
spamhaus.org is blocking our IP because we send mail using multiple domain names from a single IP.

The message is

A device (computer, server, mobile phone, etc), or an app on a device that is using aaa.bbb.ccc.ddd is infected, badly misconfigured, or compromised. It is making SMTP connections with multiple unrelated HELO values on port 25.

The most recent detection was on: May 18 2022, 10:20:00 UTC (+/- 5 minutes). The observed HELO values were xxx yyy zzz ,...

We have a lot of different domains for email (one customer = one domain), and all the emails are sent from the same IP (multiple different servers using the same internet gateway).

How should we handle this use case? We currently use exim4 as a mail server on the multiple servers.

Asked by Jean, edited by anx

  • No, it isn't. There are *myriads* of mail systems that handle multiple domains. Spamhaus never blocked anyone just for that. What *exactly* does your Spamhaus blocking message/reason look like? – Nikita Kipriyanov May 18 '22 at 14:12
  • If that alone were Spamhaus's reason, every major email service provider would be blocked immediately. Do these domains have valid SPF records permitting your IP to send emails on their behalf? – ceejayoz May 18 '22 at 14:17
  • I added the Spamhaus blocking message. Yes, these domains have valid SPF records. – Jean May 18 '22 at 14:48
  • Just writing that the tag `spam-marked` includes two canonical Q/A in its full description there: https://serverfault.com/tags/spam-marked/info which might already include some checks to do. – A.B May 18 '22 at 14:50
  • See [this Spamhaus page](https://www.spamhaus.org/faq/section/Hacked...%20Here%27s%20help) specifically. – ceejayoz May 18 '22 at 15:47
  • Does this answer your question? [How to send emails and avoid them being classified as spam?](https://serverfault.com/questions/48428/how-to-send-emails-and-avoid-them-being-classified-as-spam) – tripleee May 24 '22 at 03:57
  • Hello, I accepted Nikita Kipriyanov's answer, because that's exactly the problem I had. The canonical question you linked shows multiple possibilities, one among them is the solution I looked for. I think it will be easier for future users to read this answer, using the specific description of my use case. – Jean May 24 '22 at 07:02

1 Answer

You configured it to present different HELO names for each served domain? That's really a bad idea. That is why Spamhaus is angry with you.

  • Your server should have certain FQDN, at least for the mail service, let's say mail.example.org;
  • set up that FQDN name as the single constant HELO name, which is always presented by the MTA, no matter which domain's mail it is delivering now;
  • that name should have A or AAAA records that resolve to the server IP address, for example, mail.example.org. A 192.0.2.1;
  • the server uses this or some other IP address when it makes outgoing connections. The reverse DNS lookup of that outgoing IP address should point to this same FQDN, for example, 1.2.0.192.in-addr.arpa. PTR mail.example.org.;
  • ideally, enable STARTTLS and use an SSL certificate that is valid for this FQDN, e.g. CN=mail.example.org or the SAN field contains DNS:mail.example.org or DNS:*.example.org.

And then you specify this FQDN in the MX record of served domains, like this: example.com. MX 10 mail.example.org. (don't forget to set up SPF, DKIM, DMARC records too).

Notice, you cannot have multiple PTR records for a single IP address; technically you can, but that won't work as you might expect. Some DNS servers check these three items (HELO, forward DNS query for the HELO name and reverse DNS query for your IP) to match and block messages if they don't. This partially answers why you shouldn't change the HELO name for each message.

(It's essentially the same as this answer in the linked "Canonical question")

Answered by Nikita Kipriyanov

  • Thank you, we fixed it by setting the same HELO FQDN on our multiple servers. The FQDN now matches the DNS for this server. (related FAQ: "Correct HELO/DNS/rDNS alignment for domain example.com:") At the same time, Spamhaus removed our IP from the blocked-list. I'll wait until tomorrow, and will accept this answer. Thanks again. – Jean May 19 '22 at 09:17
  • Excellent answer! A minor notice: I think that there should always be a SAN matching the CN nowadays. – Esa Jokinen May 24 '22 at 07:31
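The three-way alignment the answer describes (HELO name, forward lookup of that name, PTR of the outgoing IP) plus the "several HELO values from one IP" symptom in the Spamhaus notice can be checked before mail leaves the gateway. The script below is an added example, not code from the question, the answer or exim; it uses constructed in-memory DNS data instead of live lookups, and the `check_helo` / `check_fleet` function names, the `mail.customer-a.example` host and the `srv1`/`srv2` labels are assumptions made for the illustration.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed DNS data standing in for real lookups so the check runs offline.
# mail.example.org / 192.0.2.1 are the answer's own examples; the customer
# host name and the server labels below are made up for this illustration.
FORWARD: Dict[str, List[str]] = {
    "mail.example.org.": ["192.0.2.1"],
    "mail.customer-a.example.": ["192.0.2.1"],  # a second HELO on the same IP
}
REVERSE: Dict[str, str] = {
    "1.2.0.192.in-addr.arpa.": "mail.example.org.",  # the single PTR for the IP
}


def fqdn(name: str) -> str:
    """Normalise a host name to its absolute (trailing-dot) form."""
    return name if name.endswith(".") else name + "."


def check_helo(helo: str, outgoing_ip: str,
               forward: Dict[str, List[str]] = FORWARD,
               reverse: Dict[str, str] = REVERSE) -> List[str]:
    """Return the alignment problems for one HELO/IP pair; [] means aligned."""
    helo = fqdn(helo)
    problems: List[str] = []
    # 1. forward: the HELO name must resolve (A/AAAA) to the outgoing address
    if outgoing_ip not in forward.get(helo, []):
        problems.append(f"forward: {helo} does not resolve to {outgoing_ip}")
    # 2. reverse: the PTR of the outgoing address must name the HELO host;
    #    reverse_pointer builds the in-addr.arpa / ip6.arpa name for v4 or v6
    ptr_name = fqdn(ipaddress.ip_address(outgoing_ip).reverse_pointer)
    ptr = reverse.get(ptr_name)
    if ptr != helo:
        problems.append(f"reverse: {ptr_name} is {ptr}, expected {helo}")
    return problems


def check_fleet(observed: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """observed = (server label, HELO it sends, IP it leaves the gateway with).
    Adds the symptom Spamhaus reported: several HELO names behind one IP."""
    helos_per_ip: Dict[str, Set[str]] = {}
    for _, helo, ip in observed:
        helos_per_ip.setdefault(ip, set()).add(fqdn(helo))
    report: Dict[str, List[str]] = {}
    for server, helo, ip in observed:
        report[server] = check_helo(helo, ip)
        if len(helos_per_ip[ip]) > 1:
            report[server].append(
                f"shared: {ip} presents {len(helos_per_ip[ip])} different HELO names")
    return report
```

Running `check_fleet` over the two constructed servers flags both the misaligned customer HELO and the shared-IP symptom; once every server behind the gateway sends `mail.example.org`, the report is empty for all of them.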