Spamhaus ?

Similar Messages

• Does Google Pubilic DNS block Spamhaus RDNSBL queries?

  Our ISP here in Northwest Arizona is CableONE.  We noticed late last year some problems with some of their DNS resolving servers and decided to cut over, as whole, to using Google's Public DNS servers (8.8.8.8 and 8.8.4.4 respectively).  We didn’t realize this at the time of the cutover (11/11/2010), but this had the effect of killing our ability to use Spamhaus for RDNSBL-based rejection of incoming spam.
  We specifically use zen.spamhaus.org and bl.spamcop.net for RDNSBL spam rejection (as set in Server Admin under “Mail > Settings > Relay > Use these junk mail rejection servers (real-time blacklist)”.  Both of these servers had been working well for years, but after the cutover to GoogleDNS we found that Zen wasn’t blocking any spam any more, and there was a corresponding tenfold jump in the amount of rejections triggered by SpamCop.  This makes sense since SpamCop was now taking up the slack for the other service.  We didn't realize this in November 2010, but only now as we retroactively searched the mail server logs from last year.
  This issue can be demonstrated using the shell commands below.  The bottom line is that through Google's two public DNS servers, the Spamhaus queries *never* show the host as listed, whereas on the four CableONE DNS resolvers they *always* show proper results.  There could also be timing issue having to do with how long it takes older RDNSBL queries to time out.  I wonder if anyone can confirm these results; if not we may be dealing with a local DNS cache poisoning in Google’s public DNS servers, but I can’t imagine that this problem has persisted for a whole five months!!  What I suspect is the case is that Google has a policy where RDNSBL is not supported (or properly handled) on their public DNS servers.
  Comments?  Thoughts?  …I’d be interested if anyone else has this problem.  It’s purely a DNS issue, not specific to OS X Server, but it would obviously affect all flavors of OS X Server, not just SL server 10.6.x.
  Here's a shell session illustrating the situation.  I’m testing using the address 186.136.114.186, which is an address currently blocked by SpamCop, and the XBL listing on Spamhaus (and also the SBL-XBL and ZEN composite lists as a result).  I apologize if this a host you’re responsible for, I’m just choosing this host as an example to test against.  You can contact SpamCop and Spamhaus to find out why you're being blacklisted; that is outside of what I'm concerned about.
  bert-sierras-imac:~ bert$ test=186.114.136.186
  bert-sierras-imac:~ bert$ hosts='bl.spamcop.net sbl.spamhaus.org pbl.spamhaus.org xbl.spamhaus.org sbl-xbl.spamhaus.org zen.spamhaus.org'
  bert-sierras-imac:~ bert$ dns='8.8.8.8 8.8.4.4 24.116.0.201 24.116.0.202 ns1.cableone.net ns2.cableone.net'
  bert-sierras-imac:~ bert$ for d in $dns; do echo; echo ====== DNS = $d =======;     for h in $hosts; do host $test.$h $d; done; done
  ====== DNS = 8.8.8.8 =======
  Using domain server:
  Name: 8.8.8.8
  Address: 8.8.8.8#53
  Aliases:
  186.114.136.186.bl.spamcop.net has address 127.0.0.2
  Using domain server:
  Name: 8.8.8.8
  Address: 8.8.8.8#53
  Aliases:
  Host 186.114.136.186.sbl.spamhaus.org not found: 3(NXDOMAIN)
  Using domain server:
  Name: 8.8.8.8
  Address: 8.8.8.8#53
  Aliases:
  Host 186.114.136.186.pbl.spamhaus.org not found: 3(NXDOMAIN)
  Using domain server:
  Name: 8.8.8.8
  Address: 8.8.8.8#53
  Aliases:
  Host 186.114.136.186.xbl.spamhaus.org not found: 3(NXDOMAIN)
  Using domain server:
  Name: 8.8.8.8
  Address: 8.8.8.8#53
  Aliases:
  Host 186.114.136.186.sbl-xbl.spamhaus.org not found: 3(NXDOMAIN)
  Using domain server:
  Name: 8.8.8.8
  Address: 8.8.8.8#53
  Aliases:
  Host 186.114.136.186.zen.spamhaus.org not found: 3(NXDOMAIN)
  ====== DNS = 8.8.4.4 =======
  Using domain server:
  Name: 8.8.4.4
  Address: 8.8.4.4#53
  Aliases:
  186.114.136.186.bl.spamcop.net has address 127.0.0.2
  Using domain server:
  Name: 8.8.4.4
  Address: 8.8.4.4#53
  Aliases:
  Host 186.114.136.186.sbl.spamhaus.org not found: 3(NXDOMAIN)
  Using domain server:
  Name: 8.8.4.4
  Address: 8.8.4.4#53
  Aliases:
  Host 186.114.136.186.pbl.spamhaus.org not found: 3(NXDOMAIN)
  Using domain server:
  Name: 8.8.4.4
  Address: 8.8.4.4#53
  Aliases:
  Host 186.114.136.186.xbl.spamhaus.org not found: 3(NXDOMAIN)
  Using domain server:
  Name: 8.8.4.4
  Address: 8.8.4.4#53
  Aliases:
  Host 186.114.136.186.sbl-xbl.spamhaus.org not found: 3(NXDOMAIN)
  Using domain server:
  Name: 8.8.4.4
  Address: 8.8.4.4#53
  Aliases:
  Host 186.114.136.186.zen.spamhaus.org not found: 3(NXDOMAIN)
  ====== DNS = 24.116.0.201 =======
  Using domain server:
  Name: 24.116.0.201
  Address: 24.116.0.201#53
  Aliases:
  186.114.136.186.bl.spamcop.net has address 127.0.0.2
  Using domain server:
  Name: 24.116.0.201
  Address: 24.116.0.201#53
  Aliases:
  Host 186.114.136.186.sbl.spamhaus.org not found: 3(NXDOMAIN)
  Using domain server:
  Name: 24.116.0.201
  Address: 24.116.0.201#53
  Aliases:
  Host 186.114.136.186.pbl.spamhaus.org not found: 3(NXDOMAIN)
  Using domain server:
  Name: 24.116.0.201
  Address: 24.116.0.201#53
  Aliases:
  186.114.136.186.xbl.spamhaus.org has address 127.0.0.4
  Using domain server:
  Name: 24.116.0.201
  Address: 24.116.0.201#53
  Aliases:
  186.114.136.186.sbl-xbl.spamhaus.org has address 127.0.0.4
  Using domain server:
  Name: 24.116.0.201
  Address: 24.116.0.201#53
  Aliases:
  186.114.136.186.zen.spamhaus.org has address 127.0.0.4
  ====== DNS = 24.116.0.202 =======
  Using domain server:
  Name: 24.116.0.202
  Address: 24.116.0.202#53
  Aliases:
  186.114.136.186.bl.spamcop.net has address 127.0.0.2
  Using domain server:
  Name: 24.116.0.202
  Address: 24.116.0.202#53
  Aliases:
  Host 186.114.136.186.sbl.spamhaus.org not found: 3(NXDOMAIN)
  Using domain server:
  Name: 24.116.0.202
  Address: 24.116.0.202#53
  Aliases:
  Host 186.114.136.186.pbl.spamhaus.org not found: 3(NXDOMAIN)
  Using domain server:
  Name: 24.116.0.202
  Address: 24.116.0.202#53
  Aliases:
  186.114.136.186.xbl.spamhaus.org has address 127.0.0.4
  Using domain server:
  Name: 24.116.0.202
  Address: 24.116.0.202#53
  Aliases:
  186.114.136.186.sbl-xbl.spamhaus.org has address 127.0.0.4
  Using domain server:
  Name: 24.116.0.202
  Address: 24.116.0.202#53
  Aliases:
  186.114.136.186.zen.spamhaus.org has address 127.0.0.4
  ====== DNS = ns1.cableone.net =======
  Using domain server:
  Name: ns1.cableone.net
  Address: 24.116.0.206#53
  Aliases:
  186.114.136.186.bl.spamcop.net has address 127.0.0.2
  Using domain server:
  Name: ns1.cableone.net
  Address: 24.116.0.206#53
  Aliases:
  Host 186.114.136.186.sbl.spamhaus.org not found: 3(NXDOMAIN)
  Using domain server:
  Name: ns1.cableone.net
  Address: 24.116.0.206#53
  Aliases:
  Host 186.114.136.186.pbl.spamhaus.org not found: 3(NXDOMAIN)
  Using domain server:
  Name: ns1.cableone.net
  Address: 24.116.0.206#53
  Aliases:
  186.114.136.186.xbl.spamhaus.org has address 127.0.0.4
  Using domain server:
  Name: ns1.cableone.net
  Address: 24.116.0.206#53
  Aliases:
  186.114.136.186.sbl-xbl.spamhaus.org has address 127.0.0.4
  Using domain server:
  Name: ns1.cableone.net
  Address: 24.116.0.206#53
  Aliases:
  186.114.136.186.zen.spamhaus.org has address 127.0.0.4
  ====== DNS = ns2.cableone.net =======
  Using domain server:
  Name: ns2.cableone.net
  Address: 24.119.5.34#53
  Aliases:
  186.114.136.186.bl.spamcop.net has address 127.0.0.2
  Using domain server:
  Name: ns2.cableone.net
  Address: 24.119.5.34#53
  Aliases:
  Host 186.114.136.186.sbl.spamhaus.org not found: 3(NXDOMAIN)
  Using domain server:
  Name: ns2.cableone.net
  Address: 24.119.5.34#53
  Aliases:
  Host 186.114.136.186.pbl.spamhaus.org not found: 3(NXDOMAIN)
  Using domain server:
  Name: ns2.cableone.net
  Address: 24.119.5.34#53
  Aliases:
  186.114.136.186.xbl.spamhaus.org has address 127.0.0.4
  Using domain server:
  Name: ns2.cableone.net
  Address: 24.119.5.34#53
  Aliases:
  186.114.136.186.sbl-xbl.spamhaus.org has address 127.0.0.4
  Using domain server:
  Name: ns2.cableone.net
  Address: 24.119.5.34#53
  Aliases:
  186.114.136.186.zen.spamhaus.org has address 127.0.0.4

  In digging further it seems this is a known issue.  It is not Google DNS that is banning RDNSBL queries to Spamhaus, but rather Spamhaus that does not want queries reaching it from Google's Public DNS servers.  For more info, see the following links:
       http://www.spamhaus.org/faq/answers.lasso?section=DNSBL%20Usage#261
       http://www.mail-archive.com/[email protected]/msg20322.html
       http://www.vistax64.com/sbs-server/263984-exchange-2003-google-dns-imf-connectio n-filtering-rbl-failures.html
  and again here
       http://us.generation-nt.com/answer/exchange-2003-google-dns-imf-connection-filte ring-rbl-failures-help-146139331.html?page=4
  Okay.... so that explains *why* this is happening.  Now I need to figure out what to do about it.
  I’m a bit relucant to switch my mail server to running DNS queries through CableONE because, as I mentioned, we have at least one major client of ours who’s servers aren’t listing properly on CableONE’s DNS resolvers.  We cut our enterprise over to Google Public DNS for that very reason.
  Is there a way to direct *just* the RDNSBL queries to work via CableONE resolvers, while leaving the general resolver settings (at /etc/resolv.conf) alone?  In other words, is there any syntax in Postfix that lets you choose which DNS servers resolve RDNSBL queries (aka RBL queries) without forcing you to choose those resolvers for other mail handling functions?
  Any help and comments would be appreciated.  Thank you in advance.
  Message was edited by: Bert Sierra

• Outgoing messages blocked by some recipients due to Spamhaus PBL

  I've read some related issues about this on the forums, but I haven't found any helpful solutions.
  I am a FiOS customer, but I already have email service set up with other providers, and have no interest in changing my e-mail address(s). In general this works fine.
  Recently however I have found that some receipients, who use spamhaus, are blocking my messages - apparantly because Verizon said that the only way their clients are allowed to send e-mail is through their servers.  The bounce looked something like this (personally identifying information, etc. edited):
  This message was created automatically by mail delivery software.
  A message that you sent could not be delivered to one or more of its recipients. The following addresses failed:
  <<edited>>
  SMTP error from remote server after transfer of mail text:
  host barracuda.acrocorp.com[edited]:
  554 Service unavailable; Client host [mout.perfora.net] blocked by zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=71.164.000.000 (edited)
  --- The header of the original message is following. ---
  Received: from xxxxxx (pool-71-164-xxx-xxx.sttlwa.fios.verizon.net [edited])
  by mrelay.perfora.net (node=mrus1) with ESMTP (Nemesis)
  id 0MCKl7-1NM9wO0jcv-0097h4; Tue, 24 Nov 2009 16:40:26 -0500
  Return-Path: xxxxxxx
  From: xxxx
  Sender: xxxxxx
  To: xxxxxx
  Date: Tue, 24 Nov 2009 13:40:24 -0800
  Message-ID: <!&!AAAAAAAAAAAYAAAAAAAAAJ9z9bwRctQRnWQA4Jh+J3DCgAAAEAAAANjFkzKkqiFOp/[email protected]>
  MIME-Version: 1.0
  Content-Type: multipart/alternative;
  boundary="----=_NextPart_000_0C0C_01CA6D0B.AE1E9C70"
  X-Mailer: Microsoft Office Outlook 12.0
  Content-Language: en-us
  Thread-Index: AcppU1OkA2KRPgLKRqWWeNYMDLOrpwD+U21Q
  X-Provags-ID: V01U2FsdGVkX1/SPBJQinHX94j0qtDaHOJUZB38JI5NNAAl4Ic
  ktk2YLeUKebUC6fKBM+YvSW1b2YSERJwkbKiD+2F1Nc5UyRs6v
  WMF/kvX2k5L3lbGwKP4miYzEaDQ9gYz
   When reading the information at Spamhaus, I said OK, sounds like I need to use a verizon.net server.  So I set my outgoing server to outgoing.verizon.net, with appropriate credentials (I do have a verizon.net e-mail address, I just don't use it).  This seemed to work, but today when sending to the same recipient, I got the following bounce:
  This report relates to a message you sent with the following header fields:
  Message-id:
  <!&!AAAAAAAAAAAYAAAAAAAAAJ9z9bwRctQRnWQA4Jh+J3DCgAAAEAAAABuM/[email protected]>
  Date: Mon, 30 Nov 2009 20:14:49 -0800
  From: xxxxx
  To: xxxxxx
  Subject: xxxxx
  Your message cannot be delivered to the following recipients:
  Recipient address: [email protected] Reason: SMTP transmission failure has occurred
  Diagnostic code: smtp;554 Service unavailable; Client host [vms173017pub.verizon.net] blocked by zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=71.164.0.0
  Remote system: dns;barracuda.acrocorp.com (TCP|206.46.173.17|42774|12.111.233.9|25) (barracuda.acrocorp.com ESMTP [26a1cc209bbca0bd7cbebfeeb226aade])
  Now first of all, I find it unacceptable that I need to use Verizon's outgoing mail servers rather than the provider of my choice.  This means that if I have someone over who wants to connect their laptop to our network to send e-mail, they have to reconfigure their e-mail, and I have to give them my credentials, or else create an account for them on verizon.net.  That's just bizzare!
  But now it seems that Verizon is also not even keeping its own data straight with spamhaus!
  Can anyone shed any light on this?  Is there anything I can do to resolve these problems?
  Thank you all!

  You don't need to change your INCOMING email address however you do need to change your outgoing email server address to be the Verizon server.  If you don't do this your email may be refused and treated as spam because it will appear that you are using "relaying" to send mail from fake accounts.
  You now appear to have hit the other problem that sometimes occurs.  It seems that at some point in the past the dhcp address you recived from verizon was blacklisted for something and spamhaus is now rejecting the email.  The simple answer to this is to reboot your verizon router to get a new address.  You could then report the blacklisted address to Verizon who might fight the adress issue with spamhaus or you could di it yourself.  Think I had this occur 3 times in the 5 years I had Verizon dsl on a pppoe connection which delivers dhcp address changes many more times than FiOS does.

• The DYNAMIC IP address Verizon assigned me is in a range that is BLOCKED at SpamHaus?

  {word filter avoidance} My public IP address is in a range that is blocked? 
  My mail is authenticated! I am providing my Verizon username/password when I send mail out via the outgoing.verizon.net SMTP server. I am doing exactly what Verizon tech support (escalation specialist) told me to do.
  http://www.spamhaus.org/pbl/query/PBL275150
  Outbound Email Policy of Verizon Online for this IP range:
  It is the policy of Verizon Online that unauthenticated email sent from this IP address should be sent out only via the designated outbound mail server allocated to Verizon Online customers. To find the hostname of the correct mail server to use, customers should consult the original signup documentation or contact Verizon Online Technical Support.
  Removal Procedure
  Removal of IP addresses within this range from the PBL is not allowed by the netblock owner's policy.
  About The PBL
  The Spamhaus Policy Block List ("PBL") is an international anti-spam system maintained by The Spamhaus Project in conjunction with Internet Service Providers and is used by Internet networks to enforce inbound email policies. The PBL database lists end-user IP address ranges which should not be delivering unauthenticated email to any mail server except those provided for specifically for that customer's use. The PBL lists only IP addresses (not domains or email addresses).
  For full information on how the PBL operates please see the PBL Home page and the PBL Frequently Asked Questions.
  Message Edited by KaLin on 06-18-2009 07:31 AM

  JennyC wrote:
  Hi, thanks so much-- but this is what it says on the Spamhaus site:
  Outbound Email Policy of Verizon Online for this IP range:
  It is the policy of Verizon Online that unauthenticated email sent from this IP address should be sent out only via the designated outbound mail server allocated to Verizon Online customers. To find the hostname of the correct mail server to use, customers should consult the original signup documentation or contact Verizon Online Technical Support. (http://www.spamhaus.org/pbl/query/PBL270930 )
  I use authentication and tried using different ports but that has had no effect.
  Exactly. You do use authentication. Thats exactly the point. You wouldnt be able to send emails at all if authentiction wasnt turned on so that suggestion by spamhaus is already done. Second, the only port used by verizon email is 587, so the suggestion that you may have another port is out the window as well because if it was anything else, you wouldnt be able to send email either. So it is NONE of those issues. The spamhaus suggestions do not apply as if they were not that way in the first place you wouldnt be able to send any emails via Verizon and would not be having this symptom. The fact that you can send an email in the first place means that all the spamhaus suggestions have already been verified as working.
  Like I said earlier, this is a spamhaus issue at this point. Everything that spamhaus suggested you check has been verified as working on the verizon side.
  The only thing left to try on the verizon side is to get you a new IP and see if spamhaus likes it better.
  The suggestion that the only work around was to use the web interface is a vaild idea because emails sent via the web use a different IP address range than the one used at your house. getting a new IP may help. Otherwise, you will need to contact spamhaus directly
  ====================================================================================
  Error exists between keyboard and chair.

• Spamhaus DBL support?

  I'm interested if the Ironport supports (or will in the future) querying the Spamhaus DBL: http://www.spamhaus.org/news.lasso?article=655
  Unlike other DNS block lists, this one supports domain name queries only and does not support IP address queries at all.  They recommend using it to check URIs in the message content as well as headers.
  Would be great to see this support!

  Thank you, but I am already aware of how to configure querying a blacklist in the Ironport. Support fail, please re-parse my query.
  I suggest anyone thinking of responding to this thread to actually READ the link included in my original post as well as the DBL FAQ: http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus%20DBL
  In particular find in the FAQ the following statement:
  You must not put 'dbl.spamhaus.org' into any email server 'DNSBL' or 'RBLs' feature, spam firewall or spam filter unless it specifically states that blocklists entered there are used for domain checking only. If you are unsure, ask your spam filter developer.
  Five Months for the appearance of a completely off-the-wall response to, basically, a yes/no question....anyone want to place bets on something effectual actually appearing here?

• Spamhaus PBL

  I have determined that my Verizon IP address is on the Spamhaus PBL list.  Many of my outgoing emails (multiple accounts) are being blocked because they initiate from the "Verizon" listed IP address.  This is a Verizon IP issue.  I don't send SPAM or mass emails.  I have been on the phone with Verizon all day without any results.  No one at Verizon has a clue.  I talked to two outside consultants who were quick to pinpoint the problem but only Verizon can fix it by requesting the IP address be removed from list or give me a new IP address.  After 10 phone calls today, I was told that I would have to email my problem to the whitelist department but that this department could not be contacted by telephone by me or anyone else at Verizon and that it could take a week for them to respond.  No one did anything to help.  I work from home and this is a major problem.  Verizon technical support and customer service are non-existent.  I heard that I can log into my router and change the IP address myself.  Does anyone know how?  I'm sure the "community" knows more than Verizon!  And I'm sure cares more than Verizon! 

  My issue is not just with Verizon email.  It is with all my email addresses (verizon and others).  Problem due to my Verizon internet service/IP address showing up on a Spamhaus PBL list.  I'm getting blocked by some mail servers/recipients.  Only Verizon can fix - get it removed with Spamhaus or give me a new IP address.  This is urgent!  It would be nice to "talk" to someone at Verizon who understood the problem and who knew how to fix it.  I am told there is no one to "talk to".  I have to send all my requests online.  I sent online requests and got an automated response which told me nothing.  Verizon needs to remember that the company's future, profitability and employee jobs have a direct correlation to the customer satisfaction & retention.  Verizon needs to empower their people and equip their people to RESOLVE issues.  I have never used a forum or blog before but I have no where else to turn! 

• Outgoing mail blocked by spamhaus

  I am using zen.spamhaus for spam protection and it seems to work great. One problem though... it also check outgoing messages. This is good in that it prevent unauthorized mail from going out, but it is also blocking some of my users, even though they authenticate first (as is required). Is there a way to change this so that authenticated users will not be picked up by spamhaus?

  If you look at/implement my tutorial Frontline spam defense for Mac OS X Server you will see the correct configuration for checking authentication before the RBLs. In addition you will reduce your spam intake significantly.
  If you don't want to add anything to your default configuration, make sure that the following parameters in /etc/postfix/main.cf are in the right horizontal order:
  smtpdclientrestrictions = permit_mynetworks, permitsaslauthenticated, rejectrblclient zen.spamhaus.org, permit
  smtpdrecipientrestrictions = permit_mynetworks, permitsaslauthenticated, rejectunauthdestination, rejectrblclient zen.spamhaus.org, permit
  This will make sure that once authenticated or coming from the internal network, the RBL won't be queried.
  Furthermore, I would add a separate submission port (587) for your authenticated users only, bypassing the content filter as well. This can be done by adding the following to /etc/postfix/master.cf
  submission inet n - n - - smtpd
  -o content_filter=
  -o smtpdrecipient_restrictions=permit_saslauthenticated,reject
  (3 spaces before -o )

• SpamHaus XBL listing cleared, however O365 blocking citing SpamHaus

  We have a MailFlow Connector authorizing a HostGator (I know, I know) server to transmit form mail within the domain. For a time, it was listed on SpamHaus under XBL. That listing has been cleared, however it's 24 hours later and O365 is still rejected mail
  from that server citing SpamHaus.
  SMTP -> FROM SERVER:550 5.7.1 Service unavailable; Client host [192.185.4.X] blocked using Spamhaus; To request removal from this list see http://www.spamhaus.org/lookup.lasso
  Meanwhile, SpamHaus is saying "all clear" on it's lookup tool
  192.185.4.X is not listed in the SBL
  192.185.4.X is not listed in the PBL
  192.185.4.X is not listed in the XBL
  Is there a way to clear O365's cache of the XBL or to temporarily disable SpamHaus check and re-enable 24 or 48 hours later once Microsoft is seeing the all clear from SpamHaus?

  Hi,
  As per the description, I understand that the client host was bocked by Spamhaus.
  As far as I know, there is no way on the recipients' end (office 365) to clear this 'cache of the XBL'. Actually, it can take 24-48 hours before it's completely removed, so maybe you will need to wait for more time.
  Regarding "temporarily disable SpamHaus check and re-enable...", I would suggest you check in the forum of
  Office 365 Community which is dedicated for Office 365
  server/admin aspects. Current forum only focus on questions and feedback for Microsoft Office client.
  Regards,
  Ethan Hua
  TechNet Community Support
  It's recommended to download and install
  Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office
  programs.

• Error message ATLAS 2503 saying that "spamhaus" has blocked this email. Can anyone help?

  I've been in contact with my provider 123 reg. And they have checked the webmail and I can send messages through that way.
  However, when I go back to thunderbird I get this error message every time I try to email.
  I've removed my email address account from thunderbird then entered all the info again, changed my password. But nothing.
  No idea what would help now and 123reg are saying it's fine now.

  When you follow the instructions in the error message this is what you see.
  '''Important: If you are using any normal email software (such as Outlook, Entourage, Thunderbird, Apple Mail, etc.) and you are being blocked by this Spamhaus PBL listing when you try to send email, the reason is simply that you need to turn on "SMTP Authentication" in your email program settings. For help with SMTP Authentication or ways to quickly fix this problem '''
  If this does not fix the issue your need to have the owners of the IP address get it fixed. The IP address comes back to Sky Broadband in GB.
  Here is the link to the Spamhaus page.
  http://www.spamhaus.org/pbl/query/PBL1550975

• Outgoing emails being blocked by spamhaus. Blocking my IP address

  Good day
  My outgoing emails are being blocked. Spamhaus has blocked my IP address. How do I unblock it? This is the error message that I receive.
  This message was created automatically by mail delivery software.
  A message that you sent could not be delivered to one or more of its
  recipients. This is a permanent error. The following address(es) failed:
  [email protected]
  SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=484112:
  host mta6.am0.yahoodns.net [98.136.216.26]: 553 5.7.1 [BL21] Connections will not be accepted from 41.76.215.245, because the ip is in Spamhaus's list; see http://postmaster.yahoo.com/550-bl23.html
  Please help as this is a business address
  Thanks

  Your email provider controls the IP address they assign you. Only they can clear the reputation of a blacklisted IP address. Contact them.

• Skip spamhaus check for Email _to_ certain addresses?

  I've got some backup processes running at client sites that send me daily Emails when they complete, and most of them have stopped reporting since I turned on Spam checking thru spamhaus.org, since most of them sit behind dynamic addresses.
  Is there an easy way to have Email to certain addresses bypass the spamhaus check? I'd like (for instance) IknowItButThe [email protected] to be delivered no matter where it comes from...
  Love zen.spamhaus.org, BTW, since turning it on my spam has dropped by something like 90 percent.
  Yes, some of the programs can be set to authenticate, but not all of them are that sophisticated...
  Thanks!

  I think the relay option is best but had a think about original question...
  The problem with allowing a specific recipient To: address to bypass RBL checks is that the applicable option, checkrecipientaccess, is an smtpdrecipientrestriction and this restriction takes place AFTER the smtpdclientrestriction, where the RBL is normally specified.
  To enable this to work, you would need to move the RBL check into the recipient_restriction (probably at end) and have checkrecipientaccess before that (probably at beginning). The RBL will work fine in that location and will still check all external connecting IPs - just more 'intuitive' to have it in the client_restriction list.
  The checkrecipientaccess references a hash:file, e.g.,...
  checkrecipient_access   hash:/etc/postfix/recipientaccess
  which would have contents...
  [email protected] OK
  postmap it & reload...
  postmap /etc/postfix/recipient_access
  postfix reload
  -david
  [EDIT] Actually, if you have not hand edited main.cf already, then the RBL check will already be in recipient_restrictions (Server Admin default location).

• What is Undelivered mail returned to sender spamhaus?

  My emails, intermittently, whether being sent from my macbook or my iphone 5 are coming back saying connections not accepted from IP addresses on Spamhaus PBL
  I have gmail.  I don't know whether the problem is my apple products or my gmail.
  Thank you.

  This is 'some' of the language I receive in bounced back emails I've sent:
  <[email protected]>: host
     mx.abelmonteandson.com.cust.b.hostedemail.com[64.98.36.4] refused to talk
     to me: 554 5.7.1 Service unavailable; Client host [173.203.205.160] blocked
     using urbl.hostedemail.com;
     http://www.spamhaus.org/query/bl?ip=173.203.205.160
  Reporting-MTA: dns; mxout2.codelock.com
  X-Postfix-Relay-Hub-Queue-ID: 37A3E704AD
  X-Postfix-Relay-Hub-Sender: rfc822; [email protected]
  Arrival-Date: Tue, 22 Apr 2014 11:33:37 -0400 (EDT)
  Final-Recipient: rfc822; [email protected]
  Original-Recipient: rfc822;[email protected]
  Action: failed
  Status: 4.7.1
  Remote-MTA: dns; mx.abelmonteandson.com.cust.b.hostedemail.com
  Diagnostic-Code: smtp; 554 5.7.1 Service unavailable; Client host
     [173.203.205.160] blocked using urbl.hostedemail.com;
     http://www.spamhaus.org/query/bl?ip=173.203.205.160

• Cannot send messages - XBL Spamhaus crap

  24 hours now: Get blocked from sending or replying to any email with some nonsense about spamhaus

  Contact your ISP or email provider and tell them to get you off the spammer list.

• How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

  I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
  Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
  Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
  Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
  DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
  DVD>Install Lion
  Reboot, hopefully Lion install kicks in
  Update, update, update Lion (NOT Lion Server yet) until no more updates
  System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
  Terminal>$ sudo scutil --set HostName server.domain.com
  App Store>Install Lion Server and run through the Setup
  Download install Server Admin Tools, then update, update, update until no more updates
  Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
  System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
  A few DNS set-up steps and these most important steps:
  A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
  B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
  C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
  D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
  E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
  F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
  G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
  H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
  I. Test from web browser server.domain.com/mydevices: Lock Device to test
  J. ??? Profit
  12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
  You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
  Firewall
  Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
  SSH
  Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
  PermitRootLogin no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
  Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
  client$ ssh-keygen -t rsa -b 2048 -C client_name
  [Securely copy ~/.ssh/id_rsa.pub from client to server.]
  server$ cat id_rsa.pub > ~/.ssh/known_hosts
  I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
  $ diff denyhosts.cfg-dist denyhosts.cfg
  12c12
  < SECURE_LOG = /var/log/secure
  > #SECURE_LOG = /var/log/secure
  22a23
  > SECURE_LOG = /var/log/secure.log
  34c35
  < HOSTS_DENY = /etc/hosts.deny
  > #HOSTS_DENY = /etc/hosts.deny
  40a42,44
  > #
  > # Mac OS X Lion Server
  > HOSTS_DENY = /private/etc/hosts.deny
  195c199
  < LOCK_FILE = /var/lock/subsys/denyhosts
  > #LOCK_FILE = /var/lock/subsys/denyhosts
  202a207,208
  > LOCK_FILE = /var/denyhosts/denyhosts.pid
  > #
  219c225
  < ADMIN_EMAIL =
  > ADMIN_EMAIL = [email protected]
  286c292
  < #SYSLOG_REPORT=YES
  > SYSLOG_REPORT=YES
  Network Accounts
  User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
  2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
       User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
  Oh well.
  Email
  Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
  root:           myname
  admin:          myname
  sysadmin:       myname
  certadmin:      myname
  webmaster:      myname
  my_alternate:   myname
  Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
  cd /etc/postfix
  sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
  sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
  sudo serveradmin stop mail
  sudo serveradmin start mail
  Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
  If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
  iCal Server
  Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
  Web
  The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
  $ diff httpd.conf.default httpd.conf
  95c95
  < #LoadModule ssl_module libexec/apache2/mod_ssl.so
  > LoadModule ssl_module libexec/apache2/mod_ssl.so
  111c111
  < #LoadModule php5_module libexec/apache2/libphp5.so
  > LoadModule php5_module libexec/apache2/libphp5.so
  139,140c139,140
  < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  < #LoadModule encoding_module libexec/apache2/mod_encoding.so
  > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  > LoadModule encoding_module libexec/apache2/mod_encoding.so
  146c146
  < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  177c177
  < ServerAdmin [email protected]
  > ServerAdmin [email protected]
  186c186
  < #ServerName www.example.com:80
  > ServerName domain.com:443
  677a678,680
  > # Server-specific configuration
  > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
  > Include /etc/apache2/mydomain/*.conf
  I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
  Alias /eyetv /Users/uname/Sites/EyeTV
  <Directory "/Users/uname/Sites/EyeTV">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
  <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
  Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
  One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
  Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
  User-agent: *
  Disallow: /
  Misc
  VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

  Privacy Enhancing Filtering Proxy and SSH Tunnel
  Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
  If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
  $ ./ssht 8080:[email protected]:3128
  $ ./ssht 8080:alice@:
  $ ./ssht 8080:
  $ ./ssht 8018::8123
  $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
  $ vi ./ssht
  #!/bin/sh
  # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
  USERNAME_DEFAULT=username
  HOSTNAME_DEFAULT=domain.com
  SSHPORT_DEFAULT=22
  # SSH port forwarding specs, e.g. 8080:localhost:3128
  LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
  REMOTEHOST_DEFAULT=localhost    # Default is localhost
  REMOTEPORT_DEFAULT=3128         # Default is Squid port
  # Parse ssh port and tunnel details if specified
  SSHPORT=$SSHPORT_DEFAULT
  TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
  while [ "$1" != "" ]
  do
    case $1
    in
      -p) shift;                  # -p option
          SSHPORT=$1;
          shift;;
       *) TUNNEL_DETAILS=$1;      # 1st argument option
          shift;;
    esac
  done
  # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
  shopt -s extglob                        # needed for +(pattern) syntax; man sh
  LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
  USERNAME=$USERNAME_DEFAULT
  HOSTNAME=$HOSTNAME_DEFAULT
  REMOTEHOST=$REMOTEHOST_DEFAULT
  REMOTEPORT=$REMOTEPORT_DEFAULT
  # LOCALHOSTPORT
  CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      LOCALHOSTPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEPORT
  CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEHOST
  CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEHOST=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # USERNAME
  CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%@}                            # delete @
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      USERNAME=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # HOSTNAME
  HOSTNAME=$TUNNEL_DETAILS
  if [ "$HOSTNAME" == "" ]                # no hostname given
  then
      HOSTNAME=$HOSTNAME_DEFAULT
  fi
  ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
      && echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
      || echo "SSH tunnel FAIL."

• Newie Mail server and running other services

  We have a small office network of 6 macs that connect to a Panther server, this server provides DNS and file sharing and thats about it a Filemaker Sever and Retrospect Server. I doesn't suffer from heavy use
  I have been using a a separate mac to run Quickmail server 1 (os9) and I need to upgrade it as some of the mail protocols are out of date.
  We have a static IP address assigned to our mail gateway by our service provider.
  My question or advice
  Should I just start using OS X server to run mail services
  or
  Upgrade Quickmail and continue running it separately on a new mac mini (or similar)
  My concerns are at the moment any problem with email locally can be solved pretty much without effecting the other server or the network.
  Thanks

  The basic setup is prety simple...
  Replace following with your own equivalents...
  Domain name: woopee.com (the domain name after the "@" in your emails)
  Host name: mail.woopee.com (the hostname your MX record points to. Does not need to match server hostname. This will be the hostname mail server uses when communicating with other servers)
  Local Host Aliases: woopee.com (a list of the domains you want to accept mail for. Probably just same as Domain name?)
  Local network: 192.168.10.0/24 (LAN IP range for local users. Used to bypass authentication when they send mail out)
  Server Admin-> Mail-> General...
  Tick:Enable POP
  Tick:Enable IMAP
  Tick:Enable SMTP, Allow incoming mail, Enter Domain name & Host name (from above).
  Mail-> Relay
  Tick: Accept SMTP relays... Enter localhost IP: 127.0.0.1/32 and Local network (from above).
  Tick: Use these junk mail rejection servers. Add: zen.spamhaus.org
  Mail->Filters
  Tick: scan for junk mail. Minimum score: 5 (can be reduced later)
  Junk mail should be: Delivered (will just tag and forward to recipient)
  Tick: Attach subject tag: * Junkmail *
  Tick: Scan email for viruses
  Infected messages should be: Deleted
  Tick: update junk mail & virus database: 1 time per day
  Mail->Advanced->Security
  SMTP: none (this prevents smtp authentication from anyone outside your Local network)
  IMAP: Tick: Clear, Plain, Cram-md5 (or leave all unticked if only using pop accounts)
  POP: Tick: APOP
  Mail->Advanced->Hosting
  Local Host Aliases: Add: localhost & woopee.com (separate entries, see Local host aliases, above)
  That's it (I think ...although I cannot guarantee I have not missed something). There will be no problem setting this up and seeing it going whilst still using the existing mail server. Set up client accounts to send and receive from new server and you can send mail around internally to test. Last thing would be to change your firewall port-forwarding for SMTP from existing server to new one.
  Watch the mail.log in Console for any errors & do plenty tests.
  Ensure users have mail enabled in Workgroup Manager.
  There are plenty mods available beyond this. Have a good read through the mail services manual (I know its a bit confusing at times) and you should see where the above settings fit in.
  Lots of stuff on the forum here which you can search for. Spam filtering in particular can be made far more effective but requires editing of the underlying unix configuration files - again, plenty of previous discussions about that on forum. Meantime, the zen.spamhaus.org RBL will filter out a great many spammers.
  -david