CSF blocking an IP because of Exim syntax errors

[niceguy167]

Sorry to re-open an old thread but it's related, I added several IPS to the csf.ignore file and this seems to not work as these ips still get blocked by these exim syntax errors. Is there another file I need the IPS in so they are not blocked by CSF?
Thanks
Currently on up to date version V14.19

[alexf]

You need to provide a snippet of the log showing where the EXIM syntax error / blocking is occurring.

I suspect that the client connection is NOT being blocked, but is failing due to EXIM syntax errors. Without logs there is no helping you.

If the issue is truly EXIM syntax error, then your client making the connection is not configured correctly for your servers EXIM settings. This IS NOT a CSF issue, if that is the case.

[niceguy167]

I was searching in all logs for the IP address of this issue to see if I can identify where it was located at and also what config file it was blocked in I thought it would be in csf.deny but it was not in there It was however listed in WHM under the Firewall when searching for the IP. I am guessing this is a bad device that is actually sending Exim errors (DVR) Any specific files I can check as I did do a search in /var/logs when looking but no luck. I will keep digging. Thanks again

[alexf]

Your mention of WHM tells me that you have cPanel on your server. Need to know to steer you further. You did not elaborate on who or what the blocked IP's are to your host with CSF but I am guessing that the following will get you on the right road.

From my experience with web/email clients; when they change a password or get a new device they often make a number of bad attempts to connect to services such as EXIM or Dovecot, etc., resulting in EXIM Errors. These will be seen by CSF and then cause the source IP to be blocked. Unblocking and Whitelisting are the first steps but getting the client password or SSL/TLS settings correct are both the initial cause and the answer.

From your original post, you mention trying to whitelist several IP's so that they will not be blocked. Please note that the csf.ignore file has a different use than the csf.allow file. If an IP is already blocked, then adding the IP to the csf.ignore file will have no affect. Adding an IP to the csf.allow file will whitelist it. Ignore says don't scan; Allow says whitelist me. Please reference the https://download.configserver.com/csf/readme.txt for more documentation and details.

Your CSF does indeed use 'iptables' command of your linux OS to accomplish the actual firewall function of either allowing or blocking an IP, IP range, IP-port, IP protocol (UDP, TCP, SNMP, ICMP, etc.). Depending on your host and your CSF configuration you may also be utilizing 'ipset' database to help 'iptables' handle large quantities of rule entries a bit faster.

You can query whether your specific IP's are 'blocked' from either the CSF web interface in WHM, etc. or from the command line via 'iptables' command with proper flags and parameters. From your WHM, Open ConfigServer Security & Firewall. Scroll down to csf - ConfigServer Firewall section; enter the IP to search in the box next to "Search for IP", then click on "Search for IP". If that IP is blocked you will see something like
https://redhedoil-my.sharepoint.com/:i: ... w?e=I9ndq1
Note that there is a GREEN button at the bottom that will execute the Unblock of the listed IP; otherwise you can unblock from the CSF GUI via Quick Unblock.

I suggest the following steps:
1. Verify that the IP is Blocked (see above steps).
2. Unblock the blocked IP in question.
3. Add the IP to the csf.allow file.
4. Then troubleshoot the EXIM errors that were causing the issue.
Your Exim errors log will be this file: /var/log/exim_rejectlog (it could be different depending on your host OS; mine is CentOS 7.9).

I hope that the above helps you on your journey.