
spamhaus.org is blocking our IP because we send mail using multiple domain names from a single IP.

The message is:

A device (computer, server, mobile phone, etc), or an app on a device that is using aaa.bbb.ccc.ddd is infected, badly misconfigured, or compromised. It is making SMTP connections with multiple unrelated HELO values on port 25.

The most recent detection was on: May 18 2022, 10:20:00 UTC (+/- 5 minutes). The observed HELO values were xxx yyy zzz ,...

We have a lot of different domains for emails (one customer = one domain), and all the emails are sent from the same IP (multiple different servers using the same internet gateway).

How should we handle this use case? We currently use exim4 as a mail server on the multiple servers.

anx
Jean

1 Answer

You configured it to present different HELO names for each served domain? That's really a bad idea. That is why Spamhaus is angry with you.

  • Your server should have a certain FQDN, at least for the mail service, let's say mail.example.org;
  • set up that FQDN as the single constant HELO name, which is always presented by the MTA, no matter which domain's mail it is delivering now;
  • that name should have A or AAAA records that resolve to the server IP address, for example, mail.example.org. A 192.0.2.1;
  • the server uses this or some other IP address when it makes outgoing connections. The reverse DNS lookup of that outgoing IP address should point to this same FQDN, for example, 1.2.0.192.in-addr.arpa. PTR mail.example.org.;
  • ideally, enable STARTTLS and use an SSL certificate that is valid for this FQDN, e.g. CN=mail.example.org and the SAN field contains DNS:mail.example.org or DNS:*.example.org.

And then you specify this FQDN in the MX record of served domains, like this: example.com. MX 10 mail.example.org. (don't forget to set up SPF, DKIM, DMARC records too).

Note that you cannot have multiple PTR records for a single IP address; technically you can, but that won't work as you might expect. Some mail servers check these three items (HELO, forward DNS query for the HELO name and reverse DNS query for your IP) to match and block messages if they don't. This partially answers why you shouldn't change the HELO name for each message.

Aubs
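As an added example, not from the question or the answer above, the following Python sketch applies the three checks the answer describes (HELO name, forward lookup of that name, reverse lookup of the sending IP) against constructed DNS data, and groups HELO names by source IP, which is the pattern behind a listing like the one quoted in the question. The hostnames, addresses and log lines are constructed placeholders, and the two lookup functions are stand-ins for a real resolver.

```python
import ipaddress

# Constructed DNS data, not real zone data: forward records map a hostname to
# its addresses; reverse records map a reverse-pointer name to the PTR target.
FORWARD = {
    "mail.example.org": {"192.0.2.1"},
    "mail.customer-a.test": {"198.51.100.7"},  # a customer's own name
}
REVERSE = {ipaddress.ip_address("192.0.2.1").reverse_pointer: "mail.example.org"}

def lookup_forward(name):
    """A/AAAA lookup against the constructed table (a real resolver goes here)."""
    return set(FORWARD.get(name.rstrip(".").lower(), ()))

def lookup_ptr(ip):
    """PTR lookup: derive the reverse name from the address, then look it up."""
    return REVERSE.get(ipaddress.ip_address(ip).reverse_pointer)

def check_helo(helo, sending_ip, forward=lookup_forward, ptr=lookup_ptr):
    """Run the three checks a strict receiver may apply: the HELO name has a
    forward record, that record contains the sending IP, and the IP's PTR
    names the HELO. Returns a list of problems; empty means consistent."""
    problems = []
    helo_norm = helo.rstrip(".").lower()
    addrs = forward(helo_norm)
    if not addrs:
        problems.append(f"HELO {helo} has no A/AAAA record")
    elif sending_ip not in addrs:
        problems.append(f"HELO {helo} resolves to {sorted(addrs)}, not {sending_ip}")
    name = ptr(sending_ip)
    if name is None:
        problems.append(f"{sending_ip} has no PTR record")
    elif name.rstrip(".").lower() != helo_norm:
        problems.append(f"PTR of {sending_ip} is {name}, not {helo}")
    return problems

def helo_names_per_ip(log_lines):
    """Group HELO names by source IP from constructed 'ip HELO name' records."""
    seen = {}
    for line in log_lines:
        ip, _, name = line.split()
        seen.setdefault(ip, set()).add(name.rstrip(".").lower())
    return seen

# Constructed log: three customer servers behind one gateway, each presenting
# its own HELO, which is the situation the question describes.
SAMPLE_LOG = [
    "192.0.2.1 HELO mail.customer-a.test",
    "192.0.2.1 HELO mail.customer-b.test",
    "192.0.2.1 HELO mail.customer-c.test",
]
```

Running check_helo("mail.example.org", "192.0.2.1") returns an empty list, while any of the per-customer names from SAMPLE_LOG fails both the forward and the reverse check against the gateway address.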