Skip to main content

Emails from same domain goes to trash

bmezini
Hi, so I have this very wierd problem that I can't find a solution to. It started a while ago when a user (user1@domain.com) noticed that e-mails from another user (user2@domain.com) were going to trash. The wierd part is that this happens only between these two specific users when user2@domain.com sends an e-mail to user1@domain.com and NOT vice-versa. I tried placing email filters that would specifically deliver email from user2 to user1's inbox but it didnt change anything. Another thing to note is that when I manually move the e-mails to inbox, after a while they are moved automatically to trash. I'd appreciate some help as I don't have any idea anymore. Thanks in advance, Brian.

Comments

13 comments

Date Votes
  • cPanelLauren
    Does user1@domain.com use an email client such as mac mail or Outlook to check mail over IMAP?
    0
  • bmezini
    He does, namely mac mail, but this problem also happens in webmail.
    0
  • loyalcom
    check user1@domain.com email filter first. Then if he use imap in mac mail. check email rule
    0
  • bmezini
    There are no filters in cPanel, but there might be in the mail client and I will check. What doesn't make sense to me is: Why would filters in a mail client affect the email in the server? I mean, shouldn't they only affect the copy of the mail that arrives in the client?
    0
  • cPanelLauren
    My point in asking if they use a mail client is that while the mail client is connected and (whether or not he's currently using it), if the mail client is connected with IMAP it is entirely possible there is a rule or filter on the MAC Mail client that moves the mail there - this will subsequently show the mail also being moved in WebMail. One of the quickest ways to test this (without looking at the logs) is to simply change the password of the account without updating ANY mail clients. This allows WebMail access only and if when doing this the mail isn't moved to the trash you know now for sure it's the mail client that's the source of the issue.
    0
  • bmezini
    I understand, and I gave it a try. First i did what you mentioned and the e-mail did, in fact, go to inbox... only to be sent to trash once again before updating the password in the mail client. So i created a new rule in the client to send emails from user2 to inbox. And it worked, the emails were going to inbox... until they were pushed back to trash a few minutes later for no apparent reason.
    0
  • cPanelLauren
    Hi @bmezini You could check /var/log/maillog for the mail to identify what is happening. Here are some examples: If you move a message from the inbox to trash from webmail, you will see the following in /var/log/maillog
    Sep 4 09:48:37 server dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=3820, TLS, session= Sep 4 09:48:37 server dovecot: imap(user@domain.tld)<3820>: copy from INBOX: box=INBOX.Trash, uid=9, msgid=<1567607820.FEinqzAkYmo4JmUE@server.domain.tld>, size=49270, subject=[server.domain.tld] TEST MESSAGE, flags=(\Seen) Sep 4 09:48:37 server dovecot: imap(user@domain.tld)<3820>: expunge: box=INBOX, uid=61115, msgid=<1567607820.FEinqzAkYmo4JmUE@server.domain.tld>, size=49270, subject=[server.domain.tld] TEST MESSAGE, flags=(\Seen) Sep 4 09:48:37 server dovecot: imap(user@domain.tld)<3820>: Logged out in=108, out=1137, bytes=108/1137
    Note that the IP listed in this example is 127.0.0.1 If you move a message from inbox to trash from the mail client (using Apple Mail), you will see the following in /var/log/maillog
    Sep 4 09:55:29 server dovecot: imap-login: Login: user=, method=PLAIN, rip=184.94.XXX.XX, lip=104.145.XXX.XX, mpid=5947, TLS, session=<44VmZbuRjO24XsUC> Sep 4 09:55:37 server dovecot: imap(user@domain.tld)<5946>: copy from INBOX: box=INBOX.Trash, uid=11, msgid=<1567608425.gdXBiOiY9QRPl5tI@server.domain.tlds>, size=49258, subject=[server.domain.tld] TEST MESSAGE, flags=(\Seen) Sep 4 09:55:37 server dovecot: imap(user@domain.tld)<5947><44VmZbuRjO24XsUC>: flag_change: box=INBOX.Trash, uid=11, msgid=<1567608425.gdXBiOiY9QRPl5tI@server.domain.tlds>, size=49258, subject=[server.domain.tld] TEST MESSAGE, flags=(\Seen \Recent $NotJunk) Sep 4 09:55:37 server dovecot: imap(user@domain.tld)<5946>: delete: box=INBOX, uid=61117, msgid=<1567608425.gdXBiOiY9QRPl5tI@server.domain.tlds>, size=49258, subject=[server.domain.tld] TEST MESSAGE, flags=(\Deleted \Seen)
    It will also be useful to search the exim mainlog for the message, in the event there is a filter that is responsible this will be shown in the exim log. For example: [root@server ~]# exigrep 1i5WYw-0000oO-K0 /var/log/exim_mainlog 2019-09-04 09:47:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1i5WYw-0000oO-K0 2019-09-04 09:47:11 1i5WYw-0000oO-K0 H=mail-wr1-f41.google.com [209.85.221.41]:42153 Warning: "SpamAssassin as MYUSER detected message as spam (4.3)" 2019-09-04 09:47:11 1i5WYw-0000oO-K0 H=mail-wr1-f41.google.com [209.85.221.41]:42153 Warning: Message has been scanned: no virus or other harmful content was found 2019-09-04 09:47:11 1i5WYw-0000oO-K0 <= mygmailuser@gmail.com H=mail-wr1-f41.google.com [209.85.221.41]:42153 P=esmtps X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=4286 id=CAF7rb1Lb2j3oOG4xU-XVEvF8Gtngowet7zVWOezRn5CmZMjCGA@mail.gmail.com T="test" for user@domain.tld 2019-09-04 09:47:11 1i5WYw-0000oO-K0 => user+spam R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 yHkIFW/Ob13RDAAA9Z/phw Saved" 2019-09-04 09:47:11 1i5WYw-0000oO-K0 Completed
    0
  • bmezini
    These are the logs from /var/log/exim_mainlog for a test message that was later sent to trash [CODE=bash]2019-09-04 11:23:15 1i5RVT-0003fN-47 H=(some.domain.com) [::1]:40722 Warning: Message has been scanned: no virus or other harmful content was found 2019-09-04 11:23:15 1i5RVT-0003fN-47 <= user2@domain.com H=(some.domain.com) [::1]:40722 P=esmtpa A=dovecot_login:user2@domain.com S=618 id=dd3a2e0e94c495ec4ff9250358a1b9db@domain.com T="Test" for user1@domain.com 2019-09-04 11:23:15 1i5RVT-0003fN-47 => /home/domain787/mail/domain.com/user1/ R=virtual_user_filter T=address_directory 2019-09-04 11:23:15 1i5RVT-0003fN-47 Completed
    These are the logs from /var/log/maillog for the same message Sep 4 11:23:15 host dovecot: lda(user1@domain.com)<14105>: msgid=: saved mail to INBOX
    0
  • cPanelLauren
    That output indicates there's a filter in place: 2019-09-04 11:23:15 1i5RVT-0003fN-47 => /home/domain787/mail/domain.com/user1/ R=virtual_user_filter T=address_directory
    Specifically: R=virtual_user_filter
    If you go to cPanel>>Email>>Email Filters -> Manage Filters next to the email account - what is listed there?
    0
  • bmezini
    That's the filter that i mentioned earlier in this post to deliver the mail to inbox. Below are the filtering rules.
    0
  • cPanelLauren
    That makes sense. Can we see a mail transaction without that? Based on that and the fact that it's delivered to the INBOX per the maillog I'm leaning more and more toward there having to be an external factor in place here. When you changed the password for the account (before updating it in any mail client) did you restart dovecot to force the sessions to be re-established before you tested sending mail to the account?
    0
  • bmezini
    ... When you changed the password for the account (before updating it in any mail client) did you restart dovecot to force the sessions to be re-established before you tested sending mail to the account?

    Actually I did not think of that, I went straight to test the delivery. I'll get back to you the first chance I get to test your suggestion. Thank you for the support btw, appreciated.
    0
  • cPanelLauren
    Actually I did not think of that, I went straight to test the delivery. I'll get back to you the first chance I get to test your suggestion.

    Great! Just trying to rule out a stale connection there. Will await your findings.
    Thank you for the support btw, appreciated.

    Happy to help!
    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post