1 Topic by gav

  • gav
  • Member
  • Offline
  • Registered: 2014-04-01
  • Posts: 9

Topic: # helo abuse

Our office IP keeps getting blocked in iredadmin but and we have to manually remove it from the blacklist. I don't want to add it to the whitelist until we work out what machine is causing us to get blocked. Is there any further information logged as to what email account or mac address is causing the # helo abuse to happen?

==== Required information ====
- iRedMail version: v2.1.2 (LDAP)
- Linux/BSD distribution name and version: Cent OS 6
====

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,768

Re: # helo abuse

On CentOS, you have to check Postfix log file (/var/log/maillog) and Fail2ban log file (/var/log/messages) to figure it out. Search IP address in these two files may give you some hints.

3 Reply by gav

  • gav
  • Member
  • Offline
  • Registered: 2014-04-01
  • Posts: 9

Re: # helo abuse

Thanks, is there a specific search you know that would work? When I enter our IP address it brings up a log of every entry, there's hundreds of thousands of lines and we try keywords like 'abuse' or 'helo abuse' it doesn't bring anything of worth up.

Regards

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,768

Re: # helo abuse

Did you try searching your IP, then filter with 'helo' or 'abuse'?

This is how troubleshooting works, you have to check log files and extract useful log, then locate the problem and fix it. Be patient and please try again and again.

5 Reply by gav

  • gav
  • Member
  • Offline
  • Registered: 2014-04-01
  • Posts: 9

Re: # helo abuse

Yes I did that but it only brings up the messages I see now that I am blocked, not the cause.

6 Reply by gav

  • gav
  • Member
  • Offline
  • Registered: 2014-04-01
  • Posts: 9

Re: # helo abuse

An example

Oct 29 11:45:47 server postfix/smtpd[7317]: NOQUEUE: reject: RCPT from xx.xx-44-82.static.virginmediabusiness.co.uk[xx.xx.xx.85]: 554 5.7.1                                 <xxx@xxx.co.uk>: Recipient address rejected: Policy Rejection- Abuse. Go away.; from=<xxx@xxx.co.uk> to=<xxx@xxx.co.u                                k> proto=ESMTP helo=<[192.168.1.127]>

but nothing prior to this to suggest why it was getting blocked.

7 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,768

Re: # helo abuse

Why your client send '[xx.xx.xx.xx]' as HELO identity? All mail clients must enable SMTP authentication to send email, then HELO identity will be ignored after smtp authentication.

8 Reply by gav

  • gav
  • Member
  • Offline
  • Registered: 2014-04-01
  • Posts: 9

Re: # helo abuse

I replaced the real IP address with XX for confidentiality. I understand that SMTP authentication must be enabled but in my case it must not be enabled on one device in our building and therefore brings me back to the original question; How can I find out which device/account is causing it?

9 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,768

Re: # helo abuse

Postfix doesn't log sasl username if you don't have SASL authentication enabled.

The better solution for you is enabling SASL authentication by default, but disable it for some clients/users/devices.