Advice - Mail servers

Discussion in 'Tips/Tricks/Mods' started by Anthony Cleaves, Apr 21, 2016.

  1. Hello, so I have been using ISPConfig 3 for a few days. The IP immediately got blocked by Live Mail. I was curious how others deal with their IP reputation?

    I usually add SPF records, but I usually set up mail servers for one customer with 1 IP. I am not sure how to add records suitable for all customers on the platform? Does anyone have any advice on how they handle their mail reputation? I can confirm I sent no spam during this period, but still Live Mail decided to block the IP.

    I will request an unblock once I have found a solution.

    I would appreciate any feedback.
     
  2. till (Super Moderator, Staff Member, ISPConfig Developer)

    Microsoft mail services are a bit crazy, I guess they block everyone in advance, no matter if you have ever sent a single spam mail :) The best option is to use DKIM (see Florian's DKIM plugin for ISPConfig) plus SPF records for all domains that send through your server.
     
  3. An SPF record per customer then, I guess, if it's possible? As there is a 255 character limit.

    Thanks for the quick reply, I will install DKIM and apply to be removed from Microsoft.

    I wonder how mail companies handle this, as SPF records per client can't be easily managed. I am not sure if it's even possible.

    Is there a URL for this plugin? I am only finding stuff in a different language and the page fails to load :(
     
    Last edited: Apr 21, 2016
  4. Jesse Norell (ISPConfig Developer, Staff Member)

    Are you familiar with SPF "include:"? See https://www.howtoforge.com/communit...dns-record-for-all-domains.72058/#post-339105 for an example that makes managing/updating many SPF records pretty maintainable.

    SPF records are set per-domain and per-host (anything with an A record in DNS), though you may of course have common needs per client and could implement that as well. A typical client with no special needs can use something like this (MX records point to a host, not a CNAME, so add an SPF record for it, too):
    Code:
    yourclient.com TXT "v=spf1 +a:www.yourclient.com include:spf.yourcompany.com -all"
    mx.yourclient.com TXT "v=spf1 ip4:mx.ip.ad.dr a -all"
    
    Say another client has their own IP space that needs to be allowed and a couple of domains:
    Code:
    client2.com TXT "v=spf1 +a:www.client2.com +ip4:aa.bb.cc.dd/26 include:spf.yourcompany.com -all"
    mx.client2.com TXT "v=spf1 ip4:mx.ip.ad.dr a -all"
    mx2.client2.com TXT "v=spf1 ip4:mx2.ip.ad.dr a -all"
    client2-dom2.com TXT "v=spf1 include:client2.com -all"
    mx.client2-dom2.com TXT "v=spf1 ip4:mx.ip.ad.dr a -all"
    
    You maintain the spf.yourcompany.com record according to your hosting needs, and the client maintains the client2.com SPF record according to theirs.
     
  5. That is very useful, thank you for that. I will do something similar with this. I will test this with my private domain.

    Do you have any examples for an SPF record for the company?
    I'm currently using

    v=spf1 mx a ip4:46.101.88.xxx/32 ?all

    Edit:

    Just to clarify, I added these 2 records to my domain (which hosts ISPConfig):

    * 3600 TXT v=spf1 +a:host.com include:spf.host.com -all
    spf 3600 TXT v=spf1 +a +mx +a:host.com +a:web.host.com -all

    Then on the domain:
    * 3600 TXT v=spf1 +a:www.domain.me.uk include:spf.host.com -all
     
    Last edited: Apr 21, 2016
  6. Jesse Norell (ISPConfig Developer, Staff Member)

    From that other comment/link:
    Code:
    spf.yourdomain.com TXT "v=spf1 +a +mx +a:mail.yourcompany.com +a:webmail.yourcompany.com +a:web1.yourcompany.com +a:web2.yourcompany.com include:mail.relay.company -all"
    yourcompany.com TXT "v=spf1 +a:www.yourcompany.com include:spf.yourcompany.com -all"
    yourclient.com TXT "v=spf1 +a:www.yourclient.com include:spf.yourcompany.com -all"
    Is that what you mean, or just a live domain setup this way?
     
  7. Sorry, I updated my original request, does this make more sense now?
    ----------

    Just to clarify, I added these 2 records to my domain (which hosts ISPConfig):

    * 3600 TXT v=spf1 +a:host.com include:spf.host.com -all
    spf 3600 TXT v=spf1 +a +mx +a:host.com +a:web.host.com -all

    Then on the domain:
    * 3600 TXT v=spf1 +a:www.domain.me.uk include:spf.host.com -all

    OR does it need to be set to this only on the hosting domain (host.com)?

    host.com 3600 TXT v=spf1 +a:host.com include:spf.host.com -all
    spf 3600 TXT v=spf1 +a +mx +a:host.com +a:web.host.com include:mail.host.com -all
    domain.me.uk 3600 TXT v=spf1 +a:www.domain.me.uk include:spf.host.com -all
     
    Last edited: Apr 21, 2016
  8. Jesse Norell (ISPConfig Developer, Staff Member)

    You would create a record at spf.host.com to cover your hosting infrastructure, i.e. the IP addresses of your mail and web servers (any place your customers' email would be sent from). Then include that in the SPF record for both your own host.com domain and your customers' domains. You can use wildcard entries to cover unknown hostnames, but any name that is known has to have its own record (e.g. MX hosts, and anything else with an A record).

    I think my example is bad in that the SPF record to be included shouldn't have '+a +mx', as there won't be an A or MX record for spf.host.com, just the TXT. Maybe more like:

    spf.host.com: v=spf1 +a:mail1.host.com +a:webmail.host.com +a:web1.host.com +a:web2.host.com -all
    host.com: v=spf1 +a +mx +a:www.host.com include:spf.host.com -all
    mail1.host.com: v=spf1 +a -all
    webmail.host.com: v=spf1 +a -all
    web1.host.com: v=spf1 +a -all
    web2.host.com: v=spf1 +a -all
    ftp.host.com: v=spf1 -all
    db1.host.com: v=spf1 +a -all
    db2.host.com: v=spf1 +a -all
    *.host.com: v=spf1 +a -all

    And add SPF records for any other names which have an A record (note that ftp shouldn't be used as the HELO hostname in this example).

    domain.me.uk: v=spf1 +a +mx +a:www.domain.me.uk include:spf.host.com -all
    mail.domain.me.uk: v=spf1 -all
    *.domain.me.uk: v=spf1 -all

    Here the MX record would point to "mail.domain.me.uk", but that server (i.e. your mail server) would never identify as that, so it is not allowed.

    You could maybe improve that first spf.host.com record by listing IP addresses instead of using hostnames, and it would require fewer DNS lookups (although it would then require more maintenance when your servers change/add addresses).
     
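As an added example (not code from this thread or from ISPConfig), here is a small Python evaluator over a constructed in-memory zone modelled on the records suggested above: it walks `a`, `mx`, `include:` and `all` the way a receiving server does, counts the DNS-querying mechanisms against the RFC 7208 limit of 10 (which is why listing IP addresses instead of hostnames needs fewer lookups), and shows that the `mail.domain.me.uk` record with `-all` rejects anything identifying as that name while the hosting mail server still passes under `domain.me.uk`. The hostnames and the 203.0.113.x documentation addresses are assumptions.

```python
import ipaddress
# Constructed zone modelled on the thread's suggested records; RFC 5737 documentation addresses, not real hosts.
ZONE = {
    "spf.host.com": {"TXT": "v=spf1 +a:mail1.host.com +a:webmail.host.com -all"},
    "mail1.host.com": {"TXT": "v=spf1 +a -all", "A": ["203.0.113.25"]},
    "webmail.host.com": {"TXT": "v=spf1 +a -all", "A": ["203.0.113.26"]},
    "domain.me.uk": {"TXT": "v=spf1 +a +mx +a:www.domain.me.uk include:spf.host.com -all",
                     "A": ["203.0.113.80"], "MX": ["mail.domain.me.uk"]},
    "www.domain.me.uk": {"A": ["203.0.113.80"]},
    # MX target resolving to the hosting mail server, which never uses it as its HELO name
    "mail.domain.me.uk": {"TXT": "v=spf1 -all", "A": ["203.0.113.25"]},
}
MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: a, mx, include, ptr and exists may total at most 10
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def a_records(name):
    return ZONE.get(name, {}).get("A", [])

def check_spf(ip, domain, lookups=None):
    lookups = [0] if lookups is None else lookups  # counts DNS-querying terms across includes
    ip = ipaddress.ip_address(ip)
    txt = ZONE.get(domain, {}).get("TXT")
    if not txt or not txt.startswith("v=spf1"):
        return "none"
    for term in txt.split()[1:]:
        qual = term[0] if term[0] in QUAL else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":  # no DNS query needed, so it does not count against the limit
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            target = arg or domain
            if mech == "a":
                matched = str(ip) in a_records(target)
            elif mech == "mx":
                matched = any(str(ip) in a_records(mx) for mx in ZONE.get(target, {}).get("MX", []))
            else:  # include: recurses, and its lookups count against the same limit
                inner = check_spf(str(ip), target, lookups)
                if inner == "permerror":
                    return inner
                matched = inner == "pass"
        if matched:
            return QUAL[qual]
    return "neutral"  # no mechanism matched and no explicit all
```

Pass a list as `lookups` to read back how many of the 10 permitted DNS-querying terms a record chain consumed; the `domain.me.uk` chain above uses 6 before reaching the webmail host via the include.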
  9. I understand, however this caused confusion.
    Do you mean I should leave out
    mail.domain.me.uk: v=spf1 -all
    or not?

    Thank you for the help by the way.
     
  10. Jesse Norell (ISPConfig Developer, Staff Member)

    What do you use as an MX record for domain.me.uk? If it's something like mx.host.com, you don't need an SPF record for mail.domain.me.uk. If you set the MX record to something like mail.domain.me.uk, and simply give that host an A record with the same IP address(es) as your hosting mail server, you would add that SPF record. Unless you've gone out of your way to configure them differently, your hosting mail servers will never identify themselves as mail.domain.me.uk in SMTP (e.g. "EHLO mail.domain.me.uk"), so you can safely create an SPF record that doesn't let anyone else identify as that name, either.
     
  11. florian030 (ISPConfig Developer)

    I don't know if you really need DKIM / SPF to avoid blacklisting by Microsoft. IMHO the best option is to join the "Smart Network Data Services" and check your IP periodically. I have seen blocks because they did not receive mails within the last x days from the IP (so: no mail is spam), and they usually block subnets and not only single IPs.

    Don't use includes with SPF as long as you don't know what you are doing. "v=spf1 mx a -all" is working in most setups.
     
  12. All the help was great, I am no longer blacklisted. Smart Network Data was also great. Many thanks.
     
