email issues : rbl & email address syntax

ltastet

Guest
Hi,

I've installed Plesk 8.6.0 for Linux and I'm facing many issues:
a) rbl & auth: many customers are using my server to send email (with SMTP auth enabled), but it seems that authenticated users are checked via RBL too, so they can't send email because they are sending email from dynamic IPs listed in RBLs. For me, this behaviour is not normal; authenticated users should not be checked via RBL.

b) email address syntax: if you read RFC 822, it says:
An atom is a sequence of printable ASCII characters except space or any of the following:
()<>@,;:\".[]
Positively speaking, this means that the valid constituents of an atom are the following:

!"#$%&'*+-/0123456789=?
@ABCDEFGHIJKLMNOPQRSTUVWXYZ^_
`abcdefghijklmnopqrstuvwxyz{|}~


1) if I try to create an email account like john's.email@domain, Plesk refuses; it says that the syntax is not correct
2) if I try to create an alias (maybe an email account too?) like double..dotted@domain, Plesk refuses too, for the same reason

Has anyone already faced these issues?

many thanks to people who will answer

best regards,

Laurent Tastet
 
To resolve your first issue, simply enable the submission port in Plesk (and then in your firewall if need be). Then ask your customers to use port 587 instead of port 25 for smtp.

Since the submission port REQUIRES authentication, no rbls are checked against and all will be well.
Port 25 will continue to check against rbls.

Many many ISPs are blocking port 25 anyway, so this is not a bad thing.

For your second problem, for whatever reason, dots are not permitted in mailnames.

To get around the problem, create an address without the dot, then simply manually rename the address in /var/qmail/mailnames/ to give it a dot. It works. I've used this trick several times. Obviously you can't then change settings on the domain via plesk but it is a good work-around for people who absolutely HAVE to have dots.

You very rarely find them these days.

Faris.
 
thanks for your help

Hi,

many thanks for taking the time to answer to my issues ...

I've finally set up an alternative SMTP port on my server for this customer (I don't know how to activate the submission port; my Plesk interface is in French and I don't know how it is named in French)


for the manual changes of email addresses & aliases, it's such a mess that we can't do this in the control panel ...

best regards

Laurent
 
Authenticated users are checked against DNS blacklists

To resolve your first issue, simply enable the submission port in Plesk (and then in your firewall if need be). Then ask your customers to use port 587 instead of port 25 for smtp.

Since the submission port REQUIRES authentication, no rbls are checked against and all will be well.
Port 25 will continue to check against rbls.

Faris,

thanks for the workaround, but it's really only usable in very small installations. You can't ask dozens of resellers and hundreds of mail users to change their SMTP port to a non-standard port. Some mail clients may not even allow the port to be changed.

So a workaround will not do---it would be better to repair the defect that authenticated SMTP users are undesirably checked against IP blacklists.

It is more important than one first thinks, for the following reason. Quite a lot of spam and virus mails originates from botnets and infected end user computers, almost all of them connected to the Internet via some dial-in port. If Plesk makes using blacklists like pbl.spamhaus.org impossible, that would increase the spam load several times, because most other spams are already filtered by other blacklists, such as sbl-xbl.spamhaus.org.

Since nobody in his right mind would program this defect intentionally, we have a software fault here, and if it is easy to have this fixed on port 587, then it cannot be difficult to have it fixed on port 25 as well.

Meanwhile I'd be very grateful for a manual workaround for port 25, in my case probably in the qmail configuration. Since I'm not a Linux expert, I would appreciate some step-by-step instructions.

Hans-Georg
 
Gods, yes, it could be a bit of a nightmare to get everybody to switch at once!
And yes, Parallels needs to update the way the rbls get processed (i.e. bypass if there's authentication). It is something that would be relatively easy to do. But they didn't.

However, port 587 is not non-standard. It is standard. Very standard. Within a few years all your users will have to switch, because all sensible ISPs will have blocked port 25 for anything other than their own SMTP servers. If all ISPs did this today, 80% of the spam being sent would stop (until the spammers re-programmed their spambots, but that's another story! I'm sure there are other flaws in my argument too)

OK, if you want a solution that allows you to continue to use port 25, but if the user authenticates they will bypass the rbls, then simply (and I mean simply) install spamdyke (www.spamdyke.org). It will take about 5 minutes to download and compile, then 5 minutes to create a config file for it that matches your needs, and another 3 minutes to "install" (copy one file somewhere, then modify another file, then restart xinetd).

Here are outline instructions, just so you see how easy it can be:

So, download from www.spamdyke.org
tar -xvzf thefileyoudownloaded
cd thedirectorycreated
cd spamdyke
./configure
make
cp spamdyke /usr/local/bin

mkdir /etc/spamdyke.d

create a file called spamdyke.conf and put it in /etc/spamdyke.d/
spamdyke.conf should have the following contents:

log-level=info
local-domains-file=/var/qmail/control/rcpthosts

#general options:
idle-timeout-secs=60
greeting-delay-secs=5


#general rejection options
reject-empty-rdns
reject-unresolvable-rdns
reject-missing-sender-mx

#dns blacklists
dns-blacklist-entry=zen.spamhaus.org
dns-blacklist-entry=bl.spamcop.net
dns-blacklist-entry=dnsbl.sorbs.net
dns-blacklist-entry=bogons.cymru.com

#tls stuff
tls-certificate-file=/var/qmail/control/servercert.pem


#this is the end of the file. More instructions now. don't put them in the file!:


Now make a backup copy of /etc/xinetd.d/smtp_psa in case of disaster:
cp /etc/xinetd.d/smtp_psa /root/smtp_psa

Now edit the server_args line in /etc/xinetd.d/smtp_psa so it looks like this:

server_args = -Rt0 /usr/local/bin/spamdyke -f /etc/spamdyke.d/spamdyke.conf /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true


(all that should be on one line)

Notice - no rbl stuff in there! That's now handled by spamdyke.

Now restart xinetd

service xinetd restart

Now watch your qmail log to make sure all is well:

tail -f /usr/local/psa/var/log/maillog

And while you do that, try sending an email using authentication. Make sure it works.
Keep watching the maillog

If disaster strikes (it should not), copy your backup smtp_psa back to its original location and restart xinetd and you are back to where you started.

** The only thing this will NOT do is work with pop-before-relay. You will have to get those people to use port 587 or something. That can't be helped unfortunately.

** Also these instructions are for Centos/RedHat/Fedora type OSes. Not Ubuntu/debian/whatever

** Better instructions can be found elsewhere (on this forum for that matter).

** Use at your own risk - this is meant as a quick and dirty guide. I have not checked what I've typed for accuracy. I'm only trying to explain how easy it is.

Faris.
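
A pre-flight check for the smtp_psa edit described in the post above, written as an added shell example; it is not part of the original post and not a spamdyke tool. The function names check_smtp_psa and demo are hypothetical, and it assumes the "rbl stuff" being removed from the chain is an rblsmtpd entry.

```shell
# check_smtp_psa FILE [ROOT]: pre-flight check of an edited smtp_psa (ROOT prefixes the config path).
# Prints one FAIL line per problem and returns the number of problems.
check_smtp_psa() {
    file=$1 root=${2:-} problems=0 seen_spamdyke=0 smtpd_first=0 conf= prev=
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }
    count=$(grep -c '^[[:space:]]*server_args[[:space:]]*=' "$file" || true)
    if [ "${count:-0}" -ne 1 ]; then
        echo "FAIL: expected exactly one server_args line, found ${count:-0}"
        return 1
    fi
    args=$(sed -n 's/^[[:space:]]*server_args[[:space:]]*=[[:space:]]*//p' "$file")
    for word in $args; do
        case $word in
            */rblsmtpd) fail "rblsmtpd still in chain: listed IPs are refused before SMTP AUTH" ;;
            */spamdyke) seen_spamdyke=1 ;;
            */qmail-smtpd) [ "$seen_spamdyke" -eq 1 ] || smtpd_first=1 ;;
        esac
        if [ "$prev" = "-f" ] && [ "$seen_spamdyke" -eq 1 ] && [ -z "$conf" ]; then
            conf=$word  # the word after spamdyke's -f is its config file
        fi
        prev=$word
    done
    if [ "$seen_spamdyke" -eq 0 ]; then
        fail "spamdyke is not in server_args"
    elif [ "$smtpd_first" -eq 1 ]; then
        fail "qmail-smtpd appears before spamdyke"
    elif [ -z "$conf" ]; then
        fail "spamdyke has no -f <config file> argument"
    elif [ ! -r "$root$conf" ]; then
        fail "config file $conf is not readable"
    elif ! grep -q '^dns-blacklist-entry=' "$root$conf"; then
        fail "no dns-blacklist-entry in $conf: nothing checks blacklists any more"
    fi
    # A wrapped server_args line loses its tail, and with it the SMTP AUTH checker.
    case " $args " in
        *"/cmd5checkpw "*) ;;
        *) fail "cmd5checkpw missing: line is probably wrapped, SMTP AUTH would break" ;;
    esac
    return "$problems"
}
# Constructed sample in a temp dir; the server_args line is the one from the post above.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/etc/spamdyke.d"
    echo 'dns-blacklist-entry=zen.spamhaus.org' > "$d/etc/spamdyke.d/spamdyke.conf"
    echo 'server_args = -Rt0 /usr/local/bin/spamdyke -f /etc/spamdyke.d/spamdyke.conf /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true' > "$d/smtp_psa"
    check_smtp_psa "$d/smtp_psa" "$d"; rc=$?; rm -rf "$d"; return "$rc"
}
demo && echo "OK"
```

On a live server, call `check_smtp_psa /etc/xinetd.d/smtp_psa` without a ROOT argument before `service xinetd restart`.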
 
Authenticated users are checked against DNS blacklists

Gods, yes, it could be a bit of a nightmare to get everybody to switch at once!
And yes, Parallels needs to update the way the rbls get processed (i.e. bypass if there's authentication). It is something that would be relatively easy to do. But they didn't. ...

Faris,

thanks a lot for your good advice! Installing a whole new program just to fix a small mistake in the mail configuration seems heavy though. I'll ponder it for a little longer.

Any experience with the Plesk people? Do they talk?

Hans-Georg
 
thanks for your advice & help

sorry to get back so late, but I wish to thank people for taking time to answer my questions ...
I've finally set up the submission port and asked my customers to change the port number, and everything seems to work fine. But I see I'm not the only one to get this issue, and I'm really surprised that nobody faced this issue before (I haven't been using Plesk for a long time)

but, concerning Parallels software, I would really appreciate it if they made changes in future versions of Plesk for the auth & rbl mechanism:
- for example, some customers can be firewalled and only smtp port allowed
- installing an unsupported software (I mean not supported by plesk) for this little bug is not a good solution

many thanks again

Laurent Tastet
 
Hi,

For this case (or if you find another bug or would like to submit feature request) the best way to get it addressed is to create a ticket (if you have support) or email to [email protected] with detailed problem description.
 