Plesk 12.x / Linux :: Recurring Listing On CBL For Using Several Different EHLO / HELO Names
Jan 14, 2015
I've been plagued by CBL listing for quite some time now, on a linux server with Plesk 12.After months of a fierce fight against every possible malware on the about 120 various websites on this server, extensively monitoring clients emails, enabling restrictive policies and finally even hiring a private security firm to investigate the problems further, we were sure that not a single spam message was sent by our server in any way.
So we finally contacted CBL, exposed the issue and got this answer:The CBL attempts to detect compromised machines in a number of ways based upon the email that the CBL's mail servers receive.During this it tries distinguish whether the connections represent real mail servers by ensuring that each connection is claiming a plausible machine name for itself (via SMTP HELO), and not listing any IP that corresponds to a real mail server (or several mail servers if the IP address is a NAT firewall with multiple mail servers behind it). 54.194.XX.XXX was found to be using several different EHLO/HELO names during multiple connections on or about:
The names seen included: xxx1.xx, xxx2.xx, xxx3.xx, xxx4.xx, xx.xxx5.xx, veniceberg.com..Note that the above list may include one or more names that are not fully qualified DNS names (FQDNs). Host names (ie: Windows node names) without a dot are not FQDNs.
The final possibility is that 54.194.XX.XXX is not a NAT firewall, and is instead a single box with many domains provisioned on it, some that send email directly, setting the HELO as the sending domain. If this is the case, to prevent a relisting we strongly recommend setting the mail software on the box so that a single identifying name is used in outbound SMTP connections mail software on the box so that a single identifying name is used in outbound SMTP connections. As an alternate workaround, you can configure the mail software to relay its outbound email through an intermediate mail server. Even a co-resident mail server package (such as IIS on Windows) will do fine.
This pointed me to this Plesk Mail setting (not sure if this selection is the default). Now we are waiting a few days to see if changing to "Send from domain IP addresses" solves the issue. I think this is a kind of issue which deserves attention by Parallels to avoid other users go trough our fatiguing ordeals. If this setting is responsible for getting servers blacklisted, it should be highly discouraged.
I formatted my server and installed CENTOS 7 and PLESK 12. I have problems with cbl.abuseat.org. My ip enters in blacklist. I sent email to the support of abuseat.org and abuseat reply:
Please fix your HELO strings.
I check the my configuration and I think is correct:
- Reverse lookup is ok - Hostname is ok (server.domain.tld)
But I have the file in /etc/sysconfig/network empty. There is only written: # Created by anaconda
Also, is correct the my etc/hosts file?
127.0.0.1 server.domain.tld server localhost4 localhost4.localdomain4 :: 1 server.domain.tld server localhost6 localhost6.localdomain6
Seems this started when upgrading to a version of 12. It was working a few days ago and only seems to affect mailing lists. I found a google Cached thread here where Igor was assisting some folks as late as Aug 4 and referenced this was "reported to development (PPP-10678 for your reference)" it seems the forums on Parallels changed or something because several Google links are not working and resulting in having to used cached results for the two links below.
I am able to disable SPF and the e-mails go through just fine however this was working with SPF enabled before a recent upgrade.
Page 1 [URL] ....
Page 2 [URL] ....
This is the error message displayed in /var/log/maillog Sep 24 01:38:35 controlpanel postfix/smtpd[3725]: connect from localhost[127.0.0.1] Sep 24 01:38:35 controlpanel postfix/smtpd[3725]: D565017C013E: client=localhost[127.0.0.1] Sep 24 01:38:35 controlpanel greylisting filter[3899]: Starting greylisting filter...
Initially I was able to connect via FTP. Then all of a sudden I started getting 550 SSL/TLS required on the control channel. Why did it suddenly required SSL/TLS when I did not do anything extra?
Now when I'm trying to connect via FTPES using FileZilla (tried both active and passive) on Linux Mint Debian, I'm getting the error below. I'm really stumped. I have tried to Allow incoming from all on port 49152-65534/tcp via Plesk firewall, but still no go.
The worst thing now is, I can't even get FTP to work anymore. Of course I would prefer to have TLS working.
Status:Connection established, waiting for welcome message... Response:220 ProFTPD 1.3.5 Server (ProFTPD) [206.106.213.243] Command:AUTH TLS
Today I try to fit all FW rules to my need. After i blocked the traffic "allow other incoming traffic" in the Plesk FW i dont get folders listed via FTP. The FTP client connect to my server, but listing content times out. After allow other traffic the content get listed. The rule "Allow FTP connections" ist in all enabled all the time.
I enabled plesk firewall to my ip now I cant seem retrieve directory listing. I've done the same with ssh that works fine.
Response:230 User logged in Command:OPTS UTF8 ON Response:200 UTF8 set to on Status:Connected Status:Retrieving directory listing... Command:PWD Response:257 "/" is the current directory Command:TYPE I Response:200 Type set to I Command:PASV Response:227 Entering Passive Mode Command:MLSD Error:Connection timed out Error:Failed to retrieve directory listing
After upgrading to Plesk 12, I switched on email sending limit to 50 emails per hour per account and also changed mail config to start using domain names in SMTP and less than 12 hours later became blacklisted by CBL - hotmail and live rely on this blacklist - ; the argument was we were sending bots and malware. This server has been under ASL since over a year now and we are positive its clean; still we did a full scan and nothing came up and none of the mail accounts were even close to sending 50 emails per hour. Being sure we were not sending spam nor malware contacted CBL and got whitelisted ..... for less than 24 hours. This happened three days in a row until we switched back to the previous mail settings where domains are not used in SMTP greeting and since then, we haven't had any trouble with CBL. how can we prevent being blacklisted while using domain names in SMTP greetings?
I keep getting this error once in a while for my forum.
Quote:
SQL ERROR [ mysql4 ]
User xxxxx_xxxx has already more than 'max_user_connections' active connections [1203]
An sql error occurred while fetching this page. Please contact an administrator if this problem persists.
I've contact support team from my Hosting provider and they have help me to increase the value of max_user_connection to 50. I have made to understand by them that this problem can be resolved by using VPS or Dedicated server. As a newbie, I just want some assurance would the problem permanently resolve if I'm using VPS or Dedicated server? Which one should I use? VPS or dedicated server?
I'm having a recurring issue where someone is getting a script into /tmp, taking down the webserver and setting up their stupid IRC bot on port 80. It's annoying because thus far I have not been able to track them down. As soon as it happens I'm combing through the logs trying to find out what PHP script (probably PHPBB or something like it from one of my customers) is letting them through but there is nothing in the logs. I've had this happen before but usually there's some trace in the logs like some ASCII encoded string. Right now I just have little to nothing to go on and it's quite annoying. I've combed all over the net but found next to nothing. RKHunter doesn't even know it exists.
I recently got a Windows VPS to run a few applications 24/7. I generally login to the VPS during the day, via Remote Desktop, to review these applications..
However, I frequently have issues. Sometimes, I forget to log out and I will be terminated with a "the remote computer terminated the connection" and then I won't be able to re-login to the VPS. Sometimes I click the X on the Remote Desktop and then when I try to re-connect, I get the same error. Once I got the error "the remote connection has timed out. please try re-connecting to the remote computer again "
And the worse part is that the Remote Desktop can't be restarted alone.. my host has to restart my Windows every time - so my applications go down.
Is it me or is the VPS not supposed to act like this? Why is Remote Desktop so touchy?
I was told by the host that I should always use the Log Off.. however, if I do then Windows says that it will close all my applications.. I don't get any option to Log Off without closing the apps.. so I have to end up using the X.
- Disk Space 10GB - Bandwidth 800GB - Dedicated RAM 256MB - Shared Dual Quad Core XEON CPUs - Windows 2003 Server
Having an issue creating a brand in PPA 11.5. After configuring the brand, all tasks complete okay. After opening up the website, i receive the following error:
Bad Gateway: Web server received an invalid response while acting as a gateway or proxy server.
Web Server at branded.name.com
I have tested this on
PPA version 11.5 Update #02 and PPA version 11.5 Update #03
Still not working. In both cases I re-created the brand.
I was trying to change "Register Domain Names button URL". URL...But after changing the "Register Domain Names button URL" the CLI file (%plesk_ cli %interface_template.exe) got corrupted somehow and now i get this error "invalid application".Is there a place where i can get a copy of this file ?
Problem: I am using to my Centos/Exim/Cpanel server to relay emails. The person who receives my email sees a helo that captures my ISP IP address and lastly the mail server for my domain along with its IP.
My ISP (Verizon) IP is constantly being flagged as a spam source by a variety of RBL's.
My domains have never sent spam and I only send a low volume of emails.
How can I remove my ISP helo IP address from being added to my outgoing email so that the only IP is the IP of domain sending the email?
Example Header:
Quote:
Received: from c-99-172-221-252.hlvd.va.verizon.net ([99.172.221.252]:3389 helo=[127.0.0.1]) <-- remove this part by server.myserver.com with esmtpa (Exim 4.69) (envelope-from <email@mydomain.com>) id 1MLoYc-0004Ol-20 for friend@hotmail.com; Tue, 30 Jun 2009 21:24:18 -0400
I am on a VPS and set everything up myself. When I try and email a friend, I get it bounced back with the following message (with his email filtered):
<<< 550-5.7.1 {mx078} Sorry, your helo has been denied. <<< 550 5.7.1 [url] 550 5.1.1 <**********@gmx.co.uk>... User unknown
I'm pretty sure the user isn't unknown, I have checked and it is his email address. Can anyone tell me what is wrong, and if the problem is on my end or his, and if my end how I might go about fixing it?
!verify = helo !verify = reverse_host_lookup in exim acl and drop message if helo is not passed. But one issue is this validates for users even having account in the server and trying to send mail using server account to someone else
I want to put validation for only incoming mails "to" this server
What i dont want is to validate the mails that authenticated smtp users send
I have a dedicated linux/cpanel server running various websites with the shared ip and one website with a dedicated ip.
But when sending mail through sendmail from the dedicated ip website the ip in the helo greeting is not matching the ip of the sender, it is using the main shared ip rather than the dedicated ip which is producing a 550 error from some receiving mail servers. I have racked my brains trying to figure this out and was wondering if anyone else has/had a similar experience and found a solution.
By the way the helo greeting sent in mail from the shared ip websites is fine...
I seem to be having a problem with domain forwarding in cPanel.
I have 3 cPanel accounts:
1) foobar.com.np with a POP3 account and forwarders for info@foobar.com.np. Works fine.
2) foobar.com with domain forwarding to foobar.com.np. Works fine too when I send an email to info@foobar.com.
3) foo.com.np with domain forwarding to foobar.com.np. Doesn't work! When I send a message to info@foo.com.np I get the following message in my Exim log:
Code: 2007-11-29 04:11:32 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IxgMm-0007DW-0m 2007-11-29 04:11:32 1IxgMm-0007DW-0m ** info@foo.com.np R=lookuphost T=remote_smtp: SMTP error from remote mail server after MAIL FROM:<noreply@********.com> SIZE=2059: host foo.com.np [74.86.*.*]: 554 5.7.1 Helo invalid(forged) 2007-11-29 04:11:32 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1IxgMm-0007DW-0m 2007-11-29 04:11:32 1IxgMm-0007Da-Bd <= <> R=1IxgMm-0007DW-0m U=mailnull P=local S=2006 T="Mail delivery failed: returning message to sender" 2007-11-29 04:11:32 1IxgMm-0007DW-0m Completed ... As you can see, this domain forwarder is not functioning like the other one (foobar.com) since the domain forwarder for foobar.com DOES actually work:
Code: 2007-11-29 03:58:21 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IxgA0-0002Gs-Vb 2007-11-29 03:58:21 1IxgA0-0002Gs-Vb => info <info@foobar.com> R=virtual_user T=virtual_userdelivery 2007-11-29 03:58:22 1IxgA0-0002Gs-Vb => *******@gmail.com <info@foobar.com> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [209.85.133.27] 2007-11-29 03:58:22 1IxgA0-0002Gs-Vb -> *******@gmail.com <info@foobar.com> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [209.85.133.27] 2007-11-29 03:58:22 1IxgA0-0002Gs-Vb Completed It looks like Exim doesn't know that emails sent to info@foo.com.np should be a local delivery. I checked the file "/etc/vdomainaliases/foo.com.np" and it says:
Im trying to troubleshoot the exim install that was included with cpanel. I read that the helo response being localhost instead of a fully qualified domain can lead to mail be directed to the bulk mail folder.
Looking at the mail headers, this is indeed set this way:
Received: from www.mydomain.com ([my_ip_addr] helo=localhost)
How is this response determined and how can I have it be a fully qualified domain name instead?
#Server PHP - hosts php and handles apache/mysql requests. #Server 2 - handles mail and dns requests.
Yesterday we moved mail from # server 2 to a new mail server, a cPanel one, all mailboxes are created, users can send and recieve email using webmail, mail clients, etc.
But.. while trying to send mails using PHP authenticated from the #Server PHP/Apache/MySQL , we got this error from the mail servers:
Code: We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. SMTP -> FROM SERVER: SMTP -> FROM SERVER: SMTP -> ERROR: HELO not accepted from server: SMTP -> get_lines(): $data was "" SMTP -> get_lines(): $str is "220-srv247.serverhost.com This was working when mails were recieved/sent in Sendmail (an Ensim box), now with Exim 4.x on a cPanel box we got this issue.
Already added IP address from #server php into all Exim whitelists, also added the IP to /etc/alwaysrely, but didn't help.
Im using RHE 5.2 on the mail server and latest Release build.
I am having a very weird problem with virtuozzo. I created about 8 VPS in my server. But when i logged into the server after two days, I could find that some of the VPS i had created disappeared. And the ones that still listed, were in the mounted state.
I have no idea of what is happening with the server. To list all the VPS back i had to log into the base node and restart service vz.
I don log into the virtuozzo very often, but whenever i log into the panel after some time ( a day or two) this is what happens.
I need to move clients over to the new VPS, but the issue is causing a lot of worry for me. What if this happens once i move the client over. I cannot always go restarting th vz.
My server has been formated it has two drives. I have my back up on the second drives. What is the command I use to list the drives and how to mount the second drive.
