Spamhaus PBL stops email even though SMTP-AUTH is enabled
My emails to D-Link get bounced due to my Comcast IP being on the Spamhaus PBL. Spamhaus says there's no way to get removed from the list and the only way to bypass this filter is to enable SMTP-AUTH. However, I am connecting to my host's (Total Choice Hosting) SMTP server through SSL and authenticating with my username and password, and the "with esmtpsa" in the headers seems to indicate that my messages are authenticated properly. Any idea if D-Link's server broken, or can you spot something else wrong that's preventing my emails from getting through?
The bounced message looks as follows:
This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: [email protected] SMTP error from remote mail server after end of data: host relay.dlink.com [192.152.81.15]: 554 Service unavailable; Client host [riker.tchmachines.com] blocked by zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=24.5.171.149 ------ This is a copy of the message, including all the headers. ------ Return-path: Received: from c-24-5-171-149.hsd1.ca.comcast.net ([24.5.171.149] helo=[192.168.3.99]) by riker.tchmachines.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <[email protected]>) id 1NGp49-0000Ta-DY for [email protected]; Sat, 05 Dec 2009 02:28:29 -0500 Message-ID: <[email protected]> Date: Fri, 04 Dec 2009 23:28:08 -0800 From: Piotr Kaminski <[email protected]> User-Agent: Thunderbird 2.0.0.23 (Windows/20090812) MIME-Version: 1.0 To: [email protected] Subject: Re: D-Link Email Case ID: DLK400638689 References: <1b4401ca757a$6797c520$3c6411ac@CRMDB> In-Reply-To: <1b4401ca757a$6797c520$3c6411ac@CRMDB> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit
It would appear that you are hosting an SMTP server that is attempting to perform delivery directly to Internet hosts. The IP you're hosting that server from, a Comcast client IP address, is on the Spamhaus Policy Block List (PBL). That's the root cause of your problem.
Comcast has registered their client IP addresses with Spamhaus because, as a matter of policy, Comcast doesn't want their Customers sending email directly to the Internet from servers they're hosting themselves. The Spamhaus link you provided in your posting directs:
If you are a Comcast Commercial Services customer and need support, please contact [email protected]
Presumably, this means that some commerical Customers can be assigned IP addresses that aren't subject to the "no sending email directly to the Internet" policy. Their commerical IP address blocks probably aren't registered with the Spamhaus PBL.
I'd be curious to know where you got the "...way to bypass this filter is to enable SMTP-AUTH..." guidance. I think you may be having a conceptual issue, insofar as such guidance was probably "...use SMTP-AUTH and send your mail throguh Comcast's SMTP servers."
The issue re: D-Link bouncing the mail isn't related to whether you've authenticated to your SMTP server or not-- it's that your SMTP server is sending mail to D-Link from an IP address that, because D-Link chooses to use what Spamhaus says about the IP as trusted, and because Comcast listed the IP in the Spamhaus PBL, D-Link finds unacceptable.
Had you configured your email client or SMTP server to deliver your outbound mail to a Comcast SMTP server (likely requiring your SMTP client or SMTP server to perform SMTP-AUTH while communicating with the Comcast SMTP server to prove that you're authorized to perform such relaying), the eventual communication with D-Link's server would come from an IP address assigned to a Comcast email server, which wouldn't be listed on a Spamhaus black-list and, as such, wouldn't be bounced by D-Link. Basically, you give the email to Comcast's server, and it delivers it to the final destination. This is known, in SMTP parlance, as "relaying", and in 2009 (almost 2010), all SMTP relaying should require authentication.
To put this in terms of a real-world analogy: You'd like to deliver a piece of postal mail to D-Link. They're not going to let you just walk into their building and drop off a package, though. They only accept packages from authorized courier services, like FedEx. As such, even though you are physically capable of carrying your package right up to D-Link's front door yourself, they're not going to let you in. If you hand off your package to FedEx (proving, by way of paying them, that you're a legitimate user of their courier serivces), then D-Link will happily accept the package.
This article from Comcast describes configuring Outlook Express to receive email from a 3rd-party POP3 server, but to relay outgoing mail via Comcast's SMTP servers. This is, generally speaking, the configuration you'd be looking for w/ either your email client or your SMTP server.
If you don't want to relay messages through Comcast, you always have the option to contract with another party to accept and deliver your mail. (Analagously, you can use UPS or the local postal service if you don't want to use FedEx.) Services like Mailhop Outbound from Dynamic Network Services, allow you to submit email to their server computers via a variety of TCP ports (in case you're using a provider that won't allow you to communicate with the rest of the Internet using TCP port 25), and their servers will perform final delivery to the recipient server. Of course, this service costs money, since you're using their computing and bandwidth resources.
You're not going to have a lot of success hosting an SMTP server from a Comcast client IP like you've got. Looking into finding an SMTP server that you can relay messages through and you'll have a better time of email delivery.
Edit:
I see that riker.tchmachines.com resolves to 208.76.82.134. It's unclear to me, then, why D-Link's mail server is complaining about riker.tchmachines.com but showing the IP address that it looked-up in the PBL as being what is presumably the Comcast IP address (24.5.171.149) you've submitted the message to riker.tchmachines.com from.
For kicks, I sent a message to the same recipient at dlink.com through my hosted "Mailhop Outbound" service at Dynamic Network Services, and it bounced in the same way, claiming that the DNS name "mho-02-ewr.mailhop.org" is listed on the Spamhaus PBL, but listing the IP that I submitted the item to Mailhop Outbound from (which is PBL'd, because it's a Time Warner dynamic client IP) as the blacklisted IP.
I also received a similiar response relaying through an SMTP server at Time Warner, and found that I received the same type of reply, with the "550 Service unavailable; ..." referencing the DNS name of a Time Warner SMTP server, but the Spamhaus URL referencing the IP address of the Time Warner client IP I submitted the item to Time Warner's SMTP server from.
D-Link's mail server (which banners as "220 The Drawbridge"... Oooooh!) is clearly broken. It would appear that they're checking each host in the "Received" headers against the Spamhaus blacklist. Considering the point of the PBL is to get users to send mail through authorized SMTP servers this is clearly the wrong behaviour on D-Link's part.
Good luck getting word to anybody there that their configuration is wrong. >sigh<
Just because you auth with your mailserver has no bearing on whether or not the mailserver you're sending to will subsequently get rejected. The entry in the PBL for the IP address (given in the link in the bounce message) gives a clear description of the problem and it's solution (relay through Comcast's mail server).
You must send your e-mail through Comcasts SMTP server (with authentication).*
Basically any consumer network with mostly dynamic IP addresses are on these blocklists. Your own e-mail server should be able to relay via your ISPs SMTP server (eg Exchange calls this a smart host).
*or some other outbound SMTP service provider