Recipient in CC receives the email but not the real recipient under the same domain

chronic

I would like to report this strange anomaly with an email from a customer.

An address external to the server that I will call [email protected] writes to an email address on my server [email protected], and also cc's another user under the same domain, [email protected], but only [email protected] receives the email from [email protected], while [email protected] which is the real recipient receives nothing.

If I analyze the logs I only find traces of the message received from [email protected] in /var/log/exim/mainlog, no reference to [email protected] in /var/log/exim/mainlog, /var/log/exim/rejectlog or /var/log/exim/paniclog.

This strangeness has been happening for a few days now, and I'm honestly missing something. What may have happened? Where can I look to investigate? How can I better analyze what is happening? Can anyone give me some suggestions?

Thank you
 
Does this happen with all mail? Or only a certain external email address?
What if you do the same with a gmail or hotmail address to your server?

And what if you login as admin --> Admin Tools --> Email tracking

Does it show there?
 
No it only happens from a specific address of an external domain to the server, otherwise there is no problem with any other external domain.

The only thing I noticed now is that the sender's mail server is blacklisted on Spamhaus ZEN and UCEPROTECTL2 and UCEPROTECTL3, and this would make sense, but I still don't understand why there is no trace in the rejectlog and why the email arrives to the user in CC and not to the recipient of the email, even though they belong to the same domain.
 
Well, I guess the problem is with the sender's mail server then, strange indeed that the CC shows up.
 
That's exactly what I think too, but the difficult part is explaining it to the customer, who tells me, why does my colleague receive it and I don't?
 
Because it slipped through the security, and you will take a look into it ;-)
Besides that, for most end users it's all magic haha.

Yes, still weird. But what if the sender puts both in the CC?
 
So in reality in the example I put only one CC address but there were two, and the only logical thing for me but I don't know if it is logical for the server, is that only the first address in alphabetical order received it, while the other two, the real recipient, and the second CC address receive nothing. So [email protected] received it, while [email protected] and [email protected] did not.

Since I also have some active blocklists in the firewall file /etc/csf/csf.blocklists, I thought about those too, but I didn't find a match for the sender's server IP and I also repeat that I don't understand why the email to an address arrives and the other two don't.
 
and this would make sense, but I still don't understand why there is no trace in the rejectlog
Indeed, but at least it should also be shown in Exim's mainlog. There should be traces from [email protected], so if that is also non-existent that would be very strange.

No odd paniclog entries?

As for the blacklists, only the Spamhaus ZEN should be important, you can ignore the UCEPROTECT lists, they are kind of scammers and almost nobody uses them anymore.
However, if mail was blocked because of the RBLs then normally all mail should be blocked, so receiver and CCs on the local server.
 
Yes, in /var/log/exim/mainlog I find references to the email address [email protected] only for the user [email protected] and nothing more, as if it had never reached the server. Yet if I see the header of the email received from [email protected] there are the other two addresses, that of the recipient and the other CC.


I don't use UCEPROTECT but when I checked the IP on the blacklists this was also found
 
Hmmz... this is very odd that it's not visible in the mainlog but it's visible in the header of the alex mail.
This gives the impression that for some reason alex is the addressee and the others are CC.

Do you have customisations made for exim?

I guess we need to ask some specialist on this matter. @mxroute do you have any clue on the cause of this odd behaviour or lack of log from Exim?
 
No, no exim customization, only in exim.strings.conf.custom the list of customized RBLs, the rest is all DirectAdmin default.
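
One way to check what the thread keeps circling around, namely whether the missing recipients were ever presented to the server in the SMTP envelope or only appear in the To/Cc headers (an added example, not code from any poster or from DirectAdmin). It parses Exim mainlog lines for one sender and compares envelope recipients, deliveries and RCPT rejections with the addresses seen in the header; the log lines, hosts and addresses are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample in Exim mainlog format; hosts and addresses are placeholders.
# The "for ..." field is only logged when log_selector includes +received_recipients.
SAMPLE_LOG = """\
2024-05-02 09:14:07 1s2QxT-0004aB-1k <= sender@external.example H=mail.external.example [192.0.2.25] P=esmtps S=48213 for alex@customer.example
2024-05-02 09:14:08 1s2QxT-0004aB-1k => alex <alex@customer.example> F=<sender@external.example> R=virtual_user T=dovecot_lmtp_udp
2024-05-02 09:14:08 1s2QxT-0004aB-1k Completed
2024-05-02 09:16:02 H=mx.bad.example [203.0.113.9] F=<spammer@bad.example> rejected RCPT <info@customer.example>: constructed rejection reason
2024-05-02 09:17:30 1s2QyZ-0004bQ-3x <= other@elsewhere.example H=mx.elsewhere.example [198.51.100.7] P=esmtps S=2011 for bob@customer.example
"""

MSG_ID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6,11}-[0-9A-Za-z]{2,4}"
ARRIVAL = re.compile(rf"^\S+ \S+ ({MSG_ID}) <= (\S+) ")
DELIVERY = re.compile(rf"^\S+ \S+ ({MSG_ID}) [=-]> (.*)$")
REJECT = re.compile(r"F=<([^>]*)> rejected RCPT <([^>]+)>: (.*)$")
ADDR = re.compile(r"[^\s<>]+@[^\s<>]+")


def trace_sender(log_text, sender):
    """Collect what the SMTP envelope of each message from `sender` contained."""
    messages, rejected = {}, []
    for line in log_text.splitlines():
        if m := ARRIVAL.match(line):
            if m[2].lower() == sender.lower():
                rcpts = line.rsplit(" for ", 1)[1].split() if " for " in line else []
                messages[m[1]] = {"envelope": [r for r in rcpts if "@" in r], "delivered": []}
        elif (m := DELIVERY.match(line)) and m[1] in messages:
            # The first address on the line is the recipient; F=<...> comes after it.
            if a := ADDR.search(m[2]):
                messages[m[1]]["delivered"].append(a[0])
        elif (m := REJECT.search(line)) and m[1].lower() == sender.lower():
            rejected.append((m[2], m[3]))
    return messages, rejected


def never_presented(messages, rejected, header_rcpts):
    """Header To/Cc addresses that never appeared as an envelope recipient."""
    seen = {r.lower() for msg in messages.values() for r in msg["envelope"]}
    seen |= {addr.lower() for addr, _ in rejected}
    return [r for r in header_rcpts if r.lower() not in seen]
```

On the server the input would be the contents of /var/log/exim/mainlog; an address returned by `never_presented` was never offered to this server as a RCPT by that sender in the logged period, which is why no accept or reject line exists for it.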
 