Zimbra server blacklisted

ask2me0077
Posts: 46
Joined: Sat Sep 13, 2014 3:24 am

Zimbra server blacklisted

Post by ask2me0077 »

Recently my Zimbra server crashed and I managed to host it on another machine. After changing to the new server, my IP is blacklisted at spamhaus.org. The message shown is as below.

Results of Lookup

111.xx.xx.xx is listed

This IP address was detected and listed 125 times in the past 28 days, and 9 times in the past 24 hours. The most recent detection was at Thu Nov 16 13:15:00 2017 UTC +/- 5 minutes

This IP address was self-removed 2 times in the past week.

This IP is infected (or NATting for a computer that is infected) with an infection that is emitting spam.

111.xxx.xx.xx was found to be using the following name as the HELO/EHLO parameter during connections: "localhost.localdomain".

I haven't made any changes in the network or in the router configuration. Once again I checked the router configuration and blocked all other connections except the mail server from outside.
I think that this may be related to DNS issues. So I again verified the server configuration and found that named was not functioning properly due to a permission issue. After changing the permission it worked well.
The output of my server config is below.

[root@pop ~]# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
#127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.10.13 pop.xxx.com pop
###::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

[root@pop ~]# dig xxxx.com mx

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> xxx.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57027
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;xxx.com. IN MX

;; ANSWER SECTION:
xxxx.com. 86400 IN MX 10 pop.xxxx.com.

;; AUTHORITY SECTION:
xxxx.com. 86400 IN NS pop.xxxx.com.

;; ADDITIONAL SECTION:
pop.xxxx.com. 86400 IN A 192.168.10.13

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 16 22:05:01 2017
;; MSG SIZE rcvd: 76


[root@pop ~]# cat /etc/resolv.conf
search xxxx.com
nameserver 127.0.0.1
# Generated by NetworkManager
#search xxx.com
#nameserver 192.168.10.13
[root@pop ~]# dig xxx.com any

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> xxxx.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56432
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;xxx.com. IN ANY

;; ANSWER SECTION:
xxx.com. 86400 IN SOA pop.xxx.com. admin.xxx.com. 42 28800 14400 604800 86400
xxx.com. 86400 IN NS pop.xxx.com.
xxx.com. 86400 IN MX 10 pop.xxx.com.
xxx.com. 86400 IN A 192.168.10.13

;; ADDITIONAL SECTION:
pop.xxx.com. 86400 IN A 192.168.10.13

;; Query time: 13 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 16 22:06:26 2017
;; MSG SIZE rcvd: 134

[root@pop ~]# host $(hostname)
pop.xxx.com has address 192.168.10.13

I am stuck with this blacklist. Please guide me to resolve this.

Thanks in advance.

Zimbra version is
Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition.
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Zimbra server blacklisted

Post by phoenix »

The simple answer is that you're hosting something that's sending spam or you're acting as an open relay (you can check that on the internet); it's most likely that Spamhaus is correct. Unfortunately you've also obfuscated too much information to provide anything useful with which anyone could offer you advice. You're going to have to do some digging and find out the cause of your problem; I'd suggest you start by looking at logfiles and the daily mail report to see if there are any unusual peaks in mail sending or unknown users sending mail.

BTW, you also posted this:
ask2me0077 wrote:111.xxx.xx.xx was found to be using the following name as the HELO/EHLO parameter during connections: "localhost.localdomain".
Is this correct? If it is you need to fix it ASAP.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
ask2me0077
Posts: 46
Joined: Sat Sep 13, 2014 3:24 am

Re: Zimbra server blacklisted

Post by ask2me0077 »

Today I checked the issue by sending a mail to abuseat.org as mentioned on the Spamhaus site. The mail got rejected with the following reason.

The mail system

<helocheck@abuseat.org>: host mail.abuseat.org[54.93.50.35] said: 550 *** The
HELO for IP address 117.xx.xx.201 xx 'pop.xxx.com' (valid syntax) ***
(in reply to RCPT TO command)
I think that the reply (HELO) should be in the format xxx.com (i.e. my domain) instead of pop.domain.com.
So I think that there may be some split DNS issues.
ask2me0077
Posts: 46
Joined: Sat Sep 13, 2014 3:24 am

Re: Zimbra server blacklisted

Post by ask2me0077 »

No way.
While using telnet I am getting the following error

root@pop ~]# telnet pop.xxx.com 25
Trying 192.168.11.13...
Connected to pop.xxx.com.
Escape character is '^]'.
220 pop.xxx.com ESMTP Postfix
mail from:admin@xxx.com
503 5.5.1 Error: send HELO/EHLO first
ask2me0077
Posts: 46
Joined: Sat Sep 13, 2014 3:24 am

Re: Zimbra server blacklisted

Post by ask2me0077 »

Can you give some clue to resolve this?
Sorry to say that I am a noob in this area.
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Zimbra server blacklisted

Post by phoenix »

ask2me0077 wrote:No way.
While using telnet I am getting the following error
Did you read the following error message?
ask2me0077 wrote:503 5.5.1 Error: send HELO/EHLO first
You certainly hadn't done what it said needs to be done.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Zimbra server blacklisted

Post by phoenix »

ask2me0077 wrote:Can you give some clue to resolve this?
Sorry to say that I am a noob in this area.
This type of question has been asked and answered many times here and on the internet; seriously, a quick internet search for the type of operation you're testing will do wonders: https://www.startpage.com/do/dsearch?qu ... ge=english
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
ask2me0077
Posts: 46
Joined: Sat Sep 13, 2014 3:24 am

Re: Zimbra server blacklisted

Post by ask2me0077 »

Dear Phoenix
Again sorry to disturb you.
Checked the link but couldn't identify the issue. Changed DNS settings but still not working.
The output of telnet is
telnet pop.xx.com 25
Trying 192.168.10.13...
Connected to pop.ksfe.com.
Escape character is '^]'.
220 pop.xx.com ESMTP Postfix
EHLO pop.xx.com
250-pop.xx.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: <admin@xx.com>
250 2.1.0 Ok
RCPT TO: <xxx@gmail.com>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
test

.
250 2.0.0 Ok: queued as 76B10843601

To solve the 503 5.5.1 Error: send HELO/EHLO first
Secondly I tried this also
zmprov mcf zimbraMtaMyHostname pop.xxxx.com
and restarted Zimbra.
But no progress.

Again verified the mailserver with mxtoolbox and the output is

SMTP Reverse DNS Mismatch OK - 117.240.231.201 resolves to pop.xxx.com
SMTP Valid Hostname OK - Reverse DNS is a valid Hostname
SMTP Banner Check OK - Reverse DNS matches SMTP Banner
SMTP TLS OK - Supports TLS.
SMTP Connection Time 1.167 seconds - Good on Connection time
SMTP Open Relay OK - Not an open relay.
SMTP Transaction Time 4.105 seconds - Good on Transaction Time
Session Transcript:
Connecting to 107.xx.xx.xx

220 pop.xxx.com ESMTP Postfix [861 ms]
EHLO PWS3.mxtoolbox.com
250-pop.xxx.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN [883 ms]
MAIL FROM:<supertool@mxtoolbox.com>
250 2.1.0 Ok [887 ms]
RCPT TO:<test@example.com>
554 5.7.1 <test@example.com>: Relay access denied [886 ms]

PWS3v2 8259ms

It seems that everything is fine.
It's a production machine. It would be helpful if there is any clue.
My problem is I am getting correct output while checking the DNS and hostname.
tteerite
Posts: 1
Joined: Sun Sep 01, 2019 9:52 pm

Re: Zimbra server blacklisted

Post by tteerite »

Dear all

I experienced this too, blacklisted with these:

RATS NoPtr
SORBS SPAM
UCPROTECTL1

Need some advice on this, as Google can't give me any.

thank you
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Zimbra server blacklisted

Post by phoenix »

The problem is that you've given no details of why you're blacklisted. You say Google has given you no information; well, how about this: https://www.startpage.com/do/dsearch?qu ... ge=english

Reading the SpamRATS web page will tell you there's no reverse DNS for your server, that's required for a mail server and will give you lots of problems. You'll need to get the reverse DNS fixed, you do that by asking your ISP provider to set your reverse DNS to the correct setting.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
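A self-check, added here as an example and not taken from the thread or from Zimbra, that models the two things the listings in this thread complain about: the HELO/EHLO name (Spamhaus flagged "localhost.localdomain") and forward-confirmed reverse DNS (SpamRATS NoPtr, and the split-DNS view where the hostname resolves to 192.168.x.x). DNS answers are injected through a constructed Resolver object so it runs offline; in practice they must come from a public resolver, not from the server's own named instance as in the dig output above.

```python
import ipaddress
import re
from dataclasses import dataclass

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}
# Ranges never reachable from the public internet (RFC 1918, loopback, link-local, ULA).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]

@dataclass
class Resolver:
    """Constructed stand-in for DNS as seen from the public internet, not the server's own split view."""
    a: dict    # name -> set of address strings
    ptr: dict  # address -> reverse name

def check_helo(helo, resolver):
    """HELO/EHLO must be a public FQDN; Spamhaus listed the thread's server for 'localhost.localdomain'."""
    name = helo.rstrip(".").lower()
    labels = name.split(".")
    addrs = resolver.a.get(name, set())
    if name in LOCAL_NAMES or labels[-1] in ("localdomain", "local"):
        return [f"HELO '{helo}' is a loopback/default name; set the MTA hostname to the public FQDN"]
    if len(labels) < 2 or not all(LABEL.match(lab) for lab in labels):
        return [f"HELO '{helo}' is not a syntactically valid FQDN"]
    if not addrs:
        return [f"HELO '{helo}' has no address record in public DNS"]
    if all(any(ipaddress.ip_address(a) in net for net in INTERNAL) for a in addrs):
        return [f"HELO '{helo}' resolves only to internal addresses (split-DNS view, not the public one)"]
    return []

def check_fcrdns(ip, resolver):
    """Forward-confirmed reverse DNS: PTR(ip) -> name and A(name) must contain ip (SpamRATS 'NoPtr')."""
    name = resolver.ptr.get(ip)
    if name is None:
        return [f"no PTR record for {ip}; only the ISP that owns the address block can publish one"]
    if ip not in resolver.a.get(name, set()):
        return [f"PTR {name} does not resolve back to {ip}"]
    return []

def audit(ip, helo, resolver):
    """Run both checks; an empty list means the outbound identity is consistent."""
    return check_helo(helo, resolver) + check_fcrdns(ip, resolver)

# Constructed sample views: a healthy server, and one with no PTR whose name only resolves internally.
GOOD = Resolver(a={"pop.example.com": {"203.0.113.25"}}, ptr={"203.0.113.25": "pop.example.com"})
BAD = Resolver(a={"pop.example.com": {"192.168.10.13"}}, ptr={})
```

Run `audit(public_ip, helo_name, resolver)` with answers gathered from outside your network; an empty list is what the blacklists expect to see.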