
Our server has been listed several times on CBL (see this question) because it "attempted to send email without using the HELO/EHLO command".

Grepping for HELO in Exim's logs, I found such suspicious (yet useful!) entries from GMail:

Remote host closed connection in response to HELO  (EHLO response was: 501-5.5.4 Empty HELO/EHLO argument not allowed, closing connection.

and from whatever other email provider or software:

SMTP error from remote mail server after HELO : 501 Syntax: HELO hostname

It seems to me that these errors may be the very reason for which our IP is listed on CBL.

I can't say for the GMail error yet because those messages are not in Exim's queue anymore (I will confirm as soon as I get a new one), but the other message is a bounce email, as I suspected in the other question ("retry timeout exceeded" because of non-existent address).

Now, I couldn't find confirmation online, but I guess it's not normal that bounce emails have an empty HELO command, right? So how do I configure Exim so that they don't?

NB: I know I could just blackhole such messages, which I'll eventually try if I can't find a better solution, but it doesn't seem like the right approach.

NB2: For "regular emails" the HELO command is already set as follows, from /etc/exim4/conf.d/main/00_local_settings:

REMOTE_SMTP_HELO_DATA=$sender_address_domain
    Obviously `$sender_address_domain` is wrong :) – Michael Hampton Aug 10 '18 at 15:27
  • @MichaelHampton Oh… Indeed it's probably empty for bounce emails !!! I'll check it out, thanks (you may want to add this to your answer). – Skippy le Grand Gourou Aug 10 '18 at 15:29
  • Setting `REMOTE_SMTP_HELO_DATA` to the FQDN and `MAIN_TIMEOUT_FROZEN_AFTER=10s`, then sending an email to a non-existent user from an external email address I was able to confirm that the empty `$sender_address_domain` was indeed the issue. – Skippy le Grand Gourou Aug 10 '18 at 16:42
  • Can you just bitbucket the bounce messages? Are spam programs advanced enough to use the bounce messages to trim the list? If so, and you basically drop bad messages, you would deny them the feedback. Same concept with dropping packets at the firewall instead of bouncing them. – Jeter-work Aug 10 '18 at 18:47
  • @Xalorous As far as I'm concerned I wouldn't mind spammers using bounce feedback to remove my obsolete addresses from their list and keep my server quiet… But indeed I did consider the blackhole option, see my first NB. However I changed my mind after reading [this answer](https://serverfault.com/questions/722114/use-exim-systemfilter-to-drop-specific-incoming-and-outgoing-emails-withou-bounc/722189#722189). There *is* a slight chance that a real human actually tries to reach these addresses. – Skippy le Grand Gourou Aug 10 '18 at 19:52

1 Answer

Most servers check for a valid hostname in the EHLO/HELO command. The parameter must be the FQDN of your server as it is seen on the Internet, and your forward and reverse DNS must match for that name.

For example, if your machine is named mail.example.com:

  • It must send EHLO mail.example.com. Mail servers normally do this by default (except on Debian-based systems); they usually have to be explicitly misconfigured to not do so (except on Debian-based systems). Spammers often don't bother with EHLO or can't send a legitimate hostname.

    See here for how to configure Exim.

  • The DNS A/AAAA record for mail.example.com must have a record matching the IPv4 or IPv6 address which connected to the remote machine.

    For example:

    mail.example.com        IN      A       192.0.2.83
    
  • The IP address which connected to the remote machine must have a DNS PTR record with the name mail.example.com.

    For example:

    83.2.0.192.in-addr.arpa. IN      PTR     mail.example.com.
    

Connections which fail one or more of these checks will generally have their mail marked as spam or rejected. If your server fails any of these checks with a spamtrap, it will end up on a blackhole list.

Michael Hampton
  • Thanks for your answer, but I have to point out that it is generic and doesn't address my question, which is *specifically* about bounce emails. I've edited it with my current HELO settings (Debian indeed), which [CBL helocheck](https://www.abuseat.org/helocheck.html) considers as "*valid syntax*". – Skippy le Grand Gourou Aug 10 '18 at 15:27
  • @SkippyleGrandGourou Your HELO settings are wrong. The _syntax_ might be correct, but the _content_ is wrong. As specified above in the linked configuration answer, you should be using `$primary_hostname` or specifying the hostname directly. – Michael Hampton Aug 10 '18 at 15:29
  • I have multiple domains on that server. IIRC, using the FQDN lead to issues with email checking services. – Skippy le Grand Gourou Aug 10 '18 at 15:38
    We can't help you send spam. But we can maybe help you with broken email checking services. Whatever they said, the actual FQDN of the machine is what you need to send in HELO. Other domains go elsewhere, like the envelope sender, From:, etc. – Michael Hampton Aug 10 '18 at 15:45
  • I don't understand your first sentence, this is a legit server for legit emails. Anyway, now I remember the issue has nothing to do with email checking services but with Yahoo SPF check, about which [I already asked here](https://serverfault.com/questions/826795/spf-issue-with-different-helo-fqdn) (and you already tried to help, but of course I'd be glad if you come up with a better solution than mine, other than not bothering with Yahoo users). – Skippy le Grand Gourou Aug 10 '18 at 15:55
  • I have yet to test it, but I believe I found the ultimate correct solution and updated my answer on the other question. Thanks for pointing me the flaws in my attempts, it greatly helped. – Skippy le Grand Gourou Aug 10 '18 at 16:46
  • @SkippyleGrandGourou Other people will read this answer because they are having similar problems. Some people who edit their HELO do so because they are trying to send spam. This comment is for them. – Michael Hampton Aug 10 '18 at 16:47
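The three checks in the answer above (FQDN in HELO, forward record matching the connecting IP, PTR naming the HELO host) and the comment thread's point that `$sender_address_domain` is empty for a bounce can be exercised offline. The script below is an added example written for this page, not code from the answer, from Exim or from CBL; the in-memory `FORWARD`/`REVERSE` tables are constructed stand-ins for DNS using the answer's own names and addresses, and `resolve_forward`, `resolve_ptr`, `sender_address_domain` and `check_helo` are hypothetical helper names.

```python
"""Offline model of the HELO/EHLO alignment checks a receiving MTA applies.

Constructed example: a tiny in-memory "DNS" replaces real lookups so it runs
without network access. Swapping the two resolver functions for real A/AAAA
and PTR queries turns it into a self-check for a live mail server.
"""
import ipaddress

# Constructed zone data, taken from the answer's example records.
FORWARD = {
    "mail.example.com.": {"192.0.2.83"},
}
REVERSE = {
    "83.2.0.192.in-addr.arpa.": {"mail.example.com."},
}


def resolve_forward(name):
    """Hypothetical stand-in for an A/AAAA lookup; returns a set of addresses."""
    return FORWARD.get(name.rstrip(".") + ".", set())


def resolve_ptr(ip):
    """Hypothetical stand-in for a PTR lookup keyed by the reverse name.

    ipaddress derives the in-addr.arpa / ip6.arpa owner name for us, so the
    same code covers IPv4 and IPv6 connecting addresses.
    """
    rev = ipaddress.ip_address(ip).reverse_pointer + "."
    return REVERSE.get(rev, set())


def sender_address_domain(envelope_sender):
    """Mimic Exim's $sender_address_domain: empty for the null sender (<>) of a bounce."""
    addr = envelope_sender.strip().strip("<>")
    return addr.rpartition("@")[2] if "@" in addr else ""


def check_helo(helo, connecting_ip, forward=resolve_forward, ptr=resolve_ptr):
    """Return the list of failed checks; an empty list means the HELO is aligned."""
    if not helo:
        # This is the case Gmail answers with "501-5.5.4 Empty HELO/EHLO argument".
        return ["empty HELO/EHLO argument"]
    failures = []
    if "." not in helo.strip("."):
        failures.append("HELO is not a fully qualified domain name")
    if connecting_ip not in forward(helo):
        failures.append("no A/AAAA record for HELO name matches connecting IP")
    ptr_names = {n.rstrip(".").lower() for n in ptr(connecting_ip)}
    if helo.rstrip(".").lower() not in ptr_names:
        failures.append("PTR record for connecting IP does not name the HELO host")
    return failures


if __name__ == "__main__":
    ip = "192.0.2.83"
    # A bounce carries the null sender, so the questioner's setting yields "".
    bounce_helo = sender_address_domain("<>")
    print("bounce with $sender_address_domain:", check_helo(bounce_helo, ip))
    # Using the machine's own FQDN (Exim's $primary_hostname) passes all checks.
    print("FQDN HELO:", check_helo("mail.example.com", ip))
```

Running it prints a single "empty HELO/EHLO argument" failure for the bounce case and an empty failure list for the FQDN case; feeding a HELO of another hosted domain shows both the forward and the reverse check failing, which is why the answer insists the HELO name must be the machine's own FQDN regardless of how many domains it hosts.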