1

Topic: Can't whitelist blacklisted HELO

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.5
- Deployed with iRedMail Easy or the downloadable installer? Installer
- Linux/BSD distribution name and version: Ubuntu 20.04.6 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes - iRedAdmin-Pro MySQL 5.5
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.

/var/log/iredapd/iredapd.log

Dec 11 17:29:59 mail iredapd [144.76.154.72] Reverse client hostname is blacklisted: .clients.your-server.de
Dec 11 17:29:59 mail iredapd [144.76.154.72] RCPT, www-data@papps01.public.zentyal.com -> MYUSER@MYDOMAIN.com, REJECT Blacklisted [sasl_username=, sender=www-data@papps01.public.zentyal.com, client_name=static.72.154.76.144.clients.your-server.de, reverse_client_name=static.72.154.76.144.clients.your-server.de, helo=download01.public.zentyal.com, encryption_protocol=, encryption_cipher=, server_port=25, process_time=0.0028s]

====
I've been trying without success to whitelist this blacklisted sender. Here is the current HELO order of my postfix main.cf file:

# HELO restriction
smtpd_helo_required = yes
smtpd_helo_restrictions =
#    check_helo_access hash:/etc/postfix/helo_access
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access pcre:/etc/postfix/helo_access.pcre
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    reject_invalid_helo_hostname

and here is how I have listed it in helo_access.pcre

/\.clients\.your-server\.de$/ OK
/\.zentyal\.com$/ OK

Yes, I have restarted postfix (and iredapd for good measure)
Any ideas what I'm doing wrong?

Thank you kindly in advance!!
-Lexa


2 (edited by Pavel Zhe 2023-12-12 20:51:23)

Re: Can't whitelist blacklisted HELO

Lexa83 wrote:

and here is how I have listed it in helo_access.pcre

/\.clients\.your-server\.de$/ OK
/\.zentyal\.com$/ OK

Yes, I have restarted postfix (and iredapd for good measure)
Any ideas what I'm doing wrong?

Thank you kindly in advance!!
-Lexa

Did you assume helo_access.pcre or sender_access.pcre?

It's an iredapd block, not postfix:

Dec 11 17:29:59 mail iredapd [144.76.154.72] Reverse client hostname is blacklisted: .clients.your-server.de

Do you have the 'wblist_rdns' plugin enabled in /opt/iredapd/settings.py?

3

Re: Can't whitelist blacklisted HELO

Pavel Zhe wrote:

Do you have the 'wblist_rdns' plugin enabled in /opt/iredapd/settings.py?

Yes I do, it is the first plugin listed.

# Enabled plugins.
plugins = ["wblist_rdns", "reject_sender_login_mismatch", "greylisting", "throttle", "amavisd_wblist", "sql_alias_access_policy", "sql_ml_access_policy"]

4 (edited by Pavel Zhe 2023-12-13 00:55:18)

Re: Can't whitelist blacklisted HELO

Lexa83 wrote:
Pavel Zhe wrote:

Do you have the 'wblist_rdns' plugin enabled in /opt/iredapd/settings.py?

Yes I do, it is the first plugin listed.

# Enabled plugins.
plugins = ["wblist_rdns", "reject_sender_login_mismatch", "greylisting", "throttle", "amavisd_wblist", "sql_alias_access_policy", "sql_ml_access_policy"]

Remove it from this list temporarily as a test and check the log again.
(A restart of iredapd is required.)

5

Re: Can't whitelist blacklisted HELO

Pavel Zhe wrote:
Lexa83 wrote:
Pavel Zhe wrote:

Do you have the 'wblist_rdns' plugin enabled in /opt/iredapd/settings.py?

Yes I do, it is the first plugin listed.

# Enabled plugins.
plugins = ["wblist_rdns", "reject_sender_login_mismatch", "greylisting", "throttle", "amavisd_wblist", "sql_alias_access_policy", "sql_ml_access_policy"]

Remove it from this list temporarily as a test and check the log again.
(A restart of iredapd is required.)

Yes, removing the wblist_rdns plugin temporarily did let the email come through. Is there a way to whitelist certain senders for that plugin?

6 (edited by Pavel Zhe 2023-12-13 15:02:55)

Re: Can't whitelist blacklisted HELO

Lexa83 wrote:

Yes, removing the wblist_rdns plugin temporarily did let the email come through. Is there a way to whitelist certain senders for that plugin?

Managing iRedAPD lists is described at _ttps://docs.iredmail.org/manage.iredapd.html#manage-whiteblacklists
(replace _ with h)

To manage rDNS lists you probably need to do some SQL console work, as described in iredapd/plugins/wblist_rdns.py

Connect to the SQL server as the iredapd user, select the iredapd database, then print the table 'wblist_rdns'
(I use PostgreSQL)

iredapd=> select * from wblist_rdns;
 id |             rdns              | wb
----+-------------------------------+----
  1 | .dynamic.163data.com.cn       | B
  2 | .cable.dyn.cableonline.com.mx | B
  3 | .dyn.user.ono.com             | B
  4 | .static.skysever.com.br       | B
  5 | .castelecom.com.br            | B
  6 | .clients.your-server.de       | B
(6 rows)

iredapd=>

Your problem domain has id = 6, so:

iredapd=> update wblist_rdns set wb='W' where id = '6';
UPDATE 1
iredapd=> select * from wblist_rdns;
 id |             rdns              | wb
----+-------------------------------+----
  1 | .dynamic.163data.com.cn       | B
  2 | .cable.dyn.cableonline.com.mx | B
  3 | .dyn.user.ono.com             | B
  4 | .static.skysever.com.br       | B
  5 | .castelecom.com.br            | B
  6 | .clients.your-server.de       | W
(6 rows)
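
Added example, not part of the thread and not iRedAPD's own code: a simplified model of an rDNS white/blacklist lookup, comparing the `UPDATE` on row 6 shown above with whitelisting only the one hostname from the log. It assumes the plugin tests the exact hostname plus every dot-prefixed parent suffix and consults whitelist rows before blacklist rows (check iredapd/plugins/wblist_rdns.py on your install); `OTHER` is a constructed hostname and SQLite stands in for the real database.

```python
import sqlite3

# Rows as printed in the post above; HOST is the reverse name from the log line.
ROWS = [(1, ".dynamic.163data.com.cn", "B"), (2, ".cable.dyn.cableonline.com.mx", "B"),
        (3, ".dyn.user.ono.com", "B"), (4, ".static.skysever.com.br", "B"),
        (5, ".castelecom.com.br", "B"), (6, ".clients.your-server.de", "B")]
HOST = "static.72.154.76.144.clients.your-server.de"
OTHER = "static.10.2.0.192.clients.your-server.de"  # constructed neighbour host

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wblist_rdns "
               "(id INTEGER PRIMARY KEY, rdns TEXT UNIQUE, wb TEXT)")
    db.executemany("INSERT INTO wblist_rdns VALUES (?, ?, ?)", ROWS)
    return db

def candidates(rdns):
    """Exact hostname, then '.a.b.c', '.b.c', '.c' (assumed matching rule)."""
    name = rdns.lower().rstrip(".")
    labels = name.split(".")
    return [name] + ["." + ".".join(labels[i:]) for i in range(len(labels))]

def verdict(db, rdns):
    """Return (result, matching row); whitelist rows are consulted first."""
    names = candidates(rdns)
    marks = ",".join("?" * len(names))
    for wb, result in (("W", "whitelisted"), ("B", "blacklisted")):
        row = db.execute(
            f"SELECT rdns FROM wblist_rdns WHERE wb = ? AND rdns IN ({marks}) LIMIT 1",
            [wb, *names]).fetchone()
        if row:
            return result, row[0]
    return "no match", None

def flip_suffix(db):
    """The change from the post: the whole suffix becomes a whitelist entry."""
    db.execute("UPDATE wblist_rdns SET wb = 'W' WHERE id = 6")

def allow_host(db, host):
    """Narrower alternative: keep row 6 as 'B', whitelist one exact hostname."""
    db.execute("INSERT INTO wblist_rdns (rdns, wb) VALUES (?, 'W')", (host,))

if __name__ == "__main__":
    for label, change in (("flip suffix", flip_suffix),
                          ("allow host", lambda d: allow_host(d, HOST))):
        db = make_db()
        change(db)
        print(label, verdict(db, HOST), verdict(db, OTHER))
```

Under these assumptions, flipping row 6 exempts every host under `.clients.your-server.de`, while the single-host row lets the Zentyal sender through and leaves the rest of the suffix blocked.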

7

Re: Can't whitelist blacklisted HELO

I suggest that admins of the domains (sender) should configure their mail servers accordingly and set a reverse DNS entry, so their mails won't get rejected and blocked by other mail servers.

8

Re: Can't whitelist blacklisted HELO

dave.opc wrote:

I suggest that admins of the domains (sender) should configure their mail servers accordingly and set a reverse DNS entry, so their mails won't get rejected and blocked by other mail servers.

You are right, but it's not always possible. As for me, it's not a good idea to supply a mail server with its own predefined custom blacklists.