1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Authenticated SMTP user IP address is checked against blacklists

Discussion in 'Plesk for Linux - 8.x and Older' started by hgmichna, Oct 4, 2008.

  1. hgmichna

    hgmichna Basic Pleskian

    24
    23%
    Joined:
    Oct 3, 2008
    Messages:
    69
    Likes Received:
    0
    Location:
    Munich, Germany
    When an SMTP user authenticates himself with his username and password, his IP address is still checked against the DNS blacklists. This prevents most users from sending any mail, if the blacklists contain a policy blacklist that checks for dial-in addresses such as DSL lines. The best example is bpl.spamhaus.org, which is also included in zen.spamhaus.org.

    The immediate workaround is to remove all such policy blacklists.

    However, the problem is more important than one first thinks, for the following reason. Quite a lot of spam and virus mails originates from botnets and infected end user computers, almost all of them connected to the Internet via some dial-in port. If Plesk makes using blacklists like pbl.spamhaus.org impossible, that increases the spam load several times, because most other spams can already be filtered by other blacklists, such as sbl-xbl.spamhaus.org.

    Lest anybody proposes to use port 587 instead of 25, that's really only doable in very small installations. You can't ask dozens of resellers and hundreds of mail users to change their SMTP port to a non-standard port. Some old or simple mail clients may not even allow the port to be changed.

    So a workaround will not do---the solution can only be to repair the defect at its root.

    Since nobody in his right mind would program intentionally to check authenticated SMTP users against IP address blacklists, and since no other SMTP server does this, we have a software fault here. If it is easy to have this fixed on port 587, then it cannot be impossible to have it fixed on port 25 as well. It would be really great to have this repaired in the next version of Plesk.

    Hans-Georg
     
  2. breun

    breun Golden Pleskian

    29
     
    Joined:
    Jun 28, 2005
    Messages:
    1,647
    Likes Received:
    0
    587 is not a non-standard port, it's the IANA registered port for submission: http://www.iana.org/assignments/port-numbers
     
  3. hgmichna

    hgmichna Basic Pleskian

    24
    23%
    Joined:
    Oct 3, 2008
    Messages:
    69
    Likes Received:
    0
    Location:
    Munich, Germany
    Thanks, wasn't aware of that.

    But even so I would hesitate to ask large numbers of users to change their mail client setup, only to circumvent a defect in the Plesk-controlled server.

    Why not fix this at the root of the problem? It can't be very difficult. The question is not which port the user connects to. The question is whether the user has authenticated himself. It makes no sense to check authenticated users against blacklists, and other servers don't do this either.

    Hans-Georg
     
Loading...