I formatted my server and installed CENTOS 7 and PLESK 12. I have problems with cbl.abuseat.org. My ip enters in blacklist. I sent email to the support of abuseat.org and abuseat reply:
Please fix your HELO strings.
I check the my configuration and I think is correct:
- Reverse lookup is ok
- Hostname is ok (server.domain.tld)
But I have the file in /etc/sysconfig/network empty. There is only written: # Created by anaconda
Also, is correct the my etc/hosts file?
127.0.0.1 server.domain.tld server localhost4 localhost4.localdomain4
:: 1 server.domain.tld server localhost6 localhost6.localdomain6
I've been plagued by CBL listing for quite some time now, on a linux server with Plesk 12.After months of a fierce fight against every possible malware on the about 120 various websites on this server, extensively monitoring clients emails, enabling restrictive policies and finally even hiring a private security firm to investigate the problems further, we were sure that not a single spam message was sent by our server in any way.
So we finally contacted CBL, exposed the issue and got this answer:The CBL attempts to detect compromised machines in a number of ways based upon the email that the CBL's mail servers receive.During this it tries distinguish whether the connections represent real mail servers by ensuring that each connection is claiming a plausible machine name for itself (via SMTP HELO), and not listing any IP that corresponds to a real mail server (or several mail servers if the IP address is a NAT firewall with multiple mail servers behind it). 54.194.XX.XXX was found to be using several different EHLO/HELO names during multiple connections on or about:
The names seen included: xxx1.xx, xxx2.xx, xxx3.xx, xxx4.xx, xx.xxx5.xx, veniceberg.com..Note that the above list may include one or more names that are not fully qualified DNS names (FQDNs). Host names (ie: Windows node names) without a dot are not FQDNs.
The final possibility is that 54.194.XX.XXX is not a NAT firewall, and is instead a single box with many domains provisioned on it, some that send email directly, setting the HELO as the sending domain. If this is the case, to prevent a relisting we strongly recommend setting the mail software on the box so that a single identifying name is used in outbound SMTP connections mail software on the box so that a single identifying name is used in outbound SMTP connections. As an alternate workaround, you can configure the mail software to relay its outbound email through an intermediate mail server. Even a co-resident mail server package (such as IIS on Windows) will do fine.
This pointed me to this Plesk Mail setting (not sure if this selection is the default). Now we are waiting a few days to see if changing to "Send from domain IP addresses" solves the issue. I think this is a kind of issue which deserves attention by Parallels to avoid other users go trough our fatiguing ordeals. If this setting is responsible for getting servers blacklisted, it should be highly discouraged.
Seems this started when upgrading to a version of 12. It was working a few days ago and only seems to affect mailing lists. I found a google Cached thread here where Igor was assisting some folks as late as Aug 4 and referenced this was "reported to development (PPP-10678 for your reference)" it seems the forums on Parallels changed or something because several Google links are not working and resulting in having to used cached results for the two links below.
I am able to disable SPF and the e-mails go through just fine however this was working with SPF enabled before a recent upgrade.
Page 1 [URL] ....
Page 2 [URL] ....
This is the error message displayed in /var/log/maillog Sep 24 01:38:35 controlpanel postfix/smtpd[3725]: connect from localhost[127.0.0.1] Sep 24 01:38:35 controlpanel postfix/smtpd[3725]: D565017C013E: client=localhost[127.0.0.1] Sep 24 01:38:35 controlpanel greylisting filter[3899]: Starting greylisting filter...
If in this post there is security information I have reveiled I hope you will tell me
After a couple of hours where someone tried to login to root and Directadmin using ssh, i closed ssh and made some minor changes to the security.
I turned on the automatic add ip if login failed 3 times, in DirectAdmin.
I dont know why I was banned cause I DID NOT use wrong login???
My other users of the server also got banned, and they say they did not use wrong pass either?
SO how do I unban me so I can acces DirectAdmin again?
And as if that was not enough, because Im soooo good at this... while I was at it I stopped SSL cause I got following error and I dont really need it, I think -------------------------STARThttpd_error_log [Sat Dec 15 03:38:22 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting [Sat Dec 15 03:58:32 2007] [notice] caught SIGTERM, shutting down [Sat Dec 15 03:58:34 2007] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!? [Sat Dec 15 03:58:34 2007] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!? [Sat Dec 15 03:58:34 2007] [warn] Init: SSL server IP/port conflict: www.belove.updownloading.com:443 (/usr/local/directadmin/data/users/belove/httpd.conf:48) vs. www.tokyolondon.net:443 (/usr/local/directadmin/data/users/tokyo/httpd.conf:48) [Sat Dec 15 03:58:34 2007] [warn] Init: SSL server IP/port conflict: www.fusion-planet.updownloading.com:443 (/usr/local/directadmin/data/users/iceangel89/httpd.conf:48) vs. www.tokyolondon.net:443 (/usr/local/directadmin/data/users/tokyo/httpd.conf:48) [Sat Dec 15 03:58:34 2007] [warn] Init: SSL server IP/port conflict: www.nicheserver.com:443 (/usr/local/directadmin/data/users/nicsad/httpd.conf:48) vs. www.tokyolondon.net:443 (/usr/local/directadmin/data/users/tokyo/httpd.conf:48) [Sat Dec 15 03:58:34 2007] [warn] Init: SSL server IP/port conflict: localhost:443 (/etc/httpd/conf/extra/httpd-vhosts.conf:38) vs. www.tokyolondon.net:443 (/usr/local/directadmin/data/users/tokyo/httpd.conf:48) [Sat Dec 15 03:58:34 2007] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!! [Sat Dec 15 03:58:34 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Sat Dec 15 03:58:34 2007] [warn] module php5_module is already loaded, skipping [Sat Dec 15 03:58:35 2007] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!? [Sat Dec 15 03:58:35 2007] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!? [Sat Dec 15 03:58:35 2007] [warn] Init: SSL server IP/port conflict: www.belove.updownloading.com:443 (/usr/local/directadmin/data/users/belove/httpd.conf:48) vs. www.tokyolondon.net:443 (/usr/local/directadmin/data/users/tokyo/httpd.conf:48) [Sat Dec 15 03:58:35 2007] [warn] Init: SSL server IP/port conflict: www.fusion-planet.updownloading.com:443 (/usr/local/directadmin/data/users/iceangel89/httpd.conf:48) vs. www.tokyolondon.net:443 (/usr/local/directadmin/data/users/tokyo/httpd.conf:48) [Sat Dec 15 03:58:35 2007] [warn] Init: SSL server IP/port conflict: www.nicheserver.com:443 (/usr/local/directadmin/data/users/nicsad/httpd.conf:48) vs. www.tokyolondon.net:443 (/usr/local/directadmin/data/users/tokyo/httpd.conf:48) [Sat Dec 15 03:58:35 2007] [warn] Init: SSL server IP/port conflict: localhost:443 (/etc/httpd/conf/extra/httpd-vhosts.conf:38) vs. www.tokyolondon.net:443 (/usr/local/directadmin/data/users/tokyo/httpd.conf:48) [Sat Dec 15 03:58:35 2007] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!! [Sat Dec 15 03:58:35 2007] [notice] Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.8b DAV/2 PHP/5.2.4 configured -- resuming normal operations [Sat Dec 15 03:58:48 2007] [error] [client ::1] File does not exist: /var/www/html/400.shtml [Sat Dec 15 03:58:49 2007] [error] [client ::1] File does not exist: /var/www/html/400.shtml [Sat Dec 15 03:59:10 2007] [error] [client ::1] File does not exist: /var/www/html/400.shtml [Sat Dec 15 03:59:11 2007] [error] [client ::1] File does not exist: /var/www/html/400.shtml [Sat Dec 15 03:59:12 2007] [error] [client ::1] File does not exist: /var/www/html/400.shtml -------------------------END httpd_error_log
I have also posted this on DirectAdmin's forum, but because Im really nervous and dont know when they will answer I posted here too, cause this forum is used more
Server configuration Linux CentOS5 DirectAdmin Processor Name Intel(R) Xeon(R) CPU 3050 @ 2.13GHz Vendor ID GenuineIntel Processor Speed (MHz) 2133.507 Processor Name Intel(R) Xeon(R) CPU 3050 @ 2.13GHz Vendor ID GenuineIntel Processor Speed (MHz) 2133.507 Total Memory 2075520 kB Free Memory 57004 kB - (Every time I cant access the websites, it is this low, then when I can access the websites again its around 500mb) Total Swap Memory 4192956 kB Free Swap Memory 4192888 kB Apache 2.2.6 Running DirectAdmin 1.31.0 Running Exim 4.67 Running MySQL 5.0.45 Running Named 9.3.3rc2 Running ProFTPd 1.3.1 Running sshd *** Stopped *** (I stopped it because my websites dont need it, in logs I could see that some sites, I dont know, were trying to acces it?) vm-Pop3d 1.1.7f-DA-2 Running
I've an interesting issue here. A client of mine was apparently banned from one of my servers and the problem has been narrowed down to the APF. What's odd is that he's not listed on /etc/apf/deny_hosts.rules file, nor is his IP blocked by iptables.
But, as soon as the APF is enabled he can't access anything on the server! This is very random, I've been using APF for just over a year now and I've never had a problem like this. But who's to say it's not happening to others as well?
I can't seem to access my server. I can get in through a proxy but not with my own IP. I can't log in through SSH to find out what's going on because I'm banned. I manage my own machines at the moment, so no I can't really contact my host.
Since some days I have a problem with apf: It can't BAN one of the Ip from file deny_hosts.rules. Other IP's are correctly banned. Of course in apf log are:
apf(28474): {trust} deny all to/from 88.84.141.233
but this ip still have access to my server and scan my ports. I have this problem after editing internals/rab.ports (I added some ports to RAB_PSCAN_LEVEL_2). I don't know how can I fix this problem.
Topic should have title: APF can't block one of the banned IP.
After four month they banned my account, When I talked to them they said we banned your account for tow days because we Suspicion about you and I waited them for tow days but nothing new, after that I sent all my evidences to them, the passport picture, driver's license, ID's card and Visa Card picture from front and back.
NOW!
I don't know the reason for banned my account, why they banned me?
My story starts with my getting burned by fumiNET (the first *grrr*)...
Burstnet reactivates my server (for an additional payment of course). The server seems fine but I thought that I might do better with a BurstNET reseller (better service). So...
I sign up with a reseller, and since I got my new server I've been plagued with email bounces, rejections, etc. Seems that my server (via the reseller) was supplied with a bunch of banned IPs (in other words, crap IPs). (the second *grrrr*)
I've reported to the providers abuse department, but was told that I have to handle this. (third *grrrr* - or is it just continued from the second?)
I've had it. I'm ready to fold up shop. As it is the sites keep me busy - but then...
- I get screwed by fumiNET (losing a big chunk of money) - the hassle of trying to get my fumiNET server back up (thanks BurstNET) - transferring to the reseller for better service, and finding out that perhaps BurstNET service was better than the reseller's
I'm open if anyone has suggestions. Some that I've come up with myself...
- finding yet another server provider (recommendations welcome) - drinking large quantities of Guinness (worth it regardless) - pulling the plug on the server and getting shared hosting to hold some minimal content - forgetting the whole damn thing and getting a job as a [pick one]: store clerk, street cleaner, used car salesman
Have been receiving the following warnings for more than a day. Does BFD auto execute a permanent ban or do I have to do it myself? If so, how? Also, I did a whois, found out the service provider, and sent an email regarding abuse. I have yet to receive a reply.
I was wondering since its a HK IP, do I have to send the message in chinese? Would anyone be kind enough to do so?
Quote:
Banned the following ip addresses on Thu Sep 13 16:32:01 SGT 2007
when you add a banned ip to APF it doesnt show anything when the user visits the site, just a blank page. is there anyway to set up a page such as "You IP Address has been banned,
Problem: I am using to my Centos/Exim/Cpanel server to relay emails. The person who receives my email sees a helo that captures my ISP IP address and lastly the mail server for my domain along with its IP.
My ISP (Verizon) IP is constantly being flagged as a spam source by a variety of RBL's.
My domains have never sent spam and I only send a low volume of emails.
How can I remove my ISP helo IP address from being added to my outgoing email so that the only IP is the IP of domain sending the email?
Example Header:
Quote:
Received: from c-99-172-221-252.hlvd.va.verizon.net ([99.172.221.252]:3389 helo=[127.0.0.1]) <-- remove this part by server.myserver.com with esmtpa (Exim 4.69) (envelope-from <email@mydomain.com>) id 1MLoYc-0004Ol-20 for friend@hotmail.com; Tue, 30 Jun 2009 21:24:18 -0400
I am on a VPS and set everything up myself. When I try and email a friend, I get it bounced back with the following message (with his email filtered):
<<< 550-5.7.1 {mx078} Sorry, your helo has been denied. <<< 550 5.7.1 [url] 550 5.1.1 <**********@gmx.co.uk>... User unknown
I'm pretty sure the user isn't unknown, I have checked and it is his email address. Can anyone tell me what is wrong, and if the problem is on my end or his, and if my end how I might go about fixing it?
!verify = helo !verify = reverse_host_lookup in exim acl and drop message if helo is not passed. But one issue is this validates for users even having account in the server and trying to send mail using server account to someone else
I want to put validation for only incoming mails "to" this server
What i dont want is to validate the mails that authenticated smtp users send
I have a dedicated linux/cpanel server running various websites with the shared ip and one website with a dedicated ip.
But when sending mail through sendmail from the dedicated ip website the ip in the helo greeting is not matching the ip of the sender, it is using the main shared ip rather than the dedicated ip which is producing a 550 error from some receiving mail servers. I have racked my brains trying to figure this out and was wondering if anyone else has/had a similar experience and found a solution.
By the way the helo greeting sent in mail from the shared ip websites is fine...
I seem to be having a problem with domain forwarding in cPanel.
I have 3 cPanel accounts:
1) foobar.com.np with a POP3 account and forwarders for info@foobar.com.np. Works fine.
2) foobar.com with domain forwarding to foobar.com.np. Works fine too when I send an email to info@foobar.com.
3) foo.com.np with domain forwarding to foobar.com.np. Doesn't work! When I send a message to info@foo.com.np I get the following message in my Exim log:
Code: 2007-11-29 04:11:32 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IxgMm-0007DW-0m 2007-11-29 04:11:32 1IxgMm-0007DW-0m ** info@foo.com.np R=lookuphost T=remote_smtp: SMTP error from remote mail server after MAIL FROM:<noreply@********.com> SIZE=2059: host foo.com.np [74.86.*.*]: 554 5.7.1 Helo invalid(forged) 2007-11-29 04:11:32 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1IxgMm-0007DW-0m 2007-11-29 04:11:32 1IxgMm-0007Da-Bd <= <> R=1IxgMm-0007DW-0m U=mailnull P=local S=2006 T="Mail delivery failed: returning message to sender" 2007-11-29 04:11:32 1IxgMm-0007DW-0m Completed ... As you can see, this domain forwarder is not functioning like the other one (foobar.com) since the domain forwarder for foobar.com DOES actually work:
Code: 2007-11-29 03:58:21 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IxgA0-0002Gs-Vb 2007-11-29 03:58:21 1IxgA0-0002Gs-Vb => info <info@foobar.com> R=virtual_user T=virtual_userdelivery 2007-11-29 03:58:22 1IxgA0-0002Gs-Vb => *******@gmail.com <info@foobar.com> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [209.85.133.27] 2007-11-29 03:58:22 1IxgA0-0002Gs-Vb -> *******@gmail.com <info@foobar.com> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [209.85.133.27] 2007-11-29 03:58:22 1IxgA0-0002Gs-Vb Completed It looks like Exim doesn't know that emails sent to info@foo.com.np should be a local delivery. I checked the file "/etc/vdomainaliases/foo.com.np" and it says:
Im trying to troubleshoot the exim install that was included with cpanel. I read that the helo response being localhost instead of a fully qualified domain can lead to mail be directed to the bulk mail folder.
Looking at the mail headers, this is indeed set this way:
Received: from www.mydomain.com ([my_ip_addr] helo=localhost)
How is this response determined and how can I have it be a fully qualified domain name instead?
#Server PHP - hosts php and handles apache/mysql requests. #Server 2 - handles mail and dns requests.
Yesterday we moved mail from # server 2 to a new mail server, a cPanel one, all mailboxes are created, users can send and recieve email using webmail, mail clients, etc.
But.. while trying to send mails using PHP authenticated from the #Server PHP/Apache/MySQL , we got this error from the mail servers:
Code: We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. SMTP -> FROM SERVER: SMTP -> FROM SERVER: SMTP -> ERROR: HELO not accepted from server: SMTP -> get_lines(): $data was "" SMTP -> get_lines(): $str is "220-srv247.serverhost.com This was working when mails were recieved/sent in Sendmail (an Ensim box), now with Exim 4.x on a cPanel box we got this issue.
Already added IP address from #server php into all Exim whitelists, also added the IP to /etc/alwaysrely, but didn't help.
Im using RHE 5.2 on the mail server and latest Release build.
