
SMTP Restrictions breaks email

Comments

8 comments

  • cPanelLauren
    I think there may be some confusion here as to what the purpose of SMTP restrictions in WHM >> Security Center >> SMTP Restrictions is.
    [QUOTE=https://docs.cpanel.net/whm/security-center/smtp-restrictions/]This interface allows you to configure your server so that only the mail transport agent (MTA), Mailman mailing list software, and the root user can connect to remote SMTP servers. This will deny other users and services the ability to bypass your mail server to directly send mail, which is common practice for spammers.[/QUOTE]
    This controls which users are able to connect to remote SMTP servers, by restricting this to the root, mailman and MTA users. This means that with SMTP restrictions on, with or without authentication, a user that is not root, mailman or the MTA will not be able to connect to a remote server to send mail. When you attempt to connect directly using telnet or openssl s_client in this manner to a remote mailserver, with SMTP restrictions enabled you will indeed be blocked. This setting does not manage your users sending authenticated emails from the server via a secured or unsecured channel. By default, all users need to authenticate to send mail. The only exception to this is when you enable the following (which is disabled by default):
    [QUOTE]Allow users to relay mail if they use an IP address through which someone has validated an IMAP or POP3 login within the last hour (Pop-before-SMTP) Provides the IMAP/POP before SMTP authentication method. You must enable RecentAuthedMailIpTracker in the Service Manager for this functionality to work. However, we recommend that you do not enable this option, and you should instead use SMTP authentication on modern systems.[/QUOTE]
    0
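
Added example (not part of the thread and not cPanel code): a small probe that separates the two layers discussed above, whether a given user can open an SMTP session to another server at all, and what happens afterwards at authentication. The function names and the local stub listener are assumptions made for illustration; the stub stands in for a remote mail server so the script runs offline.

```python
import os
import socket
import threading

def probe_smtp(host, port=25, timeout=5.0):
    """Open a plain TCP session to an SMTP port and report how far it got."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, filtered, unreachable or timed out
        return ("connect-failed", f"{type(exc).__name__}: {exc}")
    with sock:
        try:
            banner = sock.recv(512).decode("ascii", "replace").strip()
        except OSError as exc:
            return ("no-greeting", f"{type(exc).__name__}: {exc}")
    if not banner:
        return ("no-greeting", "peer closed before sending a greeting")
    return ("greeted" if banner.startswith("220") else "rejected", banner)

def diagnose(host, port=25, timeout=5.0):
    """Label the result with the connecting uid, since the restriction is per user."""
    stage, detail = probe_smtp(host, port, timeout)
    verdicts = {
        "connect-failed": "no TCP session, so SMTP authentication was never reached",
        "no-greeting": "TCP opened but no SMTP greeting arrived",
        "rejected": "a server answered but refused service before authentication",
        "greeted": "this uid can open SMTP sessions; authentication comes after this",
    }
    return {"uid": os.geteuid(), "stage": stage, "detail": detail,
            "verdict": verdicts[stage]}

def constructed_stub(greeting=b"220 stub.example.test ESMTP\r\n"):
    """Constructed one-shot local listener standing in for a remote mail server."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    # Offline demo against the constructed stub; call diagnose() on a real
    # remote host as root and as an ordinary user to compare the two results.
    print(diagnose("127.0.0.1", constructed_stub()))
```

The greeting in `detail` names the server that actually answered, which is worth reading when the result differs between users.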
  • maverickws
    Hi there, sorry for the late reply.
    [QUOTE]Allow users to relay mail if they use an IP address through which someone has validated an IMAP or POP3 login within the last hour (Pop-before-SMTP) Provides the IMAP/POP before SMTP authentication method. You must enable RecentAuthedMailIpTracker in the Service Manager for this functionality to work. However, we recommend that you do not enable this option, and you should instead use SMTP authentication on modern systems.[/QUOTE]

    So if on the same ip/user there's an app checking for email to that given server, connection will be allowed? With SMTP Restrictions enabled?
    0
  • cPanelLauren
    SMTP restrictions aren't related to this at all, completely different thing.
    0
  • maverickws
    [QUOTE]SMTP restrictions aren't related to this at all, completely different thing.[/QUOTE]

    If your proposed solution and SMTP Restrictions are completely different things, how will your suggested approach help me, given that it is disabling SMTP Restrictions that solves the issue?
    0
  • cPanelLauren
    I'm trying to understand what is still not being understood here.
    • SMTP restrictions control who is able to connect to remote servers to send mail.
    • I did not propose any solution to you, I simply explained what the service does as it is clear there is a misunderstanding.
    • You note in your initial response that your servers require authentication, all cPanel servers by default require authentication, the exception being if you use the setting I mentioned.
    • SMTP restrictions will keep ANYONE who is not the MTA, ROOT, or MAILMAN from being able to connect to remote servers. If you need your users to be able to connect to remote servers then don't use SMTP restrictions but do not get it confused with authentication as ALL users must authenticate to send mail.
    0
  • maverickws
    [QUOTE]I'm trying to understand what is still not being understood here.
    • SMTP restrictions control who is able to connect to remote servers to send mail.
    • I did not propose any solution to you, I simply explained what the service does as it is clear there is a misunderstanding.
    • You note in your initial response that your servers require authentication, all cPanel servers by default require authentication, the exception being if you use the setting I mentioned.
    • SMTP restrictions will keep ANYONE who is not the MTA, ROOT, or MAILMAN from being able to connect to remote servers. If you need your users to be able to connect to remote servers then don't use SMTP restrictions but do not get it confused with authentication as ALL users must authenticate to send mail.[/QUOTE]

    Do you know if there is a feature request to add users to an allow list for this? So it would be possible for select users to connect to remote servers having smtp restrictions enabled? Thank you.
    0
  • cPanelLauren
    Looks like this one is relevant:
    0
  • maverickws
    [QUOTE]Looks like this one is relevant:[/QUOTE]
    0
