Hi!
My YunoHost server
Hardware: VPS bought online
YunoHost version: 11.2.10.3 (stable)
I have access to my server: through SSH and through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: yes
If yes, please explain: I added some iptables rules to allow outgoing port 25 to the ‘postfix’ user only (still don't know if that was necessary, but it works!)
Description of my issue
My IP was blacklisted by Spamhaus. I run YunoHost on a VPS from OVH.
Spamhaus wrote:
<My IP> is making SMTP connections with HELO values that indicate a problem, usually a spambot but can also be caused by a misconfiguration.
Technical information
The most recent connections we have seen:
(IP, UTC timestamp, HELO value)
<My IP> 2024-03-21 23:00:00 comcast.net
Notable things about the HELOs:
They are often dynamic-looking rDNS, and claim to be from geographically very different networks
They can include impossible HELOs like "gmail.com", "outlook.com", "comcast.net" - Gmail, Outlook and Comcast do not use these. These are all fake.
From my understanding of the situation, they think a spambot uses my IP, trying to identify as comcast.net, but that's obviously a lie. So they put my IP on a blacklist.
(I tried to grep comcast in every log file I could find, but got nothing.)
Along with other explanations, I found this:
If you are running your own mail server, please contact your ISP for help with getting
set up on an appropriate static IP and valid DNS/rDNS for that purpose,
to configure SMTP authentication on port 587,
and then to limit outbound port 25 only to the use of that server.
So I decided to take care of this and did everything they mentioned. Not knowing if that was what they really meant, I added iptables rules to block outbound port 25 for everything except the user ‘postfix’.
It all works fine and I’m not blacklisted anymore \o/
But since then:
- the diagnosis tells me that port 25 is blocked. I can ignore this. I think that the diagnosis is not run by user postfix, so this is understandable. A little bit annoying, but I can live with it.
- the automatic diagnosis email looks like this:
Subject: Cron <root@xxxxxxx> : YunoHost Automatic Diagnosis; sleep $((RANDOM%1200)); yunohost diagnosis run --email > /dev/null 2>/dev/null || echo "Running the automatic diagnosis failed miserably"
Body: Running the automatic diagnosis failed miserably
Here is the output of yunohost diagnosis run --email --debug:
root@xxxxxxxx:~# yunohost diagnosis run --email --debug
173 DEBUG initializing base actions map parser for cli
174 DEBUG loading actions map
175 DEBUG building parser...
179 DEBUG building parser took 0.003s
180 DEBUG acquiring lock...
197 DEBUG lock has been acquired
198 DEBUG loading python module yunohost.diagnosis took 0.001s
198 DEBUG processing action [3041044.1]: yunohost.diagnosis.run with args={'categories': [], 'force': False, 'except_if_never_ran_yet': False, 'email': True}
199 DEBUG Running diagnosis for basesystem ...
199 DEBUG Loading diagnoser basesystem
251 DEBUG Using cached results for meltdown checker, from /tmp/yunohost-meltdown-diagnosis
509 DEBUG Updating cache /var/cache/yunohost/diagnosis/basesystem.json
512 SUCCESS Everything looks OK for Base system!
513 DEBUG Running diagnosis for ip ...
513 DEBUG Loading diagnoser ip
670 DEBUG Starting new HTTPS connection (1): ip.yunohost.org:443
805 DEBUG https://ip.yunohost.org:443 "GET / HTTP/1.1" 200 15
809 DEBUG Starting new HTTPS connection (1): ip6.yunohost.org:443
918 DEBUG https://ip6.yunohost.org:443 "GET / HTTP/1.1" 200 24
927 DEBUG Updating cache /var/cache/yunohost/diagnosis/ip.json
929 SUCCESS Everything looks OK for Internet connectivity!
930 DEBUG Running diagnosis for dnsrecords ...
930 DEBUG Loading diagnoser dnsrecords
1065 DEBUG initializing ldap interface
1067 DEBUG Diagnosing DNS conf for lewagondufaget.org
1090 DEBUG Fetching IP from https://ip.yunohost.org
1093 DEBUG Starting new HTTPS connection (1): ip.yunohost.org:443
1193 DEBUG https://ip.yunohost.org:443 "GET / HTTP/1.1" 200 15
1195 DEBUG IP fetched: xxx.xxx.xx.xx
1201 DEBUG Fetching IP from https://ip6.yunohost.org
1203 DEBUG Starting new HTTPS connection (1): ip6.yunohost.org:443
1279 DEBUG https://ip6.yunohost.org:443 "GET / HTTP/1.1" 200 24
1282 DEBUG IP fetched: <My IP>
1941 DEBUG Formating result in 'export' mode
1946 DEBUG Formating result in 'export' mode
1950 DEBUG Formating result in 'export' mode
3517 DEBUG Updating cache /var/cache/yunohost/diagnosis/dnsrecords.json
3521 SUCCESS Everything looks OK for DNS records!
3521 DEBUG Running diagnosis for ports ...
3521 DEBUG Loading diagnoser ports
3648 DEBUG Starting new HTTPS connection (1): diagnosis.yunohost.org:443
3864 DEBUG https://diagnosis.yunohost.org:443 "POST /check-ports HTTP/1.1" 200 100
3871 DEBUG Starting new HTTPS connection (1): diagnosis.yunohost.org:443
4101 DEBUG https://diagnosis.yunohost.org:443 "POST /check-ports HTTP/1.1" 200 100
4105 DEBUG Updating cache /var/cache/yunohost/diagnosis/ports.json
4113 SUCCESS Everything looks OK for Ports exposure!
4115 DEBUG Running diagnosis for web ...
4115 DEBUG Loading diagnoser web
4152 DEBUG Starting new HTTPS connection (1): diagnosis.yunohost.org:443
4356 DEBUG https://diagnosis.yunohost.org:443 "POST /check-http HTTP/1.1" 200 133
4359 DEBUG Starting new HTTPS connection (1): diagnosis.yunohost.org:443
4589 DEBUG https://diagnosis.yunohost.org:443 "POST /check-http HTTP/1.1" 200 133
4614 DEBUG Starting new HTTP connection (1): 135.125.161.248:80
4617 DEBUG http://135.125.161.248:80 "HEAD / HTTP/1.1" 302 0
4618 DEBUG Updating cache /var/cache/yunohost/diagnosis/web.json
4620 SUCCESS Everything looks OK for Web!
4620 DEBUG Running diagnosis for mail ...
4620 DEBUG Loading diagnoser mail
4632 DEBUG Running check_outgoing_port_25
5672 DEBUG Running check_ehlo
5674 DEBUG Starting new HTTPS connection (1): diagnosis.yunohost.org:443
5843 DEBUG https://diagnosis.yunohost.org:443 "POST /check-smtp HTTP/1.1" 200 43
5848 DEBUG Starting new HTTPS connection (1): diagnosis.yunohost.org:443
6821 DEBUG https://diagnosis.yunohost.org:443 "POST /check-smtp HTTP/1.1" 200 43
6825 DEBUG Running check_fcrdns
7103 DEBUG Running check_blacklist
20814 DEBUG Running check_queue
20832 DEBUG Updating cache /var/cache/yunohost/diagnosis/mail.json
20835 SUCCESS Everything looks OK for Email! (+ 2 ignored issue(s))
20836 DEBUG Running diagnosis for services ...
20836 DEBUG Loading diagnoser services
21722 DEBUG Updating cache /var/cache/yunohost/diagnosis/services.json
21726 SUCCESS Everything looks OK for Services status check!
21727 DEBUG Running diagnosis for systemresources ...
21727 DEBUG Loading diagnoser systemresources
21738 DEBUG Updating cache /var/cache/yunohost/diagnosis/systemresources.json
21741 SUCCESS Everything looks OK for System resources!
21742 DEBUG Running diagnosis for regenconf ...
21742 DEBUG Loading diagnoser regenconf
21777 DEBUG Updating cache /var/cache/yunohost/diagnosis/regenconf.json
21779 SUCCESS Everything looks OK for System configurations!
21779 DEBUG Running diagnosis for apps ...
21779 DEBUG Loading diagnoser apps
21919 DEBUG Updating cache /var/cache/yunohost/diagnosis/apps.json
21921 SUCCESS Everything looks OK for Applications!
21935 WARNING To see the issues found, you can go to the Diagnosis section of the webadmin, or run 'yunohost diagnosis show --issues --human-readable' from the command-line.
21935 DEBUG action [3041044.1] executed in 21.737s
21936 DEBUG lock has been released
Should I remove the iptables rules?
Should I go on like this? (After all, everything runs fine except the automatic diagnosis; my emails are all sent and everything is perfect with DKIM, SPF, etc.)
Should I try to have the diagnosis run differently?
Thank you all for your expertise and your advice !
Hello!
My YunoHost server
Hardware: VPS bought online
YunoHost version: 11.2.10.3 (stable)
I have access to my server: through SSH and through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: yes
If yes, please explain: I added iptables rules to block outgoing port 25 and allow only the user ‘postfix’ to use it (I don't know whether that was necessary, but it works without any trouble)
Description of my issue
My IP was blacklisted by Spamhaus. (I run YunoHost on a VPS at OVH.)
Spamhaus's explanation:
<My IP> is making SMTP connections with HELO values that indicate a problem, usually a spambot but can also be caused by a misconfiguration.
Technical information
The most recent connections we have seen:
(IP, UTC timestamp, HELO value)
<My IP> 2024-03-21 23:00:00 comcast.net
Notable things about the HELOs:
They are often dynamic-looking rDNS, and claim to be from geographically very different networks
They can include impossible HELOs like "gmail.com", "outlook.com", "comcast.net" - Gmail, Outlook and Comcast do not use these. These are all fake.
So, if I understand correctly, a spambot is suspected of using my IP to send spam while pretending to be comcast.net, and the IP in question gets blacklisted.
In the explanations and recommendations text, I found this:
If you are running your own mail server, please contact your ISP for help with getting
set up on an appropriate static IP and valid DNS/rDNS for that purpose,
to configure SMTP authentication on port 587,
and then to limit outbound port 25 only to the use of that server.
Without being entirely sure what that meant exactly in the case of a VPS, I decided to follow the recommendations all the way and add iptables rules to block outgoing port 25 and unblock it only for the user ‘postfix’ (and, well, I wanted to try to get there and see what it would give!)
I managed it without any problem, and in fact I'm not blacklisted anymore \o/
Only, since then…
- The diagnosis tells me that port 25 is blocked. I can ignore that; it's not very serious. I suppose the diagnosis isn't run by postfix (but by root?), so it gets stuck, which is understandable. I know the mails go out as they should, so I can live with it, even if it's a bit annoying.
- The automatic diagnosis email is broken; it now looks like this:
Subject: Cron <root@xxxxxxx> : YunoHost Automatic Diagnosis; sleep $((RANDOM%1200)); yunohost diagnosis run --email > /dev/null 2>/dev/null || echo "Running the automatic diagnosis failed miserably"
Body: Running the automatic diagnosis failed miserably
Here is the output of the command yunohost diagnosis run --email --debug (it is identical to the output shown in the English version above).
If I run yunohost diagnosis show --issues --human-readable, it returns nothing at all…
Should I delete my iptables rules and unblock port 25 again?
Should I look for a way to run the diagnosis differently?
Should I learn to live with such a diagnosis, since after all I'm not blacklisted anymore and my emails are sent correctly with 10/10 for DKIM, SPF, etc.?
Thanks for your advice!
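The outbound-port-25 restriction described in the post, as an added example (this is not YunoHost's code and not the poster's actual rules). It keeps the "postfix only" policy from the post but adds two things a practitioner would want: a rate-limited LOG rule with --log-uid, so that whatever else tries to reach port 25 is recorded together with its UID instead of being silently dropped (which is how you would find the process behind a Spamhaus report like the one quoted), and the same rules for ip6tables, because the diagnosis output shows the server has a public IPv6 address and an IPv4-only rule leaves that path open. It also includes a small parser for the resulting kernel log lines. The chain name OUT25, the log prefix "OUT25-DROP: " and the sample log lines are my own assumptions/constructed data, not anything from the post.

```shell
#!/bin/sh
# Added example (not YunoHost's code, not the poster's actual rules).
# Policy: only the postfix user may open outbound TCP/25; every other
# attempt is logged with its UID and rejected.
# Assumptions: chain name OUT25 and the log prefix are my choice;
# the sample log lines below are constructed.

CHAIN=OUT25
PREFIX="OUT25-DROP: "

# Print the rules for one firewall binary (iptables or ip6tables) so they
# can be reviewed before being applied.  Order matters: accept postfix first,
# then log (rate-limited so a spambot cannot flood the kernel log), then
# reject.  REJECT with tcp-reset fails fast instead of making the caller
# wait for a connect timeout.  The owner match only works on locally
# generated packets, which is why the jump is placed in OUTPUT.
outbound25_rules() {
    bin=${1:-iptables}
    cat <<EOF
$bin -A $CHAIN -m owner --uid-owner postfix -j ACCEPT
$bin -A $CHAIN -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "$PREFIX" --log-uid
$bin -A $CHAIN -j REJECT --reject-with tcp-reset
$bin -I OUTPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j $CHAIN
EOF
}

# Apply the policy for IPv4 and IPv6.  Re-runnable: the chain is flushed and
# the OUTPUT jump removed before everything is re-added.  iptables rules are
# not persistent by themselves; save them with your usual mechanism.
apply_outbound25() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_outbound25: must run as root" >&2; return 1; }
    for bin in iptables ip6tables; do
        $bin -N "$CHAIN" 2>/dev/null || $bin -F "$CHAIN"
        $bin -D OUTPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j "$CHAIN" 2>/dev/null || true
        outbound25_rules "$bin" | sh -e
    done
}

# Summarise rejected attempts from kernel log lines on stdin, printing one
# sorted line per "UID DST count".  A UID that is neither postfix nor root
# fanning out to many different DSTs is the spambot signature; a UID=0 entry
# at the time of the diagnosis cron is the root-run check_outgoing_port_25.
summarise_drops() {
    grep -F "$PREFIX" | awk '{
        uid = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^UID=/) uid = substr($i, 5)
            if ($i ~ /^DST=/) dst = substr($i, 5)
        }
        if (uid != "") n[uid " " dst]++
    } END { for (k in n) print k, n[k] }' | sort
}

# Map a numeric UID to a user name, falling back to the number itself.
uid_name() {
    getent passwd "$1" | cut -d: -f1 | grep . || echo "$1"
}

# Constructed sample: two SYNs from UID 1001, one from root, one unrelated line.
SAMPLE_LOG='Mar 22 10:15:01 vps kernel: OUT25-DROP: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.25 LEN=60 PROTO=TCP SPT=51234 DPT=25 SYN URGP=0 UID=1001 GID=1001
Mar 22 10:15:03 vps kernel: OUT25-DROP: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.77 LEN=60 PROTO=TCP SPT=51235 DPT=25 SYN URGP=0 UID=1001 GID=1001
Mar 22 10:16:00 vps kernel: OUT25-DROP: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.25 LEN=60 PROTO=TCP SPT=40001 DPT=25 SYN URGP=0 UID=0 GID=0
Mar 22 10:16:05 vps sshd[123]: Accepted publickey for admin from 192.0.2.7'

# Usage on a real host (as root): apply_outbound25, then later
#   journalctl -k | summarise_drops     (or: summarise_drops < /var/log/kern.log)
printf '%s\n' "$SAMPLE_LOG" | summarise_drops
```

Because the YunoHost diagnosis runs from root's crontab, its check_outgoing_port_25 will itself be rejected by these rules and show up as a UID=0 line, which is consistent with the "port 25 is blocked" warning the post describes; the log makes that distinguishable from an unknown UID hitting many different destination hosts.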