SMTP Restrictions (WHM) versus SMTP_BLOCK (CSF)

Your new/first Tips, tricks and tutorial forum.
Post Reply
User avatar
admin
Site Admin
Posts: 31
Joined: March 7th, 2022, 1:09 am

SMTP Restrictions (WHM) versus SMTP_BLOCK (CSF)

Post by admin »

Regarding CSF Firewall setting...
and with my experience...

If your core business is related to bulk email marketing...
and got email delivery problems...
which is... emails not delivered and frozen.
while your mail server is in good standing?

Check your mail server status report here:
Mx Tool Box:
http://mxtoolbox.com/SuperTool.aspx?act ... n=toolpage

Virus Total Scanner:
https://vms.drweb.com/online/?lng=en

Anti Abuse multi-rbl checker:
http://www.anti-abuse.org

and If you've found:
The outbound email issue is happening because SMTP Restrictions are enabled, while CSF is also in use.
CSF has its own version of SMTP Restrictions called "SMTP Block", and we recommend using this in place of SMTP restrictions when CSF is installed

https://support.cpanel.net/hc/en-us/art ... 24mYNdY3DA

If CSF is installed on the server, it is strongly recommended to use its SMTP_BLOCK feature instead of the SMTP Restrictions option within WHM. CSF can remove rules that are not explicitly defined in its own configuration files. As such, rules added via the SMTP Restrictions could be lost when CSF restarts or reloads the rules. In some cases, this could cause problems with all outbound mail.

The SMTP Restrictions feature is controlled through Web Host Manager. When this feature is enabled, only the root user, Mail Agent, and Mailman services are allowed to make outgoing connections over ports 25, 465, and 587. If any other user attempts the connection, it is looped back to the server.

You need to disabled SMTP Restrictions on your server via WHM SMTP Restrictions.

If you've got problem with the SMTP_BLOCK feature, you may want to run the built-in CSF test script to confirm that any necessary modules are installed.
This can be called within your ssh access with the following CLI command:

Code: Select all

Your_root_access@your_device: ~$ /etc/csf/csftest.pl
Or using GUI
Within your cPanel:

WHM>> Plugin>> ConfigServer Security & Firewall >> All >> Check Server Security
(Perform a basic security, stability and settings check on the server)

Regarding Spammer, Abuser and Phishing, Spoofing attacker, still coming... even thought:

WHM >> Home >> Service Configuration >> Exim Configuration Manager >> Basic Editor option Tab >> the Apache SpamAssassin™ Options tab

has been configured correctly?

You may need to add those annoying zombie IP's to your:
Blacklisted SMTP IP addresses, The IP addresses blocked with this option are stored in the following file:
(Works on Dovecot, Sendmail, Exim, Postfix, Qmail, Horde)

Code: Select all

/etc/spammeripblocks
How to find those Activity?
I'm using exim and LogView - File System Log Viewer Plugins and choose exim_mainlog :

Code: Select all

/var/log/exim_mainlog
(Please use another MTA (Mail transport agent) configuration if your server not using EXIM MTA)

(Click this url to download: http://www.log-view.com)

Code: Select all

###############################################################################
# Copyright 2006, LogView
# URL: http://www.log-view.com
# Email: info@log-view.com
###############################################################################


#LogView - File System Log Viewer
################################

#This is an exclusive add-on product for cPanel servers running on Linux.

#This script provides a graphical interface for cpanel severs, extending WHM features 
#which previously needed to be performed using command line instructions. LogView makes 
#it simpler with fewer tasks to view system logs.

#LogView allows you to easily view logs, and view the content of the logs. 
#Since LogView uses a graphical interface it eliminates the need to login using any 
#SSH2 programs or any confusing commands.

2022-09-14 15:38:29 SMTP connection from [169.239.45.61]:56981 (TCP/IP connection count = 2)
2022-09-14 15:38:31 no host name found for IP address 169.239.45.61
2022-09-14 15:38:39 dovecot_login authenticator failed for ([169.239.45.61]) [169.239.45.61]:56981: 535 Incorrect authentication data (set_id=bounce@theairmails.com)
2022-09-14 15:38:40 SMTP connection from srv8.jsalfianmarketing.com [104.37.168.247]:39146 lost D=1m
2022-09-14 15:38:41 SMTP connection from ([169.239.45.61]) [169.239.45.61]:56981 lost D=11s
2022-09-14 15:38:43 SMTP connection from [78.38.152.39]:57577 (TCP/IP connection count = 1)
2022-09-14 15:38:46 no host name found for IP address 78.38.152.39
2022-09-14 15:38:48 SMTP connection from [69.70.243.90]:39575 (TCP/IP connection count = 2)
2022-09-14 15:38:53 dovecot_login authenticator failed for ([78.38.152.39]) [78.38.152.39]:57577: 535 Incorrect authentication data (set_id=bounce)
2022-09-14 15:38:54 dovecot_login authenticator failed for modemcable090.243-70-69.static.videotron.ca [69.70.243.90]:39575: 535 Incorrect authentication data (set_id=abuse@247-ads.com)
2022-09-14 15:38:54 SMTP connection from modemcable090.243-70-69.static.videotron.ca [69.70.243.90]:39575 lost D=6s
2022-09-14 15:38:55 SMTP connection from ([78.38.152.39]) [78.38.152.39]:57577 lost D=11s
2022-09-14 15:38:55 SMTP connection from [60.8.213.170]:59525 (TCP/IP connection count = 1)
2022-09-14 15:38:57 H=[60.8.213.170]:59525 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no rejected connection in "connect" ACL: Country is banned
2022-09-14 15:38:57 SMTP connection from [60.8.213.170]:59525 closed by DROP in ACL
2022-09-14 15:41:53 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
2022-09-14 15:43:14 SMTP connection from [127.0.0.1]:36264 (TCP/IP connection count = 1)
2022-09-14 15:43:16 SMTP connection from [127.0.0.1]:36264 closed by QUIT
2022-09-14 15:43:16 SMTP connection from [127.0.0.1]:33920 (TCP/IP connection count = 1)
2022-09-14 15:43:17 SMTP connection from (localhost) [127.0.0.1]:33920 closed by QUIT
2022-09-14 15:44:54 SMTP connection from [66.115.128.98]:48690 (TCP/IP connection count = 1)
2022-09-14 15:44:54 no host name found for IP address 66.115.128.98
2022-09-14 15:44:54 SMTP connection from (USER) [66.115.128.98]:48690 lost D=0s
2022-09-14 15:46:53 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
Then add those IP's to your:
(DO NOT ADD YOUR SMTP Local host SpamD(aemon) IP: 127.0.0.1 Or YOUR OWN SERVER IP EVER)

Home >> Service Configuration >> Exim Configuration Manager >> Basic Editor Tab >> Access Lists: Blacklisted SMTP IP addresses and choose the edit button.

Don't forget to check LogView - File System Log Viewer Plugins and choose exim_mainlog, pay attention for every details of -- closed by DROP in ACL (Access Control Lists), meaning those IP has been already added -- just add newest IP's to blocked everyday to:
(FYI: cPanel & WHM ships with a default list of Access Control Lists (ACLs). Plugin developers and server administrators can also add ACL entries.)

Check first with this tool:
https://www.abuseipdb.com/check/

Then add those IP's to:

Code: Select all

/etc/spammeripblocks
Post Reply