  1. #11 dmorris (Untangle Junkie; joined Nov 2006; San Carlos, CA; 17,747 posts)

    It's also possible they are sending on a different port, and that Spamhaus is pulling your IP from the headers.
    I would just contact them and ask for details.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  2. #12 Untangler (joined Jan 2016; 60 posts)

    I contacted them, but they are not responding, saying only "you have to check your network for any suspicious activity, we cannot provide any more details".

  3. #13 Untangler (joined Jan 2016; 60 posts)

    Following is the message from Spamhaus. I have masked my IP for safety.
    ===============
    Hello,

    xxx.129.240.xxx was listed in the CBL, it tried to impersonate (via SMTP
    HELO command) being a domain we know it _cannot_ be. No properly
    configured mail server does this under any circumstances.

    Most recent detection was at 2018/07/10 20:45:00 (UTC) (+/- 5 minutes)

    You will need to examine the machine for a spam trojan or open proxy.
    Up-to-date anti-virus tools are essential.

    If the IP is a NAT firewall, we strongly recommend configuring the
    firewall to prevent machines on your network connecting to the Internet
    on port 25, except for machines that are supposed to be mail servers.

    Your IP address (xxx.129.240.Xxx) is sending email in such a way as to
    strongly indicate that the IP itself is operating some sort of spam
    package.

    This IP is impersonating (via SMTP HELO command) being a domain we know
    it _cannot_ be. No properly configured mail server does this under any
    circumstances.

    If the IP is a NAT firewall, we strongly recommend configuring the
    firewall to prevent machines on your network connecting to the Internet
    on port 25, except for machines that are supposed to be mail servers.

  4. #14 sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 23,774 posts)

    That message is indicating not a unit sending spam, but a misconfigured SMTP connector.

    Your HELO response on your publicly exposed SMTP service is misconfigured.

    I'd give you specifics, but you masked your IP, I'm not sure why you'd do that... it's a public mail server, it's already exposed. Putting it here doesn't put you at more risk, it just prevents us from helping you.
    Last edited by sky-knight; 07-11-2018 at 06:34 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #15 Untangler (joined Jan 2016; 60 posts)

    202.129.240.180

  6. #16 johnsonx42 (Untangle Ninja; joined Jan 2011; 1,186 posts)

    yeah, you need to fix up your SMTP connector configuration:

    telnet 202.129.240.180 25

    220 ****************************************************************************************
    helo mail.domain.com
    250 mail1.sanket.local Hello [216.237.4.246]

    (the point being that mail1.sanket.local is not an acceptable ID string...
    it should be the correct name of the mail server as listed in your external DNS, and ideally it should match the reverse lookup of your IP address)

    in fact, on further checking, it looks like you have everything admirably correct except for your HELO string:

    nslookup
    > set type=ptr
    > 202.129.240.180
    Non-authoritative answer:
    180.240.129.202.in-addr.arpa name = mail1.sanketindia.in
    > set type=mx
    > sanketindia.in
    Non-authoritative answer:
    sanketindia.in MX preference = 10, mail exchanger = mail1.sanketindia.in

    mail1.sanketindia.in internet address = 202.129.240.180

    so just set your SMTP connectors' (both inbound and outbound) ID string to mail1.sanketindia.in and you'll be all set
    Last edited by johnsonx42; 07-11-2018 at 07:37 AM.

  7. #17 sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 23,774 posts)

    OK, your SMTP Connector is responding to a HELO and EHLO with 250-mail1.sanket.local Hello [184.73.62.34].

    See that sanket.local? That is why they're pitching a fit. Reverse DNS for that IP resolves to mail1.sanketindia.in, so that's what needs to be in your helo/ehlo response.

    I don't have any more Exchange servers to just pull up and look, but if you find your default receive connector's properties on that server, there should be a box you can input the SMTP banner. It'll have the .local address in it, change it to your .in address.

    Then you can go to https://mxtoolbox.com/ stuff your IP in there and see if the SMTP banner updates correctly.

    Also, welcome to the Untangle forums where we support stuff that isn't Untangle...
    Last edited by sky-knight; 07-11-2018 at 07:49 AM.
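As an added example (not code from the thread, from Untangle or from Exchange), the check that johnsonx42 (#16) and sky-knight (#17) describe: pull the host name out of the server's EHLO greeting, reject private suffixes such as .local, and compare it against the PTR record of the IP and that name's A record. The DNS lookup table and the two EHLO replies are constructed to mirror the nslookup and telnet output quoted in the thread, so the script runs offline.

```python
import re

# Constructed DNS view mirroring the nslookup output quoted in the thread
# (PTR of the server IP, and the A record of the PTR name). Not live DNS.
PTR_RECORDS = {"202.129.240.180": "mail1.sanketindia.in"}
A_RECORDS = {"mail1.sanketindia.in": "202.129.240.180"}

# Suffixes that only exist in private name spaces; a greeting ending in one
# can never be a domain the receiving side can verify, which is what CBL flags.
NON_PUBLIC_SUFFIXES = (".local", ".localdomain", ".internal", ".lan")

# Constructed EHLO replies, shaped like the two transcripts posted in the thread.
BEFORE_EHLO = "250-mail1.sanket.local Hello [216.237.4.246]\n250-SIZE 37748736\n250 AUTH NTLM LOGIN"
AFTER_EHLO = "250-mail1.sanketindia.in Hello [34.224.65.83]\n250-SIZE 37748736\n250-DSN\n250 AUTH NTLM LOGIN"

GREETING_RE = re.compile(r"^250[ -](\S+)")

def greeting_host(ehlo_reply):
    """Return the host name the server announces on the first 250 line of its EHLO reply."""
    for line in ehlo_reply.splitlines():
        m = GREETING_RE.match(line.strip())
        if m:
            return m.group(1).lower()
    return None

def check_greeting(ip, ehlo_reply, ptr=PTR_RECORDS, a=A_RECORDS):
    """Return the list of problems with the greeting; an empty list means it passes."""
    host = greeting_host(ehlo_reply)
    if host is None:
        return ["no 250 greeting line in EHLO reply"]
    problems = []
    # 1. Must be a real FQDN: not an address literal, a bare name or a private suffix.
    if host.startswith("[") or "." not in host or host.endswith(NON_PUBLIC_SUFFIXES):
        problems.append(f"greeting '{host}' is not a public FQDN")
    # 2. Must match the PTR record of the connecting IP.
    ptr_name = ptr.get(ip)
    if ptr_name is None:
        problems.append(f"no PTR record for {ip}")
    elif ptr_name.lower() != host:
        problems.append(f"greeting '{host}' does not match PTR '{ptr_name}'")
    # 3. The greeting name must resolve back to the IP (forward-confirmed reverse DNS).
    if a.get(host) != ip:
        problems.append(f"'{host}' does not resolve back to {ip}")
    return problems

if __name__ == "__main__":
    for label, reply in (("before", BEFORE_EHLO), ("after", AFTER_EHLO)):
        print(label, check_greeting("202.129.240.180", reply) or ["OK"])
```

To use it against your own server, replace the two tables with real PTR and A lookups and feed in the EHLO reply captured from a telnet session like the one above.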

  8. #18 Untangler (joined Jan 2016; 60 posts)

    hi sky-knight
    That is really great support, which is not for Untangle.

    OK, I changed the FQDN as you advised.
    Under Receive connectors there are 5 items in total:

    Client FrontEnd MAIL1
    Client Proxy MAIL1
    Default FrontEnd MAIL1
    Default MAIL1
    Outbound Proxy Frontend MAIL1

    I made changes to the following 2:
    Default FrontEnd MAIL1
    Default MAIL1

    Since I was not sure about the remaining 3, I kept them as mail1.sanket.local.

    I went to mxtoolbox.com and, with their "Test Email Server" tool, typed in sanketindia.in.
    That gave a couple of results, but I did not find any HELO or EHLO things in there.

  9. #19 Untangler (joined Jan 2016; 60 posts)

    Got the following: (SMTP Banner Check >> Reverse DNS does not match SMTP Banner)

    Connecting to 202.129.240.180

    220 ****************************************************************************************** [829 ms]
    EHLO EC2AMAZ-14J9QQI.mxtoolbox.com
    250-mail1.sanketindia.in Hello [34.224.65.83]
    250-SIZE 37748736
    250-DSN
    250 AUTH NTLM LOGIN [844 ms]
    MAIL FROM:<supertool@mxtoolbox.com>
    250 2.1.0 Sender OK [844 ms]
    RCPT TO:<test@mxtoolboxsmtpdiag.com>
    550 5.7.1 Unable to relay [5828 ms]

    LookupServerv2 10595ms

  10. #20 Untangler (joined Jan 2016; 60 posts)

    Huh.... some new issue.
    I was not able to type in mail1.sanketindia.in, as it said "AuthMechanism attribute on a Receive Connector contains ExchangeServer".
    So I unchecked Exchange Server authentication, and then it allowed me to type in mail1.sanketindia.in.

    But then no user was able to send mail. When users send a message they get the message "You don't have permission to perform this action".

    So I just checked (enabled) Exchange Server Authentication again, and now users are able to send emails, but then I had to change the FQDN to mail1.sanket.local.
