Two days ago we migrated a customer’s Zimbra mailserver to an SSD VPS of our beloved Contabo hosting. While I wasn’t in charge of the migration, I couldn’t refrain from tailing zimbra.log to see how/when mail was flowing through, and I immediately spotted some Connection refused errors for different hosts, even our own mailserver, which is still on a Contabo VPS.
While quite worrying, I let the balls stop before raising an alert.
The day after the migration there were still Connection refused errors in the mail log: time to investigate.
The error was appearing only sometimes, not always, for the same server. While testing with telnet I never got an error; it only happened when Postfix tried the delivery. When forcing a queue flush, if there were 10 mails in the queue, just one or two at most would be delivered; the others for the same server had Connection refused errors.
I thought of all the possible limiting services I had installed on the CentOS 7 system, namely firewalld and SELinux, but the first wasn’t limiting outgoing connections, while SELinux had been disabled. So I had no other choice than asking for feedback from the rather good Contabo support team.
We had a few mail exchanges; here comes the reply:
Since we are not able to verify any cause of this issue from the outside we are assuming that an automated script from our side has limited the amount of separate outgoing SMTP connections to “5”.
We would recommend making according adjustments only allowing 5 outgoing SMTP connections in your mail server configuration.
This looked new to me: we have other VPSes on Contabo which happily deliver mailing lists with no troubles. So I asked further and
Indeed, a change has been applied to all VPS during the last days which affects the sending of e-mails. Bulk or spam e-mails are a real problem nowadays.
To protect the vast majority of our customers from suffering from a few others sending spam, we have applied a limit for sending e-mails from a VPS. Now it is no longer allowed to have more than 5 simultaneously open SMTP connections. This is no real limitation because you are still able to send many e-mails per hour, but it effectively impedes bulk or spam e-mails being sent in large numbers.
This new limitation is active for all VPS, and we are afraid that we cannot allow any exceptions in this case. If this is a real problem for the kind of service you provide and there is no possibility to apply changes to deal with the limitation, we could understand if you cancelled your contract for your VPS.
Another possibility avoiding the e-mail limit would be to use a dedicated server instead of a VPS. This might be an option for you although a dedicated server is more expensive (a Dedicated Server Quad is 39.99 EUR per month).
What really drove me mad is that they made this change without any prior notification to the users, no statement in the FAQs, no mention in the signup page… Totally no communication to their users!
So the big problem for them (and it is a problem) is that some commercial blacklists do block the whole subnet. I had a similar problem when running a Tor exit node on a VPS: some gross blacklist services do ban the whole /24 or the network block.
But Contabo still gives you a single IPv4 address for a dedicated server, so a spamming IP would still impact other customers. I didn’t ask because it was out of the scope of the discussion, but I have to suppose dedicated servers use smaller netblocks than VPSes (which are in /23 or /16 spaces).
Of course comparing a VPS (26,99€ the most expensive) with a dedicated server (39,99€ the cheapest) is not the same, for many reasons. The first is that with a VPS they give you tons of resources (CPU/RAM/disk) that thrill you. Maybe you don’t need them all, but having them available just in case is very good.
You could also consider consolidating different VPSes in one dedicated server, but you must add the price for the additional IPs.
In the next months I have to investigate how to optimize Zimbra and Postfix in order to reduce delivery delays due to the 5 concurrent SMTP connections. Our customer sends a lot of mails, and most of them are for 3 to 6 recipients each, making them harder to deliver. Postfix should reuse the same connection for the same server by default, but to speed up delivery it’s probably using several connections. I need to investigate.
Much different story for delivering a mailing list!
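As a starting point for that investigation, here is a Postfix configuration sketch that keeps the mail server under the provider's limit of 5 simultaneous SMTP connections. It is an example added here, not a tested Zimbra configuration: the parameters are standard Postfix ones, while the chosen values and the stock master.cf layout are assumptions (Zimbra manages its own copies of these files).

```conf
# --- master.cf (stock Postfix layout assumed) ---
# Each smtp(8) client process holds one connection at a time, so the
# maxproc column is a hard ceiling on simultaneous outbound sessions
# for this transport. The default "-" means $default_process_limit (100).
# service type  private unpriv  chroot  wakeup  maxproc command
smtp      unix  -       -       n       -       5       smtp
# Any other service that runs the smtp client (for example "relay")
# opens connections of its own; their maxproc values add to the total.

# --- main.cf ---
# Do not let a single slow destination occupy all five slots.
# (Default is $default_destination_concurrency_limit = 20.)
smtp_destination_concurrency_limit = 2
# Start each destination low as well; the default initial value is 5.
initial_destination_concurrency = 2
# Reuse an open session for further mail to the same destination.
# These are the Postfix defaults, spelled out for clarity.
smtp_connection_cache_on_demand = yes
smtp_connection_reuse_time_limit = 300s
# A message to several recipients at the same domain is sent in one
# transaction, up to this many recipients (default 50).
smtp_destination_recipient_limit = 50
```

With the process ceiling in place, the queue manager simply waits for a free delivery slot instead of opening a sixth connection that the provider would refuse.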