An ag(e)ing hacker, Luca Saiu's blog
2022-10-24 00:35 (last update: 2024-01-04 19:55) Luca Saiu
I have had a personal server with the domain ageinghacker.net
since 2010.
At the beginning I was sharing hosting costs with two or three
other people, each of us running a virtual machine inside a Virtual
Private Server.
By 2016 my requirements had grown and I wanted stability, so I
decided to rent a VPS by myself.
Around that time I had also decided to run a Tor exit node for the
benefit of the global community, and more in general wanted my server
to be in a country that allowed some freedom of speech; since I did
not, then as now, even remotely trust the US and EU I looked for
a hosting provider in some place I had a better opinion about, and
eventually chose OrangeWebsite in Iceland.
My server runs the web site https://ageinghacker.net plus a good
number of other services, mostly not intended for the public: a small
IRC server, a VPN, NFS (only for myself over the VPN), git and bzr;
you may have seen the git web interface I use for GNU Jitter at
https://git.ageinghacker.net/jitter. Sometimes I use my server
to pass large files around. I have my own Mumble server and Mailman
mailing lists; a wiki that few people have seen but I occasionally use
for private projects; Gopher and Gemini, because I despise the web and
like toying with alternatives.
Of course ageinghacker.net runs its own mail services over the usual
combination of local delivery, SMTP, POP and IMAP in their unencrypted
and encrypted variants; I am currently using Postfix and Dovecot.
At work I find ageinghacker.net
useful for testing, since
I develop a (mostly) mail-based system for the
p≡p Project, which uses
SMTP and IMAP: I can play with accounts and aliases and make any
number of mailboxes on my server.
Then there is the small Tor exit node I provide for the community, for
which I bought a separate second IP address; even with my own scripts
based on iptables preventing it from eating up all the bandwidth, Tor
remains by far the heaviest service in terms of resource usage.
Since I believe in the command line I access the server over SSH. Some of the files which are not security-critical, for example web pages, I edit over NFS over the VPN, without ever leaving the Emacs editor running on my local laptop and without even using TRAMP.
Some of the services on my VPS run on non-standard ports and are
otherwise heavily customised, or configured in unusual ways. This is
normal: it was my server alone before E. came into my life.
Now she uses it as well, mostly from the alternative domain
saiu.ch
resolving to the same IP address.
So the machine is used by me, by E. and also by a few friends who
asked for an account.
Since José Marchesi needed it I also set up
a git repository and a script to update his
“Pokology” website.
Of course; why not. They are friends, and
GNU poke is a nice project.
To me it is beautiful to remotely connect to the same server and work
together: I like the symbol of it. And of course we also have the
old-style Unix talk
program,
that everybody likes.
The VPS is not a big system and feels overloaded at times, but as experienced users we can handle it. It usually has an uptime of many months when not years.
I have come to love ageinghacker.net
and to depend on it.
Around October 15th, surprised that I had not received a copy of some
message which was supposed to include me in Cc:, I checked my
mail server configuration.
The Postfix logs were clear: the message supposed to arrive in my
mailbox @ageinghacker.net had never reached my SMTP server.
Thinking that the problem was on the sender’s side I ignored the issue
for a few hours. Then a doubt came to my mind: I tried to contact my SMTP
server from outside (in fact at first I was misled by Swisscom intercepting
my communication attempt: see below), and eventually discovered that
port 25 (smtp) was blocked. There was no mistake, and indeed no recent
change, in my configuration. It was not my fault.
After I opened a support ticket a customer-support representative at OrangeWebsite candidly confirmed that they had indeed blocked my port 25:
Yes, we have blocked Port 25, we noticed a high influx of people buying level 1 servers and using them to send spam on port 25 then having that server closed after a month. This destroys our IP range so to counter this we have blocked the port. This is something new so we will have to work out a few kinks here and there. As you have had your server for a long period and your IP is not blacklisted anywhere we can remove the block for you. If you have any other issues please let us know.
After verifying that ageinghacker.net could now be contacted on
port 25 and receive messages I replied, making it very clear that I
was unhappy, even more so because I had not been notified in advance.
I lost no messages, but only because I checked carefully and quickly:
after traffic could reach port 25 again I received the older messages
that had been lying in some queue on the sender’s side, waiting for
my SMTP server to become reachable again.
No message to me bounced, that I know of.
The exchange irritated me. I had always had a good experience with OrangeWebsite up to that point, and having renewed my subscription with them for three more years only recently, I started wondering whether I should have switched to a different hosting provider instead.
On October 20th I received an email from OrangeWebsite about new requirements for using port 25; I believe it was a canned message sent to every VPS customer. I am reproducing the message here with only whitespace changes, for clarity:
From: "Orangewebsite.com" <noreply@orangewebsite.com>
Subject: IMPORTANT: Port 25 Blocked as of now, contact support to have it opened (requires criteria to be met)
To: (me)
Date: Thu, 20 Oct 2022 01:20:06 +0200 (CEST)

Dear Client,

We strive to give all our clients the best service we have to offer, which includes protection against abusive behavior. To prevent your legitimate server from receiving a bad IP Reputation amongst high-profile lists such as SORBS, SpamHaus, and others, we've amended our terms of service policy with the following:

11.1) VPS Non-Authenticated SMTP
All virtual servers have port 25 (non-authenticated) smtp blocked. All servers requiring this port to be enabled, need to be fullfil any of the following criteria:
At least 3 months old in existance
Billing cycle is quarterly (3-Months) and above
VPS Level 3 and above and a valid reason is given as to why needed.
This rule is in place to prevent abusive spoofing behavior on the network. We suggest anyone with legitimate use to send email to utilize secure smtp services such as https://sendgrid.com/solutions/email-api/smtp-service/ or https://sendlayer.com/. Refunds are not given on the basis of the server not having this port enabled as there are good alternatives available for the legitimate end-user.

What this means is that if you have your email applications, WordPress, Joomla, and other scripts to handle deliveries, normally those would go out through port 25, an unsecured email port. This port is being blocked by many high-profile mail delivery servers or marked as "Spam" or "Insecure". The best way to deliver emails is through an SMTP Authenticated server.

WP Mail SMTP: https://wordpress.org/plugins/wp-mail-smtp/ - This plugin allows you to plug in your own SMTP server and or any other SMTP service such as Sendgrid/Sendlayer/Mailchimp/Mailgun to handle mail deliveries efficiently.
Joomla SMTP Settings: https://serversmtp.com/smtp-joomla-settings/ - In Joomla, one can set the SMTP in the Global settings, and connect to their own SMTP and or 3rd party SMTP service which there are many.

Is this common practice?
It sure is, it is widely known that hosting providers block 25 by default, and allow it only on a case-by-case basis. This is to significantly reduce the abusive behavior of signing up, and spamming emails out of the network, tarnishing the IP reputation and causing issues for legitimate clients.

Still, I want port 25 enabled, I need it!
If you truly need to SEND emails from your server directly, you can contact support to have port 25 opened outbound, however, we require server nodes to fulfill any of the criteria At least 3 months old, billing cycle to be 3 months and above, VPS to be level 3 and higher and require a valid reason for sending email from the server, and why using legitimate secure SMTP which there are so many available in the world, to send your email for you securely is not an option. We may ask for identification, and a copy of your passport and update your account so it may no longer be anonymous (if it is). This is done to build trust between our network and you for the responsible use cases of the SMTP service in our virtual environment.

Any further questions feel free to open a support ticket.

Best greetings,
- Customer Service
Orangewebsite.com - 'Your solid business partner'
The message deals with sending mail from a VPS system, while instead I had had problems receiving. I overlooked that point at the time.
(And the world is not the web, I would be tempted to say.)
The OrangeWebsite people have always prided themselves on respecting their customers’ privacy (they accepted cryptocurrency payment and did not demand to know a customer’s real name), and on standing for free speech. Now instead new requirements that did not exist before have suddenly been put in place: one needs to give them justifications for using SMTP on a paid server, and they may ask for a copy of a user’s passport (!).
And no refunds even if the rules changed after one had bought the service on different terms, since in their opinion there are “good alternatives” to using an own SMTP server.
I disliked the tone of that message.
Even if I believed that the change did not apply to me personally,
since access to port 25 had been restored for me just a few days
before, that email left me fuming with anger and pushed me to write
this post.
However I checked again after receiving the message: SMTP was working
on ageinghacker.net, for both sending and receiving.
In order to research this post and propose alternatives to OrangeWebsite, and possibly for myself to switch as well, I researched OrangeWebsite’s main competitors.
I found two Icelandic hosting providers which support free speech and, in particular, allow hosting Tor exit nodes¹: 1984 Hosting and FlokiNET.
FlokiNET owns (or more likely rents space in) multiple data centres and offers a choice of Romania, the Netherlands, Finland and Iceland, with Iceland being the most expensive option.
Since I want nothing to do with the EU I am only considering the Iceland offer, on which (they warn very visibly) no “adult content” is allowed. While not personally interested in hosting such content I consider this to be a flaw: free speech was the entire point of this exercise. [2022-10-24 update: in response to this article a FlokiNET representative specified that hosting “adult content” is illegal in Iceland; a cursory search confirms this. I am astonished.]
This clause, instead, I like:
FlokiNET is not authorized to monitor customer traffic through or use of the Service other than for statistics or management of the service function.
(I am not claiming that OrangeWebsite behaves differently in this regard. They have always asked for permission before touching my VPS, even if only for rebooting; in fact I think they only ever did it for that reason, with my authorisation.)
As per
https://billing.flokinet.is/index.php?rp=/store/virtual-private-server-iceland
FlokiNET’s “Iceland VPS I” offer comes with 1 CPU core, 1 GB RAM,
20GB space (SSD, but I am not sure it is local), 1 TB traffic per month,
1 IPv4 address and 64 IPv6 addresses, for 9.5€/month plus a 5€ setup fee.
The VPS is virtualised using KVM, like on OrangeWebsite.
This offer is much cheaper than OrangeWebsite’s “VPS Level 1” offer
and has equal or better specs, except for the single CPU core.
I did not find an explicit offer of more IP addresses for the same server.
The FlokiNET ordering interface presents no current VPS offers, showing zero products available — however see below.
1984 is quite vocal in its promotion of free software and civil rights, values of which I strongly approve. I am less interested in 1984’s environmentalist stance (OrangeWebsite makes similar claims), stated by making a point of its reliance on only “green energy from renewable, sustainable sources”. In 1984’s defence, I appreciate its honesty in specifying how “This is achievable in Iceland” (my emphasis) largely because of the cold climate.
Deep in 1984’s Terms of Service document I found a prohibition of “pornography or sexual products” [2022-10-24 update: see the remark above, which also applies to 1984] and another, I would say much more concerning, about “any materials or information that are, in the opinion of 1984 ehf., illegal, harmful or ethically objectionable”.
This moralism seems to be a feature of the culture of a certain Left from which I have taken great care to distance myself.
1984 does offer currently available VPS systems. According to
https://1984.hosting/product/pricelist/ its “VPS #1” server
option with 1GB RAM, 1 CPU, 25GB disk and 1 TB transfer per month
goes for €5/month.
Very similar to the FlokiNET offer but even cheaper, and again with
equal or better specs than OrangeWebsite’s “VPS Level 1” except for
the single CPU core.
As in the case of FlokiNET, I did not find an explicit offer of more IP addresses for the same server; with OrangeWebsite ordering that option is quite easy.
I contacted both 1984 and FlokiNET, recounting my experience with OrangeWebsite up to that point and asking about limits on their SMTP service. Within less than 24 hours they both replied, stating in categorical terms that they do not tolerate spam (but spam coming from me has never been the problem at OrangeWebsite either) and at the same time making it very clear that they place no limit on the usage of SMTP and that they do not block any port.
The FlokiNET representative wrote me that the company keeps VPS offers showing as unavailable for purchase “due to high demand”, but is able to issue exceptions.
After checking whether somebody had already replied to a message of
mine, a doubt came to my mind: had my message, coming from
ageinghacker.net, reached its destination?
No. It had timed out, and remained in an outgoing queue on my server.
It turned out that every outgoing message was stuck: this time some other rule blocked connections from my server to any other server’s port 25, while SMTP worked correctly in the other direction. I had done nothing. It was OrangeWebsite again.
And so I opened another ticket, quite upset. The subject: “You have broken my outgoing mail again. I want to be able to use SMTP”.
The reply stated:
The method that was used for opening/closing ports was flawed and was replaced with a switch block, meaning it happens at the core switch for the service, this is why this happened, we’ll resolve this. We require no further validation from your end, you are not the type of people we’re excluding. We’re trying to protect clients such as yourself as we’ve been a focus point of a new spam ring, which has up to this point occupied loads of VM’s cheapest available to load a single mailer called Alexus Mailer, and the sole point is to spoof emails, and tarnish the entire CIDR reputation which would include your IP.
We’ve now stopped this, and have repaired some of the reputation on those IP’s and provided adequate proof to Spamhaus and SORBS that actions sever have been taken to prevent this.
So to confirm, we’ll open your IP right now.
SMTP is indeed working again.
After a while the operator felt the need to add a further message, replying to my earlier complaints on the passport requirement:
Not at all, we still offer anonymity to our clients, but we "may ask" doesn’t mean we do ask, in your case we don’t need to. We add it in there to prevent bad behavior people who just signed up to use our service for malicious ways. We’re seeing drops in servers now that 25 is closed. Anyway it doesn’t mean we backtrack our premise, it just means we need to make it a deterrent for people with bad intention to not damage our IP reputation, once they do, you will start suffering for it when Spamhaus lists the whole range for the bad apples and your emails start coming back as bounced.
With that said, you are all set and this should not occur again unless you have your IP switched in which case you should ask for this to be whitelisted again.
The new stipulation may not mean that they do ask, but it means that they have the power to ask whenever they want.
Not good enough.
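The stuck outgoing queue described above was found by hand, by noticing that a reply never came. As an added example (mine, not the author's own scripts), here is a small parser for the output of Postfix's postqueue -p (the same listing mailq prints) that separates messages deferred because the remote port 25 could not even be reached from messages deferred for ordinary reasons such as greylisting; when every deferred message is of the first kind, the queue looks exactly the way an upstream port-25 filter makes it look from inside the VPS. The queue listing embedded below is constructed for this example (made-up queue IDs, RFC 5737 addresses, example.* recipients); only the sender domain comes from the post, and the function names are my own.

```python
"""Spot a blocked outbound port 25 from `postqueue -p` output.

Added example for this post, not the author's scripts.  Postfix lists
each queued message as one header line, an optional parenthesised
deferral reason, and one indented line per recipient, with blank lines
between messages.  SAMPLE_QUEUE below is constructed for this example.
"""
import re
import sys

# "<queue id>[*|!]  <size>  <Www Mmm dd hh:mm:ss>  <sender>"
# '*' marks a message in the active queue, '!' one on hold.
HEADER_RE = re.compile(
    r"^(\S+?)([*!]?)\s+(\d+)\s+(\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(\S+)$")
REASON_RE = re.compile(r"^\((.*)\)$")
RECIPIENT_RE = re.compile(r"^\s+(\S+)$")
# Deferral reasons Postfix gives when the TCP connection to port 25 fails
# outright, i.e. before any SMTP dialogue with the remote host.
PORT25_RE = re.compile(
    r"connect to \S+:25: (Connection timed out|Connection refused|"
    r"No route to host|Network is unreachable)")

# Constructed sample: queue IDs, times and recipients are made up.
SAMPLE_QUEUE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3F1B2C4D5E     2041 Fri Oct 21 10:12:33  luca@ageinghacker.net
(connect to mail.example.org[203.0.113.25]:25: Connection timed out)
                                         alice@example.org

7A9C0D1E2F*    5112 Fri Oct 21 10:40:07  luca@ageinghacker.net
                                         bob@example.net

B8D7E6F5A4     1330 Fri Oct 21 11:02:51  luca@ageinghacker.net
(host mx.example.com[198.51.100.7] said: 450 4.7.1 Greylisted (in reply to RCPT TO command))
                                         carol@example.com

-- 8 Kbytes in 3 Requests.
"""


def parse_postqueue(text: str) -> list[dict]:
    """Return one dict per queued message: id, active, hold, size,
    arrival, sender, reason (None when not deferred) and recipients."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("-"):
            current = None          # blank separator, header or trailer
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"id": m.group(1), "active": m.group(2) == "*",
                       "hold": m.group(2) == "!", "size": int(m.group(3)),
                       "arrival": m.group(4), "sender": m.group(5),
                       "reason": None, "recipients": []}
            entries.append(current)
            continue
        if current is None:
            continue                # text we do not understand; skip it
        m = REASON_RE.match(line)
        if m:
            current["reason"] = m.group(1)
            continue
        m = RECIPIENT_RE.match(line)
        if m:
            current["recipients"].append(m.group(1))
    return entries


def port25_blocked(entries: list[dict]) -> list[str]:
    """Queue IDs deferred because the remote port 25 was unreachable."""
    return [e["id"] for e in entries
            if e["reason"] and PORT25_RE.search(e["reason"])]


def summarise(text: str) -> dict:
    """Counts plus a verdict: when every deferred message failed at TCP
    connect to port 25, the queue looks like an upstream port filter."""
    entries = parse_postqueue(text)
    blocked = port25_blocked(entries)
    deferred = [e["id"] for e in entries if e["reason"]]
    return {"queued": len(entries), "deferred": len(deferred),
            "port25_unreachable": blocked,
            "looks_filtered": bool(deferred) and len(blocked) == len(deferred)}


if __name__ == "__main__":
    # Usage on a real server:  postqueue -p | python3 this_script.py
    print(summarise(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_QUEUE))
```

On the constructed sample the verdict is negative, because one of the two deferred messages was refused by a remote MX that was actually reached (greylisting); in the situation described in the post every queued message would carry a "Connection timed out" reason and the verdict would be positive.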
This is what happens if I try to connect to my server’s SMTP port from home, using our domestic Swisscom DSL.
[luca@moore ~]$ telnet smtp.ageinghacker.net smtp
Trying 82.221.139.216...
Connected to abelson.ageinghacker.net.
Escape character is '^]'.
220 nwas.bluewin.ch vimdzmsp-nwas02.bluewin.ch Swisscom AG ESMTP server ready
You can recognise my machines, all named after computer scientists:
the computers involved here are my laptop moore (after Chuck Moore)
sitting here on my desk and the VPS abelson (after Harold Abelson)
at OrangeWebsite.
smtp.ageinghacker.net is indeed an alias, in the sense of a CNAME
DNS record, for abelson.ageinghacker.net, with IP address
82.221.139.216; the IP address belongs to the Icelandic
AS50613 Thor Data Center, which is correct.
The machine that responded to my telnet client, however, was not
abelson: it was some machine from Swisscom pretending to be abelson
and relaying SMTP commands from my client to it. (The “Connected to”
line only reports the address telnet dialled; the 220 greeting that
follows is what actually answered at the far end of the TCP connection.)
To me this qualifies as a man-in-the-middle attack; I do not care if it is in their contracts or they claim not to hide it. What is Swisscom’s excuse for doing this to its customers?
It is not just the US and the EU, of course; I have absolutely no trust in Switzerland either. Do not trust any service provider: expect to be spied upon.
Just to be clear to non-technical people who may be reading, this is not at all OrangeWebsite’s fault. It is just an example of why OrangeWebsite’s justifications are unacceptable and in fact now in the days of surveillance capitalism (or worse) we need independent, replicated, decentralised mail infrastructure, more than ever. The physical and virtual infrastructure around us is hostile. Delegating the job of secure communications to others or to “the cloud” is not the solution. It is rather the opposite of the solution.
Notice how if I use the smtps port (465) instead of smtp (25) then Swisscom does not attempt a man-in-the-middle:
[luca@moore ~]$ telnet smtp.ageinghacker.net smtps
Trying 82.221.139.216...
Connected to abelson.ageinghacker.net.
Escape character is '^]'.
220 abelson.ageinghacker.net ESMTP Postfix
At the moment of exchanging certificates the attack would become obvious and the client would notice, provided that the client actually verifies the server certificate against the name it connected to (which a mail client does, but an MTA using opportunistic TLS often does not) and that the CA is not also compromised.
Mail has been designed long ago, perhaps by accident, as a decentralised federated service. We should exploit this good design by using multiple small instances. José and I were speaking not long ago about the GNU Project being, again by accident and at least to GNU hackers, one of the remaining providers of email services not affiliated with mass-surveillance entities such as Google. We need more entities like it, even smaller than it and together more resilient to surveillance and censorship.
What OrangeWebsite should do in my opinion is:
In the meantime I suggest those who are already using or planning to use OrangeWebsite’s service to consider 1984 Hosting and FlokiNET as alternatives.
— Luca Saiu, 2022-10-24 00:35 (last update: 2024-01-04 19:55)
Tags: 1984-hosting, email, english, flokinet, freedom, free-software, gnu, hosting, iceland, myself, orangewebsite, port-25, p≡p, server, smtp, surveillance, swisscom, switzerland, vps |
Copyright © 2009, 2011-2014, 2017, 2018, 2021-2024 Luca Saiu
Verbatim copying and redistribution of this entire page are permitted
in any medium without royalties, provided this notice is preserved.