Hi

About 2 weeks ago - unbeknownst to myself - one of my users' accounts was hacked (even with strong password!) and for days we were sending spam. I've since changed the password and increased the strength of our firewalls with FireHOL blacklists etc...

Within 24 hours I'd removed our IPs from every RBL going but we're still, 2 weeks later, having trouble with this particular domain not being able to send email to any gmail mx's. The domain is verified with Google Postmaster tools and I have valid DKIM, SPF and DMARC records. All other domains are functioning fine but the previously hacked domain is still bouncing with this message:

I have another domain I could use temporarily whilst we wait for the reputation to rebuild (I've seen this take over a month in some cases). Is there a way to have all email from our problem domain, to gmail's mx's, rewritten to use another "fresh" domain? The fresh domain would of course have to have correct SPF and DKIM records (DKIM through amavis?). I could set up email aliases for each user's address so mail replied to on the fresh domain could be forwarded to the main domain, offering the users a seamless solution.

The problem is compounded as some people tend to use gmail's G-Suite to send and receive email for their own domains so it would probably have to target gmail's mx's?

Many thanks in advance
Elliot
That GMail return message tells you your server is still sending spam. My guess is the mails are in the mail queue, and are still being delivered, or trying to be delivered. Check as root on the mail server host with the command
Code:
    mailq
how many and what messages you have in the queue. You can see the contents of a message using the 10 character ID code, it is the first word on the lines mailq prints. Use it like this:
Code:
    postcat /var/spool/postfix/deferred/C/C1C4480322
That is from Debian GNU/Linux 9.5, if you run some other operating system it may be in some other directory.

Then if you want to remove stuff from mailq, there is a nifty pfdel.perl script. My copy was installed by the previous maintainer, but using Internet Search Engines now I found this: http://www.ustrem.org/en/articles/postfix-queue-delete-en/
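The queue check suggested in the reply above can be turned into a per-sender summary, which makes a still-abused account stand out from genuine mail. This is an added example, not code from the thread: it parses text in the layout `mailq` prints, and the sample queue (addresses, sizes, times, and every queue ID except the one quoted in the post) is constructed.

```python
import re
from collections import Counter

# Constructed sample in the layout `mailq` prints (not real queue data).
SAMPLE_MAILQ = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
C1C4480322     2210 Mon Aug 13 09:14:02  alice@foo.example
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         rcpt1@example.net

D2A5591433     2198 Mon Aug 13 09:14:05  alice@foo.example
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         rcpt2@example.net
                                         rcpt3@example.net

E3B66A2544*    5120 Mon Aug 13 09:20:41  bob@foo.example
                                         partner@example.org

-- 9 Kbytes in 3 Requests.
"""

# Entry header: queue ID (+ '*' active / '!' on hold), size, arrival time, sender.
HEADER = re.compile(r"^([0-9A-Za-z]+)([*!]?)\s+(\d+)\s+\w{3}\s+\w{3}\s+\d+\s+"
                    r"\d\d:\d\d:\d\d\s+(\S+)\s*$")

def parse_mailq(text):
    """Return one dict per queued message: id, flag, size, sender, recipients."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        stripped = line.strip()
        if m:
            entries.append({"id": m.group(1), "flag": m.group(2),
                            "size": int(m.group(3)), "sender": m.group(4),
                            "recipients": []})
        elif entries and line[:1].isspace() and stripped and not stripped.startswith("("):
            # Indented, non-parenthesised lines are recipients of the last entry;
            # parenthesised lines are deferral reasons and are skipped.
            entries[-1]["recipients"].append(stripped)
    return entries

def recipients_per_sender(entries):
    """Count queued recipients per envelope sender."""
    counts = Counter()
    for e in entries:
        counts[e["sender"]] += len(e["recipients"])
    return counts

def heavy_senders(entries, threshold):
    """Senders with at least `threshold` queued recipients, busiest first."""
    return [s for s, n in recipients_per_sender(entries).most_common() if n >= threshold]
```

On a live host the input would be the captured output of `mailq`; a sender far above the others is the account to inspect with `postcat` first.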
We've definitely cured our problem and there is no mail in the mail queue other than genuine email. As I said before, we've cured the problems we were facing about 2 weeks ago and we're still blacklisted, only on gmail's mx's. It's well documented how draconian gmail is with their blanket domain bans, this poor chap was on one for 34 days! https://productforums.google.com/forum/#!topic/gmail/ZmmC4bdo428
I would use something like this in such a case: https://serverfault.com/questions/536001/how-to-route-mail-in-postifix-based-on-recipient-address and route the outgoing traffic for gmail domains through a different MX
Other domains hosted on our server (IP?) are unaffected, it's literally just one domain. I basically need mail destined for a Google hosted MX and coming from @foo.com to be rewritten to come from @bar.com (with @bar.com's SPF's, DKIM etc...)
Is there a way of using a combination of sender_dependent_transport_maps and check_recipient_mx_access to route all outgoing email from @mydomain destined for a google.com MX through my g-suite account?

I thought about having a sender_dependent_transport_maps map like this:
    @mydomain.com gmail_transport:

Then in master.cf:
    gmail_transport unix - - n - - smtp
      -o smtpd_recipient_restrictions = check_recipient_mx_access hash:/etc/postfix/outbound_mx

Then in main.cf outbound_mx:
    *google.com FILTER smtp-relay.gmail.com:25

I've no idea how the "Email Routing" tab works - I'm guessing this is the GUI for the sender_dependent_transport_maps?
Ok - just worked out the whole email routing tab - I rtfm'd. Will the gmail_transport service I specify in the master.cf that includes the option check_recipient_mx_access work to forward all outgoing mail that is destined for a google hosted mx through my google account and the rest just drop into the normal transport? Feel like I'm so close to a solution here!
Ok - one other question I can't answer from the manual: In email routing, how do I specify the name of the "custom" type of transport?
Ok so I populated the fields like this:

Server: MyServer (I only have one!)
Domain: [email protected] (I just want to test with my email address not the whole domain)
Type: custom
Destination: gmail_transport
Sort By: 5 (I've no other transport rules)
Active: checked

In my master.cf:
Code:
    gmail_transport unix - - n - - smtp
      -o smtpd_recipient_restrictions=check_recipient_mx_access hash:/etc/postfix/outbound_mx,permit_sasl_authenticated,reject
      -o syslog_name=gmail-transport

I've restarted postfix but when I send email it doesn't appear to be picking up the transport/service (no log entries for gmail-transport).
Also if I try and send mail to myself from another email address the mail is deferred: ...status=deferred (mail transport unavailable)
Ok I've established that master.cf does not like the space that is required in between "check_recipient_mx_access" and the reference to the hash, inserting a comma between removes the warning.
Really can't get this working, in the logs postfix doesn't even attempt to use the transport except for mail inbound from google!
Now I've changed the Email Routing with these settings, just to take the custom service out of the loop:

Domain: [email protected]
Type: SMTP
No MX-Lookup: (unchecked)
Destination: smtp-relay.gmail.com
Sort by: 1
Active (checked)

Everything is set up fine at gmail's relay (IP is in whitelist, user is authorised to send mail without auth etc...)

If I try and send mail to a gmail account, the mail just bounces around amavis until I get:
    554 5.4.0 Error: too many hops, dt: 1.0 ms

I'm not so sure the Email Routing even works. Would really appreciate a hand with this if anyone is listening...
It seems that the check_recipient_mx_access isn't even being looked at? To take out the Email Routing, I've changed the setup slightly - I've posted it on stack overflow: https://serverfault.com/questions/926602/postfix-check-recipient-mx-access-not-working Can anyone help with this?
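Added example, not part of the thread and not Postfix code: a simplified Python model of how access(5) matches host names in an indexed (hash:) table, which is the lookup check_recipient_mx_access performs on a recipient domain's MX hosts. It shows that the table is searched with exact keys (the host name, then its parent domains), so a key written as `*google.com` is never found while `google.com` is. The recipient domains and MX data are constructed sample values, and IP-address matching is left out.

```python
# Constructed sample data: MX hosts as DNS might return them for two recipient domains.
MX = {
    "gsuite-customer.example": ["aspmx.l.google.com", "alt1.aspmx.l.google.com"],
    "selfhosted.example": ["mail.selfhosted.example"],
}

# The table as posted in the thread, and a variant keyed the way access(5) expects.
POSTED = {"*google.com": "FILTER smtp-relay.gmail.com:25"}
# access(5) documents the action as "FILTER transport:destination".
REKEYED = {"google.com": "FILTER smtp:[smtp-relay.gmail.com]:25"}

def lookup_keys(hostname, parent_matches_subdomains=True):
    """Keys tried for one host name, in order (simplified access(5) model).

    With smtpd_access_maps listed in parent_domain_matches_subdomains (the
    default), parent domains are tried as 'domain.tld'; otherwise as '.domain.tld'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    keys = [".".join(labels)]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    return keys

def mx_access(table, mx_hosts, parent_matches_subdomains=True):
    """Return the action of the first key found for any MX host, else None."""
    for host in mx_hosts:
        for key in lookup_keys(host, parent_matches_subdomains):
            if key in table:  # exact string lookup, no wildcard expansion
                return table[key]
    return None

def route(recipient_domain, table):
    """Action the table yields for a recipient domain, using the sample MX data."""
    return mx_access(table, MX.get(recipient_domain, []))

if __name__ == "__main__":
    for name, table in (("posted", POSTED), ("rekeyed", REKEYED)):
        for domain in MX:
            print(f"{name:8s} {domain:26s} -> {route(domain, table)}")
```

Separately from key matching, `smtpd_recipient_restrictions` is evaluated by the smtpd(8) server when it receives mail; an smtp(8) delivery transport defined in master.cf does not apply it.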