Hi guys, for the past few weeks I have been experiencing a very strange problem with my mailserver. All mail sent to outlook.com, live.com, hotmail.com and all domains using 365 or Outlook as mailservers is silently discarded by the recipient. There is no queued mail in Postfix and no blacklists (besides the abandoned lngsblock). All tests with various tools score our domains with 8 or 9/10, and SPF, PTR, DMARC and DKIM are properly set up. Furthermore, all mail sent to us is received, and if we reply to any of it then the mail is delivered correctly. I have contacted Microsoft 10 times, filling up the investigation form, which in return replied that the IP cannot be mitigated (meaning there isn't any fault found). My only suspicion is that my Postfix setup is not following Microsoft best practices or policies, but I cannot figure it out. Any help will be tremendously appreciated. Thanks
Which exact errors do you get in the mail.log file? Have you set up SPF records for the domain and did you enable DKIM?
No errors whatsoever in mail.log. SPF records are in place as well as DKIM. This is also proven in the mxtoolbox lookup.
I am using multiple domains, each one with a unique DKIM key, DMARC & SPF record as well as PTR record. My clients use the main domain to send from different domains, e.g. mail.domain.com is the mail server domain and mail is sent from [email protected]. Does this affect the constant blacklisting, as they think that multiple DKIM keys are sending through 1 mailserver with a different DKIM key?
Till, I'll explain my setup and maybe you will understand if I messed things up. I have a multiserver setup (web.domain.com, mail.domain.com, db.domain.com, ns1.nameserver.com, ns2.nameserver.com). I have set up several domains under these servers and I am using mail.domain.com to send and receive emails from 10 of these domains, and I use mail.specificdomain.com for specificdomain.com only. Each domain has the following DNS records set up:

A www
A mail
A webmail
A domain
A ns1
A ns2
MX mail.domain.com
ns xx.xx.x.xx.in-addr ns1.nameserver.com
ns xx.xx.x.xx.in-addr ns2.nameserver.com
ns domain ns1.nameserver.com
ns domain ns2.nameserver.com
PTR xxx xx.x.xx.in-addr.arpa
TXT *._report._dmarc.domain.com. V=DMARC1
DMARC (quarantine)
DKIM
SPF v=spf1 mx a ip4:xx.xx.x.xxx ~all

Furthermore, each domain has a Let's Encrypt cert issued and renewed every 3 months. Deliverability score is between 8-9.5/10; mxtoolbox gives only 1 warning, that both ns servers are on the same subnet. What am I doing wrong that Microsoft and sometimes Gmail give us a hard time? Thx
After A LOT of digging, my ISP figured out that Microsoft is blocking a segment of the subnet, and apparently there is a mechanism between Microsoft and ISPs to delist the blacklisted IP. So this issue has been partly resolved, BUT some things need to be done so that this won't happen again. I am currently in LOST mode and I would like someone to check my configuration in case I left anything out or did something wrong. (Please ignore the relay option, as this is being used temporarily until the IP issue is resolved and the mailserver is configured correctly.)

Code:
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
compatibility_level = 2
content_filter = amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
greylisting = check_policy_service inet:127.0.0.1:10023
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
invalid_hostname_reject_code = 554
mailbox_size_limit = 0
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
message_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
multi_recipient_bounce_reject_code = 554
mydestination = mail.occhio.com.cy, localhost, localhost.localdomain
myhostname = mail.occhio.com.cy
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
non_fqdn_reject_code = 554
owner_request_special = no
policy-spf_time_limit = 3600s
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_domains_reject_code = 554
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost = mail-out.cablenet.com.cy
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
smtp_tls_exclude_ciphers = EXP,MEDIUM,LOW,MD5,DES,ADH,RC4,PSD,SRP,3DES,eNULL,aNULL
smtp_tls_loglevel = 2
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = EXP,MEDIUM,LOW,MD5,DES,ADH,RC4,PSD,SRP,3DES,eNULL,aNULL
smtp_tls_mandatory_protocols = !TLSv1,!SSLv2,!SSLv3
smtp_tls_protocols = !TLSv1,!SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name Linux
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo regexp:/etc/postfix/helo.regexp
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_rbl_client cbl.abuseat.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client dsn.rfc-ignorant.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client combined.rbl.msrbl.net, reject_rbl_client rabl.nuclearelephant.com, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, reject_unknown_recipient_domain, check_policy_service unix:private/policy-spf
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_restriction_classes = greylisting
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re, reject_authenticated_sender_login_mismatch, reject_sender_login_mismatch, reject_unlisted_sender, reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
smtpd_soft_error_limit = 10
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_exclude_ciphers = EXP,MEDIUM,LOW,MD5,DES,ADH,RC4,PSD,SRP,3DES,eNULL,aNULL
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = EXP,MEDIUM,LOW,MD5,DES,ADH,RC4,PSD,SRP,3DES,eNULL,aNULL
smtpd_tls_mandatory_protocols = !TLSv1,!SSLv2,!SSLv3
smtpd_tls_protocols = !TLSv1,!SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_preempt_cipherlist = yes
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf

Any help will greatly be appreciated
Yes, the server is located in my data center and has the dedicated IP for office use and ISPConfig. The guest network is forwarded to a different static IP. Talking with my ISP, it's a matter of spoofing. No infections exist in our network, and the logs of the ISP's mailserver which I relay through show other IPs trying to send as our emails.
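
Spoofing of the kind described in the last post is what DMARC aggregate reports record: receivers list every source IP that sent mail claiming the domain and whether it passed aligned SPF or DKIM. The following is an added example, not part of the original thread; it splits a report into unknown sources and the domain's own hosts that fail DMARC. The report data, the IP ranges and the name `classify` are constructed placeholders.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout; every value is a placeholder.
_ROW = ("<record><row><source_ip>{}</source_ip><count>{}</count><policy_evaluated>"
        "<disposition>{}</disposition><dkim>{}</dkim><spf>{}</spf>"
        "</policy_evaluated></row></record>")
SAMPLE_REPORT = "<feedback>" + "".join(_ROW.format(*r) for r in [
    ("192.0.2.10", 40, "none", "pass", "pass"),         # own mail server
    ("192.0.2.11", 5, "none", "pass", "fail"),          # relay host: SPF fails, DKIM carries it
    ("192.0.2.12", 3, "quarantine", "fail", "fail"),    # own host sending unsigned mail
    ("198.51.100.23", 120, "quarantine", "fail", "fail"),
    ("203.0.113.77", 7, "quarantine", "fail", "fail"),
]) + "</feedback>"

# Assumption: the only networks allowed to send for the domain (own servers, ISP relay).
AUTHORIZED = [ipaddress.ip_network("192.0.2.0/28")]


def classify(report_xml, authorized=AUTHORIZED):
    """Split report rows into unknown sources and own hosts that fail DMARC."""
    result = {"unknown_source": {}, "own_failing": {}}
    for row in ET.fromstring(report_xml).iter("row"):
        ip = ipaddress.ip_address(row.findtext("source_ip").strip())
        ev = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        dmarc_pass = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        ours = any(ip in net for net in authorized)
        if ours and dmarc_pass:
            continue  # legitimate and authenticated: nothing to report
        bucket = result["own_failing" if ours else "unknown_source"]
        entry = bucket.setdefault(str(ip), {
            "count": 0,
            "dmarc_pass": dmarc_pass,
            "disposition": ev.findtext("disposition"),
        })
        entry["count"] += int(row.findtext("count"))
    return result


if __name__ == "__main__":
    for kind, hosts in classify(SAMPLE_REPORT).items():
        for ip, info in sorted(hosts.items()):
            print(kind, ip, info)
```

Entries under `own_failing` are legitimate mail that receivers quarantine under the published policy, so they need fixing before the policy is tightened; entries under `unknown_source` that fail DMARC are the spoofed traffic.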