[en] Blacklist, port 25, broken diagnosis [fr] Blacklisted IP, port 25, broken diagnosis

Hi!

My YunoHost server

Hardware: VPS bought online
YunoHost version: 11.2.10.3 (stable)
I have access to my server: through SSH and through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: yes
If yes, please explain: I added some iptables rules to allow outgoing port 25 to the ‘postfix’ user only (I still don’t know if that was necessary, but it works!)

Description of my issue

My IP was blacklisted by Spamhaus. I run YunoHost on a VPS from OVH.

Spamhaus wrote:

<My IP> is making SMTP connections with HELO values that indicate a problem, usually a spambot but can also be caused by a misconfiguration.
Technical information

The most recent connections we have seen:

(IP, UTC timestamp, HELO value)

<My IP> 2024-03-21 23:00:00 comcast.net

Notable things about the HELOs:

    They are often dynamic-looking rDNS, and claim to be from geographically very different networks
    They can include impossible HELOs like "gmail.com", "outlook.com", "comcast.net" - Gmail, Outlook and Comcast do not use these. These are all fake.

From my understanding of the situation, they think a spambot is using my IP and identifying itself as comcast.net, which is obviously a lie. So they put my IP on a blacklist.

(I tried to grep for comcast in every log file I could find, but got nothing.)

Along with other explanations, I found this:

If you are running your own mail server, please contact your ISP for help with getting 
set up on an appropriate static IP and valid DNS/rDNS for that purpose, 
to configure SMTP authentication on port 587, 
and then to limit outbound port 25 only to the use of that server.

So I decided to take care of this and did everything they mentioned. Not knowing if that was what they really meant, I added iptables rules to block outbound port 25 for everything except the user ‘postfix’.
It all works fine and I’m not blacklisted anymore \o/

But since then:

  1. The diagnosis tells me that port 25 is blocked.
    I can ignore this. I think the diagnosis is not run by the postfix user, so this is understandable. A little bit annoying, but I can live with it.
  2. The automatic diagnosis email looks like this:
Subject: Cron <root@xxxxxxx> : YunoHost Automatic Diagnosis; sleep $((RANDOM%1200)); yunohost diagnosis run --email > /dev/null 2>/dev/null || echo "Running the automatic diagnosis failed miserably"
Body : Running the automatic diagnosis failed miserably

Here is the output of yunohost diagnosis run --email --debug:

root@xxxxxxxx:~# yunohost diagnosis run --email --debug
173  DEBUG initializing base actions map parser for cli
174  DEBUG loading actions map
175  DEBUG building parser...
179  DEBUG building parser took 0.003s
180  DEBUG acquiring lock...
197  DEBUG lock has been acquired
198  DEBUG loading python module yunohost.diagnosis took 0.001s
198  DEBUG processing action [3041044.1]: yunohost.diagnosis.run with args={'categories': [], 'force': False, 'except_if_never_ran_yet': False, 'email': True}
199  DEBUG Running diagnosis for basesystem ...
199  DEBUG Loading diagnoser basesystem
251  DEBUG Using cached results for meltdown checker, from /tmp/yunohost-meltdown-diagnosis
509  DEBUG Updating cache /var/cache/yunohost/diagnosis/basesystem.json
512  SUCCESS Everything looks OK for Base system!
513  DEBUG Running diagnosis for ip ...
513  DEBUG Loading diagnoser ip
670  DEBUG Starting new HTTPS connection (1): ip.yunohost.org:443
805  DEBUG https://ip.yunohost.org:443 "GET / HTTP/1.1" 200 15
809  DEBUG Starting new HTTPS connection (1): ip6.yunohost.org:443
918  DEBUG https://ip6.yunohost.org:443 "GET / HTTP/1.1" 200 24
927  DEBUG Updating cache /var/cache/yunohost/diagnosis/ip.json
929  SUCCESS Everything looks OK for Internet connectivity!
930  DEBUG Running diagnosis for dnsrecords ...
930  DEBUG Loading diagnoser dnsrecords
1065 DEBUG initializing ldap interface
1067 DEBUG Diagnosing DNS conf for lewagondufaget.org
1090 DEBUG Fetching IP from https://ip.yunohost.org 
1093 DEBUG Starting new HTTPS connection (1): ip.yunohost.org:443
1193 DEBUG https://ip.yunohost.org:443 "GET / HTTP/1.1" 200 15
1195 DEBUG IP fetched: xxx.xxx.xx.xx
1201 DEBUG Fetching IP from https://ip6.yunohost.org 
1203 DEBUG Starting new HTTPS connection (1): ip6.yunohost.org:443
1279 DEBUG https://ip6.yunohost.org:443 "GET / HTTP/1.1" 200 24
1282 DEBUG IP fetched: <My IP>
1941 DEBUG Formating result in 'export' mode
1946 DEBUG Formating result in 'export' mode
1950 DEBUG Formating result in 'export' mode
3517 DEBUG Updating cache /var/cache/yunohost/diagnosis/dnsrecords.json
3521 SUCCESS Everything looks OK for DNS records!
3521 DEBUG Running diagnosis for ports ...
3521 DEBUG Loading diagnoser ports
3648 DEBUG Starting new HTTPS connection (1): diagnosis.yunohost.org:443
3864 DEBUG https://diagnosis.yunohost.org:443 "POST /check-ports HTTP/1.1" 200 100
3871 DEBUG Starting new HTTPS connection (1): diagnosis.yunohost.org:443
4101 DEBUG https://diagnosis.yunohost.org:443 "POST /check-ports HTTP/1.1" 200 100
4105 DEBUG Updating cache /var/cache/yunohost/diagnosis/ports.json
4113 SUCCESS Everything looks OK for Ports exposure!
4115 DEBUG Running diagnosis for web ...
4115 DEBUG Loading diagnoser web
4152 DEBUG Starting new HTTPS connection (1): diagnosis.yunohost.org:443
4356 DEBUG https://diagnosis.yunohost.org:443 "POST /check-http HTTP/1.1" 200 133
4359 DEBUG Starting new HTTPS connection (1): diagnosis.yunohost.org:443
4589 DEBUG https://diagnosis.yunohost.org:443 "POST /check-http HTTP/1.1" 200 133
4614 DEBUG Starting new HTTP connection (1): 135.125.161.248:80
4617 DEBUG http://135.125.161.248:80 "HEAD / HTTP/1.1" 302 0
4618 DEBUG Updating cache /var/cache/yunohost/diagnosis/web.json
4620 SUCCESS Everything looks OK for Web!
4620 DEBUG Running diagnosis for mail ...
4620 DEBUG Loading diagnoser mail
4632 DEBUG Running check_outgoing_port_25
5672 DEBUG Running check_ehlo
5674 DEBUG Starting new HTTPS connection (1): diagnosis.yunohost.org:443
5843 DEBUG https://diagnosis.yunohost.org:443 "POST /check-smtp HTTP/1.1" 200 43
5848 DEBUG Starting new HTTPS connection (1): diagnosis.yunohost.org:443
6821 DEBUG https://diagnosis.yunohost.org:443 "POST /check-smtp HTTP/1.1" 200 43
6825 DEBUG Running check_fcrdns
7103 DEBUG Running check_blacklist
20814 DEBUG Running check_queue
20832 DEBUG Updating cache /var/cache/yunohost/diagnosis/mail.json
20835 SUCCESS Everything looks OK for Email! (+ 2 ignored issue(s))
20836 DEBUG Running diagnosis for services ...
20836 DEBUG Loading diagnoser services
21722 DEBUG Updating cache /var/cache/yunohost/diagnosis/services.json
21726 SUCCESS Everything looks OK for Services status check!
21727 DEBUG Running diagnosis for systemresources ...
21727 DEBUG Loading diagnoser systemresources
21738 DEBUG Updating cache /var/cache/yunohost/diagnosis/systemresources.json
21741 SUCCESS Everything looks OK for System resources!
21742 DEBUG Running diagnosis for regenconf ...
21742 DEBUG Loading diagnoser regenconf
21777 DEBUG Updating cache /var/cache/yunohost/diagnosis/regenconf.json
21779 SUCCESS Everything looks OK for System configurations!
21779 DEBUG Running diagnosis for apps ...
21779 DEBUG Loading diagnoser apps
21919 DEBUG Updating cache /var/cache/yunohost/diagnosis/apps.json
21921 SUCCESS Everything looks OK for Applications!
21935 WARNING To see the issues found, you can go to the Diagnosis section of the webadmin, or run 'yunohost diagnosis show --issues --human-readable' from the command-line.
21935 DEBUG action [3041044.1] executed in 21.737s
21936 DEBUG lock has been released

Should I remove the iptables rules?
Should I go on like this? (After all, everything runs fine except the automatic diagnosis; my emails are all sent and everything is perfect with DKIM, SPF, etc.)
Should I try to have the diagnosis run differently?

Thank you all for your expertise and your advice!
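The outbound-port-25 lockdown described in this post, as an added example that is not part of the original post and not YunoHost's or Spamhaus's own code. The rule set lets only the Debian ‘postfix’ user (the account Postfix's smtp client runs as) open TCP/25, exempts loopback so local submission to Postfix on 127.0.0.1:25 keeps working for root and for apps, and logs every other attempt together with the UID that made it; the second half parses those kernel log lines (a constructed sample, not logs from the poster's server) to name the account behind each denied attempt, which is the question a Spamhaus listing leaves open. The chain name SMTP_EGRESS, the log prefix and the sample addresses are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the post above, not YunoHost's own code).
# Egress policy: only the "postfix" user may open outbound TCP/25, loopback
# is exempt, everything else is logged with its UID and then rejected.
# Assumptions: Debian-style "postfix" account, iptables/ip6tables CLI; the
# chain name SMTP_EGRESS and the log prefix are our own choices. The owner
# match only sees locally generated packets (OUTPUT chain), so traffic from
# containers or other network namespaces is not covered by it.

# Print the commands instead of applying them: review them (or diff against
# `iptables -S OUTPUT`) before running the output as root.
smtp_egress_rules() {
    for ipt in iptables ip6tables; do
        cat <<EOF
$ipt -N SMTP_EGRESS
$ipt -A OUTPUT -p tcp --dport 25 -j SMTP_EGRESS
$ipt -A SMTP_EGRESS -o lo -j ACCEPT
$ipt -A SMTP_EGRESS -m owner --uid-owner postfix -j ACCEPT
$ipt -A SMTP_EGRESS -m limit --limit 10/min -j LOG --log-prefix "SMTP_EGRESS_DENY " --log-uid
$ipt -A SMTP_EGRESS -j REJECT --reject-with tcp-reset
EOF
    done
}

# Constructed sample of the kernel log lines the LOG rule above produces
# (as seen in `journalctl -k` or /var/log/kern.log). UID 33 is www-data on
# Debian: a web app speaking SMTP directly is the classic source of the
# forged-HELO traffic Spamhaus describes. UID 1001 is an arbitrary account.
SAMPLE_KERN_LOG='Mar 22 00:12:01 vps kernel: SMTP_EGRESS_DENY IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4211 DF PROTO=TCP SPT=41234 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0 UID=33 GID=33
Mar 22 00:12:03 vps kernel: SMTP_EGRESS_DENY IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.26 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4212 DF PROTO=TCP SPT=41235 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0 UID=33 GID=33
Mar 22 00:12:05 vps kernel: SMTP_EGRESS_DENY IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4213 DF PROTO=TCP SPT=41236 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Mar 22 00:12:09 vps kernel: OTHER_RULE IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=TCP DPT=443 UID=0 GID=0'

# Count denied outbound SMTP attempts per UID from log lines on stdin.
# Output: one "<uid> <count>" line per UID, lowest UID first.
denied_smtp_by_uid() {
    sed -n 's/.*SMTP_EGRESS_DENY .*DPT=25 .* UID=\([0-9][0-9]*\) .*/\1/p' \
        | sort -n | uniq -c | awk '{ print $2, $1 }'
}

# Map a UID to the account name on this host; falls back to the bare UID.
uid_name() {
    getent passwd "$1" 2>/dev/null | cut -d: -f1 | grep . || echo "$1"
}

# Demo on the constructed sample: report each offending UID with its name.
printf '%s\n' "$SAMPLE_KERN_LOG" | denied_smtp_by_uid | while read -r uid n; do
    echo "uid $uid ($(uid_name "$uid")): $n denied outbound SMTP connection(s)"
done
```

Running the script prints the per-UID report for the sample; the policy itself is loaded by piping the output of smtp_egress_rules into a root shell once it has been reviewed. Two checks are worth doing on a live box: as a non-postfix account, nc -z -w2 127.0.0.1 25 should still succeed (loopback is exempt) while the same command against an external MX host should be refused and leave a SMTP_EGRESS_DENY line in journalctl -k; and the chain should still be there after yunohost firewall reload and after a reboot, since YunoHost manages iptables itself and a rule set that silently disappears protects nothing. A policy that rejects on every interface, loopback included, also cuts off any local tool that hands mail to Postfix as a non-postfix user, which is worth ruling out when an unrelated job on the box starts failing.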


Hello!

My YunoHost server

Hardware: VPS bought online
YunoHost version: 11.2.10.3 (stable)
I have access to my server: through SSH and through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: yes
If yes, please explain: I added iptables rules to block outgoing port 25 and allow only the ‘postfix’ user to use it (I don’t know whether it was necessary, but it works without any problem)

Description of my issue

My IP was blacklisted by Spamhaus. (I run YunoHost on a VPS at OVH.)

Spamhaus’s explanation:

<My IP> is making SMTP connections with HELO values that indicate a problem, usually a spambot but can also be caused by a misconfiguration.
Technical information

The most recent connections we have seen:

(IP, UTC timestamp, HELO value)

<My IP> 2024-03-21 23:00:00 comcast.net

Notable things about the HELOs:

    They are often dynamic-looking rDNS, and claim to be from geographically very different networks
    They can include impossible HELOs like "gmail.com", "outlook.com", "comcast.net" - Gmail, Outlook and Comcast do not use these. These are all fake.

So if I understand correctly, a spambot is suspected of using my IP to send spam while passing itself off as comcast.net, and the IP in question gets blacklisted.

In the text of explanations and recommendations I found this:

If you are running your own mail server, please contact your ISP for help with getting
set up on an appropriate static IP and valid DNS/rDNS for that purpose,
to configure SMTP authentication on port 587,
and then to limit outbound port 25 only to the use of that server.

Without being completely sure what that meant exactly in the case of a VPS, I decided to follow the recommendations all the way and add iptables rules to block outgoing port 25 and open it only for the ‘postfix’ user (and, well, I wanted to try to pull it off and see what it would give!)

I managed it without any problem, and in fact I am no longer blacklisted \o/

Only, since then…

  1. The diagnosis tells me that port 25 is blocked.
    I can ignore this; it isn’t very serious. I suppose the diagnosis is not run by postfix (but by root?), so it gets stuck, which is understandable. I know the mails go out as they should, so I can live with it, even if it is a bit annoying.
  2. The automatic diagnosis email is broken; it now looks like this:
Subject: Cron <root@xxxxxxx> : YunoHost Automatic Diagnosis; sleep $((RANDOM%1200)); yunohost diagnosis run --email > /dev/null 2>/dev/null || echo "Running the automatic diagnosis failed miserably"
Body : Running the automatic diagnosis failed miserably

Here is the output of yunohost diagnosis run --email --debug (it is the same log as in the English version above).

If I run yunohost diagnosis show --issues --human-readable, it returns nothing at all…

Should I remove my iptables rules and unblock port 25 again?
Should I look for a way to have the diagnosis run differently?
Should I learn to live with such a diagnosis, since after all I am no longer blacklisted and my emails are sent correctly with 10/10 on DKIM, SPF, etc.?

Thanks for your advice!