I have a problem with my Debian server running ISPConfig 3. I've installed the server a couple of years ago using the perfect server HOWTO: https://www.howtoforge.com/tutorial...8-4-jessie-apache-bind-dovecot-ispconfig-3-1/ I've checked many times and the server isn't an open relay. I'm also using DKIM, spf and registered each domain with Google Postmaster Tools. Still Gmail and Outlook flag many mails as spam. It seems my server has "bad reputation". But there are no newsletters sent from the server, just "regular" correspondence. There also seems to be some spam that comes to my personal inbox that is has a counterfeit address with my domain as a sender. Is there something I can do about that?
I am going through the same thing, Symantec had an IP address that I just gave to an organization on their Blacklist, it's a real pain.. See what these tools say: Try to get 10/10 here: https://www.mail-tester.com/ Analyze Headers: https://mxtoolbox.com/EmailHeaders.aspx SMTP Test: https://mxtoolbox.com/diagnostic.aspx Can you post your /etc/postfix/main.cf?
Thanks for the links! It seems that my DKIM installation is broken... I've configured them with the ISPConfig and added the needed DNS records. I need to investigate that a bit deeper... Here's my /etc/postfix/main.cf with edited hostname PHP: # See /usr/share/postfix/main.cf.dist for a commented, more complete version# Debian specific: Specifying a file name will cause the first# line of that file to be used as the name. The Debian default# is /etc/mailname.myorigin = /etc/mailnamesmtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)biff = no# appending .domain is the MUA's job.append_dot_mydomain = no# Uncomment the next line to generate "delayed mail" warnings#delay_warning_time = 4hreadme_directory = /usr/share/doc/postfix# TLS parameterssmtpd_tls_cert_file = /etc/postfix/smtpd.certsmtpd_tls_key_file = /etc/postfix/smtpd.key#smtpd_tls_cert_file=/etc/postfix/mailserver.cert#smtpd_tls_key_file=/etc/postfix/mailserver.key#smtpd_tls_CAfile = /etc/postfix/cacert.pemsmtpd_use_tls = yessmtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scachesmtp_tls_session_cache_database = btree:${data_directory}/smtp_scache# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for# information on enabling SSL in the smtp client.myhostname = server.mydomain.comalias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliasesalias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliasesmyorigin = /etc/mailnamemydestination = server.mydomain.com, localhost, localhost.localdomainrelayhost =mynetworks = 127.0.0.0/8 [::1]/128mailbox_command = procmail -a "$EXTENSION"mailbox_size_limit = 0recipient_delimiter = +inet_interfaces = allhtml_directory = /usr/share/doc/postfix/htmlvirtual_alias_domains =virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cfvirtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cfvirtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cfvirtual_mailbox_base = /var/vmailvirtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cfvirtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cfinet_protocols = allsmtpd_sasl_auth_enable = yesbroken_sasl_auth_clients = yessmtpd_sasl_authenticated_header = yessmtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cfsmtpd_tls_security_level = maytransport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cfrelay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cfrelay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cfproxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_mapssmtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.resmtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cfsmtpd_client_message_rate_limit = 100maildrop_destination_concurrency_limit = 1maildrop_destination_recipient_limit = 1virtual_transport = dovecotheader_checks = regexp:/etc/postfix/header_checksmime_header_checks = regexp:/etc/postfix/mime_header_checksnested_header_checks = regexp:/etc/postfix/nested_header_checksbody_checks = regexp:/etc/postfix/body_checksowner_request_special = nosmtp_tls_security_level = maydovecot_destination_recipient_limit = 1smtpd_sasl_type = dovecotsmtpd_sasl_path = private/authcontent_filter = amavis:[127.0.0.1]:10024receive_override_options = no_address_mappingssmtpd_tls_mandatory_protocols = !SSLv2, !SSLv3smtpd_tls_protocols = !SSLv2,!SSLv3smtp_tls_protocols = !SSLv2,!SSLv3milter_protocol = 2milter_default_action = acceptsmtpd_milters = inet:localhost:12301non_smtpd_milters = inet:localhost:12301message_size_limit = 0sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cfsmtpd_restriction_classes = greylistinggreylisting = check_policy_service inet:127.0.0.1:10023smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cfsmtpd_helo_required = yessmtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helosmtpd_tls_exclude_ciphers = RC4, aNULLsmtp_tls_exclude_ciphers = RC4, aNULLinet_protocols = all
DKIM and DMARC are best explained (from what I've found) here: https://blog.returnpath.com/how-to-explain-dkim-in-plain-english-2/ https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/ I'm having problems too getting through spam filters. I think because it sends from 'localhost' 127.0.0.1 -- (mynetworks = 127.0.0.0/8 [::1]/128) By no means am I an expert, but this is working so far, with only Symantec blocking me, I've requested them to investigate the IP address and take us off the blacklist. Here is my main.cf - - PHP: # See /usr/share/postfix/main.cf.dist for a commented, more complete version# Debian specific: Specifying a file name will cause the first# line of that file to be used as the name. The Debian default# is /etc/mailname.#myorigin = /etc/mailnamesmtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)biff = no# appending .domain is the MUA's job.append_dot_mydomain = no# Uncomment the next line to generate "delayed mail" warnings#delay_warning_time = 4hreadme_directory = /usr/share/doc/postfix# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on# fresh installs.compatibility_level = 2# TLS parameterssmtpd_tls_cert_file = /etc/postfix/smtpd.certsmtpd_tls_key_file = /etc/postfix/smtpd.keysmtpd_use_tls = yessmtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scachesmtp_tls_session_cache_database = btree:${data_directory}/smtp_scache# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for# information on enabling SSL in the smtp client.smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destinationmyhostname = mydomain.comalias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliasesalias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliasesmyorigin = /etc/mailname#mydestination = mydomain.com, localhost, localhost.localdomainmydestination =relayhost =mynetworks = 127.0.0.0/8 [::1]/128mailbox_size_limit = 0recipient_delimiter = +inet_interfaces = allinet_protocols = allhtml_directory = /usr/share/doc/postfix/htmlvirtual_alias_domains =virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cfvirtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cfvirtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cfvirtual_mailbox_base = /var/vmailvirtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cfvirtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cfsender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cfsmtpd_sasl_auth_enable = yesbroken_sasl_auth_clients = yessmtpd_sasl_authenticated_header = yessmtpd_restriction_classes = greylistinggreylisting = check_policy_service inet:127.0.0.1:10023smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cfsmtpd_tls_security_level = maytransport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cfrelay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cfrelay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cfsmtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cfproxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_mapssmtpd_helo_required = yessmtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helosmtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.resmtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cfsmtpd_client_message_rate_limit = 100maildrop_destination_concurrency_limit = 1maildrop_destination_recipient_limit = 1virtual_transport = dovecotheader_checks = regexp:/etc/postfix/header_checksmime_header_checks = regexp:/etc/postfix/mime_header_checksnested_header_checks = regexp:/etc/postfix/nested_header_checksbody_checks = regexp:/etc/postfix/body_checksowner_request_special = nosmtp_tls_security_level = maysmtpd_tls_mandatory_protocols = !SSLv2, !SSLv3smtpd_tls_protocols = !SSLv2,!SSLv3smtp_tls_protocols = !SSLv2,!SSLv3smtpd_tls_exclude_ciphers = RC4, aNULLsmtp_tls_exclude_ciphers = RC4, aNULLdovecot_destination_recipient_limit = 1smtpd_sasl_type = dovecotsmtpd_sasl_path = private/authcontent_filter = amavis:[127.0.0.1]:10024receive_override_options = no_address_mappingsmessage_size_limit = 0 I'm going to be setting up a test email domain just to try things out, mail is really frustration to get working! Plus I have to pass 'Trustwave' PCI compliance on a different domain, thats a huge PIA! Hope this helps
I finally took time to take a look at this and added the dmarc records to my DNS server. I have enabled DKIM from ISPConfig and added the DKIM TXT record to my DNS server, but mail-tester.com test still gives me an error of not implementing DKIM... Even without DMARC I got a score of 8.5 so it's shouldnt be that bad?
