipients

Please take into urgent consideration this problem as we all rely heavily on mail tracking for early spam detection (mandatory for avoiding further problems).

Thanks in advance!

Re: Relay Tracking not working for mails sent from Webmail in ver. 8.16

Posted: 22 Mar 2016, 22:15
by ForumAdmin
You need to post some examples of the log lines that you are seeing from /var/log/exim_mainlog that you believe are not being detected by the exim regex. If you are not seeing lines in the exim log, then the emails are being sent directly via SMTP and there is nothing at all lfd can do about that.

Re: Relay Tracking not working for mails sent from Webmail in ver. 8.16

Posted: 22 Mar 2016, 22:33
by AndyB78
Probably I should have made it clear that I tested this myself by sending mails from Webmail (from all 3 webmail software in cPanel) above the threshold set in all Relay Tracking sections and I have not received any warning email. So relay tracking is not working for mails sent from webmail. So I am not speaking about mails sent by SMTP but about mails I have personally sent from Horde, RoundCube and Squirrel.

Of course I made the same test from Thunderbird to make sure that normally I receive relay warnings. And I did receive the warnings. So relay tracking works normally when Webmail is NOT used.

I repeated this test for multiple servers with cPanel and CSF/LFD.

Re: Relay Tracking not working for mails sent from Webmail in ver. 8.16

Posted: 24 Mar 2016, 09:02
by AndyB78
I want to ask a forum administrator to please move this thread to Report Bugs. This is a bug report and one of a serious nature and I feel it is not getting the deserved attention.

Thank you!

Re: Relay Tracking not working for mails sent from Webmail in ver. 8.16

Posted: 24 Mar 2016, 09:30
by ForumAdmin
ForumAdmin wrote: You need to post some examples of the log lines that you are seeing from /var/log/exim_mainlog that you believe are not being detected by the exim regex.
Additionally, you should test using the cPanel default setting of log_selector in case it is your setting of that parameter that is causing the problem and, if not, also post those log lines.

Re: Relay Tracking not working for mails sent from Webmail in ver. 8.16

Posted: 24 Mar 2016, 12:43
by AndyB78
Hi,

We already have the default cPanel setting for log_selector.

Here are the lines (of course I've replaced all nameservers and 1.2.3.4 is the IP of the recipient's server). Of course I have sent enough emails to go over the Relay Tracking threshold (also confirmed by receiving the "Relay, remote IP" warning from the recipient's server CSF/LFD). Also I had to remove all hostnames (including the ones in the dummy email addresses) because the forum wouldn't allow me a post with URLs in it.

Mails sent from Squirrel (for which I have not received warnings from the sender's server CSF/LFD)

2016-03-24 14:15:14 1aj4AU-00044F-Dp <= email@sender H=(server) [::1]:43674 P=esmtpa A=dovecot_login:email@sender S=739 id=37ee7bfc8efd077d07203db0b3cf5334.squirrel@server T="Test L1" for email@recipient
2016-03-24 14:15:15 cwd=/var/spool/MailScanner/incoming/28630 6 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1aj4AU-00044F-Dp 1aj4AU-00044Q-9m
2016-03-24 14:15:15 1aj4AU-00044F-Dp SMTP connection outbound 1458821715 1aj4AU-00044F-Dp sender_net email@recipient
2016-03-24 14:15:15 1aj4AU-00044F-Dp [1.2.3.4] SSL verify error: certificate name mismatch: "/OU=Domain Control Validated/OU=PositiveSSL/CN=server"
2016-03-24 14:15:17 1aj4AU-00044F-Dp => email@recipient R=dkim_lookuphost T=dkim_remote_smtp H=recipient_net [1.2.3.4] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 OK id=1aj4AW-00041D-3u"
2016-03-24 14:15:17 1aj4AU-00044F-Dp Completed

2016-03-24 14:15:21 1aj4Ab-00046P-2c <= email_sender H=(server) [::1]:43736 P=esmtpa A=dovecot_login:email@sender S=740 id=8aaf0514c1516c16be3a91f5d9f9411b.squirrel T="Test L2" for email@recipient
2016-03-24 14:15:21 cwd=/var/spool/MailScanner/incoming/28630 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1aj4Ab-00046P-2c
2016-03-24 14:15:21 1aj4Ab-00046P-2c SMTP connection outbound 1458821721 1aj4Ab-00046P-2c sender_net email@recipient
2016-03-24 14:15:21 1aj4Ab-00046P-2c [1.2.3.4] SSL verify error: certificate name mismatch: "/OU=Domain Control Validated/OU=PositiveSSL/CN=server"
2016-03-24 14:15:24 1aj4Ab-00046P-2c => email@recipient R=dkim_lookuphost T=dkim_remote_smtp H=recipient_net [1.2.3.4] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 OK id=1aj4Ac-00046H-AU"
2016-03-24 14:15:24 1aj4Ab-00046P-2c Completed

2016-03-24 14:15:27 1aj4Ah-000498-MX <= email_sender H=(server_sender) [::1]:43846 P=esmtpa A=dovecot_login:email@sender S=741 id=790cd56e5adc31191d39a944a33fd281.squirrel@server T="Test L3" for email@recipient
2016-03-24 14:15:28 cwd=/var/spool/MailScanner/incoming/28630 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1aj4Ah-000498-MX
2016-03-24 14:15:28 1aj4Ah-000498-MX SMTP connection outbound 1458821728 1aj4Ah-000498-MX sender_net email@recipient
2016-03-24 14:15:28 1aj4Ah-000498-MX [1.2.3.4] SSL verify error: certificate name mismatch: "/OU=Domain Control Validated/OU=PositiveSSL/CN=server"
2016-03-24 14:15:30 1aj4Ah-000498-MX => email@recipient R=dkim_lookuphost T=dkim_remote_smtp H=recipient_net [1.2.3.4] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 OK id=1aj4Ai-00049g-Vp"
2016-03-24 14:15:30 1aj4Ah-000498-MX Completed

If you want I can also provide log lines for mails sent from Thunderbird for which I received the warning.

Re: Relay Tracking not working for mails sent from Webmail in ver. 8.16

Posted: 24 Mar 2016, 18:17
by ForumAdmin
Thank you for that. That is showing relaying through the localhost IPv6 address which is indeed not currently tracked. We'll add that to the next release of csf.
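The gap described above is a log-parsing one: the relay counter keys on the bracketed source address in the exim "<=" arrival line, and a pattern that only expects an IPv4 address skips the "[::1]" that webmail submissions over the IPv6 loopback produce. The following is an added illustration, not CSF/LFD's own code: it parses constructed exim_mainlog-style lines (modelled on the format shown in this thread, with made-up addresses), compares an IPv4-only pattern against one that accepts either address family, flags loopback submissions, and counts submissions per authenticated user so that a threshold check can fire. The regexes and the sample lines are assumptions for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample exim_mainlog excerpt (not real data): three webmail
# submissions over IPv6 loopback and two from a remote mail client over IPv4.
SAMPLE_LOG = """\
2016-03-24 14:15:14 1aj4AU-00044F-Dp <= user@example.test H=(webmail) [::1]:43674 P=esmtpa A=dovecot_login:user@example.test S=739 T="Test L1" for rcpt@example.invalid
2016-03-24 14:15:15 1aj4AU-00044F-Dp => rcpt@example.invalid R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.invalid [192.0.2.10] C="250 OK"
2016-03-24 14:15:21 1aj4Ab-00046P-2c <= user@example.test H=(webmail) [::1]:43736 P=esmtpa A=dovecot_login:user@example.test S=740 T="Test L2" for rcpt@example.invalid
2016-03-24 14:15:27 1aj4Ah-000498-MX <= user@example.test H=(webmail) [::1]:43846 P=esmtpa A=dovecot_login:user@example.test S=741 T="Test L3" for rcpt@example.invalid
2016-03-24 14:16:02 1aj4BG-0004Aa-Qx <= other@example.test H=(laptop) [203.0.113.7]:51002 P=esmtpsa A=dovecot_login:other@example.test S=802 T="hello" for rcpt@example.invalid
2016-03-24 14:16:09 1aj4BN-0004Ab-Ry <= other@example.test H=(laptop) [203.0.113.7]:51010 P=esmtpsa A=dovecot_login:other@example.test S=803 T="hello again" for rcpt@example.invalid
"""

# Arrival ("<=") lines carry the submitting host's address in square brackets.
# IPV4_ONLY_RE is the shape of pattern that silently skips "[::1]"; ANY_IP_RE
# accepts anything IPv4- or IPv6-shaped and lets ipaddress validate it.
_PREFIX = r'^\S+ \S+ (?P<msgid>\S+) <= (?P<sender>\S+) .*?\['
_SUFFIX = r'\](?::\d+)? P=(?P<proto>\S+)(?: A=(?P<auth>\S+))?'
IPV4_ONLY_RE = re.compile(_PREFIX + r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})' + _SUFFIX)
ANY_IP_RE = re.compile(_PREFIX + r'(?P<ip>[0-9A-Fa-f.:]+)' + _SUFFIX)


def parse_arrivals(log_text, pattern=ANY_IP_RE):
    """Parse message-arrival lines.

    Returns (events, unmatched): one dict per recognised arrival, plus the
    arrival lines the pattern could not attribute. An unmatched arrival is
    exactly the blind spot this thread describes, so it is surfaced rather
    than dropped.
    """
    events, unmatched = [], []
    for line in log_text.splitlines():
        if " <= " not in line:
            continue  # delivery ("=>") and other lines are not submissions
        m = pattern.match(line)
        if not m:
            unmatched.append(line)
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            unmatched.append(line)  # bracketed token was not a valid address
            continue
        auth = m.group("auth")
        user = auth.split(":", 1)[1] if auth and ":" in auth else None
        events.append({
            "msgid": m.group("msgid"),
            "ip": ip,
            "authenticated_user": user,
            "loopback": ip.is_loopback,  # True for 127.0.0.0/8 and ::1
        })
    return events, unmatched


def count_by_authenticated_user(events):
    """Submissions per (authenticated user, source address) pair."""
    counts = Counter()
    for ev in events:
        if ev["authenticated_user"]:
            counts[(ev["authenticated_user"], str(ev["ip"]))] += 1
    return counts


def over_threshold(counts, threshold):
    """Pairs whose submission count reaches the configured threshold."""
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    narrow, missed = parse_arrivals(SAMPLE_LOG, IPV4_ONLY_RE)
    print(f"IPv4-only pattern: {len(narrow)} attributed, {len(missed)} missed")
    events, missed = parse_arrivals(SAMPLE_LOG)
    print(f"address-family-agnostic pattern: {len(events)} attributed, {len(missed)} missed")
    for key in over_threshold(count_by_authenticated_user(events), 3):
        print("threshold reached:", key)
```

Run against the constructed lines, the IPv4-only pattern attributes only the two IPv4 submissions and misses all three loopback ones, while the second pattern attributes all five and reports the webmail user at the threshold of 3. The unmatched list is worth alerting on in its own right: a relay detector that cannot attribute a submission should say so rather than count nothing.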

Re: Relay Tracking not working for mails sent from Webmail in ver. 8.16

Posted: 24 Mar 2016, 18:30
by AndyB78
Hi,

Do you have any rough idea of an ETA?

Thanks!

Re: Relay Tracking not working for mails sent from Webmail in ver. 8.16

Posted: 24 Mar 2016, 18:32
by ForumAdmin
No, we do not provide timescales with our free scripts.

Re: Relay Tracking not working for mails sent from Webmail in ver. 8.16

Posted: 24 Mar 2016, 18:50
by AndyB78
Well, thanks at least for clearing up what the problem was. I've disabled IPv6 on the server as we don't really need it (I hope) until the update.