[SOLVED] [After upgrade 3.2] can't send mails, sender rejects (spamhaus)

Discussion in 'General' started by TerenceHill, Oct 22, 2020.

  1. TerenceHill

    TerenceHill New Member

    Since the upgrade to ISPConfig 3.2,
    I cannot send any mails anymore.
    It seems that my mail server does not accept the mail because my IP address (at home) is on the blacklist of Spamhaus (My ISP, Provider).

    Error Mail-log:
    Code:
    Oct 22 13:52:22 server2 postfix/submission/smtpd[16487]: NOQUEUE: reject: RCPT from ip-777-777-777-777.net[777.777.777.777]: 554 5.7.1 Service unavailable; Client host [777.777.777.777] blocked using 2nsumfdkkjwhd02.zen.dq.spamhaus.net; https://www.spamhaus.org/query/ip/777.777.777.777; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.1.223]>
    
    Before the update, the IP was also in the Spamhaus BL, but the server didn't check the sender.
    Where do I turn off the check?
    Thank you guys

    postconf -n
    Code:
    address_verify_negative_refresh_time = 60s
    address_verify_sender_ttl = 15686s
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    append_dot_mydomain = no
    biff = no
    body_checks = regexp:/etc/postfix/body_checks
    broken_sasl_auth_clients = yes
    compatibility_level = 2
    dovecot_destination_recipient_limit = 1
    enable_original_recipient = yes
    greylisting = check_policy_service inet:127.0.0.1:10023
    header_checks = regexp:/etc/postfix/header_checks
    html_directory = /usr/share/doc/postfix/html
    inet_interfaces = all
    inet_protocols = all
    mailbox_size_limit = 0
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    message_size_limit = 0
    milter_default_action = accept
    milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
    milter_protocol = 6
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    mydestination = server2.hostname.com, localhost, localhost.localdomain
    myhostname = server2.hostname.com
    mynetworks = 127.0.0.0/8 [::1]/128
    myorigin = /etc/mailname
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    non_smtpd_milters = inet:localhost:11332
    owner_request_special = no
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_s$
    readme_directory = /usr/share/doc/postfix
    recipient_delimiter = +
    relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    relayhost =
    sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
    smtp_dns_support_level = dnssec
    smtp_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_security_level = dane
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    smtpd_client_message_rate_limit = 100
    smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, reject_rbl_client 2nsumfdkkjwhd02.zen.dq.spamhaus.net, reject_rbl_client bl.spamcop.net, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client mail.de.bl.blockli$
    smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
    smtpd_etrn_restrictions = permit_mynetworks, reject
    smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
    smtpd_helo_required = yes
    smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, permit
    smtpd_milters = inet:localhost:11332
    smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:/etc/postfix/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/m$
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_restriction_classes = greylisting
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_path = private/auth
    smtpd_sasl_type = dovecot
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_mandatory_ciphers = medium
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    tls_preempt_cipherlist = no
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
    virtual_mailbox_base = /var/vmail
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_transport = lmtp:unix:private/dovecot-lmtp
    virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
    
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    It's this line:
    Code:
    smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, reject_rbl_client 2nsumfdkkjwhd02.zen.dq.spamhaus.net, reject_rbl_client bl.spamcop.net, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client mail.de.bl.blockli$
    Remove the part with: reject_rbl_client 2nsumfdkkjwhd02.zen.dq.spamhaus.net,
    More info here: https://www.howtoforge.com/hardening-postfix-for-ispconfig-3#dnsbl-dns-based-blacklistblocklist
    Another way is to whitelist your sending IP-address.
     
    TerenceHill likes this.
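
Added example, not part of the thread and not ISPConfig's own code: a small shell helper that removes one `reject_rbl_client <zone>` entry from a restriction list like the one quoted above, keeping all other entries in order. It assumes the list is comma-separated as in the `postconf -n` output; the sample value is constructed from the first entries of that output, and the function name `strip_rbl` is hypothetical.

```shell
#!/bin/sh
# Added example: remove one "reject_rbl_client <zone>" entry from a Postfix
# restriction list without disturbing the other entries or their order.
# Assumption: entries are comma-separated, as in the postconf -n output above.

# strip_rbl VALUE ZONE -> prints VALUE without the entry "reject_rbl_client ZONE"
strip_rbl() {
    printf '%s\n' "$1" | awk -v zone="$2" '
    {
        n = split($0, parts, ",")
        out = ""
        for (i = 1; i <= n; i++) {
            entry = parts[i]
            gsub(/^[ \t]+|[ \t]+$/, "", entry)   # trim surrounding blanks
            if (entry == "") continue            # skip empty items (stray commas)
            m = split(entry, w, /[ \t]+/)
            # Compare as plain strings so dots in the zone are not regex wildcards
            if (m == 2 && w[1] == "reject_rbl_client" && w[2] == zone) continue
            out = (out == "" ? entry : out ", " entry)
        }
        print out
    }'
}

# Constructed sample: the start of the smtpd_client_restrictions value from the
# post (the original line is truncated on the page, so it is shortened here).
sample='check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, reject_rbl_client 2nsumfdkkjwhd02.zen.dq.spamhaus.net, reject_rbl_client bl.spamcop.net'

echo "before: $sample"
echo "after:  $(strip_rbl "$sample" 2nsumfdkkjwhd02.zen.dq.spamhaus.net)"

# To apply on the server (as root), back up main.cf first, then:
#   cp /etc/postfix/main.cf /etc/postfix/main.cf.bak
#   new=$(strip_rbl "$(postconf -h smtpd_client_restrictions)" "<zone to drop>")
#   postconf -e "smtpd_client_restrictions = $new"
#   postfix reload
```

Running `postconf -n | grep smtpd_client_restrictions` afterwards confirms which DNSBL zones are still checked.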
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    The uneditable RBL is a bug in 3.2; it will be fixed in 3.2.1. You can apply the fix suggested by @Taleman as a temporary workaround.

    Furthermore, @Jesse Norell mentioned the real problem ;)
     
    TerenceHill likes this.
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Are you sending on port 25? Ports 465 and 587 should be used for mail submission; they don't have the RBL checks.
     
  5. TerenceHill

    TerenceHill New Member

    Thank you, worked, mails sent again.

    Thank you, I edited the main.cf and am waiting for 3.2.1.

    No, using SSL on 993/587.

    Please tag it as [Solved].

    Thanks for helping, I wanna spend a small amount of euros; is there a donation button (Patreon or similar)?
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Good to hear. There is currently no donation button, but you can become a HowToForge subscriber: https://www.howtoforge.com/subscription/
     
