Client emails aren't connecting, tracing down the problem

GoWilkes

I have a hosting client who has a customer that can't email them. When they do, they get an error that:

SMTP error from remote mail server after initial connection:
550 Your country is not allowed to connect to this server.


This is definitely originating from my server:


I use WHM > Email > Filter Incoming Emails by Country to block all except Canada, Cocos Islands, French Southern Territories, Northern Mariana Islands, Puerto Rico, Saint Barthelemy, Saint Helena, US Minor Outlying Islands, and United States. So it appears that somewhere along the way, they have an IP that's coming from outside of this range.

The client can email ME, though, which I don't understand at all. They also said that it doesn't matter whether they email from a local computer or via webmail, they both give the same error (which eliminates a local virus, which was my first thought). Their sites are hosted with siteground.com.

I had them run tracert hostedclientdomain.com, and they are definitely coming from a US IP. There are 19 hops:

Code:
Hop # 1 is to their local router
#2 is to spectrum.com
#3-9 is to charter.com
#10 is * * *
#11 is to zayo.com (I checked, it's in Colorado)
#12-14 are * * *
#15-16 are back to zayo.com
#17-19 are my network

Using ssh, when I dig theirdomain.com the "answer section" is Google Cloud:


Then the "additional section" is Amazon:


Running dig mail.theirdomain.com gives the same result.

Using dig @35.208.0.0 hostedclient.com just times out.

Any other suggestions on finding where it's failing?
 

GoWilkes

I don't see the initial transaction, but I did find another one later from their domain that DOES route outside of the US!

2023-01-03 15:14:14 H=delivery15.mailspamprotection.com [185.56.85.130]:60611 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<[email protected]> temporarily rejected RCPT <[email protected]>: Deferred due to greylisting. Host: '185.56.85.130' From: '[email protected]' To: '[email protected]' SPF: 'unchecked'

The IP in there:

So now I'm 90% sure that the issue is with their host, but I'm personally invested so I still want to help :) With that IP not showing up in their tracert, any suggestions on how I can trace it down on my end? And how they can get it to stop routing there?
 

GoWilkes

Or should I whitelist that specific IP? If so, where do I whitelist it so that the "Filter Incoming Emails by Country" doesn't catch it?
 

cPRex

Jurassic Moderator
Staff member
A tracert may not follow the same path as the mail delivery at all, since one is checking a plain connection, and one is port 25 with mail servers. It's likely those are going through a different path to get to your system.

I'm not sure I have a good way to test this on my end, but could you try adding the IP to the Trusted SMTP IP address in the Exim Configuration in WHM? I think that will override the country level block.
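
Added example (not part of the thread and not cPanel's own tooling): because the relay that connects on port 25 can differ from what a traceroute shows, this Python script finds the connecting IPs for a sender domain in Exim main-log lines and then lists everything else those IPs did, including connect-time rejections that carry no sender address. The sample lines, the example domains and the wording of the connect-time rejection are constructed; only the relay host and IP are taken from the log line quoted earlier in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in Exim main-log style. Only the relay host/IP come from
# the thread; addresses and the connect-time rejection wording are made up.
SAMPLE_LOG = """\
2023-01-03 15:02:10 H=delivery15.mailspamprotection.com [185.56.85.130]:60102 rejected connection in "connect" ACL: Your country is not allowed to connect to this server.
2023-01-03 15:14:14 H=delivery15.mailspamprotection.com [185.56.85.130]:60611 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<customer@sender.example> temporarily rejected RCPT <client@hosted.example>: Deferred due to greylisting.
2023-01-03 15:20:31 H=(mail.other.example) [198.51.100.7]:41000 F=<someone@other.example> rejected RCPT <client@hosted.example>: No such user
"""

# H= appears as "name [ip]", "name (helo) [ip]", "(helo) [ip]" or "[ip]".
HOST_RE = re.compile(
    r" H=(?:(?P<name>[^\s\[(]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\](?::\d+)?")
SENDER_RE = re.compile(r" F=<(?P<sender>[^>]*)>")


def parse_line(line):
    """Extract time, connecting IP, host name and envelope sender (if any)."""
    host = HOST_RE.search(line)
    if not host:
        return None
    sender = SENDER_RE.search(line)
    return {
        "time": line[:19],
        "ip": host.group("ip"),
        "name": host.group("name") or host.group("helo") or "",
        "sender": sender.group("sender") if sender else None,
        "detail": line[host.end():].strip(),
    }


def relays_for_domain(log_text, domain):
    """Map each IP that relayed mail from `domain` to all of its log events."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    suffix = "@" + domain.lower()
    relay_ips = {e["ip"] for e in events
                 if e["sender"] and e["sender"].lower().endswith(suffix)}
    by_ip = defaultdict(list)
    for e in events:  # second pass also catches lines with no F= at all
        if e["ip"] in relay_ips:
            by_ip[e["ip"]].append(e)
    return dict(by_ip)


if __name__ == "__main__":
    for ip, events in relays_for_domain(SAMPLE_LOG, "sender.example").items():
        print(ip, events[0]["name"])
        for e in events:
            print("  ", e["time"], e["sender"] or "(no sender yet)", "|", e["detail"][:60])
```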
 

GoWilkes

That's what I was thinking; my best option would be to log in to his server via SSH and dig from his end. But I don't know if he even has SSH access, much less whether he would give it to me :-/

I added the 185.x.x.x IP to Trusted SMTP IP as suggested, let's see how that goes! I don't know if that will be a permanent fix, though (I'm not sure if the IP will change), and it really doesn't solve the problem for him if others block non-US IPs.
 