
Plesk 10.4.4 Update#12: Postfix does not accept outgoing messages

robin24
Hello all,
I am running a fresh installation of Plesk 10.4.4 Update#12 on my Debian 6.0 server. So far, Postfix works without any problems. However, when I enable DNS blacklisting in the server-wide Mail settings and specify an entry as follows: zen.spamhaus.org
sending Mail via Postfix and authenticated relaying always fails, with the Mail client stating that sending the message was not possible. On the server, this always creates a new entry in the /var/log/mail.err file which looks like this:


Jan 23 20:57:44 server /usr/lib/plesk-9.0/psa-pc-remote[4080]: Message aborted.

I've tried restarting the server several times, but with no success. However, disabling DNSBL filtering fixed the problem immediately. Please, can someone here give me any instructions on how to solve this problem and still use DNS blacklisting?
Thanks a lot for any advice!
Robin
 
Hi again,
OK, getting closer to solving my problem here, I think. I just tried sending a message via the SMTP server using Telnet as follows:

220 mydomain.org ESMTP Postfix (Debian/GNU)
helo test.mydomain.org
250 mydomain.org
auth login
[Base64-encoded stuff removed]
235 2.7.0 Authentication successful
mail from: [email protected]
250 2.1.0 Ok
rcpt to: [email protected]
554 5.7.1 Service unavailable; Client host [my.external.IP.address] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=xxx
quit
221 2.0.0 Bye
Connection closed by foreign host.

So, it seems that even *after* authentication, the server actually uses the spam blacklist against the Mail client (mailbox user) trying to send a message through the server. Obviously, that's not what I want - I want Postfix to only check *incoming* messages against the DNSBL, but not my clients which establish authenticated connections to the server in order to transfer messages.
Is there any way I can do this, or is this function only meant to be used for Mail exchangers that only receive incoming messages? I still have Spam Assassin which seems to work great, but that only processes messages after they have been received and does not reject them right away when a record is found in a spam blacklist...
Thanks for any help!!!
Robin
 
Hello robin24,
Open /etc/postfix/main.cf, search for "smtpd_client_restrictions = " and insert "permit_sasl_authenticated" after it.

For example:
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rbl_client zen.spamhaus.org

Then reload Postfix:
/etc/init.d/postfix reload

Greets
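
An added example, not part of the posts in this thread and not Plesk or Postfix tooling: a small check that parses main.cf and reports every DNSBL lookup that Postfix would reach before permit_sasl_authenticated within the same restriction list (each list is evaluated on its own, first match wins). The BROKEN sample is constructed for illustration; FIXED is the line from the reply above.

```python
import re

# Restrictions that look the connecting client up in a DNS blocklist.
DNSBL_CHECKS = {"reject_rbl_client", "reject_rhsbl_client"}
LISTS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
         "smtpd_sender_restrictions", "smtpd_recipient_restrictions")

def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues the previous one."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        elif "=" in line:
            current, value = (part.strip() for part in line.split("=", 1))
            params[current] = value  # a later definition overrides an earlier one
    return params

def dnsbl_before_sasl(params):
    """List (parameter, zone) pairs that authenticated clients are still checked against."""
    findings = []
    for name in LISTS:
        tokens = re.split(r"[,\s]+", params.get(name, "").strip())
        for i, tok in enumerate(tokens):
            if tok == "permit_sasl_authenticated":
                break  # authenticated clients are permitted here; later checks skip them
            if tok in DNSBL_CHECKS and i + 1 < len(tokens):
                findings.append((name, tokens[i + 1]))
    return findings

# Constructed sample: DNSBL in the client list, SASL permit only in the recipient list.
BROKEN = """\
smtpd_client_restrictions = permit_mynetworks,
    reject_rbl_client zen.spamhaus.org
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
"""
# The corrected line from the reply above.
FIXED = ("smtpd_client_restrictions = permit_sasl_authenticated, "
         "permit_mynetworks, reject_rbl_client zen.spamhaus.org\n")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, dnsbl_before_sasl(parse_main_cf(cfg)))
```

Feeding it the contents of /etc/postfix/main.cf after each control-panel change shows whether the ordering survived the rewrite.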
 
Correct me if I'm wrong here, but isn't that the intended behavior of zen.spamhaus.org? I believe we get the exact same result using zen, so we use sbl. & xbl. (Not pbl.)
From http://www.spamhaus.org/zen/index.lasso
Caution: Because ZEN includes the XBL and PBL lists, do not use ZEN on smarthosts or SMTP AUTH outbound servers for your own customers (or you risk blocking your own customers). Do not use ZEN in filters that do any ‘deep parsing’ of Received headers, or for anything other than checking IP addresses that hand off to your mailservers.
 
You don't want to block clients when they are authenticated at the server for sending mails. Without permit_sasl_authenticated the clients that are using port 25 or 465 are blocked because they are checked using zen.spamhaus.org or others. This is not what you want, right? ;)

Only clients or servers that aren't authenticated should be checked against your DNSBL ;)
 
changes will be lost

Am I right that these changes will be lost if I make some changes in the Plesk UI? For example, changing the blacklists..

fr
argonius
 
I did not check that but if it is deleted by changing something in Plesk please create a bug report. It should then definitely be changed by the Plesk team.

Either way it's maybe better to create a bug report because in my opinion Plesk should set the 'permit_sasl_authenticated'.
 
I don't think you can... I might be wrong here, but even if there is a way of filing a bug report I honestly don't think that anyone will care about it. Like I said in a previous thread, I've now migrated from Plesk to Froxlor, which is open source, much, much more flexible and is easy to fix in case something goes wrong. As for the blacklist issue, I was able to set this up on my new server without any issue whatsoever. The solution here would be to simply put in permit_sasl_authenticated *before* the blacklist definition. In such a case, you can use zen.spamhaus.org or even pbl.spamhaus.org explicitly if you want to. It's blatantly simple - Postfix works through these restrictions top to bottom, so if permit_sasl_authenticated appears before the blacklist Postfix simply doesn't care about that anymore, since any mail clients will have passed SASL authentication already, and are thus permitted to send whatever they want.
Personally, I find it *very* disturbing that Plesk makes such mistakes, to me that just shows that its developers don't give a f**k how the appropriate daemons have to be configured so that they work properly. As long as they start up and seem to do their job in one way or another, Parallels considers the job done. I've spent some time going through the syslog of my server when it was still running Plesk, and in there I found errors / warnings that I had never seen before. Yes, I did use Plesk for a while and actually liked it in the beginning, but man, I'm so extremely glad that my Plesk time is in the past by now and that I've actually found a system that is lightweight, highly customizable and which actually works. Yes, I know some companies use Plesk because it implements a whole lot of features, includes a payment gateway and Site Builder and can be administered using an iOS app. However, I seriously feel sorry for sys admins who have to deal with Plesk and all its shortcomings and pitfalls on a regular basis. Personally speaking, I'm glad I was able to migrate away from Plesk in no time - and I'm never, never going to turn back to Plesk, there are just too many other good control panels out there, made by developers who actually show their commitment and highlight the importance of their clients - neither of which I could say about Plesk or Parallels in general.
 
I hear you and totally agree in the short few weeks I've been using Plesk. I wish I could join you on the Froxlor forums as another keen user but I must have a billing solution that works on Debian... and that sums up my position. Well, WHMCS will work on Debian (maybe even Archlinux!!!) but cPanel won't. One of the most serious shortcomings is the lack of native English language by Parallels support staff. I'm sure it negatively impacts the overall support and development cycle and creates a lot of frustration on both ends. My only confidence with Plesk is that if the company wants a viable profitable product then they MUST improve it or keep losing market share to the alternatives... and yes, one day, even the open source alternatives will become good enough and then bye bye Plesk, and cPanel for that matter.

If Parallels had a clue then they would open source all of Plesk, put it on Github, employ some native English staffers, and just sell annual support contracts. Perhaps use the Trolltech/Qt model, say, give away a strict AGPLv3 version (they own the code so they license any which way) and sell a commercially licensed GPL-free version, and support for either. Let the "community" do all the devel work and focus on world class support staff instead.

Yeah right, in my dreams. Like I say, I wish I could join you on the Froxlor forums :-(
 
Hey, wow, what you're saying there would just be too good to be true, really! But yeah, we both know this probably isn't going to happen anytime soon, certainly not as long as people are still willing to pay for Plesk licenses, which in my opinion are hopelessly overpriced. I've never dealt with Parallels' support staff, but for some reason it doesn't surprise me that their support team sucks as much as their software does. I mean, they honestly don't seem to care about their users, or their community at all. Let's be honest, this thread isn't exactly "Plesk friendly" at all, it's turned into both of us discussing our frustration with both Parallels and Plesk. However, neither the forum moderators nor any other Parallels staff have intervened in any way, no pointers to where you could file a bug report, no suggested fixes for our issues, the thread hasn't even been closed or deleted... Why not? Probably the answer is that they simply don't care. Yeah, I do understand your frustration about having to use Plesk only because of its payment gateway. However, you could have a look at http://www.licensecube.com - they sell licenses for various control panels (including CPanel and Plesk), but they also provide licenses for billing systems such as ClientExec or Blesta so you might want to have a look!
Also, there are some other new commercial panels that are gaining some popularity now, one being called DirectAdmin and the other is ISPManager. I haven't dealt with them personally just yet (and probably won't anytime soon as I'm totally happy with my system as it is right now) and I don't know if they have billing systems on board, but maybe you'll want to check them out as well :)
Anyways, if you end up turning over to Froxlor at some point and need any help / info or just to let me know, feel free to message me if you like!
For now, well, good luck with Plesk - may the experience not be all that painful and only last as shortly as possible!!! :)
 