Help with setting up smtp for multiple client domains

tonybikini (New member, joined Sep 5, 2024, 5 messages)
Hello guys,

I need help to set up my clients' websites to be able to send outgoing emails from their websites, as I don't find the needed information online. It seems it should be an easy fix, but I am doing something wrong somewhere.

Each WordPress instance under each DirectAdmin client's virtual host has a contact form that should be sending mail to the client's email through SMTP. The mail servers work properly and are hosted on MXroute email servers, which are remote and separate from my main domain servers. They used to work and run properly on multiple Plesk servers, but I just migrated to a new server under DirectAdmin with Debian 12 for a better VPS and easier management at a lower cost. Everything is set up fine, except for emails.

My issue arises inside my DirectAdmin main domain servers, which seem to block outgoing SMTP connections. I have CSF turned on. Here's what's inside /etc/csf/csf.conf:

# Allow incoming TCP ports

TCP_IN = "35000:35999,20,21,22,25,53,853,80,110,143,443,465,587,993,995,2222"

# Allow outgoing TCP ports

TCP_OUT = "143,20,21,22,25,53,853,80,110,113,443,465,587,993,995,2222"

Concerning SMTP:
SMTP_BLOCK = "1"

# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
# on the server (e.g. for webmail or web scripts) then enable this option to
# allow outgoing SMTP connections to the loopback device

SMTP_ALLOWLOCAL = "1"

# This option redirects outgoing SMTP connections destined for remote servers
# for non-bypass users to the local SMTP server to force local relaying of
# email. Such email may require authentication (SMTP AUTH)

SMTP_REDIRECT = "0"

# This is a comma separated list of the ports to block. You should list all
# ports that exim is configured to listen on

SMTP_PORTS = "25,465,587"

Which seem to be the correct ports and config, as I've searched elsewhere on these forums and the internet. The MXroute email service uses port 465 for SSL and 587 for TLS.

However, inside my WP forms SMTP plugin (WP Mail SMTP), I am not able to send outgoing mail to my webmail servers on MXroute on either SSL or TLS. I keep getting these error logs:

Params:
Mailer:
smtp
Constants: No
ErrorInfo: SMTP Error: Could not connect to SMTP host. Failed to connect to serverSMTP server error: Failed to connect to server SMTP code: 111 Additional SMTP info: Connection refused
Host: ******.******.*** // (hidden here for security purposes, the host does show up correctly in my actual file)
Port: 465
SMTPSecure: ssl
SMTPAutoTLS: bool(true)
SMTPAuth: bool(true)
Server:
OpenSSL:
OpenSSL 3.0.14 4 Jun 2024

Debug:
Email Source: WP Mail SMTP
Mailer: Other SMTP
SMTP Error: Could not connect to SMTP host. Failed to connect to serverSMTP server error: Failed to connect to server SMTP code: 111 Additional SMTP info: Connection refused

SMTP Debug:
2024-09-05 19:55:35 Connection: opening to ssl://****.****.***:465, timeout=30, options=array()

2024-09-05 19:55:35 Connection failed. Error #2: stream_socket_client(): Unable to connect to ssl://****.****.***:465 (Connection refused) [/home/user/domains/userdomain.com/public_html/wp-includes/PHPMailer/SMTP.php line 408]

2024-09-05 19:55:35 SMTP ERROR: Failed to connect to server: Connection refused (111)

SMTP Error: Could not connect to SMTP host. Failed to connect to server

I have an SMTP code 111 issue showing up with connection refused. It says it's a stream_socket_client issue at line 408 of my WordPress website's SMTP.php file.

Here's the content of line 408 with stream_socket_client, which seems fine:
Code:
$connection = stream_socket_client(
    $host . ':' . $port,
    $errno,
    $errstr,
    $timeout,
    STREAM_CLIENT_CONNECT,
    $socket_context
);


It seems to me that it would be some issue inside DirectAdmin that doesn't allow the outgoing connection, or some WordPress config which would interrupt the connection as it wouldn't find the host. But I never had to fiddle with the WP config files and they used to work on the previous servers, so I don't think I would have to edit these. Correct me if I'm wrong, but I really think it has something to do with the DirectAdmin configuration.

Otherwise, I've seen some information about updating the /etc/exim.conf file of the root server. I've checked through it and it seems there is indeed some SMTP configuration going on, but I'm not sure how I would go about setting up that file for multiple domains and different users under different domains securely, so they're properly set up.

Any help on this will be appreciated! Hopefully I can get my forms and outgoing emails working again this weekend.

Cheers
 
Update:

The fix was super simple. After more investigation, I just needed to edit "SMTP_ALLOWUSER" in csf.conf:

SMTP_ALLOWUSER = "user1,user2,user3,user4"

where user1, user2, user3, etc. are your DirectAdmin clients' usernames that you want to be allowed to send outgoing mail from the server. So no need to change anything else in the basic config to keep it secure.
 
The fix was super simple. After more investigation, I just needed to edit "SMTP_ALLOWUSER" in csf.conf:
So if you have 100 clients you have to set 100 names in there. That is not the normal way to work and is the wrong solution to use.

Normally all clients are allowed to use SMTP connections anyway, so you most likely still have the option "use this server to handle users mail" or something similar selected on the MX page of the users. Or some other configuration issue.

Anyway, it's loads of work to specify all users. I would suggest setting it back to the default setting and then just changing:
SMTP_BLOCK = 1
to
SMTP_BLOCK = 0
and restarting csf and lfd; then you also have the problem fixed without the need to specify every user in the allow list.

Again, it should work out of the box without the need to change any of these settings, so to me it sounds like something else is not set up correctly anyway.
 
Thanks, I appreciate your advice, but isn't putting SMTP_BLOCK to 0 a security risk? Or am I overthinking it? Because that's what I thought of doing initially, however I've seen on this same forum that it wouldn't be recommended? Or am I wrong?
 
Be careful, "SMTP_BLOCK" might be rewritten back to "1" when updating DirectAdmin,
so you must change the setting in the CustomBuild UI from "csf=yes" to "csf=no"; this will stop DirectAdmin from rewriting the config.

###note: the SMTP_BLOCK option just blocks users from using external SMTP services.
 
Be careful, "SMTP_BLOCK" might be rewritten back to "1" when updating DirectAdmin,
It shouldn't do that, as it doesn't touch other settings either. But one can better be safe than sorry, that's true.

###note: the SMTP_BLOCK option just blocks users from using external SMTP services.
That's what it says, but I wonder how it can be that there are normally no issues with external SMTP services like Gmail or Outlook 365 if customers have those as their external mail server?
I've got it set to 1 and still have customers using external mail servers like Gmail and Outlook for outgoing and incoming mail. However, that might be because they don't use contact forms on their sites; not sure about that at the moment.
 
@Richard G
You can test ON/OFF by using a non-root user and telnet to an outside SMTP service.

If they are using an external mail server, incoming mail will go directly to the external mail service.
 
by using a non-root user
How do I do that? Because when I su to a user and then do a "whoami", the result is that I'm still root.
I presume that is because nobody on our servers has SSH access except root? Default DA install?
 
I never su - from root to another user, because I always open SSH for my normal user to create background processing.

The command below should access the user with the same permissions.
Code:
su -s user1
 
should access the user with the same permissions.
Nope.
su: failed to execute admin: No such file or directory

I seem to have trouble now; I just used direct login via SSH for admin and the session is opened and closed directly, no matter what I do.
So I see the login, it stays, but no prompt. As soon as I type something, it reloads the login.
The log says this:
Code:
Sep  7 15:42:52 server26 sshd[3548302]: pam_unix(sshd:session): session opened for user admin(uid=1000) by admin(uid=0)
Sep  7 15:42:52 server26 sshd[3548302]: pam_unix(sshd:session): session closed for user admin

Admin is in sshd_config under "AllowUsers" and does have SSH enabled in the package.
It always worked with su several years ago; normally I don't need to use this.
 
Found it, I can do it like this:
su - "admin" -s /bin/bash

Just no clue as to why it doesn't work anymore via an SSH client.
But I could test now. So indeed with SMTP_BLOCK off it's working correctly.

So my solution in post #3 was correct, to just set it to 0.
 
No implications from just setting it to 0? It only affects users already installed on the server, and there's no chance some external person could do anything?
 
No implications from just setting it to 0?
That was why I was testing with @Ohm J, because I was wondering about that too.
As far as I can see, the only implication would be that if an account got hacked, the hackers could use an external mail server via SMTP. In fact everything on the server can (daemons too, for example).
However, most hackers are using PHP mail to send their spam via scripts or whatever. So it doesn't seem to really cause issues.

It's not like you suddenly have an open relay or something like that.

If you don't need it, I would keep the block active. If you do have some users requiring external SMTP, then you can either disable it or, to be more secure if it's only a few users, add the specific users as you did in post #2 (don't forget to restart csf/lfd afterwards) so only those users have the rights.
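Added example (not code from anyone in this thread, nor from CSF, DirectAdmin or WP Mail SMTP): a small bash script that reads the SMTP_BLOCK / SMTP_ALLOWUSER / SMTP_PORTS policy out of a csf.conf and says whether a given DirectAdmin user is allowed out, plus the "test as a non-root user" probe suggested earlier, done with bash's /dev/tcp instead of telnet. The sample csf.conf it writes is constructed; the user names and host are placeholders.

```bash
#!/usr/bin/env bash
# Audit the outbound-SMTP policy of a csf.conf (SMTP_BLOCK, SMTP_ALLOWUSER,
# SMTP_PORTS as discussed in the thread) and probe a remote SMTP port as the
# current user. Added example; not code from CSF, DirectAdmin or WP Mail SMTP.

# Print the value of KEY from CONF, e.g. csf_get SMTP_BLOCK /etc/csf/csf.conf
# (first uncommented KEY = "value" line; lines starting with # are skipped).
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Print "allowed" or "blocked" for USER under CONF and return 0/1 accordingly:
# SMTP_BLOCK=0 means no filtering at all; with SMTP_BLOCK=1 only the users
# listed in SMTP_ALLOWUSER may open connections to the SMTP_PORTS.
csf_smtp_user_allowed() {
    if [ "$(csf_get SMTP_BLOCK "$2")" != "1" ]; then
        echo allowed; return 0
    fi
    # exact-name match inside the comma-separated list, spaces ignored
    case ",$(csf_get SMTP_ALLOWUSER "$2" | tr -d ' ')," in
        *",$1,"*) echo allowed; return 0 ;;
    esac
    echo blocked; return 1
}

# One-line summary of the policy, handy before and after a csf/lfd restart.
csf_smtp_summary() {
    printf 'SMTP_BLOCK=%s ports=%s allowlocal=%s allowusers=%s\n' \
        "$(csf_get SMTP_BLOCK "$1")" "$(csf_get SMTP_PORTS "$1")" \
        "$(csf_get SMTP_ALLOWLOCAL "$1")" "$(csf_get SMTP_ALLOWUSER "$1")"
}

# Live probe: can this shell open TCP to HOST:PORT? Run it after
# su - user1 -s /bin/bash to see what CSF does for that user
# (exit 0 = connected, non-zero = refused or timed out). Needs bash + timeout.
smtp_port_reachable() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Write a constructed csf.conf fragment (not the poster's real file) with the
# given SMTP_BLOCK and SMTP_ALLOWUSER values and print its path (self-test use).
csf_sample_conf() {
    f=$(mktemp)
    printf '# Allow outgoing TCP ports\nTCP_OUT = "25,465,587,443"\n' >"$f"
    printf 'SMTP_BLOCK = "%s"\nSMTP_ALLOWLOCAL = "1"\nSMTP_PORTS = "25,465,587"\n' "$1" >>"$f"
    printf 'SMTP_ALLOWUSER = "%s"\n' "$2" >>"$f"
    echo "$f"
}
```

Typical use: `csf_smtp_summary /etc/csf/csf.conf`, then `csf_smtp_user_allowed user1 /etc/csf/csf.conf`, and after `su - user1 -s /bin/bash` run `smtp_port_reachable smtp.example.invalid 587; echo $?` to confirm the firewall behaves the way the config says.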
 
I see, thank you! As you pointed out, if a user gets hacked, even with my method they would have access to external SMTP. So both ways would be the same; I'll probably just disable the SMTP block for the long run. Thank you!
 