Turn on SMTP Authentication

[Dodi300]

Hello. I cannot send emails from my server to Hotmail.
I get this error:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

****-****@hotmail.co.uk
SMTP error from remote mail server after MAIL FROM:<******@*****.com>
SIZE=1832:
host mx1.hotmail.com [65.55.37.104]: 550 DY-001 Mail rejected by Windows Live
Hotmail for policy reasons. We generally do not accept email from dynamic IP's
as they are not typically used to deliver unauthenticated SMTP e-mail to an
Internet mail server. The Spamhaus Project maintains lists of dynamic and
residential IP addresses. If you are not an email/network admin please contact
your E-mail/Internet Service Provider for help. Email/network admins, please
visit MSN Postmaster for email delivery information and support

I went to the address in the email, The Spamhaus Project, and I'm listed on the Policy Block List (PBL).
It says I simply need to turn on "SMTP Authentication".

Does anyone know how to do this in Cpanel?
Thanks for the help!

[cPanelDavidG]

Hello. I cannot send emails from my server to Hotmail.
I get this error:



I went to the address in the email, The Spamhaus Project, and I'm listed on the Policy Block List (PBL).
It says I simply need to turn on "SMTP Authentication".

Does anyone know how to do this in Cpanel?
Thanks for the help!

By default, cPanel/WHM will allow those who have authenticated successfully via POP3 within the past 30 to login to send mail via SMTP without authentication (since they already authenticated via POP3).

To disable this behavior and thus force all your customers to use SMTP authentication, run the following command as root via SSH:

Code:

/usr/local/cpanel/bin/tailwatchd --disable=Cpanel::TailWatch::Antirelayd

[cPanelEric]

If you're still having trouble after doing what Dave suggested send me your IP in a PM. I used to do a lot of work with spam and antispam stuff including the PBL list over at spamhaus. You could be listed for a number of other reasons.

Thanks!

[Dodi300]

Thanks for the help.
It didnt work though, and now I cant send any emails

Do you know how I can re-enable it?
I'll send you a PM cpanelerice.

Thanks!

[cpanelchrish]

The esmtp auth piece on the Spamhaus site is mentioned for those needing to route outbound mail through their ISP's SMTP server

Forcing your clients to auth to use your smtp server won't do heaps - the hotmail systems are going to have zero real visibility into whether or not your users have authenticated to a system which it (hotmail) has no control over (headers are easily forged, so this is not an adequate indicator).

Regarding the PBL inclusion, flat-out they believe your IP address to be dynamic/residential.

This leaves you with two options:

-if you aren't on dynamic/residential address space, it'd be worthwhile engaging Spamhaus and seeing if they can correct their records

-if you are on such address space, you're pretty much limited to routing outbound email through a smarthost; if nothing else, on a case by case basis, though I would wager given the popularity of Spamhaus ZEN, you'll see this same issue with a fair number of other sites.

[Infopro]

Hello. I cannot send emails from my server to Hotmail.
I get this error:



I went to the address in the email, The Spamhaus Project, and I'm listed on the Policy Block List (PBL).
It says I simply need to turn on "SMTP Authentication".

Does anyone know how to do this in Cpanel?
Thanks for the help!

Your IP is listed or your server's IP is listed? If it's your server IP that's listed, you can't run cPanel on a dynamic IP.

[Dodi300]

My IP is not dynamic.

Still can't get emails to send.

[cPanelEric]

Howdy,

You're really going to need to contact spamhaus or get your ISP to do so on your behalf. The block they have in place is pretty broad need to be rechecked.

Thanks!

[Dodi300]

Ok, Will do.
I've started a Support Ticket, like you said.

Thanks for the help.

[blargman]

If the ISP has the policy of putting their ip's in the PBL. There's pretty much nothing that can be done except for forging the Received From: headers yourself. Otherwise they need to use the ISP's outbound servers. That's my idea of the matter anyway. Though I thought this was just for unauthenticated mail, I'm seeing an issue of it myself currently with authenticated mail. :\ It's showing ESMTPA in the header yet SpamHaus is still blocking it.

[Dodi300]

Hey,
The Cpanel support team fixed all the errors on my server and I've contacted SpamHaus and they have removed my IP.
So now I can send/receive emails to Hotmail accounts!

Thanks everyone for the help.

[cPanelEric]

Yea, a happy ending

[cpanelchrish]

If the ISP has the policy of putting their ip's in the PBL. There's pretty much nothing that can be done except for forging the Received From: headers yourself. Otherwise they need to use the ISP's outbound servers. That's my idea of the matter anyway. Though I thought this was just for unauthenticated mail, I'm seeing an issue of it myself currently with authenticated mail. :\ It's showing ESMTPA in the header yet SpamHaus is still blocking it.

Something to watch out for regarding this, it'll depend upon how the remote MTA is evaluating the RBL

If they're checking the connecting IP, even mangling/rewriting the Received header won't do the trick - the connecting IP will still be exposed, queried, and buggered. The headers won't be visible until the DATA command is sent, acknowledged, etc.

The other thing to point out, is the "Received" header that the remote MTA creates is one you'll have no control over - and is the one most likely to contain your IP. So to that end, you'd be somewhat stuck.

Generally RBL providers (among others) will recommend that with lists such as the PBL, you query *only* the connecting IP against the blacklist - reason being, it is perfectly legitimate for a host on a dynamic IP to connect to their ISP's SMTP server and send away; in fact, this is what Spamhaus recommends if you're listed on the PBL (assuming the listing isn't in error). If you do deep header parsing, and query every IP found against an RBL (such as Spamhaus PBL) which is intended solely to restrict what IP's are allowed to connect directly, you end up with a considerable amount of what are by most accounts false positives.

Similar logic applies for those using the ZEN aggregate zone - if you utilize ZEN, and do deep header parsing (a practice which is generally not recommended) for RBL checks, the return code should be evaluated beyond the topmost (or most recent, rather) header and only trigger policy if found in SBL-XBL, but not PBL. A listing on SBL-XBL 2 or 3 layers deep is cause for suspicion. A listing on PBL 2 or 3 layers deep is not.

At any rate, rather than continuing on this tangent....headers are very, very easily forged, and no *single* header is a reliable indicator of spam. Tis usually best to consider the makeup of the header, or extract specific tokens that are common to mail sent from botnets.

Hope this helps someone, and doesn't bore everyone to sleep

[blargman]

cpanelchrish. That's the odd part. I've been seeing a lot of MTA's like comcast parsing received headers. ie the original connecting ip to the cpanel server and then blocking based on that. When it is the cpanel server connecting to comcast?! Very strange.