Facebook
Twitter
-
If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
CentOS2Alma discussion
Problem Sending Email via Any Email Client / iPhone
- Thread starter pierre88
- Start date
I'm using Mail client of OSX, that is what i captured with tail -f /usr/local/psa/var/log/maillog
Oct 21 11:16:48 postfix/smtpd[710]: connect from unknown[81.xx.xx.xx]
Oct 21 11:16:48 postfix/smtpd[710]: NOQUEUE: reject: RCPT from unknown[81.xx.xx.xx]: 554 5.7.1 Service unavailable; Client host [81.xx.xx.xx] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=81.xx.xx.xx; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[10.2.5.86]>
Oct 21 11:16:48 postfix/smtpd[710]: disconnect from unknown[81.xx.xx.xx]
Oct 21 11:16:48 /usr/lib64/plesk-9.0/psa-pc-remote[13007]: Message aborted.
Oct 21 11:16:48 postfix/smtpd[710]: connect from unknown[81.xx.xx.xx]
Oct 21 11:16:48 postfix/smtpd[710]: NOQUEUE: reject: RCPT from unknown[81.xx.xx.xx]: 554 5.7.1 Service unavailable; Client host [81.xx.xx.xx] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=81.xx.xx.xx; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[10.2.5.86]>
Oct 21 11:16:48 postfix/smtpd[710]: disconnect from unknown[81.xx.xx.xx]
Oct 21 11:16:48 /usr/lib64/plesk-9.0/psa-pc-remote[13007]: Message aborted.
i'm using Mail client of OSX, that it's what i captured with tail -f /usr/local/psa/var/log/maillog:
Oct 21 11:16:46 postfix/smtpd[710]: connect from unknown[81.xx.xx.xx]
Oct 21 11:16:46 postfix/smtpd[710]: NOQUEUE: reject: RCPT from unknown[81.xx.xx.xx]: 554 5.7.1 Service unavailable; Client host [81.xx.xx.xx] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=81.xx.xx.xx; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[10.2.5.86]>
Oct 21 11:16:46 postfix/smtpd[710]: disconnect from unknown[81.xx.xx.xx]
Oct 21 11:16:46 /usr/lib64/plesk-9.0/psa-pc-remote[13007]: Message aborted.
Oct 21 11:16:46 postfix/smtpd[710]: connect from unknown[81.xx.xx.xx]
Oct 21 11:16:46 postfix/smtpd[710]: NOQUEUE: reject: RCPT from unknown[81.xx.xx.xx]: 554 5.7.1 Service unavailable; Client host [81.xx.xx.xx] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=81.xx.xx.xx; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[10.2.5.86]>
Oct 21 11:16:46 postfix/smtpd[710]: disconnect from unknown[81.xx.xx.xx]
Oct 21 11:16:46 /usr/lib64/plesk-9.0/psa-pc-remote[13007]: Message aborted.
Don't use zen.spamhaus.org as blackhole protection as it (stupidly, imho) also blocks OUTGOING email.
many private customers and many mobile companies use dynamic IPs which most of the times are blacklisted and your own customers will get rejected by the server this way and they will lose email from other people who are under the same circumstances.
i suggest not to use ANY of the blackhole protections and disable them. use greylisting + spf + spamassassin instead (and that is far from perfect also ...)
many private customers and many mobile companies use dynamic IPs which most of the times are blacklisted and your own customers will get rejected by the server this way and they will lose email from other people who are under the same circumstances.
i suggest not to use ANY of the blackhole protections and disable them. use greylisting + spf + spamassassin instead (and that is far from perfect also ...)
burnley
Regular Pleskian
pierre88, Sven L., compromising the quality of service offered to the customers by allowing for more spam to slip through the cracks isn't a very clever option. Using blackhole lists to protect against port 25 abuse is just fine, if you want to offer SMTP authentication support for your customers you should reconfigure Postfix to skip RBL checks for the SMTP authenticated customers. You should read about smtpd_client_restrictions in http://www.postfix.org/postconf.5.html and http://www.postfix.org/SMTPD_ACCESS_README.html
burnley, if you read my previous post again, you'll see that our sending customers are not the only problem here.
those blackhole lists (specially zen. which is over-agressive) have made us lose many emails originating from other people with dynamic IPs.
95% of spanish households and 100% of spanish 3G and 4G mobile phones are dynamic IPs and from that huge %, more than half of the IPs have been or are currently on a spammer blacklist.
you can paint it like you want, but losing incoming email is unacceptable.
rather let a little more spam slip through, which will be sorted by greylisting and spamassassin than setting up blackhole lists and lose incoming valid email.
those blackhole lists (specially zen. which is over-agressive) have made us lose many emails originating from other people with dynamic IPs.
95% of spanish households and 100% of spanish 3G and 4G mobile phones are dynamic IPs and from that huge %, more than half of the IPs have been or are currently on a spammer blacklist.
you can paint it like you want, but losing incoming email is unacceptable.
rather let a little more spam slip through, which will be sorted by greylisting and spamassassin than setting up blackhole lists and lose incoming valid email.
burnley
Regular Pleskian
Sven L., I think I read your post properly and I also think that there's some confusion / misunderstanding here about how the email systems are supposed to work, who is supposed to connect to SMTP port 25, how should RBL configuration be integrated in a working environment and so on.
Simply put: no residential client or mobile device should be able to connect to arbitrary hosts on port 25 to initiate SMTP sessions. In fact, there are multiple ISPs & telecom providers all over the world who are actively blocking 25/tcp outbound connections initiated by their customers to external hosts. The customers are supposed to be able to connect on port 25 to their providers SMTP servers. However, most providers are still allowing outbound connections to ports 587 (aka submission, most enforcing TLS encryption) and / or 465 (aka smtps, or SMTP over SSL) where RBLs aren't used for filtering by the email servers, but the emails are only relayed for the authenticated users. Have you ever asked yourself why providers like Gmail, Yahoo or GoDaddy offer access to ports 465 or 587, or both for their SMTP services?
You were losing residential and mobile customers because you didn't have the SMTP services configured properly. You can still use 25 for your customers (although this way you're risking to lose the ones who can NOT connect on port 25), but you can bypass RBL checks for the authenticated sessions. Again, please read the links from my previous post.
Simply put: no residential client or mobile device should be able to connect to arbitrary hosts on port 25 to initiate SMTP sessions. In fact, there are multiple ISPs & telecom providers all over the world who are actively blocking 25/tcp outbound connections initiated by their customers to external hosts. The customers are supposed to be able to connect on port 25 to their providers SMTP servers. However, most providers are still allowing outbound connections to ports 587 (aka submission, most enforcing TLS encryption) and / or 465 (aka smtps, or SMTP over SSL) where RBLs aren't used for filtering by the email servers, but the emails are only relayed for the authenticated users. Have you ever asked yourself why providers like Gmail, Yahoo or GoDaddy offer access to ports 465 or 587, or both for their SMTP services?
You were losing residential and mobile customers because you didn't have the SMTP services configured properly. You can still use 25 for your customers (although this way you're risking to lose the ones who can NOT connect on port 25), but you can bypass RBL checks for the authenticated sessions. Again, please read the links from my previous post.
Burnley,
Many servers work this way (plesk servers with default settings does this):
when a customer sends an email, that email is sent as if it was the end user's IP, instead the server IP (don't ask me why, ask parallels).
example: all emails that are sent though my server, are using their local own IP, except if they use webmail or web forms, then the email is "from" the servers IP
so, maybe you do live in a perfect utopian world or country, where everyone who sends email has a nice clean static IP. but I am telling you, that is NOT the case here in Spain. far from it!
not only do private homes and 3G mobile ISP use crappy dynamic blacklisted IPs, but most of the small business have dynamic IPs too!
and then I get calls telling me "hey why did that customer/provider of mine reject my email"? and i check it and have to tell em "because you reseted your router this weekend and the new IP you have is on blacklists all over the world, stop being cheap and get a static IP" which costs 6-15€/month depending on provider and that's money small business here just don't want to pay. in case you didn't know, there's an economic crisis going on.
I can only control what's going on on my server, but there are way too many other servers that are wrongly configured or have blacklisted IPs. and the communication from server to server is on port 25 afaik, and blackhole lists apply there.
example:
1) someone with dynamic, blacklisted IP sends an email.
2) his server accept it and relays it with the dynamic, blacklisted IP as source
3) the email reaches my SMTP server on port 25
4) with blackhole on, this email is LOST
(***)
Which is unacceptable
I am using plesk for around 10 years now. I am certainly no internal expert like Abdi and I might not know 100% of all the stuff... but I can tell you that I have extensive experience on what I can and what I can NOT do, having a customer-base in a country that ourselves consider "pais de chichinabo tercer mundista de mie<self-censored>" (basically "bullcrap")
And losing one single email because of using blackholes is NOT acceptable. thx to greylisting and spamassassin spam that ends up in the final mailbox is less than 0,5%
(***)
If you can tell me how to configure my server, to enable blackhole lists and not lose a SINGLE VALID EMAIL from senders that might be in a blacklist because their server sucks, their ISP sucks or whatever and without having to call my customers and reconfigure over 1000 iPhones and Outlooks manually to change a port. please be my guest, enlighten me and I will apply it ASAP.
Many servers work this way (plesk servers with default settings does this):
when a customer sends an email, that email is sent as if it was the end user's IP, instead the server IP (don't ask me why, ask parallels).
example: all emails that are sent though my server, are using their local own IP, except if they use webmail or web forms, then the email is "from" the servers IP
so, maybe you do live in a perfect utopian world or country, where everyone who sends email has a nice clean static IP. but I am telling you, that is NOT the case here in Spain. far from it!
not only do private homes and 3G mobile ISP use crappy dynamic blacklisted IPs, but most of the small business have dynamic IPs too!
and then I get calls telling me "hey why did that customer/provider of mine reject my email"? and i check it and have to tell em "because you reseted your router this weekend and the new IP you have is on blacklists all over the world, stop being cheap and get a static IP" which costs 6-15€/month depending on provider and that's money small business here just don't want to pay. in case you didn't know, there's an economic crisis going on.
I can only control what's going on on my server, but there are way too many other servers that are wrongly configured or have blacklisted IPs. and the communication from server to server is on port 25 afaik, and blackhole lists apply there.
example:
1) someone with dynamic, blacklisted IP sends an email.
2) his server accept it and relays it with the dynamic, blacklisted IP as source
3) the email reaches my SMTP server on port 25
4) with blackhole on, this email is LOST
(***)
Which is unacceptable
I am using plesk for around 10 years now. I am certainly no internal expert like Abdi and I might not know 100% of all the stuff... but I can tell you that I have extensive experience on what I can and what I can NOT do, having a customer-base in a country that ourselves consider "pais de chichinabo tercer mundista de mie<self-censored>" (basically "bullcrap")
And losing one single email because of using blackholes is NOT acceptable. thx to greylisting and spamassassin spam that ends up in the final mailbox is less than 0,5%
(***)
If you can tell me how to configure my server, to enable blackhole lists and not lose a SINGLE VALID EMAIL from senders that might be in a blacklist because their server sucks, their ISP sucks or whatever and without having to call my customers and reconfigure over 1000 iPhones and Outlooks manually to change a port. please be my guest, enlighten me and I will apply it ASAP.
Last edited:
