Outgoing mail contol is preventing non-plesk (SSH) users from sending mail

[gregconway]

With outgoing mail control switched on my non-plesk users created under SSH receive this error when trying to email out -

Mail handler 'limit-out' said: REPLY:554:5.7.0 Your message could not be sent. The user is not allowed to send email.

With outgoing mail control switched off they can send email just fine.

Any ideas how to work around this?

Thanks

 

[gregconway]

Just to elaborate further.... root can send emails but other SSH users cannot. I have tried adding a [email protected] mail account to the self-entitled "control" domain on each server (which I added a root@ user for long ago) but that hasn't solved it.

 

[IgorG]

Enable "Allow scripts and users to use Sendmail" option. More detail here - http://download1.parallels.com/Plesk/Doc/en-US/online/plesk-administrator-guide/73368.htm

 

[gregconway]

Hi Igor. Thanks for the response. I don't recall this setting (so I presume it must be enabled by default). I've checked it and it is enabled. I've tried disabling and re-enabling the setting... but I still can't send Email.
I still get "Mail handler 'limit-out' said: REPLY:554:5.7.0 Your message could not be sent. The user ... is not allowed to send email."
The manual says "The system users of the plan's subscriptions will be able to send email messages by using Sendmail even if the limits for a mailbox and domain are exceeded" so users should be able to send even if an overuse is recorded (which it isn't).
It says sendmail but we postfix... I presume this wouldn't be an issue?
Any further ideas?
And have you by any chance any thoughts on my greylisting problem?! (http://talk.plesk.com/threads/grey-listing-question.335755/)
Thanks!
Greg.

 

[gregconway]

A further update on this... an end-user reported that they couldn't send emails from their webmail client. I logged in and tried to send an email - I received this error -

SMTP Error: [451] 4.7.1 Service unavailable - try again later

I checked the logs and found this -

postfix/smtpd[27143]: 5922C11400B9: milter-reject: DATA from localhost.localdomain[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<webmail.domain.com>

Outgoing mail control wasn't reporting any issues but on a hunch I disabled it, following which I could then send the mail without any problems.

So I am going to have to disable mail control as it doesn't seem to work correctly. I've still also got the original issue of ssh users not being able to send emails (despite 'Allow scripts and users to use Sendmail' being enabled).
Would appreciate any thoughts on why this doesn't actually work!

Thanks.

 

[gregconway]

Bump. I've had to switch outgoing mail control off as it doesn't seem to work

 

[IgorG]

If it is Plesk 12.0.8 version - have you tried repair mail settings with mchk utility?

 

[gregconway]

Hi Igor. Thanks for the response. All our servers are at the latest Plesk version, and yum/Plesk updates are applied daily as required so everything is fully patched. Would it help to run mchk anyway?

 

[IgorG]

Would it help to run mchk anyway?

You can try at least.

 

[gregconway]

I gave it a try. It ran through and reported no problems -
/usr/local/psa/admin/bin/mchk
==> Checking for: mailsrv_conf_init... ok
==> Checking for: mail_handlers_init... ok
==> Checking for: mailsrv_entities_dump... ok
==> Checking for: mail_admin_aliases... ok
==> Checking for: mail_auth_dump... ok
==> Checking for: mailman_lists_dump... ok
==> Checking for: mail_kav8_restore... ok
==> Checking for: mail_responder_restore... ok
==> Checking for: mail_imap_restore... ok
==> Checking for: mail_spam_restore... ok
==> Checking for: mail_grey_restore... ok
==> Checking for: mail_mailbox_restore... ok
==> Checking for: mail_spf_restore... ok
==> Checking for: mail_dk_restore... ok
==> Checking for: mail_drweb_restore... not found, skipped
==> Checking for: mail_outgoing_restore... ok
==> Checking for: mail_transport_restore... ok
I then re-enabled outgoing mail control, tried to send an email and still the same problem -
Mail handler 'limit-out' said: REPLY:554:5.7.0 Your message could not be sent. The user is not allowed to send email.
Any further ideas?
Thanks,
Greg.

 

[abdi]

A further update on this... an end-user reported that they couldn't send emails from their webmail client. I logged in and tried to send an email - I received this error -

SMTP Error: [451] 4.7.1 Service unavailable - try again later

I checked the logs and found this -

Just be sure the user hadn't exceeded there hourly maximum ...

 

[gregconway]

Thanks for the suggestion but sadly no, nobody has exceeded their subscription.
The issue (I guess) is that these SSH accounts do not actually belong to a subscription, so I presume it won't show up within the stats anywhere.
I guess this is what the "allow scripts and users to use sendmail" tag is for (or supposed to be for) but that's been enabled all the way along and doesn't seem to be doing what it should.
Does anybody have any further suggestions? Is there any way I could trace what's happening beyond what's appearing in /var/log/maillog?
Thanks,
Greg.

 

[gregconway]

Just to clarify something in case it helps... non-SU users aren't allowed to send email but root can send emails without any issues.

 

[abdi]

Hi Gregy,

Can you please try whitelisting your system users with this command and let me know if that resolves the issue?

/usr/local/psa/admin/sbin/mailmng-outgoing --add-to-whitelist --sysuser=sysuser

 

[gregconway]

Hi Abdi,
Thanks for the response.
Yes that has worked. I've whitelisted 1 user on 4 x servers and now that user can send email on each of them again.
I've also tested the webmail user that was having issues and whilst he couldn't send email initially he could after a few tries. Switching outgoing mail control back on initially didn't help, and now he can send emails even with it switched on. I'm starting to wonder if this is greylisting-related but that's another story!!
So is there any way to whitelist all SSH users in this fashion?
Thanks,
Greg.

 

[abdi]

whitelist all SSH users

Am not sure this is possible, I my self haven't done it before. You can try finding more command params with

/usr/local/psa/admin/sbin/mailmng-outgoing --help

Any one else or plesk team member can advice here

 

[gregconway]

Thanks again abdi. I did actually continue with this yesterday, found the --help parameter, and also the --show-whitelist parameter...

/usr/local/psa/admin/sbin/mailmng-outgoing --show-whitelist
drweb
popuser
postfix
psaadm
root
<my ssh users removed>

...which I thought was interesting considering there is a "Allow scripts and users to use Sendmail" switch.

Igor what is the score here? Do I need to whitelist all my ssh users or should the switch work and it's broken in some way?

Thanks.

 

[trialotto]

@gregconway,

Your issue can be the result of a myriad of factors.

In the meantime, you have been testing and changing a lot, so this will not make any resolution of the issue(s) more easy.

In summary, you stated

a) in the first post:

Mail handler 'limit-out' said: REPLY:554:5.7.0 Your message could not be sent. The user is not allowed to send email. With outgoing mail control switched off they can send email just fine.

This was concerning outgoing mail restrictions.

For the sake of further resolution of the issue, leave the outgoing mail restriction disabled.

This implies that your actual issue is to be defined by:

With outgoing mail control switched on my non-plesk users created under SSH receive this error when trying to email out -

In this statement of yours, your problem is restricted to "non-plesk users, including SSH users, cannot send mail"

Actually, this is logical behaviour in the default settings of Plesk:

1 - mail is allowed: by default, it is not a disabled function in php.ini,
2 - mail is send in a "normal" fashion: by default, mail is being send via the mail server (postfix/qmail), except when calling the PHP (internal) function mail() in a script,
3 - the mail() function uses a (Plesk) "wrapper" to send mail via the mail server,

and it must be clear by now that

- see point 2: plesk users are allowed to send mail by default,
- see point 3: the "allow scripts and users to use sendmail" switch activates the wrapper.

However, this does not imply that all calls to a mail() function will result in sending mail: authentication is still required AND proper mail configuration has to be in place.

I will return to the above.

b) in the second post:

Just to elaborate further.... root can send emails but other SSH users cannot. I have tried adding a [email protected] mail account to the self-entitled "control" domain on each server (which I added a root@ user for long ago) but that hasn't solved it.

The root user can always call the mail() function, it is not required to add a specific domain with a [email protected] account (i.e. mailbox).

However, in your case, the creation of the account/mailbox ascertains that mail is delivered by the mail server, i.e. mail is delivered without any issues.

Why does adding "[email protected]" not have the similar result, i.e. a success in delivering mail?

Now I can continue what I have stopped to discuss in point a: there are two reasons for that, being

- calling a mail() function in a script will not result in authentication: the mail() function does not send as "[email protected]", AND/OR
- the presence of an existing (non-Plesk) user forces the mail() function to use the /usr/sbin/sendmail or /usr/lib/sendmail binary.

In general, enabling the "allow scripts and users to use sendmail" switch would do the trick.

However, in your case, a (new and/or completely different) problem arises, as I will explain below.

c) in the third post:

I still get "Mail handler 'limit-out' said: REPLY:554:5.7.0 Your message could not be sent. The user ... is not allowed to send email."

Again, this is concerning message limit outage.

Now you (also) introduce something completely different: a potential greylisting problem.

We will ignore the alleged greylisting problem, since it all boils down to the issue, related to message limit outages.

And that is BAD, since it indicates that a lot of mail traffic has been passing your server, simply via the mail server itself.

That is normally an indication of a "hack and spam attack", mostly done with a call to mail() functions.

In short, at this moment in time, it should not be adviceable to enable the "allow scripts and users to use sendmail".

However, it can also be the case that your mail server is being overloaded with bounce messages, due message delivery failure.

For the sake of further testing and discussion: clean up the message queue, delete all messages (note that you have to filter out specific, relevant messages, do not delete them).

d) in the fourth post:

A further update on this... an end-user reported that they couldn't send emails from their webmail client. I logged in and tried to send an email - I received this error - SMTP Error: [451] 4.7.1 Service unavailable - try again later ....

This does not really alter anything, it certainly does not change the ISSUES on hand: your mail service is down, due to an overload.

e) in another post (lost count of the posts):

I guess this is what the "allow scripts and users to use sendmail" tag is for (or supposed to be for) but that's been enabled all the way along and doesn't seem to be doing what it should.

Yes, indeed, scripts are allowed to send mail, which causes the issue of your mail server overloading and not working properly.

Again, flush the queue.

f) in another post:

I've also tested the webmail user that was having issues and whilst he couldn't send email initially he could after a few tries. Switching outgoing mail control back on initially didn't help, and now he can send emails even with it switched on. I'm starting to wonder if this is greylisting-related but that's another story!! So is there any way to whitelist all SSH users in this fashion?

Indeed, it has nothing to do with grey listing, your mail server is simply overloaded, due to some elaborate hack OR your own doing (testing too much, augmented with other mails).

And no, you would not want to whitelist SSH users:

- only one SSH user should be present: a root uses (anything else would be unsafe)
- whitelisting the root user is completely not necessary (by default, the root user is allowed to send mails via scripts, no action has to be taken)
- whitelisting other SSH users is really "wrong" (your system will be very vulnerable, if other SSH users exist and/or if they are whitelisted)

In short, try to discard as many SSH users as you can.

g) and that is it, all relevant remarks from your posts are given.


It should be duly noted that you are looking for the wrong answer to the wrong question.

Just do the following:

- clean the complete mail queue,
- restart the mail server,
- check traffic: it is very likely that your mail server is being hacked and/or relaying (often malicious) mail traffic,

and that is it.

It can be the case that the problem (of not being able to send mail) re-occurs, but that will then be due to

A - a potential hack, hidden in some code somewhere, using the mail() function (to solve this: deactivate the "allow scripts and users to use sendmail" switch. If spikes in mail traffic still occur, than one of your accounts (mail, SSH and/or other types of accounts) is very likely to be hacked)

B - misconfiguration of the script actually calling the mail() function (note: this happens all the time, just have a look into the various error logs, to identify the script)

C - misconfiguration of mail server settings, for instance having "double accounts" (see point b).

In general, I would advice you to take actions in the order described above, from point A to C.

Regards.......

 

[gregconway]

Time has been very limited for me but I thought I'd report back that I appear to have fixed this problem...

"A further update on this... an end-user reported that they couldn't send emails from their webmail client. I logged in and tried to send an email - I received this error -
SMTP Error: [451] 4.7.1 Service unavailable - try again later"

...which was the fifth post on this thread.

I have found that within /etc/postfix/main.cf the following is set -

non_smtpd_milters =

so I have amended this to -

non_smtpd_milters = inet:localhost:12768

and restarted postfix. This has fixed the webmail send problem.

I've examined 3 x plesk servers so far and found it's the same on each of them, so it looks like a Plesk issue rather than a rogue configuration change I made.

I have been able to re-enable outgoing mail control on the server where I had to disable it with no further issues reported (so far).

So this plus the response from @abdi (14th post on this thread - thanks again!) means this thread is actually resolved, bar a response from @IgorG/Odin to the question I asked in the 17th post here -

Igor what is the score here? Do I need to whitelist all my ssh users or should the switch work and it's broken in some way?

Also it would be useful to know whether the main.cf "error" is indeed an error and whether it will be fixed in a future release?

Thanks,

Greg.

 

[trialotto]

@gregconway,

For the time being, it is simply best to comment out the line "non_smptpd_milters" (in main.cf).

Normally, there is more required than "only" setting the value of the non_smptpd_milters to inet:localhost:12768 (for instance, in the case a socket has to be specified).

The "commenting out" solution also works fine for the original problem.

In addition, allowing SSH users to send mail with the sendmail script is not adviceable: security issues will arise (for instance, heavy spamming from your server becomes possible).

In short, if you have any non-root users that really require mail functions (and that is often not the case), just add those users to a group allowed to execute the sendmail script.

Regards...