
email issues : rbl & email address syntax

Discussion in 'Plesk for Linux - 8.x and Older' started by ltastet, Sep 27, 2008.

  1. ltastet

    ltastet Guest

     
    Hi,

    I've installed Plesk 8.6.0 for Linux and I'm facing many issues:
    a) RBL & auth: many customers are using my server to send email (with SMTP auth enabled), but it seems that authenticated users are checked via RBL too, so they can't send email because they are sending email from dynamic IPs listed in RBLs. For me, this behaviour is not normal; authenticated users should not be checked via RBL.

    b) email address syntax: if you read RFC 822, it says:
    An atom is a sequence of printable ASCII characters except space or any of the following:
    ()<>@,;:\".[]
    Positively speaking, this means that the valid constituents of an atom are the following:

    !"#$%&'*+-/0123456789=?
    @ABCDEFGHIJKLMNOPQRSTUVWXYZ^_
    `abcdefghijklmnopqrstuvwxyz{|}~


    1) If I try to create an email account like john's.email@domain, Plesk refuses; it says that the syntax is not correct.
    2) If I try to create an alias (maybe an email account too?) like double..dotted@domain, Plesk refuses too, for the same reason.

    Has anyone already faced these issues?

    Many thanks to people who will answer.

    Best regards,

    Laurent Tastet
     
  2. faris

    faris Guest

     
    To resolve your first issue, simply enable the submission port in Plesk (and then in your firewall if need be). Then ask your customers to use port 587 instead of port 25 for SMTP.

    Since the submission port REQUIRES authentication, no rbls are checked against and all will be well.
    Port 25 will continue to check against rbls.

    Many many ISPs are blocking port 25 anyway, so this is not a bad thing.

    For your second problem, for whatever reason, dots are not permitted in mailnames.

    To get around the problem, create an address without the dot, then simply manually rename the address in /var/qmail/mailnames/ to give it a dot. It works. I've used this trick several times. Obviously you can't then change settings on the domain via plesk but it is a good work-around for people who absolutely HAVE to have dots.

    You very rarely find them these days.

    Faris.
     
  3. ltastet

    ltastet Guest

     
    thanks for your help

    Hi,

    Many thanks for taking the time to answer my issues ...

    I've finally set up an alternative SMTP port on my server for this customer (I don't know how to activate the submission port; my Plesk interface is in French and I don't know what it is called in French).


    As for the manual changes of email addresses & aliases, it's such a mess that we can't do this in the control panel ...

    best regards

    Laurent
     
  4. hgmichna

    hgmichna Basic Pleskian

    Authenticated users are checked against DNS blacklists

    Faris,

    thanks for the workaround, but it's really only usable in very small installations. You can't ask dozens of resellers and hundreds of mail users to change their SMTP port to a non-standard port. Some mail clients may not even allow the port to be changed.

    So a workaround will not do---it would be better to repair the defect that authenticated SMTP users are undesirably checked against IP blacklists.

    It is more important than one first thinks, for the following reason. Quite a lot of spam and virus mails originate from botnets and infected end user computers, almost all of them connected to the Internet via some dial-in port. If Plesk makes using blacklists like pbl.spamhaus.org impossible, that would increase the spam load several times, because most other spams are already filtered by other blacklists, such as sbl-xbl.spamhaus.org.

    Since nobody in his right mind would program this defect intentionally, we have a software fault here, and if it is easy to have this fixed on port 587, then it cannot be difficult to have it fixed on port 25 as well.

    Meanwhile I'd be very grateful for a manual workaround for port 25, in my case probably in the qmail configuration. Since I'm not a Linux expert, I would appreciate some step-by-step instructions.

    Hans-Georg
     
  5. faris

    faris Guest

     
    Gods, yes, it could be a bit of a nightmare to get everybody to switch at once!
    And yes, Parallels needs to update the way the rbls get processed (i.e. bypass if there's authentication). It is something that would be relatively easy to do. But they didn't.

    However, port 587 is not non-standard. It is standard. Very standard. Within a few years all your users will have to switch, because all sensible ISPs will have blocked port 25 for anything other than their own SMTP servers. If all ISPs did this today, 80% of the spam being sent would stop (until the spammers re-programmed their spambots, but that's another story! I'm sure there are other flaws in my argument too)

    OK, if you want a solution that allows you to continue to use port 25, but if the user authenticates they will bypass the rbls, then simply (and I mean simply) install spamdyke (www.spamdyke.org). It will take about 5 minutes to download and compile, then 5 minutes to create a config file for it that matches your needs, and another 3 minutes to "install" (copy one file somewhere, then modify another file, then restart xinetd).

    Here are outline instructions, just so you see how easy it can be:

    So, download from www.spamdyke.org
    tar -xvzf thefileyoudownloaded
    cd thedirectorycreated
    cd spamdyke
    ./configure
    make
    cp spamdyke /usr/local/bin

    mkdir /etc/spamdyke.d

    create a file called spamdyke.conf and put it in /etc/spamdyke.d/
    spamdyke.conf should have the following contents:

    log-level=info
    local-domains-file=/var/qmail/control/rcpthosts

    #general options:
    idle-timeout-secs=60
    greeting-delay-secs=5


    #general rejection options
    reject-empty-rdns
    reject-unresolvable-rdns
    reject-missing-sender-mx

    #dns blacklists
    dns-blacklist-entry=zen.spamhaus.org
    dns-blacklist-entry=bl.spamcop.net
    dns-blacklist-entry=dnsbl.sorbs.net
    dns-blacklist-entry=bogons.cymru.com

    #tls stuff
    tls-certificate-file=/var/qmail/control/servercert.pem


    #this is the end of the file. More instructions now. don't put them in the file!:


    Now make a backup copy of /etc/xinetd.d/smtp_psa in case of disaster:
    cp /etc/xinetd.d/smtp_psa /root/smtp_psa

    Now edit the server_args line in /etc/xinetd.d/smtp_psa so it looks like this:

    server_args = -Rt0 /usr/local/bin/spamdyke -f /etc/spamdyke.d/spamdyke.conf /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true


    (all that should be on one line)

    Notice - no rbl stuff in there! That's now handled by spamdyke.

    Now restart xinetd

    service xinetd restart

    Now watch your qmail log to make sure all is well:

    tail -f /usr/local/psa/var/log/maillog

    And while you do that, try sending an email using authentication. Make sure it works.
    Keep watching the maillog

    If disaster strikes (it should not), copy your backup smtp_psa back to its original location and restart xinetd and you are back to where you started.

    ** The only thing this will NOT do is work with pop-before-relay. You will have to get those people to use port 587 or something. That can't be helped unfortunately.

    ** Also these instructions are for Centos/RedHat/Fedora type OSes. Not Ubuntu/debian/whatever

    ** Better instructions can be found elsewhere (on this forum for that matter).

    ** Use at your own risk - this is meant as a quick and dirty guide. I have not checked what I've typed for accuracy. I'm only trying to explain how easy it is.

    Faris.
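
Added example (not part of the forum posts): a pre-flight check for the spamdyke and xinetd change outlined in the post above, to run against the edited files before restarting xinetd. The function names are hypothetical, and treating `rblsmtpd` as the RBL wrapper that the edit removes from `server_args` is an assumption, since the thread does not show the original line.

```shell
#!/bin/sh
# Added example: pre-flight check for the spamdyke/xinetd change above.
# Function names are hypothetical; pass copies of the files to try it safely.

# check_spamdyke_conf CONF
# Fails if CONF has no DNS blacklist entry or names a file that is unreadable.
check_spamdyke_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    grep -q '^dns-blacklist-entry=' "$conf" ||
        { echo "no dns-blacklist-entry in $conf"; return 1; }
    for key in local-domains-file tls-certificate-file; do
        path=$(sed -n "s/^$key=//p" "$conf" | head -n 1)
        [ -z "$path" ] && continue    # option not set, nothing to check
        [ -r "$path" ] || { echo "$key: cannot read $path"; return 1; }
    done
    return 0
}

# check_server_args XINETD_FILE CONF
# Fails unless there is exactly one server_args line, it starts spamdyke with
# "-f CONF" ahead of qmail-smtpd, and it no longer calls rblsmtpd (assumed
# here to be the RBL wrapper the edit removes).
check_server_args() {
    file=$1
    conf=$2
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    pat='^[[:space:]]*server_args[[:space:]]*='
    count=$(grep -c "$pat" "$file" || true)
    [ "$count" -eq 1 ] ||
        { echo "expected 1 server_args line, found $count"; return 1; }
    line=$(grep "$pat" "$file")
    case $line in
        *rblsmtpd*) echo "rblsmtpd is still in server_args"; return 1 ;;
    esac
    case $line in
        *"spamdyke -f $conf "*qmail-smtpd*) return 0 ;;
    esac
    echo "spamdyke -f $conf is not in front of qmail-smtpd"
    return 1
}

# Direct use: sh preflight.sh /etc/xinetd.d/smtp_psa /etc/spamdyke.d/spamdyke.conf
if [ "$#" -eq 2 ]; then
    check_spamdyke_conf "$2" && check_server_args "$1" "$2" && echo "OK"
fi
```

A `server_args` value that an editor wrapped onto a second line fails the last check, which is the case the "all that should be on one line" remark warns about.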
     
  6. hgmichna

    hgmichna Basic Pleskian

    Authenticated users are checked against DNS blacklists

    Faris,

    thanks a lot for your good advice! Installing a whole new program just to fix a small mistake in the mail configuration seems heavy though. I'll ponder it for a little longer.

    Any experience with the Plesk people? Do they talk?

    Hans-Georg
     
  7. ltastet

    ltastet Guest

     
    thanks for your advice & help

    Sorry to get back so late, but I wish to thank people for taking the time to answer my questions ...
    I've finally set up the submission port and asked my customers to change the port number, and everything seems to work fine. But I see I'm not the only one to get this issue, and I'm really surprised that nobody faced this issue before (I haven't been using Plesk for a long time).

    But, concerning Parallels software, I would really appreciate it if they made changes in future versions of Plesk for the auth & RBL mechanism:
    - for example, some customers can be firewalled and only smtp port allowed
    - installing an unsupported software (I mean not supported by plesk) for this little bug is not a good solution

    many thanks again

    Laurent Tastet
     
  8. levelup

    levelup Guest

     
    is really useful for me
     
  9. ziba@

    ziba@ Guest

     
    Hi,

    For this case (or if you find another bug or would like to submit a feature request) the best way to get it addressed is to create a ticket (if you have support) or email bugreport@parallels.com with a detailed problem description.
     