CSF Blocking SMTP mail when it's not configured to do so

24 posts Page 2 of 3
NETLINK
Junior Member
Posts: 12
Joined: 20 Dec 2012, 18:39


67.xxx.xxx.11 is the server itself, the localhost, running CSF and the PHP app.
188.xxx.xxx.202 is the remote SMTP server.
I have access to both servers and I was monitoring the incoming packets on the SMTP server while I tried to get my PHP application to send mail from 67.xxx.xxx.11. There was nothing. So, it seems like the connection is getting blocked on the localhost, not on the remote server.

188.xxx.xxx.202 is whitelisted in CSF and even in LFD (ip.ignore). But I've also whitelisted the server's own IP (67.xxx.xxx.11), just to be sure.

The SMTP credentials are 100% correct, as they work right after restarting CSF. Also, there are no failure entries in the logs on the remote server.
Sergio
Junior Member
Posts: 1362
Joined: 12 Dec 2006, 14:56


When there are no failure logs in CSF, it is because EXIM is the one that checks emails before anything else.
Have you tried to whitelist the IP in EXIM?
NETLINK
Junior Member
Posts: 12
Joined: 20 Dec 2012, 18:39


01 Dec 2018, 16:05 Sergio wrote:
> When there are no failure logs in CSF, it is because EXIM is the one that checks emails before anything else.
> Have you tried to whitelist the IP in EXIM?
I have, although I'm not 100% sure where I should whitelist it. I think where it's whitelisted currently is for incoming mail.
But the problem is, if I disable the CSF firewall, the issue doesn't occur. Yesterday, mail stopped working (through remote SMTP). I then restarted the firewall, and it started working again. Until today, when it stopped working again. But if I keep the firewall disabled, it continues to work indefinitely.
Sergio
Junior Member
Posts: 1362
Joined: 12 Dec 2006, 14:56


Ok, do this in CSF:
- Go to "Search System Logs".
- Select "/var/log/maillog"
- Search for the IP.

Please post some lines, but clear the IP and other sensitive info like email addresses.
wwnick
Junior Member
Posts: 5
Joined: 09 Dec 2018, 22:38


Hi Sergio,

This very same problem has been plaguing us for a couple of months... our billing system (running on a cPanel server) suddenly can't send emails. Once csf is restarted everything is fine.

I have the IP address for the server and the SMTP server in csf.allow and lfd Ignore files. There are no 'Firewall block' messages in the /var/log/messages file either.

I can't work it out at all, but it's a huge problem for us as it stops Invoices, Orders, Provisioning emails and Support Tickets from being sent out.
Sergio
Junior Member
Posts: 1362
Joined: 12 Dec 2006, 14:56


After reading that when CSF is restarted everything works again, try to do the following:
in your main CSF control panel add the IP that is being blocked in QUICK IGNORE, restart CSF and check if that does the trick.
NETLINK
Junior Member
Posts: 12
Joined: 20 Dec 2012, 18:39


03 Dec 2018, 03:13 Sergio wrote:
> Ok, do this in CSF:
> - Go to "Search System Logs".
> - Select "/var/log/maillog"
> - Search for the IP.
>
> Please post some lines, but clear the IP and other sensitive info like email addresses.
I did a grep, but I didn't see anything that seemed like it might be relevant.
10 Dec 2018, 19:29 Sergio wrote:
> After reading that when CSF is restarted everything works again, try to do the following:
> in your main CSF control panel add the IP that is being blocked in QUICK IGNORE, restart CSF and check if that does the trick.
You mean the remote IP, right? I have had that in /etc/csf/csf.ignore since the beginning.

Could this have something to do with IPv6 maybe?
wwnick
Junior Member
Posts: 5
Joined: 09 Dec 2018, 22:38


10 Dec 2018, 19:29 Sergio wrote:
> After reading that when CSF is restarted everything works again, try to do the following:
> in your main CSF control panel add the IP that is being blocked in QUICK IGNORE, restart CSF and check if that does the trick.
As NETLINK mentioned, I also have the remote SMTP server's IP address in csf.allow and csf.ignore. Actually, I had them there, and then I moved them to the global allow and ignore files (together with all of the other 15+ servers), which I can confirm are working:

IPSET: Set:chain_GALLOW Match:nn.nnn.nn.nn Setting:GLOBAL_ALLOW

Do you still want us to add to QUICK IGNORE?

My biggest concern is that I only picked this up because we periodically stopped receiving emails from our billing system, which we get all day, but what effect is this having on all our other servers where email may not be getting delivered from websites via SMTP? It seems to be a silent problem insofar as there are no error messages logged anywhere for this problem.
NETLINK
Junior Member
Posts: 12
Joined: 20 Dec 2012, 18:39


This happened again on 15/JAN and I've just noticed now because clients are not receiving mail. I haven't restarted the firewall yet and mails are still being blocked from going out. However, I am able to ping the remote SMTP server and I can even connect to it on port 465, which is the same port I'm using for outgoing mail. Please see below.
Code:
# ping [REMOTEHOST].com
PING [REMOTEHOST].com (xxx.xxx.99.202) 56(84) bytes of data.
64 bytes from [REMOTEHOST].com (xxx.xxx.99.202): icmp_seq=1 ttl=51 time=90.4 ms
64 bytes from [REMOTEHOST].com (xxx.xxx.99.202): icmp_seq=2 ttl=51 time=90.3 ms
64 bytes from [REMOTEHOST].com (xxx.xxx.99.202): icmp_seq=3 ttl=51 time=90.3 ms
64 bytes from [REMOTEHOST].com (xxx.xxx.99.202): icmp_seq=4 ttl=51 time=90.3 ms
64 bytes from [REMOTEHOST].com (xxx.xxx.99.202): icmp_seq=5 ttl=51 time=90.4 ms
64 bytes from [REMOTEHOST].com (xxx.xxx.99.202): icmp_seq=6 ttl=51 time=90.3 ms
64 bytes from [REMOTEHOST].com (xxx.xxx.99.202): icmp_seq=7 ttl=51 time=90.3 ms
64 bytes from [REMOTEHOST].com (xxx.xxx.99.202): icmp_seq=8 ttl=51 time=90.3 ms
64 bytes from [REMOTEHOST].com (xxx.xxx.99.202): icmp_seq=9 ttl=51 time=90.3 ms
64 bytes from [REMOTEHOST].com (xxx.xxx.99.202): icmp_seq=10 ttl=51 time=90.3 ms
64 bytes from [REMOTEHOST].com (xxx.xxx.99.202): icmp_seq=11 ttl=51 time=90.3 ms
64 bytes from [REMOTEHOST].com (xxx.xxx.99.202): icmp_seq=12 ttl=51 time=90.3 ms
64 bytes from [REMOTEHOST].com (xxx.xxx.99.202): icmp_seq=13 ttl=51 time=90.3 ms
^C
--- [REMOTEHOST].com ping statistics ---
13 packets transmitted, 13 received, 0% packet loss, time 12002ms
rtt min/avg/max/mdev = 90.343/90.375/90.434/0.334 ms



# openssl s_client -servername [REMOTEHOST].com -connect [REMOTEHOST].com:465
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = [REMOTEHOST].com
verify return:1
---
    Start Time: 1546982296
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 [REMOTEHOST].com ESMTP Postfix (Debian/GNU)
Sergio
Junior Member
Posts: 1362
Joined: 12 Dec 2006, 14:56


@Netlink
Just out of curiosity, how many emails per hour is your server configured to allow to send and/or receive in CSF from one IP?