msimerson / Mail-Toaster-6

Mail Toaster 6
https://github.com/msimerson/Mail-Toaster-6/wiki
BSD 3-Clause "New" or "Revised" License

Mail sending blocked by authenticated user due to dnsbl #550

Closed Infern1 closed 11 months ago

Infern1 commented 1 year ago

Describe the bug: Sending a mail from mobile is blocked due to dnsbl.

To Reproduce: Send mail from a smartphone on the AT&T / Vodafone network in the Netherlands. When I'm connected to the mobile network and try to send a mail, it is blocked because the mail is seen as coming from dnsbl. I did check the IP: 109.38.148.204, which is indeed listed at zen.spamhaus.org. However, I cannot really influence which IP I get from my mobile provider.

Expected behavior: Authenticated users should somehow be able to send mail, since they cannot really influence the IP they are sending from.

Maybe it is more Haraka, please let me know if I should place it there.

Jul 25 11:20:01 haraka haraka[54171]: [NOTICE] [4FDEED83-FDCF-4DE6-8AD6-717223A9481C] [core] connect ip=109.38.148.204 port=1399 local_ip=172.16.15.9 local_port=587
Jul 25 11:20:01 haraka haraka[54171]: [INFO] [4FDEED83-FDCF-4DE6-8AD6-717223A9481C] [karma] score: 0, history: 0
Jul 25 11:20:01 haraka haraka[54171]: [INFO] [4FDEED83-FDCF-4DE6-8AD6-717223A9481C] [p0f] os="Mac OS X " distance=13 total_conn=1
Jul 25 11:20:01 haraka haraka[54171]: [INFO] [4FDEED83-FDCF-4DE6-8AD6-717223A9481C] [fcrdns] fail:has_rdns
Jul 25 11:20:03 haraka haraka[54171]: [INFO] [4FDEED83-FDCF-4DE6-8AD6-717223A9481C] [dnsbl] fail:zen.spamhaus.org
Jul 25 11:20:03 haraka haraka[54171]: [INFO] [4FDEED83-FDCF-4DE6-8AD6-717223A9481C] [geoip] EU, NL, NH, Amsterdam, 3km
Jul 25 11:20:04 haraka haraka[54171]: [INFO] [4FDEED83-FDCF-4DE6-8AD6-717223A9481C] [helo.checks] helo_host: smtpclient.apple, pass:match_re, bare_ip, dynamic, big_co(not), valid_hostname, host_mismatch, fail:rdns_match, forward_dns(no IP match)
Jul 25 11:20:04 haraka haraka[54171]: [INFO] [4FDEED83-FDCF-4DE6-8AD6-717223A9481C] [spf] identity=helo ip=109.38.148.204 domain="smtpclient.apple" mfrom=<postmaster@smtpclient.apple> result=None
Jul 25 11:20:04 haraka haraka[54171]: [INFO] [4FDEED83-FDCF-4DE6-8AD6-717223A9481C] [spf] scope: helo, result: None, domain: smtpclient.apple
Jul 25 11:20:04 haraka haraka[54171]: [INFO] [4FDEED83-FDCF-4DE6-8AD6-717223A9481C] [tls] secured: cipher=TLS_AES_256_GCM_SHA384 version=TLSv1.3 verified=false
Jul 25 11:20:04 haraka haraka[54171]: [INFO] [4FDEED83-FDCF-4DE6-8AD6-717223A9481C] [core]  hook=unrecognized_command plugin=tls function=upgrade_connection params=STARTTLS retval=OK msg=""
Jul 25 11:20:06 haraka haraka[54171]: [INFO] [4FDEED83-FDCF-4DE6-8AD6-717223A9481C] [helo.checks] helo_host: smtpclient.apple, pass:match_re, bare_ip, dynamic, big_co(not), valid_hostname, host_mismatch, literal_mismatch, fail:rdns_match, forward_dns(no IP match)
Jul 25 11:20:10 haraka haraka[54171]: [INFO] [4FDEED83-FDCF-4DE6-8AD6-717223A9481C] [core]  hook=unrecognized_command plugin=karma function=hook_unrecognized_command params=AUTH retval=DENY msg="very bad karma score: -10"
Jul 25 11:20:10 haraka haraka[54171]: [INFO] [4FDEED83-FDCF-4DE6-8AD6-717223A9481C] [core] client half closed connection ip=109.38.148.204
Jul 25 11:20:10 haraka haraka[54171]: [INFO] [4FDEED83-FDCF-4DE6-8AD6-717223A9481C] [karma] score: -10, history: 0, awards: 086,116,133, fail:cmd:(AUTH,PLAIN AHJvYkBic2RmcmVha3MubmwAd29mcmVha3NJdA==)
Jul 25 11:20:10 haraka haraka[54171]: [NOTICE] [4FDEED83-FDCF-4DE6-8AD6-717223A9481C] [core] disconnect ip=109.38.148.204 rdns=NXDOMAIN helo=smtpclient.apple relay=N early=N esmtp=Y tls=Y pipe=N errors=0 txns=0 rcpts=0/0/0 msgs=0/0/0 bytes=0 lr="500 very bad karma score: -10" time=9.04

msimerson commented 1 year ago

Easy solution: use port 465 (instead of 587 + STARTTLS). It's faster and you don't have to EHLO twice to start up the connection.

Infern1 commented 1 year ago

Sorry to say, but switching to port 465 doesn't make any difference. I tried it right away, but it did not work. I'm just lacking some feedback and logging information. Will do ASAP.

msimerson commented 1 year ago

Well that's odd. I've been using port 587 (and more recently 465) to relay from mobile and desktop clients for literally decades. It has always worked for me in Haraka and it still does.

johannes73 commented 1 year ago

Thanks for the tip about changing to 465. We had the same problem this year with clients sending mail from dynamic IPs in Sweden and Germany, using port 587. Users were not able to send because of the DNSBL "spam" class for their IP, even though they authenticated. Sometimes I myself could not send from mobile. I guess it could maybe be a result of more IPs being listed on some DNSBLs. After changing to 465 I have not had the problem. For the users using 587 we raised the karma limit for haraka, which ended user complaints, but I guess it will also let more spam through. Thanks again.

msimerson commented 1 year ago

Fun facts

johannes73 commented 1 year ago

Yes, in karma.ini I raised the AUTH score, and also lowered the "negative" threshold:

[result_awards]
#162 = auth                | pass    | match  | auth      |  18  | Authentication success
162 = auth                | pass    | match  | auth      |  50  | Authentication success

[thresholds]
; negative: the threshold below which a connection is denied/rejected
;           Be conservative to avoid false positives!
#negative=-8
negative=-18
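
Added example (not part of the thread and not Mail Toaster or Haraka code): a small Node.js script that scans Haraka log lines in the format posted above and reports submission-port connections (465/587) where karma denied AUTH, together with the DNSBL hits and karma score for each. The sample lines, IPs and UUIDs are constructed, and `findBlockedSubmissions` is a hypothetical helper name.

```javascript
'use strict';

// Constructed sample lines in the log format shown in the issue.
// IPs, UUIDs and PIDs are made up for this example.
const SAMPLE_LOG = [
  'Jul 25 11:20:01 haraka haraka[100]: [NOTICE] [AAAA0001-0000-4000-8000-000000000001] [core] connect ip=203.0.113.7 port=1399 local_ip=172.16.15.9 local_port=587',
  'Jul 25 11:20:03 haraka haraka[100]: [INFO] [AAAA0001-0000-4000-8000-000000000001] [dnsbl] fail:zen.spamhaus.org',
  'Jul 25 11:20:10 haraka haraka[100]: [INFO] [AAAA0001-0000-4000-8000-000000000001] [core]  hook=unrecognized_command plugin=karma function=hook_unrecognized_command params=AUTH retval=DENY msg="very bad karma score: -10"',
  'Jul 25 11:21:00 haraka haraka[100]: [NOTICE] [BBBB0002-0000-4000-8000-000000000002] [core] connect ip=198.51.100.9 port=5000 local_ip=172.16.15.9 local_port=25',
  'Jul 25 11:21:02 haraka haraka[100]: [INFO] [BBBB0002-0000-4000-8000-000000000002] [dnsbl] fail:zen.spamhaus.org',
  'Jul 25 11:22:00 haraka haraka[100]: [NOTICE] [CCCC0003-0000-4000-8000-000000000003] [core] connect ip=192.0.2.44 port=6000 local_ip=172.16.15.9 local_port=465',
].join('\n');

// [LEVEL] [connection UUID, optional .txn suffix] [plugin] message
const LINE_RE = /\[[A-Z]+\] \[([0-9A-Fa-f-]{36})(?:\.\d+)?\] \[([\w.]+)\]\s+(.*)$/;
const SUBMISSION_PORTS = new Set([465, 587]);

// Returns one record per submission-port connection where karma denied AUTH.
function findBlockedSubmissions(logText) {
  const conns = new Map();
  for (const line of logText.split('\n')) {
    const m = LINE_RE.exec(line);
    if (!m) continue; // not a Haraka plugin/core line
    const [, uuid, plugin, msg] = m;
    if (!conns.has(uuid)) {
      conns.set(uuid, { uuid, ip: null, localPort: null, dnsbl: [], score: null, authDenied: false });
    }
    const c = conns.get(uuid);
    if (plugin === 'core' && msg.startsWith('connect ')) {
      c.ip = (/\bip=(\S+)/.exec(msg) || [])[1] || null;
      c.localPort = Number((/\blocal_port=(\d+)/.exec(msg) || [])[1]);
    } else if (plugin === 'dnsbl') {
      const hit = /fail:(\S+)/.exec(msg);
      if (hit) c.dnsbl.push(hit[1]);
    } else if (plugin === 'core' && /plugin=karma\b.*params=AUTH\b.*retval=DENY/.test(msg)) {
      c.authDenied = true;
      const s = /karma score: (-?\d+)/.exec(msg);
      if (s) c.score = Number(s[1]);
    }
  }
  // Port 25 traffic is excluded: only authenticated-submission ports are of interest here.
  return [...conns.values()].filter((c) => c.authDenied && SUBMISSION_PORTS.has(c.localPort));
}

console.log(findBlockedSubmissions(SAMPLE_LOG));
```

Running it over a day's log shows how many legitimate users are being turned away before they can authenticate, which helps when deciding how far to move the `[thresholds]` and `[result_awards]` values in karma.ini.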