Hi I am checking my SPF status at [email protected] and I get a softfail. from the header info it listed at the bottom of the reply it looks as though it is receiving my IP6 address not my IP4 and I presume using this with my txt record. Header info Return-Path: <[email protected]> Received: from srv.testserver.com (2001:888:888:888::66:5100) by verifier.port25.com id h6skbm11u9cp for <[email protected]>; Sat, 29 Mar 2014 16:10:35 -0400 (envelope-from <[email protected]>) Authentication-Results: verifier.port25.com; spf=softfail (SPF-Result: SoftFail) txt record v=spf1 a mx ~all I am also currently having fun with gmail blocking and had read that gmail were doing this to IP6 connections. My question is if this is to do with using IP6 how can I get my system to only use IP4 and is that a good solution or should I be doing something else. The server is running Debian Wheezy, Courier, ISPconfig 3.0.5.3, Postfix.
You only allow all mx-servers in your domain to send mail. Make sure that you have an A and an AAAA-Record for your mx-servers in the dns-zone. Regarding google - and without any error-message - you have a ptr-record defined? You can configure postfix to use ipv4 only and you can also define postfix to use ipv4 to send to some domains. But i think you fix your setup to use ipv4 and ipv6.
Thanks Florian I added the AAAA record for each account and all looks good. On the gmail front I did check everything on Friday afternoon and noticed the ptr wasn't resolving correctly so changed that then. I have also configured the ptr for IP6 now as well and gmail looks to be working ok again, at least no bounce back to my test just now. Either google has responded to my reported mail issue in double quick time or correcting the IP6 and ptr records has done the trick. Hope this helps someone else.
Spoke too soon, still getting some bounce back from google. Looking at the tests everything is now passing with the exception of DomainKeys check which looks to be an earlier version of DKIM, is this necessay in which case is there a guide: ========================================================== Summary of Results ========================================================== SPF check: pass DomainKeys check: neutral DKIM check: pass Sender-ID check: pass SpamAssassin check: ham Funny thing is when they do allow messages in from some of the accounts they may let the first then block the next etc, or one replying to a gmail email. The header on the received mail also looks ok: Delivered-To: [email protected] Received: by 10.96.40.6 with SMTP id t6cspxxxxxxqdk; Mon, 31 Mar 2014 06:26:58 -0700 (PDT) X-Received: by 10.180.11.36 with SMTP id n4mr123xxxxxwib.4.1396272418241; Mon, 31 Mar 2014 06:26:58 -0700 (PDT) Return-Path: <[email protected]> Received: from srv.example.com (srv.example.com. [2001:xxx:86d:xxx::6d:8888]) by mx.google.com with ESMTP id y6si220000eep.257.1111.03.22.06.26.57 for <[email protected]>; Mon, 31 Mar 2014 06:26:58 -0700 (PDT) Received-SPF: pass (google.com: domain of [email protected] designates 2001:xxx:86d:xxx::6d:8888 as permitted sender) client-ip=2001:xxx:86d:xxx::6d:8888; Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 2001:xxx:86d:xxx::6d:8888 as permitted sender) [email protected]; dkim=pass [email protected] Received: from localhost (localhost.localdomain [127.0.0.1]) by srv.example.com (Postfix) with ESMTP id 5DF5F33B for <[email protected]>; Mon, 31 Mar 2014 14:26:57 +0100 (BST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=thexxxxxx.xxx Any thoughts are appreciated.
"DomainKeys check: neutral" means, that the mail was signed but may contain syntax-errors. How to you sign your mails with DKIM and is your public-key in your DNS?
Hi Florian I use amavis-new to create the key: amavisd-new genrsa /var/db/dkim/$DomainName.key.pem I then include a reference to the key in /etc/amavis/conf.d/50-user along with the other configuration lines required: #DKiM Check Configuration $enable_dkim_verification = 1; $enable_dkim_signing = 1; @dkim_signature_options_bysender_maps = ( { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } ); @mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16); # list your internal networks $interface_policy{'10024'} = 'DKIM_ALWAYS'; $policy_bank{'DKIM_ALWAYS'} = { originating => 1, }; dkim_key('testemail.com', 'mail', '/var/db/dkim/testemail.com.key.pem'); I then use amavisd-new showkeys testemail.com to get the key text for the DNS record which I then enter as a txt record into ISPConfigs DNS record for the domain. This has a name like mail._domainkey.testmail.com. followed by a text key similar to: v=DKIM1; p=KGFfMA4GCSqERDb3DQEBAQUAY8GFHGCBmQKBpWQGkpKOHKyi2gxdH2LbPK Finally I test the key using amavisd-new testkeys testmail.com and if it passes restart amavis: /etc/init.d/amavis restart That's it, am I missing something or have I got an error. I assumed it was all working correctly because amavisd-new testkeys gives a pass and because the report said: DKIM check: pass If you can point me in the right direction that would be greatly appreciated.
You create a dkim-key for testemail.com and a dns-record for testmail.com I prefer to send some test-mails to different services as described here to get additional informations.
Got to say still somewhat confused by the DomainKeys check: neutral. Having tested with the other services described they all say things like: Message does not contain a DomainKeys Signature But they then all go on to say the message contains a DKIM Signature which they pass. Looking up further about DomainKeys, these all appear to use a k=rsa;p=MIGfMA0GC......... format so I assume the issue is the encoding where I currently use v=DKIM1; p=KGFfM............. Presumably if I wanted to get DomainKeys to work as well as DKIM then I would need to use another encrypted rsa key and create a separate text record for this. Apologies if this is me being stupid but it has just got me very confused. I guess if someone who reads this has passed both can you let me know what you did.
Ig you run amavisd-new showkeys as described above you get the correct TXT-record for your dns. I recommend to use http://unlocktheinbox.com to check your dkim signature. You get a detailed list what is wrong.
Thanks Florian, unlocktheinbox confirms everything is fine with my DKIM check and public DKIM KEY so everything looks ok. DKIM Check Signature Found:Yes SM Sig Verificationassed LL Sig Verificationassed From Signed:Yes Restricted Headers Signed:No I have even added a DMARC check which is all passed Record Syntaxassed DKIM Testassed SPF Testassed ADKIM Testassed ASPF Testassed RUA Testassed RUF Testassed DMARC Passed:Yes DMARC Record Location:Click Here: _dmarc.xxxx.com But it still says signiture not found under Domain Keys Check so I have to assume this is a different test, and I can therefore ignore this result. Domain Keys Check (Obsolete) Signature Found:No - Public Domain Key (Obsolete) Selector Location:Not Found - Once again thanks for all your help. James
