An ag(e)ing hacker, Luca Saiu's blog
2022-10-24 00:35 (last update: 2022-11-21 05:11) Luca Saiu

SMTP, OrangeWebsite and using your own computing resources

I have had a personal server with the domain ageinghacker.net since 2010. At the beginning I was sharing hosting costs with two or three other people, each of us running a virtual machine inside a Virtual Private Server. By 2016 my requirements had grown, I wanted stability and so decided to rent a VPS by myself.
Around that time I had also decided to run a Tor exit node for the benefit of the global community, and more in general wanted my server to be in a country that allowed some freedom of speech; since I did not, then like now, even remotely trust the US and EU I looked for a hosting provider in some place I had a better opinion about, and eventually chose OrangeWebsite in Iceland.

My server runs the web site https://ageinghacker.net plus a good number of other services, mostly not intended for the public: a small IRC server, a VPN, NFS (only for myself over the VPN), git and bzr; you may have seen the git web interface I use for GNU Jitter at https://git.ageinghacker.net/jitter. Sometimes I use my server to pass large files around. I have my own Mumble server; Mailman mailing lists. A wiki that few people have seen but I occasionally use for private projects; Gopher and Gemini, because I despise the web and like toying with alternatives.
Of course ageinghacker.net runs its own mail services over the usual combination of local, SMTP, POP and IMAP in their unencrypted and encrypted variants; I am currently using Postfix and Dovecot. At work I find ageinghacker.net useful for testing, since I develop a (mostly) mail-based system at p≡p Foundation, which uses SMTP and IMAP: I can play with accounts and aliases and make any number of mailboxes on my server.
Then there is the small Tor exit node I provide for the community, for which I bought a separate second IP address; even with my own scripts based on iptables preventing it from eating up all the bandwidth Tor remains by far the heaviest service in terms of resource usage.

Since I believe in the command line I access the server over SSH. Some of the files which are not security-critical, for example web pages, I edit over NFS over the VPN, without ever leaving the Emacs editor running on my local laptop and without even using TRAMP.

Some of the services on my VPS run on non-standard ports and are otherwise heavily customised, or configured in unusual ways. This is normal: it was my server alone before E. came into my life. Now she uses it as well, mostly from the alternative domain saiu.ch resolving to the same IP address.

So the machine is used by me, by E. and also by a few friends who asked for an account. Since José Marchesi needed it I also set up a git repository and a script to update his “Pokology” website. Of course; why not. They are friends, and GNU poke is a nice project.
To me it is beautiful to remotely connect to the same server and work together: I like the symbol of it. And of course we also have the old-style Unix talk program, that everybody likes.

The VPS is not a big system and feels overloaded at times, but as experienced users we can handle it. It usually has an uptime of many months when not years.

I have come to love ageinghacker.net and to depend on it.

Around October 15th OrangeWebsite broke my mail service, without telling me

Around October 15th, surprised that I had not received a copy of some message which was supposed to include me in Cc:, I checked my mail server configuration.

The Postfix logs were clear: the message supposed to arrive in my mailbox @ageinghacker.net had never reached my SMTP server. Thinking that the problem was on the sender’s side I ignored the issue for a few hours. Then a doubt came to my mind: I tried to contact my SMTP server (in fact at first I was misled by Swisscom intercepting my communication attempt: see below) from outside, and eventually discovered that port 25 smtp was blocked. There was no mistake, and indeed no recent change, in my configuration. It was not my fault.

After I opened a support ticket a customer-support representative at OrangeWebsite candidly confirmed that they had indeed blocked my port 25:

Yes, we have blocked Port 25, we noticed a high influx of people buying level 1 servers and using them send spam on port 25 then having that server closed after a month. This destroys our IP range so to counter this we have blocked the port. This is something new so we will have to work out a few kinks here and there. As you have had your server for a long period and your IP is not blacklisted anywhere we can remove the block for you. If you have any other issues please let us know.

After verifying that ageinghacker.net could now be contacted on port 25 and receive messages I replied, making it very clear that I was unhappy, even more because I had not been notified in advance.

I did not lose messages just because I checked carefully and quickly: after traffic could reach port 25 again I received the older messages that had been lying in some queue on the sender’s side, waiting for my SMTP server to become reachable again.
No message to me bounced, that I know of.

The exchange irritated me. I had always had a good experience with OrangeWebsite up to that point, and, having renewed my subscription with them for three more years only recently, I started wondering whether I should have switched to a different hosting provider instead.

On October 20th I received an email from OrangeWebsite

On October 20th I received an email from OrangeWebsite about new requirements for using port 25; I believe it was a canned message sent to every VPS customer. I am reproducing the message here with only whitespace changes, for clarity:

From: "Orangewebsite.com" <noreply@orangewebsite.com>
Subject: IMPORTANT: Port 25 Blocked as of now, contact support to have it opened (requires criteria to be met)
To: (me)
Date: Thu, 20 Oct 2022 01:20:06 +0200(CEST)

Dear Client,

We strive to give all our clients the best service we have to offer, which
includes protection against abusive behavior. To prevent your legitimate server
from receiving a bad IP Reputation amongst high-profile lists such as SORBS,
SpamHaus, and others, we've amended our terms of service policy with the
following:

   11.1) VPS Non-Authenticated SMTP
   All virtual servers have port 25 (non-authenticated) smtp
   blocked. All servers requiring this port to be enabled, need to be
   fullfil any of the following criteria:

   At least 3 months old in existance
   Billing cycle is quarterly (3-Months) and above
   VPS Level 3 and above

   and a valid reason is given as to why needed. This rule is in place
   to prevent abusive spoofing behavior on the network. We suggest anyone
   with legitimate use to send email to utilize secure smtp services such
   as https://sendgrid.com/solutions/email-api/smtp-service/ or
   https://sendlayer.com/.  Refunds are not given on the basis of the
   server not having this port enabled as there are good alternatives
   available for the legitimate end-user.

What this means is that if you have your email applications, WordPress, Joomla,
and other scripts to handle deliveries, normally those would go out through port
25, an unsecured email port. This port is being blocked by many high-profile
mail delivery servers or marked as "Spam" or "Insecure". The best way to deliver
emails is through an SMTP Authenticated server.


WP Mail SMTP: https://wordpress.org/plugins/wp-mail-smtp/ - This plugin allows
you to plug in your own SMTP server and or any other SMTP service such as
Sendgrid/Sendlayer/Mailchimp/Mailgun to handle mail deliveries efficiently.
Joomla SMTP Settings: https://serversmtp.com/smtp-joomla-settings/ - In Joomla,
one can set the SMTP in the Global settings, and connect to their own SMTP and
or 3rd party SMTP service which there are many.

Is this common practice?

It sure is, it is widely known that hosting providers block 25 by default, and
allow it only on a case-by-case basis. This is to significantly reduce the
abusive behavior of signing up, and spamming emails out of the network,
tarnishing the IP reputation and causing issues for legitimate clients.

Still, I want port 25 enabled, I need it!

If you truly need to SEND emails from your server directly, you can contact
support to have port 25 opened outbound, however, we require server nodes to
fulfill any of the criteria

At least 3 months old, billing cycle to be 3 months and above, VPS to be level 3
and higher and require a valid reason for sending email from the server, and why
using legitimate secure SMTP which there are so many available in the world, to
send your email for you securely is not an option.

We may ask for identification, and a copy of your passport and update your
account so it may no longer be anonymous (if it is). This is done to build trust
between our network and you for the responsible use cases of the SMTP service in
our virtual environment.

Any further questions feel free to open a support ticket.

Best greetings,
- Customer Service
Orangewebsite.com - 'Your solid business partner'

The message deals with sending mail from a VPS system, while instead I had had problems receiving. I overlooked that point at the time.

(And the world is not the web, I would be tempted to say.)

The OrangeWebsite people have always prided themselves of respecting their customers’ privacy (they accepted cryptocurrency payment and did not demand to know a customer’s real name), and of standing for free speech. Now instead new requirements that did not exist before have suddenly been put in place: one needs to give them justifications for using SMTP on a paid server, and they may ask for a copy of a user’s passport (!).

And no refunds even if the rules changed after one had bought the service on different terms, since in their opinion there are “good alternatives” to using an own SMTP server.

I disliked the tone of that message. Even if I believed that the change did not apply to me personally, since access to port 25 had been restored for me just a few days before, that email left me fuming with anger and pushed me to write this post. However I checked again after receiving the message: SMTP was working on ageinghacker.net, for both sending and receiving.

Contacting other hosting providers in Iceland

In order to research this post and propose alternatives to OrangeWebsite, and possibly for myself to switch as well, I researched OrangeWebsite’s main competitors.

I found two Icelandic hosting providers which support free speech and, in particular, allow hosting Tor exit nodes (1): 1984 Hosting and FlokiNET.

FlokiNET

FlokiNET owns (or more likely rents space in) multiple data centres and offers a choice of Romania, Netherlands, Finland and Iceland, with Iceland being the most expensive option.

Since I want nothing to do with the EU I am only considering the Iceland offer, on which (they warn very visibly) no “adult content” is allowed. While not personally interested in hosting such content I consider this to be a flaw: free speech was the entire point of this exercise. [2022-10-24 update: in response to this article a FlokiNET representative specified that hosting “adult content” is illegal in Iceland; a cursory search confirms this. I am astonished.]

This clause, instead, I like:

FlokiNET is not authorized to monitor customer traffic through or use of the Service other than for statistics or management of the service function.

(I am not claiming that OrangeWebsite behaves differently in this regard. They have always asked for permission before touching my VPS, even if only for rebooting; in fact I think they only ever did it for that reason, with my authorisation.)

As per https://billing.flokinet.is/index.php?rp=/store/virtual-private-server-iceland FlokiNET’s “Iceland VPS I” offer comes with 1 CPU core, 1 GB RAM, 20GB space (SSD, but I am not sure it is local), 1 TB traffic per month, 1 IPv4 address and 64 IPv6 addresses, for 9.5€/month plus a 5€ setup fee. The VPS is virtualised using KVM, like on OrangeWebsite.
This offer is much cheaper than OrangeWebsite’s “VPS Level 1” offer and has equal or better specs, except for the single CPU core.

I did not find an explicit offer of more IP addresses for the same server.

The FlokiNET ordering interface presents no current VPS offers, showing zero products available — however see below.

1984 Hosting

1984 is quite vocal in its promotion of free software and civil rights, values of which I strongly approve. I am less interested in 1984’s environmentalist stance (OrangeWebsite makes similar claims), stated by making a point of its reliance on only “green energy from renewable, sustainable sources”. In 1984’s defence, I appreciate its honesty in specifying how “This is achievable in Iceland” (my emphasis) largely because of the cold climate.

Deep in 1984’s Terms of Service document I found a prohibition of “pornography or sexual products” [2022-10-24 update: see the remark above, which also applies to 1984] and another, I would say much more concerning, about “any materials or information that are, in the opinion of 1984 ehf., illegal, harmful or ethically objectionable”.

This moralism seems to be a feature of the culture of a certain Left from which I have taken great care to distance myself.

1984 does offer currently available VPS systems. According to https://1984.hosting/product/pricelist/ its “VPS #1” server option with 1GB RAM, 1 CPU, 25GB disk and 1 TB transfer per month goes for €5/month.
Very similar to the FlokiNET offer but even cheaper, it again has better specs than OrangeWebsite’s “VPS Level 1” except for 1984’s single CPU core.

As with FlokiNET, I did not find an explicit offer of more IP addresses for the same server either; with OrangeWebsite ordering that option is quite easy.

Contacting OrangeWebsite’s competitors

I contacted both 1984 and FlokiNET, recounting my experience with OrangeWebsite up to that point and asking about limits on their SMTP service. Within less than 24 hours they both replied, stating in categorical terms that they do not tolerate spam (but spam coming from me has never been the problem at OrangeWebsite either) and at the same time making it very clear that they pose no limit over the usage of SMTP and that they do not block any port.

The FlokiNET representative wrote me that the company keeps VPS offers showing as unavailable for purchase “due to high demand”, but is able to issue exceptions.

On October 22 I noticed that my mail was broken again

After checking whether somebody had already replied to a message of mine, a doubt came to my mind: Had my message, coming from ageinghacker.net, reached its destination?
No. It had timed out, and remained in an outgoing queue on my server.

It turned out that every outgoing message was stuck, as some other rule blocked connections this time from my server to any other server’s port 25, while SMTP worked correctly in the other direction. I had done nothing. It was OrangeWebsite again.

And so I opened another ticket, quite upset. The subject: “You have broken my outgoing mail again. I want to be able to use SMTP”.

The reply stated:

The method that was used for opening/closing ports was flawed and was replaced with a switch block, meaning it happens at the core switch for the service, this is why this happened, we’ll resolve this. We require no further validation from your end, you are not the type of people we’re excluding. We’re trying to protect clients such as yourself as we’ve been a focus point of a new spam ring, which has up to this point occupied loads of VM’s cheapest available to load a single mailer called Alexus Mailer, and the sole point is to spoof emails, and tarnish the entire CIDR reputation which would include your IP.

We’ve now stopped this, and have repaired some of the reputation on those IP’s and provided adequate proof to Spamhaus and SORBS that actions sever have been taken to prevent this.

So to confirm, we’ll open your IP right now.

SMTP is indeed working again.

After a while the operator felt the need to add a further message, replying to my earlier complaints on the passport requirement:

Not at all, we still offer anonymity to our clients, but we "may ask" doesn’t mean we do ask, in your case we don’t need to. We add it in there to prevent bad behavior people who just signed up to use our service for malicious ways. We’re seeing drops in servers now that 25 is closed. Anyway it doesn’t mean we backtrack our premise, it just means we need to make it a deterrent for people with bad intention to not damage our IP reputation, once they do, you will start suffering for it when Spamhaus lists the whole range for the bad apples and your emails start coming back as bounced.

With that said, you are all set and this should not occur again unless you have your IP switched in which case you should ask for this to be whitelisted again.

The new stipulation may not mean that they do ask, but it means that they have the power to ask whenever they want.

Not good enough.

We all know that the world is an ugly place, or Why you should run your own services including SMTP

This is what happens if I try to connect to my server’s SMTP port from home, using our domestic Swisscom DSL.

[luca@moore ~]$ telnet smtp.ageinghacker.net smtp
Trying 82.221.139.216...
Connected to abelson.ageinghacker.net.
Escape character is '^]'.
220 nwas.bluewin.ch vimdzmsp-nwas02.bluewin.ch Swisscom AG ESMTP server ready

You can recognise my machines, all named after computer scientists: the computers involved here are my laptop moore (after Chuck Moore) sitting here on my desk and the VPS abelson (after Harold Abelson) at OrangeWebsite.

smtp.ageinghacker.net is indeed an alias, in the sense of a CNAME DNS record, for abelson.ageinghacker.net, with IP address 82.221.139.216; the IP address belongs to the Icelandic AS50613 Thor Data Center, which is correct.

The machine that responded to my telnet client, however, was not abelson: it was some machine from Swisscom pretending to be abelson and relaying SMTP commands from my client to it.

To me this qualifies as a man-in-the-middle attack; I do not care if it is in their contracts or they claim not to hide it. What is Swisscom’s excuse for doing this to its customers?

It is not just the US and the EU, of course; I have absolutely no trust in Switzerland either. Do not trust any service provider: expect to be spied upon.

Just to be clear to non-technical people who may be reading, this is not at all OrangeWebsite’s fault. It is just an example of why OrangeWebsite’s justifications are unacceptable and in fact now in the days of surveillance capitalism (or worse) we need independent, replicated, decentralised mail infrastructure, more than ever. The physical and virtual infrastructure around us is hostile. Delegating the job of secure communications to others or to “the cloud” is not the solution. It is rather the opposite of the solution.

Notice how if I use the smtps port instead of smtp then Swisscom does not attempt a man-in-the-middle:

[luca@moore ~]$ telnet smtp.ageinghacker.net smtps
Trying 82.221.139.216...
Connected to abelson.ageinghacker.net.
Escape character is '^]'.
220 abelson.ageinghacker.net ESMTP Postfix

At the moment of exchanging certificates the attack would become obvious and the client would notice, as long as the CA were not also compromised.
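A small check in the spirit of the two telnet sessions above, added here as an example and not part of the original post: it extracts the hostname from the SMTP 220 greeting and flags a mismatch against the names the server legitimately announces (smtp.ageinghacker.net is a CNAME for abelson, so both are accepted), and on the smtps port lets the TLS library validate the certificate, which is the step that exposes a relay in the path. The two greeting strings are copied from the sessions above; the live probe assumes network access and a system CA bundle, and the host names passed to it are the post’s own.

```python
import socket
import ssl
import sys

# Greetings quoted in the post, kept here so the logic can be exercised offline.
INTERCEPTED_BANNER = ("220 nwas.bluewin.ch vimdzmsp-nwas02.bluewin.ch "
                      "Swisscom AG ESMTP server ready")
GENUINE_BANNER = "220 abelson.ageinghacker.net ESMTP Postfix"


def greeting_host(banner: str) -> str:
    """Return the hostname announced in an RFC 5321 greeting.

    The first line is "220 <domain> ..." or "220-<domain> ..." (multi-line
    greeting); anything else is not a service-ready greeting.
    """
    line = banner.splitlines()[0] if banner else ""
    if not line.startswith("220") or len(line) < 5 or line[3] not in " -":
        raise ValueError(f"not an SMTP 220 greeting: {line!r}")
    return line[4:].split()[0].lower()


def is_intercepted(banner: str, expected_hosts) -> bool:
    """True when the greeting names a host other than the ones we expect.

    A transparent proxy that terminates port 25 for its subscribers answers
    with its own greeting, which is how the relay above gave itself away.
    """
    return greeting_host(banner) not in {h.lower() for h in expected_hosts}


def fetch_banner(host: str, port: int, use_tls: bool, timeout: float = 10.0) -> str:
    """Connect to host:port and return the greeting line(s).

    With use_tls=True (implicit TLS, the smtps port) the certificate chain and
    hostname are verified before a byte is read, so a relay in the path would
    need a certificate valid for `host`; otherwise the handshake fails.
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:
            ctx = ssl.create_default_context()  # verifies chain and hostname
            sock = ctx.wrap_socket(sock, server_hostname=host)
        return sock.recv(1024).decode("ascii", errors="replace")
    finally:
        sock.close()


def check_path(host: str, expected_hosts) -> dict:
    """Probe the smtp and smtps ports and classify each path."""
    report = {}
    for port, tls in ((25, False), (465, True)):
        try:
            banner = fetch_banner(host, port, tls)
            report[port] = "intercepted" if is_intercepted(banner, expected_hosts) else "direct"
        except ssl.SSLCertVerificationError as exc:
            report[port] = f"tls verification failed: {exc.verify_message}"
        except (OSError, ValueError) as exc:
            report[port] = f"error: {exc}"
    return report


if __name__ == "__main__":
    # Offline: classify the two greetings quoted in the post.
    names = ["smtp.ageinghacker.net", "abelson.ageinghacker.net"]
    for b in (INTERCEPTED_BANNER, GENUINE_BANNER):
        print(greeting_host(b), "intercepted" if is_intercepted(b, names) else "direct")
    if len(sys.argv) > 1:  # live probe: python3 check.py smtp.ageinghacker.net
        print(check_path(sys.argv[1], names))
```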

Mail has been designed long ago, perhaps by accident, as a decentralised federated service. We should exploit this good design by using multiple small instances. José and I were speaking not long ago about the GNU Project being, again by accident and at least to GNU hackers, one of the remaining providers of email services not affiliated with mass-surveillance entities such as Google. We need more entities like it, even smaller than it and together more resilient to surveillance and censorship.

Conclusion

What OrangeWebsite should do in my opinion is:

  • apologising, which by itself for a company means little, but costs nothing. OrangeWebsite’s behaviour to its paying customers in this instance has been atrocious. Acknowledging this fact will be the first step to let this episode slip into the past, one negative data point against years and years’ worth of excellent service and customer support;
  • offering a refund to those who do not accept the new rules.

In the meantime I suggest those who are already using or planning to use OrangeWebsite’s service to consider 1984 Hosting and FlokiNET as alternatives.

— Luca Saiu, 2022-10-24 00:35 (last update: 2022-11-21 05:11)

Tags:
1984-hosting, email, english, flokinet, freedom, free-software, gnu, hosting, iceland, myself, orangewebsite, port-25, p≡p, server, smtp, surveillance, swisscom, switzerland, vps

The opinions I express here are my own and do not necessarily reflect the beliefs or policies of my employer, or for that matter of anyone else. In case you felt that the public statement of my thoughts threatened your warm sense of security and your emotional stability, please feel free to leave at any time.

The system does not support user comments and probably never will. Anyway you can contact me if you want to discuss some topic with me. I might update my posts if you provide interesting insights.


Copyright © 2009, 2011-2014, 2017, 2018, 2021, 2022 Luca Saiu
Verbatim copying and redistribution of this entire page are permitted in any medium without royalties, provided this notice is preserved.
This page was generated by trivialblog. trivialblog is free software, available under the GNU GPL.


Footnotes

(1)

Claiming to support free speech, with words, is cheap.