Postfix: mails sent through sendmail binary are blocked because of wrong HELO

[BastienV]

Hi.
My server is using Centos 6.5
I updated from Plesk 11.5 to 12 last week and postfix to 2.8.17.
Since then, all mails sent using the sendmail binary (notifications, mail forwards...) are being rejected with a wrong HELO hostname: localhost.
It seems that sendmail is using locahost as a HELO tag which is not accepted.

Thank you in advance for your help

Here is the following error:

Jun 23 14:23:20 ns395167 plesk sendmail[29817]: handlers_stderr: SKIP
Jun 23 14:23:20 ns395167 plesk sendmail[29817]: SKIP during call 'check-quota' handler
Jun 23 14:23:20 ns395167 postfix/pickup[29480]: B94BC6AA20A6: uid=0 from=<[email protected]>
Jun 23 14:23:20 ns395167 postfix/cleanup[29507]: B94BC6AA20A6: message-id=<[email protected]>
Jun 23 14:23:20 ns395167 greylisting filter[29824]: Starting greylisting filter...
Jun 23 14:23:20 ns395167 greylisting filter[29824]: Wrong HELO hostname: localhost
Jun 23 14:23:20 ns395167 /usr/lib64/plesk-9.0/psa-pc-remote[29457]: handlers_stderr: REJECT
Jun 23 14:23:20 ns395167 /usr/lib64/plesk-9.0/psa-pc-remote[29457]: REJECT during call 'grey' handler
Jun 23 14:23:20 ns395167 /usr/lib64/plesk-9.0/psa-pc-remote[29457]: Message aborted.
Jun 23 14:23:20 ns395167 postfix/cleanup[29507]: B94BC6AA20A6: milter-reject: DATA from localhost[127.0.0.1]: 5.7.1 Command rejected; from=<[email protected]> to=<[email protected]>
Jun 23 14:23:20 ns395167 postfix/cleanup[29507]: B94BC6AA20A6: to=<[email protected]>, orig_to=<[email protected]>, relay=none, delay=0.12, delays=0.12/0/0/0, dsn=5.7.1, status=bounced (Command rejected)
Jun 23 14:23:20 ns395167 postfix/cleanup[29502]: C594B6AA20A8: message-id=<[email protected]>
Jun 23 14:23:20 ns395167 postfix/bounce[29506]: B94BC6AA20A6: sender non-delivery notification: C594B6AA20A8
Jun 23 14:23:20 ns395167 postfix/qmgr[29481]: C594B6AA20A8: from=<>, size=2211, nrcpt=1 (queue active)
Jun 23 14:23:20 ns395167 postfix/cleanup[29502]: CFFE56AA2094: message-id=<[email protected]>
Jun 23 14:23:20 ns395167 postfix/local[29721]: C594B6AA20A8: to=<[email protected]>, orig_to=<[email protected]>, relay=local, delay=0.08, delays=0.04/0/0/0.04, dsn=2.0.0, status=sent (forwarded as CFFE56AA2094)
Jun 23 14:23:20 ns395167 postfix/qmgr[29481]: CFFE56AA2094: from=<>, size=2361, nrcpt=1 (queue active)
Jun 23 14:23:20 ns395167 postfix/qmgr[29481]: C594B6AA20A8: removed
Jun 23 14:23:20 ns395167 postfix-local[29825]: postfix-local: from=MAILER-DAEMON, [email protected], dirname=/var/qmail/mailnames
Jun 23 14:23:20 ns395167 postfix-local[29825]: Unable to get sender domain by sender mailname
Jun 23 14:23:20 ns395167 dk_check[29826]: DK_STAT_NOSIG: No signature available in message
Jun 23 14:23:20 ns395167 postfix-local[29825]: handlers_stderr: PASS
Jun 23 14:23:20 ns395167 postfix-local[29825]: PASS during call 'dd52-domainkeys' handler
Jun 23 14:23:20 ns395167 postfix/pipe[29508]: CFFE56AA2094: to=<[email protected]>, orig_to=<[email protected]>, relay=plesk_virtual, delay=0.1, delays=0.04/0/0/0.06, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Jun 23 14:23:20 ns395167 postfix/qmgr[29481]: CFFE56AA2094: removed

Here is my postconf -n content:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 10240000
mydestination = localhost.$mydomain, localhost, localhost.localdomain
myhostname = ns395167.ip-176-31-117.eu
mynetworks = 127.0.0.0/8 [::1]/128 176.31.117.106/32 [2001:41d0:8:3c6a::1]/128, 50.57.69.12/32
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:127.0.0.1:12768 unix:/var/spool/postfix/ctmilter/ctmilter.sock
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.8.17/README_FILES
sample_directory = /usr/share/doc/postfix-2.8.17/samples
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_send_xforward_command = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client xbl.spamhaus.org, reject_rbl_client b.barracudacentral.org
smtpd_milters = inet:127.0.0.1:12768 unix:/var/spool/postfix/ctmilter/ctmilter.sock
smtpd_proxy_timeout = 3600s
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_timeout = 3600s
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
transport_maps = , hash:/var/spool/postfix/plesk/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:31
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_limit = 0
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:30

My system hostname seems correct:

hostname -f
ns395167.ip-176-31-117.eu
hostname
ns395167.ip-176-31-117.eu

 

[BastienV]

With the help of someone from serverfaut (http://serverfault.com/a/607284/227525) I understood that the error is coming from this line:

non_smtpd_milters = inet:127.0.0.1:12768 unix:/var/spool/postfix/ctmilter/ctmilter.sock

This is then blocking as specified here:

/usr/lib64/plesk-9.0/psa-pc-remote[29457]: handlers_stderr: REJECT

If I comment the line in main.cf then emails stent from sendmail binary are going through.
I don't know what can be the consequences of this action though. So I would appreciate if someone can help me.

This also confirms that this bug is related to upgrade from Plesk 11.5 to Plesk 12.0!

Thank you.

 

[AlexsanderR]

Hi,

I'm facing the same issue.

If you deactivate the SPF spam protection it will work. But it is not acceptable, right?!

It worked fine on 11.5, therefore I think it is a bug from version 12, too.

Please, can anyone from Parallels take a look on it?

Thanks!

 

[IgorG]

1. GL handled do not allow to use HELO localhost.
2. This is because the local mail has a specific marker which indicates that the mail goes inside mail server. And GL handler doesn't check such type of email.
3. If SMTP session was unauthorized or created outside, then for this session it is not possible to use HELO localhost - it is very similar to spam. As result - this HELO is forbidden.

You sent email locally by SMTP with HELO localhost in session.
We need to know who sent this email, which process, what sort of content there?

 

[AlexsanderR]

Hi,

Thank you a lot your quick answer.

In my case this is a Word Press standard sendmail box for our contact which account is hosted at the same server. I didn't see some configuration on WP for using specific HELO, but found something on internet about it:

http://serverfault.com/questions/205271/how-to-specify-outgoing-helo-with-sendmail

It seems the problem is the sendmail configuration, but I didn't test it.
For previous Plesk version 11.5 I've the SPF protection activated and it didn't cause such issue.

Those are my logs, pretty similar to the original issue described on this thread:

Jun 24 20:43:51 pp1 spf filter[18608]: Wrong HELO hostname: localhost
Jun 24 20:43:51 pp1 /usr/lib64/plesk-9.0/psa-pc-remote[9822]: handlers_stderr: REJECT
Jun 24 20:43:51 pp1 /usr/lib64/plesk-9.0/psa-pc-remote[9822]: REJECT during call 'spf' handler
Jun 24 20:43:51 pp1 postfix/cleanup[18573]: A16A4616EB: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Command rejected; from=<[email protected]> to=<[email protected]>
Jun 24 20:43:51 pp1 postfix/cleanup[18573]: A16A4616EB: to=<[email protected]>, relay=none, delay=0.55, delays=0.55/0/0/0, dsn=5.7.1, status=bounced (Command rejected)
Jun 24 20:43:51 pp1 postfix/cleanup[18610]: D50BA616EC: message-id=<[email protected]>
Jun 24 20:43:52 pp1 postfix/bounce[18609]: A16A4616EB: sender non-delivery notification: D50BA616EC
Jun 24 20:43:52 pp1 postfix/qmgr[10948]: D50BA616EC: from=<>, size=2310, nrcpt=1 (queue active)
Jun 24 20:43:52 pp1 postfix/smtpd[18568]: warning: valid_hostname: misplaced delimiter: .
Jun 24 20:43:52 pp1 postfix/smtpd[18568]: connect from unknown[108.174.63.53]
Jun 24 20:43:52 pp1 postfix/error[18611]: D50BA616EC: to=<[email protected]>, relay=none, delay=0.6, delays=0.24/0/0/0.36, dsn=5.0.0, status=bounced (User unknown in virtual alias table)
Jun 24 20:43:52 pp1 postfix/qmgr[10948]: D50BA616EC: removed

Thank you again for your help.

 

[IgorG]

Maybe it will help? http://wordpress.org/plugins/wp-mail-smtp/

 

[AlexsanderR]

Hi,

It seems it worked with WP! Thanks!

But there is another issue with internal emails.

This message is periodically generated by plesk server indicating domains with exceeded quota.
And and I'm not getting it anymore on admin email account which is located at the same server, as well.

Please, how to get it working again?

Jun 25 01:20:55 pp1 plesk sendmail[27698]: Error during 'check-quota' handler
Jun 25 01:20:55 pp1 courier-imapd: LOGOUT, ip=[::ffff:72.249.77.101], rcvd=15, sent=368
Jun 25 01:20:55 pp1 postfix/pickup[30782]: 15C18616FE: uid=0 from=<root>
Jun 25 01:20:55 pp1 postfix/cleanup[27705]: 15C18616FE: message-id=<[email protected]>
Jun 25 01:20:55 pp1 /usr/lib64/plesk-9.0/psa-pc-remote[26104]: handlers_stderr: SKIP
Jun 25 01:20:55 pp1 /usr/lib64/plesk-9.0/psa-pc-remote[26104]: SKIP during call 'check-quota-permanent' handler
Jun 25 01:20:55 pp1 /usr/lib64/plesk-9.0/psa-pc-remote[26104]: handlers_stderr: SKIP
Jun 25 01:20:55 pp1 /usr/lib64/plesk-9.0/psa-pc-remote[26104]: SKIP during call 'limit-out' handler
Jun 25 01:20:55 pp1 /usr/lib64/plesk-9.0/psa-pc-remote[26104]: handlers_stderr: SKIP
Jun 25 01:20:55 pp1 /usr/lib64/plesk-9.0/psa-pc-remote[26104]: SKIP during call 'check-quota' handler
Jun 25 01:20:55 pp1 spf filter[27712]: Starting spf filter...
Jun 25 01:20:55 pp1 spf filter[27712]: Wrong HELO hostname: localhost
Jun 25 01:20:55 pp1 /usr/lib64/plesk-9.0/psa-pc-remote[26104]: handlers_stderr: REJECT
Jun 25 01:20:55 pp1 /usr/lib64/plesk-9.0/psa-pc-remote[26104]: REJECT during call 'spf' handler
Jun 25 01:20:55 pp1 postfix/cleanup[27705]: 15C18616FE: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Command rejected; from=<[email protected]> to=<[email protected]>
Jun 25 01:20:55 pp1 postfix/cleanup[27705]: 15C18616FE: to=<[email protected]>, orig_to=<root>, relay=none, delay=0.19, delays=0.19/0/0/0, dsn=5.7.1, status=bounced (Command rejected)
Jun 25 01:20:55 pp1 postfix/cleanup[27714]: 3250261701: message-id=<[email protected]>
Jun 25 01:20:55 pp1 postfix/bounce[27713]: 15C18616FE: sender non-delivery notification: 3250261701

 

[antonio_toni]

Same problem as AlexsanderR. any solution?

 

[AlexsanderR]

Hi,

Sorry, false alarm. It is possible to send an email by the SMTP test box on WP (after configuring the host and an authenticated email account to send), but the issue remains the same with the messages sent from the contact page.

Logs from last attempt after WP SMTP plugin installed and configured:

Jun 25 08:53:16 pp1 spf filter[23561]: Starting spf filter...
Jun 25 08:53:16 pp1 spf filter[23561]: Wrong HELO hostname: localhost
Jun 25 08:53:16 pp1 /usr/lib64/plesk-9.0/psa-pc-remote[26104]: handlers_stderr: REJECT
Jun 25 08:53:16 pp1 /usr/lib64/plesk-9.0/psa-pc-remote[26104]: REJECT during call 'spf' handler
Jun 25 08:53:16 pp1 postfix/cleanup[23402]: DD161617A1: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Command rejected; from=<[email protected]> to=<[email protected]>
Jun 25 08:53:17 pp1 postfix/cleanup[23402]: DD161617A1: to=<[email protected]>, relay=none, delay=0.25, delays=0.25/0/0/0, dsn=5.7.1, status=bounced (Command rejected)
Jun 25 08:53:17 pp1 postfix/cleanup[23563]: 13751617A2: message-id=<[email protected]>
Jun 25 08:53:17 pp1 postfix/bounce[23562]: DD161617A1: sender non-delivery notification: 13751617A2
Jun 25 08:53:17 pp1 postfix/qmgr[26128]: 13751617A2: from=<>, size=2313, nrcpt=1 (queue active)
Jun 25 08:53:17 pp1 postfix/error[23564]: 13751617A2: to=<[email protected]>, relay=none, delay=0.15, delays=0.08/0/0/0.07, dsn=5.0.0, status=bounced (User unknown in virtual alias table)
Jun 25 08:53:17 pp1 postfix/qmgr[26128]: 13751617A2: removed

 

[AlexsanderR]

Hi guys,

Sorry, my test was too quick. My form was using php method. It works with the WP form plugin installed + the SMTP plugin.

However, issue with generated emails from Plesk Server is still the same. It is blocking its own emails.

 

[AlexsanderR]

HI,

Automatic answer and forwarding e-mails present the same issue.
I'm going to disable SPF protection until we have a fix for that.

 

[BastienV]

For me it seems obvious that something is wrong since the upgrade as all mails sent from the server using the sendmail binary are being rejected: wordpress, prestashop, mail redirection, plesk notification etc...
There is something very bad hapenning here and you should better taked a serious look at it now.
Disabling SPF protection is not acceptable and switching from sendmail to php or external smtp service is not acceptable and would not cover plesk mails (notifications and mail forwarding).

Thanks in advance for a quick and definitive fix.

 

[Lloyd_mcse]

Yeah +1 on this..

Ubuntu 12.04.4 LTS
Plesk 12.0.18 #5

Health Monitor email is blocked, and the cause seems to be psa-spf.
Watchdog email is sent fine.

 

[igor.A.]

could you show me the output of the following commands:

# /usr/local/psa/admin/bin/mail_handlers_control --list
# readlink -f `which sendmail`
# dpkg -l  (for .deb like OS) 
# rpm -qa (for .rpm like OS)

 

[AlexsanderR]

Hi Igor,

Results attached.

Thanks!

 

[Lloyd_mcse]

Here's mine...

I hope it helps

Kind regards

Lloyd

 

[igor.A.]

remove whole non_smtpd_milters from postfix main.cf in case you do not use commtouch.
If you would like to use commtouch then you can remove only "inet:127.0.0.1:12768" from non_smtpd_milters.
restart postfix.

 

[AlexsanderR]

Hi Igor,

Commtouch was removed from server but it seems the uninstalling procedure forgot to change those lines(smtpd_milters configuration, as well). I suggest it to be informed to development.

Again. Thanks a lot your help!

 

[igor.A.]

reported to development (PPP-10678 for your reference)

 

[MG_Sky_Georg]

Hi i have still the problem, that php->sendmail won't work, owncloud/contact forms can't send mails.

i have attached a file with my main.cf and the commands of this thread,

i've got no idea, how to fix this problem, it occured since my update to plesk 12

Greetings and thanks a lot for your help View attachment log.txt