-1

since two weeks ago spamhaus kept on putting our IP address on the CSS blacklist - we've had few thing to fix from the guideline so we delisted ourselves few times after checking all the requirements.

Now after 3 times they created a ticket for our case and state that our helo response is a localhost:

Then something else is going on:

(IP, UTC timestamp, HELO value) 188.39.** 2023-05-30 18:40:00 localhost.localdomain 188.39.** 2023-05-30 07:35:00 localhost.localdomain 188.39.** 2023-05-28 07:05:00 localhost.localdomain 188.39.** 2023-05-27 22:05:00 localhost.localdomain 188.39.** 2023-05-27 17:05:00 localhost.localdomain

Note the top one is after your message claiming the HELO is correct.

Every time we have been blacklisted we checked our helo response by sending an email to helocheck@abuseat.org and response was proper FQDN with valid syntax - no error here.

Is there anyway that they could be getting the localhost.localdomain response from our IP? How do they test for HELO response, could it be firewall sending HELO?

I would appreciate any help, thank you

Backi
  • 1
  • 1
    Read your config files. We are not clairvoyant. – vidarlo May 31 '23 at 06:57
  • I can't see anything wrong with the config on a mdaemon side (HELO related), and it comes back correct with every tool i tested it with, mail-tester, helocheck. Only spamhaus is receiving this HELO, so I guess their incoming connection is different than the testing I done – Backi May 31 '23 at 07:08
  • 3
    You haven't really given enough information for any answers here. No config, no details, only som log.lines... – vidarlo May 31 '23 at 07:26
  • Questions seeking installation, configuration or diagnostic help must include the desired end state, the specific problem or error, sufficient information about the configuration and environment to reproduce it, and attempted solutions. Questions without a clear problem statement are not useful to other readers and are unlikely to get good answers please read word by word carefully and provide all steps – djdomi May 31 '23 at 10:12
  • Let your mail server listen to a global IP and not to localhost. – paladin May 31 '23 at 11:33
  • Has any answer solved your question? Then please accept it or your question will keep popping up here forever. Please also consider voting for useful answers. – Zac67 Jul 10 '23 at 14:30

1 Answers1

2

If your Mdaemon is configured correctly (check secondary domains as well) then something else might be using the same public IP address.

A common scenario for that is when you've got a single public IPv4 address on your router and source NAT everything through it. That way, a spam source inside your network is indistinguishable from your MTA from the outside.

You need to either

  1. separate outgoing client traffic from your mail agent by using multiple public IP addresses, or
  2. deny outgoing SMTP from your clients. It's fine to permit outgoing SMTP/MSA to port 587 (can't be used for spamming) or to port 465 for SMTPS (mostly only authenticated MSA), but not to port 25, at least not to arbitrary servers.

Option 2 is hightly recommended as you don't only save your MTA from being blacklisted but also the rest of the world from being spammed from your network.

It's also a good idea to raise an alarm when a private client tries to connect outbound to port 25: it's either someone trying to bypass your mail system or an intruder using an infected client.

Zac67
  • 10,320
  • 2
  • 12
  • 32