In the past month, I have realized that some blacklists have decided
to list my IP. Spamhaus suggests in its documentation that my
outgoing email is not correctly using SMTP Authentication.
I'm assuming by your IP, are you referring to nullmailer's IP or your ISP's?
Is it just Spamhaus, or are other blocklists listing the IP?
Spamhaus is IMO an extortion racket masking as a spam fighter. They have
pretty low credibility in the mail server admin crowd.
Having said that, if your ISP is allowing unencrypted email
authentication, then in this case Spamhaus and any other blocklist are
correct - the ISP is incompetent and a danger to the internet. Read on
for an explanation...
I suspect my problem is with nullmailer, and the fact that it does
not seem to support STARTTLS on ubuntu 12.04.
If the shell command below (run as root) returns nothing, it could mean
that you've been sending your password to your ISP in clear text.
Normally your ISP should not allow cleartext authentication!
updatedb && `locate /nullmailer/smtp` --help|grep ssl
(Note the backticks around the middle bit, which if replaced with single
quotes will not work)
If it chokes on updatedb, I recommend that you, as root:
apt-get install mlocate
as it's really fast at finding files on your system. You'll need to run
updatedb to create the index before a locate will work.
If you don't want to bother installing mlocate, you can try:
/usr/lib/nullmailer/smtp --help|grep ssl
...which works on a default install of nullmailer on Ubuntu.
nullmailer is authenticating with my provider using a password. But
it is not authenticating using STARTTLS.
You need to confirm whether or not this is true, and if so, gather proof
that your ISP is allowing clear text authentication.
Trouble is that I don't know how I can enable starttls on nullmailer
Edit the file "/etc/nullmailer/remotes" (assuming your version of
nullmailer supports TLS - the latest Ubuntu version does). The line for
your ISP's mail server should contain "--starttls". Example:
deliv.foscore.com smtp --port=587 --starttls --user=<loginname>
--pass=<password>
You may also need to add the "--insecure" option, which isn't as ominous
as it sounds. It just means that you'll still connect using encryption,
but without caring about the ISP's server certificate (which they most
likely have buggered up anyway).
If your nullmailer doesn't do STARTTLS, did you install it manually, or
through Ubuntu's package manager? If it was a manual install, you need
to remove it before using apt-get (or the Software Manager).
BTW, if you've been authenticating to your ISP without encrypted
connections, anyone sniffing their mail server's traffic can scoop
people's passwords. This means that your ISP is not only grossly
incompetent, it is also in violation of many countries' privacy laws!
Usually an ISP email password is also the password used to log into
their account on the ISP's web server. Hackers could be doing all kinds
of crazy shit, including identity theft, and the ISP (let alone the
user) wouldn't even know it! WTF???
So if this is indeed the case, identify the ISP to us, so we can avoid
them like the plague. And change your password immediately of course...