
Authenticated SMTP user IP address is checked against blacklists

hgmichna

Basic Pleskian
When an SMTP user authenticates himself with his username and password, his IP address is still checked against the DNS blacklists. This prevents most users from sending any mail if the blacklists contain a policy blacklist that checks for dial-in addresses such as DSL lines. The best example is pbl.spamhaus.org, which is also included in zen.spamhaus.org.

The immediate workaround is to remove all such policy blacklists.

However, the problem is more important than one first thinks, for the following reason. Quite a lot of spam and virus mails originate from botnets and infected end user computers, almost all of them connected to the Internet via some dial-in port. If Plesk makes using blacklists like pbl.spamhaus.org impossible, that increases the spam load several times, because most other spams can already be filtered by other blacklists, such as sbl-xbl.spamhaus.org.

Lest anybody propose to use port 587 instead of 25, that's really only doable in very small installations. You can't ask dozens of resellers and hundreds of mail users to change their SMTP port to a non-standard port. Some old or simple mail clients may not even allow the port to be changed.

So a workaround will not do---the solution can only be to repair the defect at its root.

Since nobody in his right mind would program intentionally to check authenticated SMTP users against IP address blacklists, and since no other SMTP server does this, we have a software fault here. If it is easy to have this fixed on port 587, then it cannot be impossible to have it fixed on port 25 as well. It would be really great to have this repaired in the next version of Plesk.

Hans-Georg
 
Thanks, wasn't aware of that.

But even so I would hesitate to ask large numbers of users to change their mail client setup, only to circumvent a defect in the Plesk-controlled server.

Why not fix this at the root of the problem? It can't be very difficult. The question is not which port the user connects to. The question is whether the user has authenticated himself. It makes no sense to check authenticated users against blacklists, and other servers don't do this either.

Hans-Georg
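
The ordering the posts above ask for, sketched as an added example (not code from the thread or from Plesk): the authentication test runs before any blacklist lookup, so a policy listing only affects unauthenticated clients. The function names, the stub resolver and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Zone named in the thread; 127.0.0.10/11 are the PBL return codes within zen.
DNSBL_ZONE = "zen.spamhaus.org"
PBL_CODES = {"127.0.0.10", "127.0.0.11"}


def dnsbl_query_name(client_ip, zone=DNSBL_ZONE):
    """Reverse the IPv4 octets and append the zone, as DNSBL lookups require."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def smtp_policy(client_ip, authenticated, resolve):
    """Return (verdict, reason). `resolve` maps a query name to a set of A records.

    The authentication test comes first, so a logged-in user on a dial-in
    address never triggers a blacklist lookup at all, whichever port is used.
    """
    if authenticated:
        return ("accept", "authenticated submission, DNSBL skipped")
    answers = resolve(dnsbl_query_name(client_ip))
    if not answers:
        return ("accept", "not listed")
    kind = "policy listing (PBL)" if answers & PBL_CODES else "listed"
    return ("reject", f"{client_ip} {kind} in {DNSBL_ZONE}")


# Constructed sample data: 192.0.2.25 is a documentation address standing in
# for a DSL customer whose address range is on the PBL.
CONSTRUCTED_ZONE_DATA = {"25.2.0.192.zen.spamhaus.org": {"127.0.0.10"}}


def stub_resolver(name):
    """Offline stand-in for a DNS A-record lookup (hypothetical helper)."""
    return CONSTRUCTED_ZONE_DATA.get(name, set())


if __name__ == "__main__":
    cases = [("192.0.2.25", False), ("192.0.2.25", True), ("198.51.100.7", False)]
    for ip, auth in cases:
        print(ip, "auth" if auth else "anon", smtp_policy(ip, auth, stub_resolver))
```
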
 