Exim on cPanel defers instead of bouncing for domains with no valid DNS records

Comments

13 comments

  • mtindor

    How about giving an example of a domain that CiviCRM is sending to but is failing with the 451-temporary. You know, so that we can actually check for ourselves and see what DNS records are missing and more fully understand why it's generating a 4xx deferral.

    0
  • cirint

    Hi,

    No email example was provided because I've ruled out a DNS issue. A standard dig query returns no NS/A/MX records for the domain – yielding SERVFAIL/REFUSED responses.

    The real problem is how Exim in cPanel handles these failures. For instance, when an email is sent to an invalid address, CiviCRM logs an error like:

    SMTP: Invalid response code … (code: 451, response: Temporary local problem – please try later)

     

    By contrast, our Postfix servers generate a hard bounce (“Host or domain name not found”), which matches a predefined bounce pattern in CiviCRM.

    In discussions with various sysadmins and CiviCRM developers, it appears that the “Temporary local problem” reply from Exim is exactly what needs addressing.

    For clarity, here are some obfuscated logs:

    DNS Lookup:

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40669
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ; EDE: 23 (Network Error): ([217.160.81.23] rcode=REFUSED for obfuscated-domain.tld/ns)
    ; EDE: 23 (Network Error): ([217.160.83.23] rcode=REFUSED for obfuscated-domain.tld/ns)
    ; EDE: 23 (Network Error): ([217.160.82.23] rcode=REFUSED for obfuscated-domain.tld/ns)
    ; EDE: 23 (Network Error): ([217.160.80.23] rcode=REFUSED for obfuscated-domain.tld/ns)
    ; EDE: 22 (No Reachable Authority): (At delegation obfuscated-domain.tld for obfuscated-domain.tld/ns)

    CiviCRM log:



    2025-02-20 13:30:05+0000  [info] SMTP Socket Error or failed to set sender error. Message: Failed to add recipient: person@invalidhost.co.uk [SMTP: Invalid response code received from SMTP server while sending email. (code: 451, response: Temporary local problem – please try later)], Code: 10005

     

    This behaviour has been observed across multiple cPanel servers (Exim 4.96.2 and 4.98 on Ubuntu 20.04 and AlmaLinux 8.10 with cPanel versions 118.0 and 124.0).

    I’d appreciate advice on configuring Exim so that it doesn’t defer these messages but instead triggers an immediate, permanent bounce.

    0
  • cPRex Jurassic Moderator

    mtindor - we also shouldn't be sharing public info, such as domains or IP addresses, on the Forums.

    cirint - what does the Exim log show on the machine when one of the emails hits the cPanel server?

    0
  • cirint

    cPRex

    Thanks for your response. 

    It will be like:

    2025-02-24 09:30:06 H=(site.co.uk) [127.0.0.1]:54854 F=<bounce@domain.co.uk> temporarily rejected RCPT <person@baddomain.org>: host lookup did not complete

    In reality it's a unique bounce ID, so taking that one example, so far it's been every 15 minutes in the log and 115 times just in the current exim_mainlog.


    0
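An added example (not part of the original posts, and not cPanel or CiviCRM code): a small Python scan that tallies the recipient domains Exim keeps deferring with `host lookup did not complete`, using the mainlog line format quoted above, so the affected contacts can be identified from the sending server. The function name, the `min_hits` threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the mainlog line quoted above: a RCPT deferred because the DNS lookup failed.
DEFER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*"
    r"temporarily rejected RCPT <(?P<rcpt>[^<>@\s]+@(?P<domain>[^<>\s]+))>: "
    r"host lookup did not complete\s*$"
)

def deferred_domains(lines, min_hits=3):
    """Return {domain: stats} for recipient domains deferred at least min_hits times."""
    stats = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "rcpts": set()})
    for line in lines:
        m = DEFER_RE.match(line)
        if not m:
            continue  # deliveries, queue runs and other rejections are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        s = stats[m["domain"].lower()]
        s["hits"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["rcpts"].add(m["rcpt"].lower())
    # A single deferral can be a transient resolver problem; repeated ones are candidates.
    return {d: s for d, s in stats.items() if s["hits"] >= min_hits}

# Constructed sample lines in the format shown in the post (not real log data).
SAMPLE_LOG = """\
2025-02-24 09:00:06 H=(site.co.uk) [127.0.0.1]:54801 F=<bounce@domain.co.uk> temporarily rejected RCPT <person@baddomain.org>: host lookup did not complete
2025-02-24 09:15:06 H=(site.co.uk) [127.0.0.1]:54830 F=<bounce@domain.co.uk> temporarily rejected RCPT <person@baddomain.org>: host lookup did not complete
2025-02-24 09:20:00 Start queue run: pid=1234
2025-02-24 09:21:40 H=(site.co.uk) [127.0.0.1]:54841 F=<bounce@domain.co.uk> temporarily rejected RCPT <other@flaky.example>: host lookup did not complete
2025-02-24 09:30:06 H=(site.co.uk) [127.0.0.1]:54854 F=<bounce@domain.co.uk> temporarily rejected RCPT <Person@BadDomain.org>: host lookup did not complete
""".splitlines()

if __name__ == "__main__":
    for domain, s in sorted(deferred_domains(SAMPLE_LOG).items()):
        span = s["last"] - s["first"]
        print(f"{domain}: {s['hits']} deferrals over {span}, recipients: {sorted(s['rcpts'])}")
```

Feeding it the lines of the real `exim_mainlog` instead of `SAMPLE_LOG` gives a per-domain list that can be compared against the contact database.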
  • cPRex Jurassic Moderator

    Thanks for the additional details.  From your server, are you able to run this command and get a result?

    dig mx baddomain.org

    or even just

    dig baddomain.org

     

    0
  • cirint

    Hi

    No results are returned, same expected result digging it via the server as doing it locally. Initially the closest thing I could find to this was https://support.cpanel.net/hc/en-us/community/posts/19153934138135-Exim-Stuck-if-email-is-to-domain-without-MX-record, but it looks like they applied retry rules and possibly solved it, whereas currently we are using default config.

    0
  • cPRex Jurassic Moderator

    If no results are returned either from your local workstation or the server, it seems like there is a configuration issue with the domain sending the email, so that would be outside of your control (unless you also happen to control that domain as well).

    mtindor - I did see your reply here, which I obviously didn't approve.  While it may sound like "gatekeeping" we do need to comply with laws like GDPR and other things that deal with personally identifiable information.  It does make it difficult, and sometimes impossible, to help users with specific issues especially if DNS is involved, but that just means the Forum isn't the right place for that assistance.  The same rules apply to our Reddit and Discord as well.

    0
  • cirint

    Hi 

    Maybe I didn't explain this well, but the issue is the attempt itself to keep sending to them. I don't have control over the bad domains working their way into a contact list (they are the kind of domains that someone set up once in their name thinking it was a great idea but then didn't maintain DNS around it; they are not obvious spam addresses and probably valid once upon a time) - I have full control over the servers trying to send. So it's Exim trying to send it that I was hoping to configure to stop trying to re-send.

    0
  • cPRex Jurassic Moderator

    So the issue is Exim attempting to send the reply to the potentially malicious messages and THEN you get the bounce in the legitimate email account?

    This is called "backscatter" and the best thing you can do to stop that would be to make sure Greylisting is enabled on the machine:

    https://docs.cpanel.net/cpanel/email/configure-greylisting/

    0
  • cirint
    Hi

    I appreciate your input. I only want Exim on my cPanel servers to stop re-sending to domains without valid DNS. My cPanel servers are only sending mail so I have no concerns about incoming mail. I want it to treat these addresses as permanently undeliverable rather than deferring.
    0
  • cPRex Jurassic Moderator

    While I'm a firm believer of "anything is possible" I don't believe you're going to be able to have that fine of control with the options available in Exim.

    Are the messages that are being deferred causing an issue?  Eventually the messages will just fail as the mailserver retries and they age out of the retry queue.

    0
  • cirint
    Thanks.

    I think I might be on my own with this one.

    It is an issue. The mailings generating these messages get stuck in a re-attempting state (via CiviCRM) because the 451 response is unexpected. The system users don’t know which domains are invalid, as they usually rely on CiviCRM to interpret the mail server’s response. This forces manual intervention: users need to realise certain long-time contacts are no longer valid, and I have to remove those entries from the database to stop further attempts or otherwise, their mailing jobs remain in a ‘running’ state indefinitely. I was hoping there’d be a way to handle this on the sending side, rather than adding custom code.
    0
  • cPRex Jurassic Moderator

    Unfortunately yes - this level of control would likely involve customizing the server or Exim at a level that isn't supported by the cPanel tools.

    0
