Local Host Relay
Posted: 05 Apr 2016, 23:56
by khimaira
Since the update to CSF 8.17, I have been receiving the following typical alert for every 100 or so messages sent by Mailman to legitimate lists:
Time: Tue Apr 5 17:15:20 2016 -0400
Type: LOCALHOSTRELAY, Local Account - ::1
Count: 109 emails relayed
Blocked: No
For a list of 600-700 members, I receive 6 alerts. Note the strange account name. 8.19 did not correct the problem and it never happened before 8.17. Fortunately the messages are not blocked. I have also verified that none of my settings for the relevant variables have changed for years. I'm seeing this from 2 servers that are essentially configured the same.
I realize I could disable the alerts, but I'm not sure I should even be seeing these for mailing lists and I wouldn't want to miss other relevant alerts.
Re: Local Host Relay
Posted: 06 Apr 2016, 00:35
by webdoor
same here
the ":: 1" at the end of the report is a bit ambiguous
ideally, I'd like to whitelist the user who is creating the lfd reports as they are a known legit volume email sender, but the report doesn't seem to indicate anything that can be whitelisted
Re: Local Host Relay
Posted: 06 Apr 2016, 01:07
by khimaira
I can easily identify the mailing list and therefore the account from the sample 10 messages. However, those same accounts sometimes abuse the normal relay limits outside of their mailing lists. I would never whitelist the accounts, but technically mailman is the sender and shouldn't appear at all, as it never did before.
The changelog for 8.17 notes: Added IPv6 support to RT_LOCALHOSTRELAY tracking
My guess is that there is just a little coding error in that change.
Re: Local Host Relay
Posted: 06 Apr 2016, 08:25
by ForumAdmin
If you could provide a couple of example log lines from mailman emails we could look into adding an option to ignore them, but only if they differ from normal log lines.
The only coding change was to detect IPv6 localhost in addition to IPv4 localhost, nothing more.
Re: Local Host Relay
Posted: 06 Apr 2016, 11:47
by webdoor
here's one from mine:
Subject: lfd on servername: LOCALHOSTRELAY Alert for ::1
Time: Wed Apr 6 20:35:05 2016 +1000
Type: LOCALHOSTRELAY, Local Account - ::1
Count: 101 emails relayed
Blocked: No
Sample of the first 10 emails:
2016-04-06 20:15:02 1ankUI-002wUV-5V <= error@domain.org.au H=(domain.org.au) [::1]:56311 P=esmtp S=30471 id=3b4bbf974b9f5bcbb76b22f6d1f59a4d@domain.org.au T="AUSTRALIAN NEWS 6th April 2016" for emailaddress@osbcured.com
PS not mailman in my case - I think they're using phplist, or something custom built
Re: Local Host Relay
Posted: 06 Apr 2016, 14:45
by khimaira
Well, now it seems to even be mixing domains and senders, both private emails and mailman lists, as one account ::1. OOOPS! TOO MANY URLs for post. I'll have to delete a few lines.
Time: Wed Apr 6 08:56:38 2016 -0400
Type: LOCALHOSTRELAY, Local Account - ::1
Count: 113 emails relayed
Blocked: No
Sample of the first 10 emails:
2016-04-06 08:26:04 [15098] 1anmX6-0003vW-H4 <= swcdprogramadministrators-bounces@ofswcd.org H=(host2.greenxxxxhost.com) [::1]:47183 I=[::1]:25 P=esmtp S=120217 M8S=0 id=000201d18ff7$080e8b40$182ba1c0$@ofswcd.org T="[Swcdprogramadministrators] HELP Needed" from <swcdprogramadministrators-bounces@ofswcd.org> for xxxxxxxxxxxxxxxxxxx
2016-04-06 08:26:35 [15358] 1anmXb-0003zi-Cv <= <> H=(host2.greenxxxxxhost.com) [::1]:47259 I=[::1]:25 P=esmtpa A=dovecot_login:betty.xxxxxxxxxxx@vaswcd.org S=2018 M8S=0 id=c11050770a7d42df03ff3c3e0592c2d7@vaswcd.org T="Return Receipt (read): FW: Powhatan Earth Day Celebration - April 20,\n 2016" from <> for xxxxxxxxxxxxxxxxxxxxxx
2016-04-06 08:33:04 [17968] 1anmds-0004fo-GL <= alyxxxxx@merrimackccd.org H=(host2.greenxxxxhost.com) [::1]:47550 I=[::1]:25 P=esmtpa A=dovecot_login:alyssa@merrimackccd.org S=1487 M8S=0 id=c215de3146f33d16d7c0191e033aab00@merrimackccd.org T="Re: Insider Article" from <alyxxxxx@merrimackccd.org> for xxxxxxxxxxxxxxx
Re: Local Host Relay
Posted: 06 Apr 2016, 20:29
by khimaira
Unless cpanel changed the logging in their last upgrade, it would seem to be a simple parsing error as the ::1 is clearly in each log entry.
Re: Local Host Relay
Posted: 06 Apr 2016, 21:20
by ForumAdmin
Those log lines show that lfd is now correctly logging LOCALHOST emails for emails being relayed through the IPv6 localhost address ::1 (as stated in v8.17 change log) which is the IPv4 equivalent of 127.0.0.1. If you do not want those emails to be reported, you would have to disable LOCALHOSTRELAY.
Re: Local Host Relay
Posted: 06 Apr 2016, 21:25
by ForumAdmin
The only change might be the prioritisation of AUTHRELAY over LOCALRELAY for those with A=dovecot_login over those that are relayed locally which we will consider.
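The classification discussed in the two replies above, as an added example that is not part of the thread and is not lfd's code: it tallies Exim arrival lines from either loopback address and files any line carrying `A=` under the authenticated user instead of the bare `::1`. The bucket names, function names and log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines modelled on the Exim mainlog format quoted in the thread.
SAMPLE_LOG = """\
2016-04-06 08:26:04 [15098] 1anmX6-0003vW-H4 <= list-bounces@example.org H=(host.example.net) [::1]:47183 I=[::1]:25 P=esmtp S=120217 id=a1@example.org T="List post" for a@example.com
2016-04-06 08:26:35 [15358] 1anmXb-0003zi-Cv <= <> H=(host.example.net) [::1]:47259 I=[::1]:25 P=esmtpa A=dovecot_login:betty@example.org S=2018 id=a2@example.org T="Return Receipt" for b@example.com
2016-04-06 08:33:04 [17968] 1anmds-0004fo-GL <= aly@example.org H=(host.example.net) [127.0.0.1]:47550 I=[127.0.0.1]:25 P=esmtpa A=dovecot_login:aly@example.org S=1487 id=a3@example.org T="Re: Article" for c@example.com
2016-04-06 08:40:00 [18001] 1anmf0-0004g0-AA <= news@example.org H=(example.org) [::1]:56311 P=esmtp S=30471 id=a4@example.org T="News" for d@example.com
2016-04-06 08:41:00 [18002] 1anmf1-0004g1-BB <= remote@example.com H=mail.example.com [203.0.113.7]:40000 P=esmtps S=900 id=a5@example.com for e@example.org
"""

# Arrival marker, envelope sender, then the first bracketed peer address with its port.
ARRIVAL = re.compile(r" <= (?P<sender>\S+) .*?\[(?P<ip>[0-9A-Fa-f:.]+)\]:\d+ ")
# Authenticator and login, e.g. A=dovecot_login:user@example.org
AUTH = re.compile(r" A=(?P<auth>\w+):\s*(?P<user>\S+)")

def classify(line):
    """Return (bucket, key) for a message that arrived over loopback, else None."""
    m = ARRIVAL.search(line)
    if not m:
        return None
    try:
        if not ip_address(m["ip"]).is_loopback:   # covers 127.0.0.0/8 and ::1
            return None
    except ValueError:
        return None
    # Look for A= only ahead of T="...": the subject is sender-controlled text.
    auth = AUTH.search(line.split(' T="', 1)[0])
    if auth:
        return ("authrelay", auth["user"])        # hypothetical bucket name
    return ("localhostrelay", m["ip"])            # hypothetical bucket name

def tally(log_text):
    """Count loopback arrivals per (bucket, key)."""
    counts = Counter()
    for line in log_text.splitlines():
        key = classify(line)
        if key:
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for (bucket, key), n in tally(SAMPLE_LOG).items():
        print(f"{bucket:15} {key:25} {n}")
```
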
Re: Local Host Relay
Posted: 06 Apr 2016, 22:06
by khimaira
I'm not sure I understand all of what you're saying, but thank you for looking at it.