Zimbra server blacklisted
-
- Posts: 46
- Joined: Sat Sep 13, 2014 3:24 am
Zimbra server blacklisted
Recently my Zimbra server crashed and I managed to host it on another machine. After changing to the new server, my IP was blacklisted at spamhaus.org. The message shown is as below.
Results of Lookup
111.xx.xx.xx is listed
This IP address was detected and listed 125 times in the past 28 days, and 9 times in the past 24 hours. The most recent detection was at Thu Nov 16 13:15:00 2017 UTC +/- 5 minutes
This IP address was self-removed 2 times in the past week.
This IP is infected (or NATting for a computer that is infected) with an infection that is emitting spam.
111.xxx.xx.xx was found to be using the following name as the HELO/EHLO parameter during connections: "localhost.localdomain".
I haven't made any changes to the network or the router configuration. Once again I checked the router configuration and blocked all other connections from outside except the mail server.
I think that this may be related to DNS issues. So I again verified the server configuration and found that named was not functioning properly due to a permission issue. After changing the permission it worked well.
The output of my server config is below.
[root@pop ~]# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
#127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.10.13 pop.xxx.com pop
###::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@pop ~]# dig xxxx.com mx
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> xxx.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57027
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;xxx.com. IN MX
;; ANSWER SECTION:
xxxx.com. 86400 IN MX 10 pop.xxxx.com.
;; AUTHORITY SECTION:
xxxx.com. 86400 IN NS pop.xxxx.com.
;; ADDITIONAL SECTION:
pop.xxxx.com. 86400 IN A 192.168.10.13
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 16 22:05:01 2017
;; MSG SIZE rcvd: 76
[root@pop ~]# cat /etc/resolv.conf
search xxxx.com
nameserver 127.0.0.1
# Generated by NetworkManager
#search xxx.com
#nameserver 192.168.10.13
[root@pop ~]# dig xxx.com any
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> xxxx.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56432
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;xxx.com. IN ANY
;; ANSWER SECTION:
xxx.com. 86400 IN SOA pop.xxx.com. admin.xxx.com. 42 28800 14400 604800 86400
xxx.com. 86400 IN NS pop.xxx.com.
xxx.com. 86400 IN MX 10 pop.xxx.com.
xxx.com. 86400 IN A 192.168.10.13
;; ADDITIONAL SECTION:
pop.xxx.com. 86400 IN A 192.168.10.13
;; Query time: 13 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 16 22:06:26 2017
;; MSG SIZE rcvd: 134
[root@pop ~]# host $(hostname)
pop.xxx.com has address 192.168.10.13
I am stuck on this blacklist. Please guide me to resolve this.
Thanks in advance.
Zimbra version is
Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition.
Re: Zimbra server blacklisted
The simple answer is that you're hosting something that's sending spam or you're acting as an open relay (you can check that on the internet); it's most likely that Spamhaus is correct. Unfortunately you've also obfuscated too much information to provide any useful information with which anyone could offer you advice. You're going to have to do some digging and find out the cause of your problem; I'd suggest you start by looking at logfiles and the daily mail report to see if there are any unusual peaks in mail sending or unknown users sending mail.
BTW, you also posted this:
ask2me0077 wrote:
111.xxx.xx.xx was found to be using the following name as the HELO/EHLO parameter during connections: "localhost.localdomain".
Is this correct? If it is you need to fix it ASAP.
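The reply above suggests starting with the logfiles and the daily report to look for unusual sending volume or unknown users. The following is an added example (not code from the thread or from Zimbra) of that triage done over Postfix smtpd "client=" lines: it counts accepted connections per authenticated SASL user and per unauthenticated client, and flags users sending from several IPs (a sign of stolen credentials) and LAN hosts submitting many messages without authentication (a sign of an infected machine behind the NAT, which is what the Spamhaus listing describes). The log lines, thresholds and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Postfix maillog format (hypothetical hosts and users,
# not taken from the thread). The last line has no "client=" field and is ignored.
MAILLOG_SAMPLE = """\
Nov 16 13:01:02 pop postfix/smtpd[2101]: 1A2B3C: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.com
Nov 16 13:01:09 pop postfix/smtpd[2101]: 1A2B3D: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.com
Nov 16 13:02:15 pop postfix/smtpd[2102]: 1A2B3E: client=ws14.lan[192.168.10.44]
Nov 16 13:02:16 pop postfix/smtpd[2102]: 1A2B3F: client=ws14.lan[192.168.10.44]
Nov 16 13:02:17 pop postfix/smtpd[2102]: 1A2B40: client=ws14.lan[192.168.10.44]
Nov 16 13:02:18 pop postfix/smtpd[2102]: 1A2B41: client=ws14.lan[192.168.10.44]
Nov 16 13:02:19 pop postfix/smtpd[2102]: 1A2B42: client=ws14.lan[192.168.10.44]
Nov 16 13:03:00 pop postfix/smtpd[2103]: 1A2B43: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=bob@example.com
Nov 16 13:04:30 pop postfix/smtpd[2104]: 1A2B44: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=alice@example.com
Nov 16 13:05:00 pop postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[192.0.2.5]: 554 5.7.1 <x@example.net>: Relay access denied; from=<a@b> to=<x@example.net> proto=ESMTP proto=ESMTP helo=<localhost.localdomain>
"""

# The smtpd "client=" line Postfix writes for each accepted connection; the SASL
# fields are present only when the sender authenticated.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<queue>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?"
)


def summarize(log_text):
    """Count connections per SASL user, per client IP and per unauthenticated client."""
    per_user = Counter()
    per_client = Counter()
    unauth_clients = Counter()
    user_ips = defaultdict(set)
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        per_client[ip] += 1
        user = m.group("user")
        if user:
            per_user[user] += 1
            user_ips[user].add(ip)
        else:
            unauth_clients[ip] += 1
    return {
        "per_user": per_user,
        "per_client": per_client,
        "unauth_clients": unauth_clients,
        "user_ips": user_ips,
    }


def find_anomalies(summary, max_per_user=50, max_unauth_per_client=20, max_ips_per_user=1):
    """Return sorted (kind, subject, count) tuples for anything over the given thresholds.

    The default thresholds are placeholders; tune them to the site's normal volume
    from a few days of clean logs.
    """
    findings = []
    for user, n in summary["per_user"].items():
        if n > max_per_user:
            findings.append(("user_volume", user, n))
    for user, ips in summary["user_ips"].items():
        if len(ips) > max_ips_per_user:
            findings.append(("user_multiple_ips", user, len(ips)))
    for ip, n in summary["unauth_clients"].items():
        if n > max_unauth_per_client:
            findings.append(("unauth_client_volume", ip, n))
    return sorted(findings)


if __name__ == "__main__":
    s = summarize(MAILLOG_SAMPLE)
    for kind, subject, count in find_anomalies(s, max_per_user=2, max_unauth_per_client=3):
        print(f"{kind:22s} {subject:20s} {count}")
```

On a real server the same functions can be fed `/var/log/maillog` (or `/var/log/zimbra.log` on a Zimbra host, which is an assumption about the local syslog layout); the unauthenticated LAN client with a burst of submissions is the case that matches "NATting for a computer that is infected" in the listing text.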
-
- Posts: 46
- Joined: Sat Sep 13, 2014 3:24 am
Re: Zimbra server blacklisted
Today I checked the issue by sending a mail to abuseat.org as mentioned on the Spamhaus site. The mail got rejected with the following reason.
The mail system
<helocheck@abuseat.org>: host mail.abuseat.org[54.93.50.35] said: 550 *** The
HELO for IP address 117.xx.xx.201 xx 'pop.xxx.com' (valid syntax) ***
(in reply to RCPT TO command)
I think that the reply (HELO) should be in the format xxx.com (i.e. my domain) instead of pop.domain.com.
So I think that there may be some split DNS issues.
-
- Posts: 46
- Joined: Sat Sep 13, 2014 3:24 am
Re: Zimbra server blacklisted
No way.
While using telnet I am getting the following error
[root@pop ~]# telnet pop.xxx.com 25
Trying 192.168.11.13...
Connected to pop.xxx.com.
Escape character is '^]'.
220 pop.xxx.com ESMTP Postfix
mail from:admin@xxx.com
503 5.5.1 Error: send HELO/EHLO first
-
- Posts: 46
- Joined: Sat Sep 13, 2014 3:24 am
Re: Zimbra server blacklisted
Can you give some clue to resolve this?
Sorry to say that I am a newbie in this area.
Re: Zimbra server blacklisted
ask2me0077 wrote:
No way.
While using telnet I am getting the following error
Did you read the following error message?
ask2me0077 wrote:
503 5.5.1 Error: send HELO/EHLO first
You certainly hadn't done what it said needs to be done.
Re: Zimbra server blacklisted
ask2me0077 wrote:
Can you give some clue to resolve this?
Sorry to say that I am a newbie in this area.
This type of question has been asked and answered many times here and on the internet; seriously, a quick internet search for the type of operation you're testing will do wonders: https://www.startpage.com/do/dsearch?qu ... ge=english
-
- Posts: 46
- Joined: Sat Sep 13, 2014 3:24 am
Re: Zimbra server blacklisted
Dear Phoenix
Again sorry to disturb you.
Checked the link but couldn't identify the issue. Changed DNS settings but it is still not working.
The output of telnet is
telnet pop.xx.com 25
Trying 192.168.10.13...
Connected to pop.ksfe.com.
Escape character is '^]'.
220 pop.xx.com ESMTP Postfix
EHLO pop.xx.com
250-pop.xx.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: <admin@xx.com>
250 2.1.0 Ok
RCPT TO: <xxx@gmail.com>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
test
.
250 2.0.0 Ok: queued as 76B10843601
to solve the 503 5.5.1 Error: send HELO/EHLO first.
Secondly, I tried this also
zmprov mcf zimbraMtaMyHostname pop.xxxx.com
and restarted zimbra.
But no progress.
Again I verified the mail server with mxtoolbox and the output is
SMTP Reverse DNS Mismatch OK - 117.240.231.201 resolves to pop.xxx.com
SMTP Valid Hostname OK - Reverse DNS is a valid Hostname
SMTP Banner Check OK - Reverse DNS matches SMTP Banner
SMTP TLS OK - Supports TLS.
SMTP Connection Time 1.167 seconds - Good on Connection time
SMTP Open Relay OK - Not an open relay.
SMTP Transaction Time 4.105 seconds - Good on Transaction Time
Session Transcript:
Connecting to 107.xx.xx.xx

220 pop.xxx.com ESMTP Postfix [861 ms]
EHLO PWS3.mxtoolbox.com
250-pop.xxx.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN [883 ms]
MAIL FROM:<supertool@mxtoolbox.com>
250 2.1.0 Ok [887 ms]
RCPT TO:<test@example.com>
554 5.7.1 <test@example.com>: Relay access denied [886 ms]

PWS3v2 8259ms
It seems that everything is fine.
It's a production machine. It would be helpful if there is any clue.
My problem is I am getting correct output while checking the DNS and hostname.
Re: Zimbra server blacklisted
Dear all
I experienced this too, blacklisted with these:
RATS NoPtr
SORBS SPAM
UCPROTECTL1
Need some advice on this as Google can't give me any.
Thank you
Re: Zimbra server blacklisted
The problem is that you've given no details of why you're blacklisted. You say Google has given you no information; well, how about this: https://www.startpage.com/do/dsearch?qu ... ge=english
Reading the SpamRATS web page will tell you there's no reverse DNS for your server; that's required for a mail server and its absence will give you lots of problems. You'll need to get the reverse DNS fixed; you do that by asking your ISP to set your reverse DNS to the correct value.