First of all, excuse me if I'm posting this to the wrong forum, but here's my scenario:
I have a fully patched FC5 server running in the office - all unnecessary services removed/stopped and only ssh listening for remote connections. I installed zimbra on this server last week, added a suitable MX record (IP only) to a valid DNS (the hostname does not have a reverse name) and installed zimbra.
Everything was working fine, I sent out a few test emails, used abuse.net's relay testing and it reported the host to be fine (also checked relaying manually using telnet - just to be sure). I also checked the postfix configuration files manually, as I have experience running/maintaining it myself, and all things looked nice.
I gave my ok and passed the box to the company that is checking out zimbra, and some days later they sent me an email that they got email from their ISP saying that another ISP has blacklisted the IP for sending out spam.
I checked the postfix logfiles and found this:
Oct 4 15:19:59 localhost postfix/smtp: 06B7251C610: to=<firstname.lastname@example.org>, relay=127.0.0.1[127.0.0.1], delay=2, status=sent (250 2.6.0 Ok, id=27780-02, from MTA([127.0.0.1]:10025): 250 Ok: queued as D546451C611)
Oct 4 15:19:59 localhost postfix/qmgr: 06B7251C610: removed
Oct 4 15:20:00 localhost postfix/smtp: D546451C611: to=<email@example.com>, relay=mta.inet.fi[188.8.131.52], delay=1, status=bounced (host mta.inet.fi[184.108.40.206] said: 550 mail not accepted from blacklisted IP address [X.Y.Z.D] (in reply to MAIL FROM command))
Oct 4 15:20:00 localhost postfix/cleanup: 6D9C851C613: message-id=<20061004122000.6D9C851C613@localhost.localdomain>
Oct 4 15:20:00 localhost postfix/qmgr: 6D9C851C613: from=<>, size=3321, nrcpt=1 (queue active)
Oct 4 15:20:00 localhost postfix/qmgr: D546451C611: removed
So, the first email sent to this Finnish/Swedish IP was bounced due to the company IP being blacklisted.
I'm sure that this machine hasn't been hacked. I installed it some 30 minutes before installing zimbra - did the installation behind the firewall and upgraded the machine via apt-get from Funet (gpg key checks enabled, of course).
Now these two ISPs are threatening the company with a possible police investigation and aren't cooperative when asked for information about the claimed spam batch.
After receiving their threat mail, I shut down zimbra (last Saturday) - and our main ISP is still not willing to give out any information. Weird. Since then I've been sniffing traffic, done checks on the machine, read the logs and a lot of different things to find out why they were blacklisting that IP, but found nothing that would be considered a "spam flood".
Although, there are a few issues that might be the reason. The box still had "localhost.localdomain" as its hostname and the zimbra installation was broadcasting that as its hostname in SMTP sessions. Also, some SMTP servers might check if the MTA sending the message is in the zone file of the domain (it might not have been there due to DNS caching) and if the server name in the SMTP session matches the reverse of the sender's IP.
Anyone had similar problems? Any suggestions?
PS. People in the company have been sending emails to other ISPs' email boxes without getting blacklisted or banned.
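As an added example (not code from the original post or from Zimbra/Postfix), the script below does two things a reader triaging this situation would want: it pulls the 550 "blacklisted" bounces out of postfix/smtp log lines of the shape quoted above, and it checks the sending host's HELO name against its reverse DNS the way the post suspects receiving MTAs do (PTR present, PTR resolves back to the IP, HELO matches the PTR, HELO is not a placeholder such as localhost.localdomain). The log lines, IP addresses and hostnames in it are constructed (RFC 5737 documentation ranges), and the DNS lookups are injectable so the checks can be exercised offline with the constructed tables; with the defaults they use the system resolver.

```python
"""Triage helpers for an outbound-mail blacklisting: parse Postfix bounces and
check HELO / forward-confirmed reverse DNS (FCrDNS) of the sending host."""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample log, modelled on the lines quoted in the post
# (addresses and hostnames replaced with documentation values).
SAMPLE_LOG = """\
Oct 4 15:19:59 localhost postfix/smtp: 06B7251C610: to=<first.last@example.org>, relay=127.0.0.1[127.0.0.1], delay=2, status=sent (250 2.6.0 Ok, id=27780-02, from MTA([127.0.0.1]:10025): 250 Ok: queued as D546451C611)
Oct 4 15:19:59 localhost postfix/qmgr: 06B7251C610: removed
Oct 4 15:20:00 localhost postfix/smtp: D546451C611: to=<user@example.com>, relay=mta.example.net[192.0.2.10], delay=1, status=bounced (host mta.example.net[192.0.2.10] said: 550 mail not accepted from blacklisted IP address [203.0.113.5] (in reply to MAIL FROM command))
Oct 4 15:20:00 localhost postfix/qmgr: D546451C611: removed
"""

# Delivery-attempt lines written by postfix/smtp, with or without a [pid] suffix.
SMTP_LINE = re.compile(
    r"postfix/smtp(?:\[\d+\])?: (?P<qid>[0-9A-Fa-f]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), .*?status=(?P<status>\w+) \((?P<detail>.*)\)\s*$"
)
# The remote reply code follows "said:" in Postfix's bounce detail.
REPLY_CODE = re.compile(r"said:\s+(?P<code>[245]\d\d)\b")


@dataclass
class Bounce:
    queue_id: str
    recipient: str
    relay: str
    code: Optional[str]
    detail: str

    @property
    def blacklisted(self) -> bool:
        # Remote MTAs word this differently; cover the common phrasings.
        return bool(re.search(r"black ?list|block ?list|RBL|DNSBL", self.detail, re.I))


def parse_bounces(lines: Iterable[str]) -> List[Bounce]:
    """Return the postfix/smtp delivery attempts that ended with status=bounced."""
    found = []
    for line in lines:
        m = SMTP_LINE.search(line)
        if not m or m.group("status") != "bounced":
            continue
        code = REPLY_CODE.search(m.group("detail"))
        found.append(Bounce(m.group("qid"), m.group("rcpt"), m.group("relay"),
                            code.group("code") if code else None, m.group("detail")))
    return found


def _reverse_dns(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # no PTR, or lookup failure
        return None


def _forward_dns(name: str) -> List[str]:
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


@dataclass
class HostCheck:
    ip: str
    helo: str
    ptr: Optional[str]
    forward_ips: List[str]

    @property
    def forward_confirmed(self) -> bool:
        return self.ip in self.forward_ips

    @property
    def helo_matches_ptr(self) -> bool:
        return self.ptr is not None and self.helo.lower() == self.ptr.lower().rstrip(".")

    @property
    def helo_is_placeholder(self) -> bool:
        return self.helo.lower() in {"localhost", "localhost.localdomain"} or "." not in self.helo

    def problems(self) -> List[str]:
        """Reasons a receiving MTA might distrust this sender, in plain words."""
        issues = []
        if self.helo_is_placeholder:
            issues.append(f"HELO name {self.helo!r} is a placeholder; set myhostname to the public FQDN")
        if self.ptr is None:
            issues.append(f"no PTR record for {self.ip}; ask the ISP to delegate reverse DNS")
        elif not self.forward_confirmed:
            issues.append(f"PTR {self.ptr!r} does not resolve back to {self.ip} (FCrDNS fails)")
        if self.ptr is not None and not self.helo_matches_ptr:
            issues.append(f"HELO name {self.helo!r} differs from PTR {self.ptr!r}")
        return issues


def check_sending_host(ip: str, helo: str,
                       reverse: Callable[[str], Optional[str]] = _reverse_dns,
                       forward: Callable[[str], List[str]] = _forward_dns) -> HostCheck:
    """Resolve the PTR for ip, then resolve that name forward, and bundle the result."""
    ptr = reverse(ip)
    return HostCheck(ip, helo, ptr, forward(ptr) if ptr else [])


# Constructed DNS tables so the checks run offline (hypothetical names/addresses).
DEMO_PTR: Dict[str, str] = {"203.0.113.7": "mail.example.net"}
DEMO_A: Dict[str, List[str]] = {"mail.example.net": ["203.0.113.7"]}


def demo_check(ip: str, helo: str) -> HostCheck:
    return check_sending_host(ip, helo, reverse=DEMO_PTR.get,
                              forward=lambda n: DEMO_A.get(n, []))


if __name__ == "__main__":
    for b in parse_bounces(SAMPLE_LOG.splitlines()):
        print(b.queue_id, b.relay, b.code, "blacklisted" if b.blacklisted else "", b.detail)
    # The situation in the post: placeholder HELO and no reverse record.
    for issue in demo_check("203.0.113.5", "localhost.localdomain").problems():
        print("-", issue)
```

Run it as-is to see the constructed bounce and the two findings; to check a real host, call check_sending_host(public_ip, value_of_myhostname) with the default resolvers from a machine that can do DNS lookups. Fixing only the HELO name is not enough if the PTR is missing, which is why the check reports each condition separately.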