HowtoForge Forums > ISPConfig 2 > Installation/Configuration

#1
9th July 2006, 04:34
nenad (Senior Member)
Join Date: Nov 2005
Location: Novi Sad, Serbia

#5.1.1 SMTP; 550 Your HELO name for IP address 1.2.4.6 was "smtp"

Hi,

today I found that my server is (was) blacklisted due to "spam" (which is not the case) or a trojan (which is not the case) or a misconfiguration of the SMTP server.

How do I check exactly what they are talking about?

This is the answer that I received from http://cbl.abuseat.org:

(After I complained they removed me from their blacklist, but I would like to prevent such cases, especially because behind my IP is a small network, not a single machine.)

Which config files should I check to see if there is a problem with "localhost.localdomain" as the HELO string?
---------------------------------------------------------------------------

Quote:
The IP 87.116.136.92 was detected most recently at:

2006:07:02 ~02:00 UTC+/- 15 minutes

sending email in such a way as to strongly indicate that the IP itself
was operating an open http or socks proxy, or a trojan spam package.

You will need to examine the machine for a spam trojan or open
proxy. Up-to-date anti-virus tools are essential.

If the IP is a NAT firewall, we strongly recommend configuring the
firewall to prevent machines on your network connecting to the Internet
on port 25, except for machines that are supposed to be mail servers.

Note: 87.116.136.92 was found to be using the following name during
connections:

localhost.localdomain

Which is an illegal name according to the RFC2821 SMTP mail
protocol standards. RFC2821 requires that the machines claim names
that are a fully qualified domain names or IP addresses enclosed
in square brackets.

You will need to investigate why this is happening, and stop it from
doing that.

This is usually a spamware/trojan infection. In the off chance
that it isn't, we recommend you examine your mail server configuration
and ensure that your mail server is using an appropriate domain name.

One way of testing whether your mail server is misconfigured
is to send an email through it to helocheck@cbl.abuseat.org. You will
get a virtually immediate rejection. Examine the error message,
and you should see something like:

#5.1.1 SMTP; 550 Your HELO name for IP address 1.2.4.6 was "smtp"

It should be the fully qualified domain name for your mail server.
Like "mail.example.com". If it's localhost.domain, or things without
".", this is what you need to fix.

Variations on "localhost" at best suggest that you're running
relatively old mail server software that hasn't been configured.

Apparently old versions of sendmail (particularly those on Linux),
and the Perl Net::SMTP module default to this value, and need
to be configured properly.

Information on configuring sendmail can be found here:

http://cbl.abuseat.org/sendmailhelp.html

More information on these detections can be found here:

http://cbl.abuseat.org/lh.html

Apparently the "MXLookup" plugin for SpamPal helos as localhost.
Turn it off until you can get a fixed version. It is unknown
as yet whether a fixed version is available.

The Perl "CheckUser" module
(http://search.cpan.org/src/ILYAM/Mai...1/CheckUser.pm)
defaults to improper "HELO" and "MAIL FROM" strings: "localhost.localdomain"
and "check@user.com" respectively. The former is illegal, the latter
impersonates user.com - they probably don't like that. [Besides, by not
using your own domain, some spam filters will lie to your RCPT TO.]

You will need to change $Helo_Domain = to be "<DNS name of your server>"
and change $Sender_Addr to be something in _your_ domain (ie: "check@<mydomain>").

If you're using fetchmail: older versions of fetchmail almost always
use "localhost". The latest version (as of 2006/02/22 is 6.3.2) will
use "localhost" if the gethostname() function fails. You should upgrade
to the latest version, and make sure that gethostname() returns the
fully qualified domain name of your machine - which will probably
involve mucking about with /etc/hosts and sethostname/setdomainname.
If all else fails, hack the source.

If you're running Smartmax Mailmax, please let us know.

Useful links:

http://www.ftc.gov/secureyourserver/
http://spamlinks.net (see "Securing your System" and "proxies")
http://www.fr2.cyberabuse.org/?page=abuse-proxy

For more information on securing NAT firewalls/gateways, please
see http://cbl.abuseat.org/nat.html

I've removed the entry from the list.

It may take a few hours to propagate to the public nameservers.

WARNING: the CBL WILL relist this IP if the underlying issues are not
resolved, and the CBL detects the same thing again.
-- Jay, CBL Team
As far as I understand these things, my server has a valid HELO string, or doesn't it?

Quote:
Reporting-MTA: dns; server201.web-hosting.co.yu
X-Postfix-Queue-ID: A9684BB53E
X-Postfix-Sender: rfc822; nenad@web-hosting-solutions.biz
Arrival-Date: Sun, 9 Jul 2006 03:19:30 +0200 (CEST)

Final-Recipient: rfc822; helocheck@cbl.abuseat.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host mail.cbl.abuseat.org[216.168.28.54] said:
550-Your HELO name for IP address 87.116.136.92 was 550
"server201.web-hosting.co.yu" (in reply to RCPT TO command)
__________________
Nenad Bulatovic
---------------
Debian Lenny & ISPConfig 3
#2
10th July 2006, 09:47
falko (Super Moderator)
Join Date: Apr 2005
Location: Lüneburg, Germany

What's the output of
Code:
telnet localhost 25
?
__________________
Falko
#3
10th July 2006, 10:18
nenad (Senior Member)
Join Date: Nov 2005
Location: Novi Sad, Serbia

Code:
server201:~# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 server201.web-hosting.co.yu ESMTP Postfix (Debian/GNU)

-------------------------------------------------------------------

In the meantime, they replied to me. On my network there was one PC infected with a trojan, malware, whatever, so it was resolved during the last 24 hrs.

They confirmed that this:
Quote:
Reporting-MTA: dns; server201.web-hosting.co.yu
X-Postfix-Queue-ID: A9684BB53E
X-Postfix-Sender: rfc822; nenad@web-hosting-solutions.biz
Arrival-Date: Sun, 9 Jul 2006 03:19:30 +0200 (CEST)

Final-Recipient: rfc822; helocheck@cbl.abuseat.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host mail.cbl.abuseat.org[216.168.28.54] said:
550-Your HELO name for IP address 87.116.136.92 was 550
"server201.web-hosting.co.yu" (in reply to RCPT TO command)
is perfectly good regarding what is expected from a host to reply in the HELO statement.
__________________
Nenad Bulatovic
---------------
Debian Lenny & ISPConfig 3
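The HELO rule the CBL describes in post #1 (a fully qualified name with a dot, or an IP literal in square brackets; anything built on "localhost" points at unconfigured software) and the two checks used in this thread (reading your own Postfix greeting as in post #3, and reading the HELO name that the helocheck bounce echoes back) can be scripted so the same test is repeatable after every mail-server change. The following Python is an added example written for this page; it is not code from the thread, from the CBL or from Postfix. The sample greeting and bounce are constructed from the text quoted above, and the function names (helo_name_problem, banner_hostname, reported_helo_name, check_bounce) are my own.

```python
import ipaddress
import re

# Constructed sample inputs, taken from what this thread quotes: the Postfix
# greeting shown in post #3 and the helocheck bounce (DSN) shown in post #1.
SAMPLE_BANNER = "220 server201.web-hosting.co.yu ESMTP Postfix (Debian/GNU)"
SAMPLE_BOUNCE = """\
Reporting-MTA: dns; server201.web-hosting.co.yu
X-Postfix-Queue-ID: A9684BB53E
Arrival-Date: Sun, 9 Jul 2006 03:19:30 +0200 (CEST)

Final-Recipient: rfc822; helocheck@cbl.abuseat.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host mail.cbl.abuseat.org[216.168.28.54] said:
550-Your HELO name for IP address 87.116.136.92 was 550
"server201.web-hosting.co.yu" (in reply to RCPT TO command)
"""

# One DNS label: 1-63 letters, digits or '-', not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def helo_name_problem(name):
    """Return None if `name` is an acceptable HELO/EHLO argument, otherwise a
    short reason. The rules are the ones the CBL summarises from RFC 2821:
    either a fully qualified domain name (at least one dot, well-formed
    labels) or an IP address literal in square brackets ([1.2.3.4] or
    [IPv6:...]). Names whose first label is "localhost" are flagged as the
    fingerprint of mail software that was never configured.
    """
    name = name.strip()
    if not name:
        return "empty HELO name"
    if name.startswith("[") and name.endswith("]"):
        literal = name[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            ipaddress.ip_address(literal)
        except ValueError:
            return "bracketed literal is not a valid IP address"
        return None
    if "." not in name:
        return "not fully qualified (no dot)"
    if not all(_LABEL.match(label) for label in name.split(".")):
        return "malformed DNS label"
    if name.lower().split(".")[0] == "localhost":
        return "localhost-style name; mail software is not configured"
    return None


def banner_hostname(greeting):
    """Extract the hostname a server announces in its 220 greeting, i.e. the
    first token after the reply code. For Postfix this is $myhostname."""
    m = re.match(r"^220[ -](\S+)", greeting.strip())
    return m.group(1) if m else None


def reported_helo_name(bounce_text):
    """Pull the (client IP, HELO name) pair the CBL helocheck responder echoed
    back in the Diagnostic-Code of the bounce. Postfix wraps the 550 text
    over several lines, so the search is allowed to span line breaks."""
    m = re.search(
        r'Your HELO name for IP address (\S+) was.*?"([^"]+)"',
        bounce_text,
        re.S,
    )
    return (m.group(1), m.group(2)) if m else None


def check_bounce(bounce_text):
    """Combine the two: which name the remote side saw, and whether it passes."""
    found = reported_helo_name(bounce_text)
    if found is None:
        return None
    ip, helo = found
    return {"ip": ip, "helo": helo, "problem": helo_name_problem(helo)}


if __name__ == "__main__":
    print("greeting hostname:", banner_hostname(SAMPLE_BANNER))
    print("helocheck result: ", check_bounce(SAMPLE_BOUNCE))
    for candidate in ("mail.example.com", "[87.116.136.92]", "smtp",
                      "localhost.localdomain"):
        print(f"{candidate!r:26} -> {helo_name_problem(candidate)}")
```

Two points worth keeping in mind when using it. The 220 greeting only tells you what your server announces when it *receives* mail; the name it uses as a *client* when it delivers outbound mail is what the CBL sees, which for Postfix is `smtp_helo_name` (defaulting to `$myhostname`), so the bounce check is the one that matters for the listing. And a syntactically valid name is all this script verifies; as the thread itself shows, the listing here was caused by another machine behind the same NAT address, which no check on the mail server can detect. The CBL's own advice of blocking outbound port 25 for everything except the real mail servers is the control that addresses that case.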
All times are GMT +2.