Email Relay - ISPConfig-Box-1 >> ISPConfig-Box-2 >> outbound

Discussion in 'Installation/Configuration' started by HappierTimesAhead, May 18, 2022.

  1. Hi all,
    I have two separate ISPConfig servers - NOT multi-server setup - both standalone servers
    What I want to achieve is email sent from ISPConfig-Box-1 is relayed to ISPConfig-Box-2 which sends the email out
    SETUP ISPConfig-Box-1
    Code:
    Relayhost: ISPConfig-Box-2.com
    Relayhost User: [email protected]
    Relayhost Password: PASSWORD ON ISPConfig-Box-2.com
    SETUP ISPConfig-Box-2
    Code:
    Email User: [email protected]
    Email Password: PASSWORD ON ISPConfig-Box-2.com
    DNS is all configured correctly (I think?) inc SPF, DKIM, Server A records etc.
    If I send an outbound email from a registered email account on ISPConfig-Box-1 to [email protected] account, I get the following log entries on ISPConfig-Box-2: -
    Code:
    May 18 09:30:37 main postfix/smtpd[1673626]: connect from main.ISPConfig-Box-1.com[1A01:c107:3333:4444::1]
    May 18 09:30:37 main postfix/smtpd[1673626]: NOQUEUE: reject: RCPT from main.ISPConfig-Box-1.com[1A01:c107:3333:4444::1]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<main.ISPConfig-Box-1.com>
    May 18 09:30:37 main postfix/smtpd[1673626]: disconnect from main.ISPConfig-Box-1.com[1A01:c107:3333:4444::1] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
    I have obviously missed something but I cannot see what?
    Any help would be gratefully received.
    As always many thanks in advance.
    Kind regards
    HTA
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Personally, I would set it up like this:

    1) Add the IP address of server1 to the mynetworks setting in postfix main.cf on server 2 and restart postfix there.
    2) set server 2 as relay host in server 1 inside ispconfig and leave the username and password field empty there.
     
    HappierTimesAhead likes this.
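
Added example, not from the thread or from ISPConfig: `mynetworks` matches on the connecting address, and the rejected connection logged in the first post arrived over IPv6, so this sketch checks whether a given `mynetworks` value would trust that peer and flags entries that are wider than a single relay client needs. The sample `mynetworks` values, the `192.0.2.10` placeholder and the breadth thresholds are assumptions.

```python
import ipaddress
import re

# smtpd logs the peer as "connect from hostname[address]".
CONNECT_RE = re.compile(r"connect from \S+\[([0-9A-Fa-f:.]+)\]")

def parse_mynetworks(value):
    """Parse literal mynetworks entries; Postfix writes IPv6 as [addr]/len.
    File paths, type:table lookups and !exclusions are not handled here."""
    nets = []
    for item in re.split(r"[,\s]+", value.strip()):
        if not item:
            continue
        m = re.fullmatch(r"\[([^\]]+)\](?:/(\d+))?", item)
        if m:  # strip the brackets around an IPv6 entry
            item = m.group(1) + (f"/{m.group(2)}" if m.group(2) else "")
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def client_address(log_line):
    """Return the connecting address from an smtpd 'connect from' line."""
    m = CONNECT_RE.search(log_line)
    return ipaddress.ip_address(m.group(1)) if m else None

def is_trusted(addr, nets):
    """True if addr would match one of the parsed mynetworks entries."""
    return any(addr.version == n.version and addr in n for n in nets)

def broad_entries(nets, min_v4=24, min_v6=64):
    """Non-loopback entries wider than the thresholds (thresholds are this
    example's choice): every host inside them may relay without auth."""
    return [n for n in nets if not n.is_loopback
            and n.prefixlen < (min_v4 if n.version == 4 else min_v6)]

# Log line from the first post; the mynetworks values below are constructed.
LOG = ("May 18 09:30:37 main postfix/smtpd[1673626]: connect from "
       "main.ISPConfig-Box-1.com[1A01:c107:3333:4444::1]")
V4_ONLY = "127.0.0.0/8 [::1]/128 192.0.2.10"
BOTH = V4_ONLY + " [1A01:c107:3333:4444::1]/128"

if __name__ == "__main__":
    peer = client_address(LOG)
    for label, value in (("IPv4 only", V4_ONLY), ("IPv4 + IPv6", BOTH)):
        print(label, "trusted:", is_trusted(peer, parse_mynetworks(value)))
    print("too broad:", broad_entries(parse_mynetworks("10.0.0.0/8 [::1]/128")))
```

On a live system the value to check is the output of `postconf -h mynetworks` on server 2.
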
  4. Hi Till,
    Many thanks for your kind help - brilliant as always.
    That certainly worked first time.
    What I was hoping to achieve was that we would remove all headers from ISPConfig-Box-1 in the email message. However, we can still see where this email came from: -
    Code:
    Received: from main.ISPConfig-Box-1.com (main.ISPConfig-Box-1.com [111.222.333.444]) by main.ISPConfig-Box-2.com (Postfix) with ESMTPS id 123456abcdef
        for <[email protected]>; Wed, 18 May 2022 15:47:59 +0000 (UTC)
    Received: from localhost (localhost [127.0.0.1])
        by main.ISPConfig-Box-1.com (Postfix) with ESMTP id 654321fedcba
    The reason for this is that the VPS which main.ISPConfig-Box-1.com is hosted on has a UCEPROTECTL3 block. Microsoft has blocked all emails, from all domains on this VPS which is a nightmare. Trying to get them to remove the block is a long, slow, painful process.
    Is there a way to remove the headers from main.ISPConfig-Box-1.com?
    As always I am most grateful for your kind help
    Kind regards
    HTA
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    HappierTimesAhead likes this.
  6. ahrasis

    ahrasis Well-Known Member

    Change VPS provider.
     
    HappierTimesAhead likes this.
  7. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    you shouldn't need to remove those headers to get past the microsoft block.
    i had the same issue last year, millions of AWS ip's put on a UCEPROTECTL3 blacklist and microsoft refusing all mail.
    took months for them to sort it out. in the meantime i just setup a postfix install on digital ocean, and set my main mailserver to relay through that, exactly as @till describes in post #3
    worked perfectly. mail going to microsoft without problems. no mx record changes. no need to adjust headers.

    also even once the ip is removed from the UCEPROTECTL3 blacklist, expect microsoft to still keep the ban in place.
    they told me it was because they were seeing spam emails being sent to them from our original mail server ip in the preceding months, even though that was impossible because *everything* was relayed through the DO relay server. they rather sheepishly removed the block once i pointed that out.
     
    HappierTimesAhead likes this.
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Is someone actually using UCEPROTECT to block e-mails? I would say UCEPROTECT is a completely bogus blacklist, seems it randomly adds IP-numbers to the list. My IP gets on UCEPROTECT every few weeks for no reason, and then gets removed eventually, I do nothing to get it removed.
     
    HappierTimesAhead likes this.
  9. @nhybgtvfr - Many Thanks for all the info.
    Very helpful indeed.
    UCEPROTECTL3 plus Microsoft equals a big mess. Them two think they own the internet!!!
    Once again Thank you
    Kind regards
    HTA
     
  10. @Taleman Completely agree. The bad thing is when the host gets onto the UCEPROTECTL3 list EVERY ip gets the grief and there is nothing you can do about it. @nhybgtvfr is very correct - the only way to do it is spark up a new server on a different host. Nightmare
     
  11. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    just 1 point to remember. add the ip for the new relay server to any SPF records.
    if you're doing your own dns. easiest way is probably to query the dbispconfig db:
    select data from dbispconfig.dns_rr where data like '%spf%';
    hopefully most of them will be identical, and you can use update dns_rr set data = '<new spf record including relay server ip>' where data = '<old spf record>'; for each different set of spf records, and then resync dns.

    or write an api script to update them... doing them all manually is unbelievably tedious and time consuming.
     
    HappierTimesAhead likes this.
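
Added example, not from the thread or from ISPConfig: one way to compute the old-to-new SPF values for the per-record `update` described above, inserting the relay's address before the `all` term and leaving records that already cover it untouched. The relay address and the sample rows are constructed; note that `like '%spf%'` also returns DMARC records carrying an `aspf=` tag, which the sketch skips.

```python
import ipaddress

def _covered(terms, ip):
    """True if a pass-qualified ip4:/ip6: mechanism already includes ip."""
    prefix = f"ip{ip.version}:"
    return any(
        ip in ipaddress.ip_network(t.lstrip("+")[len(prefix):], strict=False)
        for t in terms if t.lstrip("+").lower().startswith(prefix))

def add_relay_to_spf(record, relay_ip):
    """Return record with relay_ip authorized; unchanged if it already is."""
    ip = ipaddress.ip_address(relay_ip)
    quoted = len(record) > 1 and record[0] == record[-1] == '"'
    terms = (record[1:-1] if quoted else record).split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    if _covered(terms[1:], ip):
        return record
    # Mechanisms after "all" are never evaluated, so insert before it
    # (or before a redirect= modifier); with neither present, append.
    pos = len(terms)
    for i, term in enumerate(terms[1:], start=1):
        name = term.lower().lstrip("+-~?")
        if name == "all" or name.startswith("redirect="):
            pos = i
            break
    terms.insert(pos, f"ip{ip.version}:{ip}")
    new = " ".join(terms)
    return f'"{new}"' if quoted else new

def plan_updates(rows, relay_ip):
    """Map each distinct SPF value to its replacement; skip non-SPF rows."""
    plan = {}
    for data in dict.fromkeys(rows):  # distinct values, order kept
        try:
            new = add_relay_to_spf(data, relay_ip)
        except ValueError:
            continue  # e.g. a DMARC record, which LIKE '%spf%' hits via aspf=
        if new != data:
            plan[data] = new
    return plan

# Constructed rows, shaped like the output of the SELECT in the post above.
ROWS = ["v=spf1 mx a ~all", "v=spf1 mx a ~all",
        "v=spf1 ip4:203.0.113.0/24 -all", "v=DMARC1; p=none; aspf=r"]

if __name__ == "__main__":
    for old, new in plan_updates(ROWS, "198.51.100.7").items():
        print(f"{old!r}  ->  {new!r}")
```
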
  12. michelangelo

    michelangelo Member

    Absolutely no one who is sober uses UCE Protect.
    Whoever is using their services doesn't want to do serious Email business, the same counts for Microsoft while the reasons why Microsoft sucks are different...

    Unlike other RBLs you're only removed from the UCE RBL if you pay them, but perhaps also after a long long time they may remove you automatically, but it's nothing comparable to reputable RBLs. So, try to ignore UCE...

    Regarding Microsoft they offer a form where you can ask for a delisting.
    It might take a few attempts (including answering their automated mails) to get removed and to get the reputation of the IP reset though.
     
    HappierTimesAhead likes this.
  13. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    yep, getting off a microsoft block is a real pain in the arse, always takes several attempts. their first response, no matter what evidence you provide in your initial request, is that it doesn't qualify for mitigation. they won't even get a real person to look at the issue until at least the 3rd request.
    but it's impossible if your ip's on the uceprotectl3 blacklist, they will simply refuse to remove it. the block will apply until the ASN block owner sorts themselves out with UCE Protect.
    wouldn't be surprised to find out that microsoft is the ultimate owner of UCE protect, it would be the perfect scam. too big an email service provider for anyone else to ignore. they could just add whatever ip's they wanted to the UCE protect blacklist and just wait for the money to roll in.....
    i'm not a fan of microsoft or UCE Protect.
     
    HappierTimesAhead likes this.
  14. michelangelo

    michelangelo Member

    @nhybgtvfr
    I highly doubt that UCE Protect belongs to Microsoft.
    UCE is a German rather more locally used RBL in Germany. Although they may have a few fans all over the world.
    Their website looks like it was made 24 years ago and they don't even have an imprint on their website.

    I just noticed that they de-list automatically IPs on UCE 1 and 2 after some time, but if I remember correctly that was for a long time impossible. Looks like they've changed that.
     
    HappierTimesAhead likes this.
  15. @nhybgtvfr and @michelangelo I'm enjoying your style, guys :):):)
    UCE's website also looks like it was done by a 5 year old - all them years ago :)
    Just finishing off spinning a new server up for smtp outbounds - wish me luck ;)
     
    nhybgtvfr likes this.
