Unauthenticated email from yahoo.com is not accepted due to domain's 550-5.7.1 DMARC

Howdy,

I've noticed that on my vBulletin forum new thread notifications are not emailed.
So went into Admin Control Panel -> Maintenance -> Diagnostics -> Email Diagnostics and sent test email but I never got it.

/var/log/mail.log shows below error.
What is easiest solution for this? use google's SMTP server? Use ISPconfig's ?
I've read about SPF records but there's no way yahoo would add my IP there. DKIM will it help? I hope I'm not the only one having this problem and thread goes without a reply.

Code:

May 10 07:40:52 ks4003281 postfix/pickup[24709]: 36229BF862: uid=5006 from=<web4>
May 10 07:40:52 ks4003281 postfix/cleanup[20815]: 36229BF862: message-id=<[email protected]>
May 10 07:40:52 ks4003281 postfix/qmgr[12397]: 36229BF862: from=<[email protected]>, size=1190, nrcpt=1 (queue active)
May 10 07:40:56 ks4003281 postfix/smtpd[20849]: connect from localhost.localdomain[127.0.0.1]
May 10 07:40:56 ks4003281 postfix/smtpd[20849]: D9B68BF4D4: client=localhost.localdomain[127.0.0.1]
May 10 07:40:56 ks4003281 postfix/cleanup[20815]: D9B68BF4D4: message-id=<[email protected]>
May 10 07:40:56 ks4003281 postfix/qmgr[12397]: D9B68BF4D4: from=<[email protected]>, size=1690, nrcpt=1 (queue active)
May 10 07:40:56 ks4003281 postfix/smtpd[20849]: disconnect from localhost.localdomain[127.0.0.1]
May 10 07:40:56 ks4003281 amavis[4543]: (04543-04) Passed CLEAN, <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: X37o8xzQA6rG, Hits: 2.243, size: 1189, queued_as: D9B68BF4D4, 4655 ms
May 10 07:40:56 ks4003281 postfix/smtp[20821]: 36229BF862: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.8, delays=0.12/0.01/0/4.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as D9B68BF4D4)
May 10 07:40:56 ks4003281 postfix/qmgr[12397]: 36229BF862: removed
May 10 07:40:58 ks4003281 postfix/smtp[20851]: D9B68BF4D4: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[173.194.76.27]:25, delay=1.7, delays=0.05/0.01/0.85/0.77, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.76.27] said: 550-5.7.1 Unauthenticated email from yahoo.com is not accepted due to domain's 550-5.7.1 DMARC policy. Please contact administrator of yahoo.com domain if 550-5.7.1 this was a legitimate mail. Please visit 550-5.7.1 http://support.google.com/mail/answer/2451690 to learn about DMARC 550 5.7.1 initiative. c4si3522980qad.141 - gsmtp (in reply to end of DATA command))
May 10 07:40:58 ks4003281 postfix/cleanup[20815]: 9F431BF87C: message-id=<[email protected]>
May 10 07:40:58 ks4003281 postfix/qmgr[12397]: 9F431BF87C: from=<>, size=4462, nrcpt=1 (queue active)
May 10 07:40:58 ks4003281 postfix/bounce[20852]: D9B68BF4D4: sender non-delivery notification: 9F431BF87C
May 10 07:40:58 ks4003281 postfix/qmgr[12397]: D9B68BF4D4: removed
May 10 07:40:58 ks4003281 postfix/local[20857]: 9F431BF87C: to=<[email protected]>, relay=local, delay=0.07, delays=0.04/0/0/0.03, dsn=2.0.0, status=sent (delivered to mailbox)
May 10 07:40:58 ks4003281 postfix/qmgr[12397]: 9F431BF87C: removed

Here's also http://network-tools.com/ DNS Records (Advanced Tool) for my domain.

Code:

Retrieving DNS records for mydomain.com...
DNS servers
ns57.domaincontrol.com [216.69.185.29]
ns58.domaincontrol.com [208.109.255.29]

Answer records
mydomain.com		SOA	
server:	ns57.domaincontrol.com
email:	[email protected]
serial:	2013092101
refresh:	28800
retry:	7200
expire:	604800
minimum ttl:	600
3600s
mydomain.com		A	MY.SERVER.IP.HERE	600s
mydomain.com		MX	
preference:	0
exchange:	mydomain.com
3600s
mydomain.com		NS 	ns57.domaincontrol.com	3600s
mydomain.com		NS 	ns58.domaincontrol.com	3600s

Authority records

Additional records

 

Thanks for the reply!

My domains are at godaddy.com
There for this particular domain in question I have the following
@ = my.server.ip



http://mxtoolbox.com/ when checked IP it resolves to my server's hostname.
Please advise what to do.
Thanks!

 

Just wanted to explain my scenario. I have 8 domains registered at godaddy.com and none of them are hosted there. I have a dedicated server hosted by a data center.
When I login into my server using Putty
root@ks4003xXXX:~# hostname
ks4003XXX.ip-142-4-XXX.net
root@ks4003XXX:~#
So if I understand you correctly on godaddy.com I need to create a "new" A-Record for mydomain.com and instead of @ I should enter ks4003XXX.ip-142-4-XXX.net ?

After explaining above do I still contact them and ask for mydomain.com to set reverse record to what?
What about other domains ie. mydomain2.com mydomain3.com .....?

While I was going thru godaddy I've noticed that I can add SPF record for mydomain.com ?

Thanks again for taking time to reply!

 

First of all:
ks4003XXX.ip-142-4-XXX.net is not a good hostname for a server I think. It looks similar to those hostnames providers give on dynamic ip connections (DSL etc), maybe this could lead to some servers blocking mails.

The important thing when sending mails from a server is that the settings match. That means:

Server's IP must resolve to it's hostname and vice versa.
If server's name is my.server.tld and this resolves to 12.34.56.78 then the reverse dns entry for 12.34.56.78 has to be my.server.tld
In addition I would always send mails from the domain's mx server via a real smtp account with authentication.

 

Hostname was obviously assigned by a data center.
ks4003XXX.ip-142-4-XXX.net resolves to my server ip ie. 12.34.56.78
That's why I asked what is my next step when I have 8 domains?

 

Of course it is assigned by the data center, but normally you change it during server setup

Important for mail sending is the main domain, that is set up on the server in postfix.

postfix main.cf:
myhostname = xxxxxxx

or sometimes the value in /etc/mailname

This should match the server's hotname and the reverse dns entry for the ip.

It doesn't matter how many domains are pointing to the same server.

 

Installation is done by a automated process and I did not had a chance to enter it.

I went a head and contacted my data center and they suggested to create new A record and I did on godaddy.com
and its linux which points to my ip 12.34.56.78
After that I went into my server control panel and changed from ks4003XXX.ip-142-4-XXX.net to linux.mydomain.com

Then I went and changed /etc/hostname to linux.mydomain.com and in postfix I also changed myhostname = linux.mydomain.com

When I did
root@linux:~# postfix stop && postfix start
I got errors in /var/spool/postfix/etc/ so I've changed to match my new address.
But this error still shows:

Code:

root@linux:~# postfix stop && postfix start
postfix/postfix-script: stopping the Postfix mail system
postfix/postfix-script: warning: /var/spool/postfix/etc/nsswitch.conf and /etc/nsswitch.conf differ
postfix/postfix-script: starting the Postfix mail system
root@linux:~# 

here's output of each one:

/var/spool/postfix/etc/nsswitch.conf

Code:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

/etc/nsswitch.conf

Code:

     

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat

hosts:	files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
 

 

Just copy /etc/nsswitch.conf to /var/spool/postfix/etc/nsswitch.conf
Anyway this is only a warning, not an error.

You should do a

Code:

dig -x 12.34.45.56 (your ip)

to check if the reverse also points to your server name linux.mydomain.net

 

Did suggested for postfix and now error is gone!

I'm still unable to send email.

Here's dig output on the server:

Code:

root@linux:~# dig -x 12.34.45.56

; <<>> DiG 9.8.1-P1 <<>> -x 12.34.45.56
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63757
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;135.209.4.xxx.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
135.209.4.xxx.in-addr.arpa. 86400 IN    PTR     linux.mydomain.net.

;; AUTHORITY SECTION:
209.4.xxx.in-addr.arpa. 68855   IN      NS      NS10.OVH.CA.
209.4.xxx.in-addr.arpa. 68855   IN      NS      DNS10.OVH.CA.

;; Query time: 126 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 16 07:09:27 2014
;; MSG SIZE  rcvd: 119

root@linux:~# 

 

What are the error messages now when you try to send mail?

 

Here it is:

Code:

May 16 19:46:42 linux postfix/pickup[18629]: 517F2BF84F: uid=5006 from=<web4>
May 16 19:46:42 linux postfix/cleanup[7066]: 517F2BF84F: message-id=<[email protected]>
May 16 19:46:42 linux postfix/qmgr[2313]: 517F2BF84F: from=<[email protected]>, size=1180, nrcpt=1 (queue active)
May 16 19:46:42 linux amavis[4963]: (04963-06) NOTICE: reconnecting in response to: err=2006, HY000, DBD::mysql::st execute failed: MySQL server has gone away at (eval 100) line 166, <GEN98> line 4.
May 16 19:46:46 linux postfix/smtpd[7096]: connect from localhost.localdomain[127.0.0.1]
May 16 19:46:46 linux postfix/smtpd[7096]: EA04FBF9D5: client=localhost.localdomain[127.0.0.1]
May 16 19:46:46 linux postfix/cleanup[7066]: EA04FBF9D5: message-id=<[email protected]>
May 16 19:46:47 linux postfix/smtpd[7096]: disconnect from localhost.localdomain[127.0.0.1]
May 16 19:46:47 linux postfix/qmgr[2313]: EA04FBF9D5: from=<[email protected]>, size=1640, nrcpt=1 (queue active)
May 16 19:46:47 linux amavis[4963]: (04963-06) Passed CLEAN, <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: nAr1TrEGVGmp, Hits: 2.243, size: 1179, queued_as: EA04FBF9D5, 4638 ms
May 16 19:46:47 linux postfix/smtp[7069]: 517F2BF84F: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.8, delays=0.12/0.01/0/4.6, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as EA04FBF9D5)
May 16 19:46:47 linux postfix/qmgr[2313]: 517F2BF84F: removed
May 16 19:46:48 linux postfix/smtp[7098]: EA04FBF9D5: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[2607:f8b0:400d:c01::1a]:25, delay=1.2, delays=0.08/0.01/0.66/0.49, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2607:f8b0:400d:c01::1a] said: 550-5.7.1 Unauthenticated email from yahoo.com is not accepted due to domain's 550-5.7.1 DMARC policy. Please contact administrator of yahoo.com domain if 550-5.7.1 this was a legitimate mail. Please visit 550-5.7.1 http://support.google.com/mail/answer/2451690 to learn about DMARC 550 5.7.1 initiative. p8si5157782qag.99 - gsmtp (in reply to end of DATA command))
May 16 19:46:48 linux postfix/cleanup[7066]: 3E592BF89E: message-id=<[email protected]>
May 16 19:46:48 linux postfix/bounce[7099]: EA04FBF9D5: sender non-delivery notification: 3E592BF89E
May 16 19:46:48 linux postfix/qmgr[2313]: 3E592BF89E: from=<>, size=4289, nrcpt=1 (queue active)
May 16 19:46:48 linux postfix/qmgr[2313]: EA04FBF9D5: removed
May 16 19:46:48 linux postfix/local[7100]: 3E592BF89E: to=<[email protected]>, relay=local, delay=0.07, delays=0.03/0.01/0/0.03, dsn=2.0.0, status=sent (delivered to mailbox)
May 16 19:46:48 linux postfix/qmgr[2313]: 3E592BF89E: removed

 

I've been fighting some DMARC problems on a mailing list I take care of. The issue comes from sending an email out through a SMTP host and the domains don't match up. Most of the time with mailing lists they don't.

If I send an email from my mailbox, say [email protected], to a mailing list called [email protected], which may or may not be on a server of the same name, say the servers host name is mail1.example.com. Your headers will have 3 different domains. Your MX record for domain.com should be mail1.example.com.

Dmarc is barfing that you are sending emails from [email protected], sent through [email protected].

Now, I know you aren't dealing with a mailing list in this problem, but I'm just giving you my experience with Dmarc so far.

From your logs, it looks like you are trying to send an email to a google domain from a yahoo domain. Since you are talking about an ispconfig build, it seems you are using yahoo for an authenticated email send?

If that's the case, that's why you are getting the bounces. The error message gives you the reason and tells you to go to http://support.google.com/mail/answer/2451690 It basically tells you that you are sending the email through a 3rd party and to setup your domain for DMARC authentication.

I have not tackled that with ispconfig yet. I only setup SPF and DKIM on my server, but when I get ready to move my mailing lists over, I'll figure out how to do DMARC, but from what I can gather from the DMARC website, mailing lists have caveats depending on how you send the email, and no solution is perfect.

Hope this info helps.

--edit--
I just finished reading the DMARC stuff again, once you have DKIM up and running, it's basically another TXT record you put in DNS, telling it where to send you email reports and if you want receivers to quarantine or reject unauthenticated email. Since I have DKIM running on my ispconfig setup, I went ahead and setup my TXT record for DMARC, telling it to take no action, but email me the reports. Will see what I get.

 

Are you trying to "fake" the sender email [email protected]?
Google says "Unauthenticated email from yahoo.com is not accepted due to domain's"
yahoo uses spf records:
_spf.mail.yahoo.com. 1800 IN TXT "v=spf1 ptr:yahoo.com ptr:yahoo.net ip4:206.108.40.0/27 ip4:199.16.139.0/26 ?all"
so you cannot send from a @yahoo.com address from your own server.

 

No, I'm not trying to fake the email. I'm sending test email from vBulletin (see bellow).

 

Just finally tested this w/ my server email and I was able to get email without any error.
This is definitely vBulletin bug because there is no warning not to enter free email service.

Since I went ahead and changed my hostname to linux.mydomain.com is there anywhere else where I need to change this?

Also, do I need to try to get DKIM or SPF working since its working for now?

TIA

 

Got it, thank you!