My fight against Microsoft Outlook hotmail etc email blocking

[exxos]

So this problem seems to have cropped up at some point. No idea what's going on now :shrug:

Capture.PNG

I'm sure this likely started when I changed the PTR record.. possibly why I ended up putting www in there in the first place to solve the problem originally :shrug:


EDIT:

Yep, if I put www back into the PTR record it solves the mailserver problem.

Capture.PNG

But then that would seemingly be a mismatch because www.exxosforum.co.uk doesn't match as one has www and the other does not.
:dizzy:

I've opened a ticket with ramnode to see if they can shed any light on it.

[exxos]

Reply from host company.

The PTR record should be the same as your server's hostname.
So if your server's hostname is server.exxoshost.co.uk then you should have an A record for server.exxoshost.co.uk pointing to 185.52.2.172 and the PTR of 185.52.2.172 set to server.exxoshost.co.uk

Also in your postfix config you should set:

myhostname=server.exxoshost.co.uk
and restart postfix.

But postfix doesn't use www. but without www in the PTR record, mxtoolbox will fail R-DNA check. Even though they don't exactly match because the PTR has www, postfix doesn't .

I assume as mxtoolbox passes that way, it should be fine anyway.

:dizzy:

[exxos]

I've put www in the postfix config , can't see I can really do much else.

Code: Select all

Connecting to 185.52.2.172

220 www.exxosforum.co.uk ESMTP Postfix (Ubuntu) [257 ms]
EHLO keeper-us-east-1d.mxtoolbox.com
250-www.exxosforum.co.uk
250-PIPELINING

But I don't know if that's going to break anything or not.

[exxos]

:WTF:

outlook.com doesn't have a PTR record ?!

Capture.PNG

[stween]

Yeah I find your provider's response pretty confusing.

Confirmed though that I can see www.exxosforum.co.uk coming back from your mail server now though:

Code: Select all

$ telnet 185.52.2.172 25
Trying 185.52.2.172...
Connected to www.exxosforum.co.uk.
Escape character is '^]'.
220 www.exxosforum.co.uk ESMTP Postfix (Ubuntu)

I guess that can work even if it's not how my old brain would like to do it. www.exxosforum.co.uk resolves to CNAME exxosforum.co.uk, which resolves to A/AAAA records. The IPv4 address resolves back to www.exxosforum.co.uk. (The PTR record for the v6 address ought to be changed to match at some point.) Maybe outlook is okay with all that.

If I were starting fresh (but you probably have decades of configs to break...): I'd put mail on its own subdomain, mail.exxosforum.co.uk. Then the MX record is clear, and the PTR records would point to mail.exxosforum.co.uk. Clearer separation of concerns, even if the v4 and v6 IP addresses are shared with your web server.

Email today is hellish though, and the big providers don't have a lot of faith in smaller operators.

[exxos]

Yeah I find your provider's response pretty confusing.

Confirmed though that I can see www.exxosforum.co.uk coming back from your mail server now though:

Code: Select all

$ telnet 185.52.2.172 25
Trying 185.52.2.172...
Connected to www.exxosforum.co.uk.
Escape character is '^]'.
220 www.exxosforum.co.uk ESMTP Postfix (Ubuntu)

:thumbup:

I guess that can work even if it's not how my old brain would like to do it. www.exxosforum.co.uk resolves to CNAME exxosforum.co.uk, which resolves to A/AAAA records. The IPv4 address resolves back to www.exxosforum.co.uk. (The PTR record for the v6 address ought to be changed to match at some point.) Maybe outlook is okay with all that.

Wasn't sure what v6 should be but I can easily change that anyway.

If I were starting fresh (but you probably have decades of configs to break...): I'd put mail on its own subdomain, mail.exxosforum.co.uk. Then the MX record is clear, and the PTR records would point to mail.exxosforum.co.uk. Clearer separation of concerns, even if the v4 and v6 IP addresses are shared with your web server.

It used to be set up as mx / mail years ago. I think I'll just having so many different problems that I gave up in the end. Even in my Thunderbird config I just use the IP address as opposed to server names because I was always having problems with Thunderbird not being able to access my server. The whole thing just drove me nuts in the end.

Email today is hellish though, and the big providers don't have a lot of faith in smaller operators.

Yeah is getting ever so more complicated and troublesome as time goes on. As others have basically said, only the giants will likely survive it all in the end. On that day, if you end up banned then you basically are screwed.

[exxos]

Banned from Microsoft once again...

I have also noticed ...

host mx03.t-online.de[194.25.134.73] refused to talk to me: 554 IP=185.52.2.172 - None/bad reputation. Ask your postmaster for help or to contact tobr@rx.t-online.de for reset. (NOWL)

I noticed others with the same problems.
https://www.spamresource.com/2020/06/wh ... omment-ref

Also yahoo email will no longer work due to no SPF record.

I've found a LOT of spammers without SPF, so SPF is now enforced. This could break other email providers, but SPF is like 20 years old now. Mail servers should have the setup by now.

I found a bug in my SPF setup which was also fixed yesterday. There has also been HUGE firewall updates and rules to help stop the various constant attacks to the server. I've also done a lot of nginx tweaks to help with various issues. I've probably ploughed 100 hours into all this now over the past few weeks.

[stephen_usher]

SPF & DKIM etc. are all being dynamically set-up by bot nets anyway. All they tell you is that the message hasn't been modified since transmission (by the bot) and the server (bot) is who it says it is.

[exxos]

SPF (Sender Policy Framework) is an email authentication standard that helps protect senders and recipients from spam, spoofing, and phishing. By adding an SPF record to your Domain Name System (DNS), you can provide a public list of senders that are approved to send email from your domain.

Recipient address rejected: Message rejected due to: SPF fail - not authorized.: The reason for rejection is an SPF failure, indicating that the sending domain's SPF record did not authorize the client IP (90.164.45.1) to send mail.

Pretty much all SPF fails are spammers in my logs. I haven't see any spam coming from SPF verified domains yet.

EDIT:

I have also sped up the forum notifications. They should come more instantly now. Not "some random time later".

[IngoQ]

host mx03.t-online.de[194.25.134.73] refused to talk to me: 554 IP=185.52.2.172 - None/bad reputation. Ask your postmaster for help or to contact tobr@rx.t-online.de for reset. (NOWL)

I had to deal with t-online with our mail servers at work as well. They are very restrictive and expect a lot. In my case they insisted on MX entries for the domain of the mail server itself (which in our case was not identical to the mail domain he is supposed to receive mail for). Their argument was, that every mail server has to be able to receive postmaster mails sent to the FQDN of the server, which is always possible, even without MX entry. So we had to add MX entries for a domain that was never supposed to receive mail...

In addition they insisted on the mail server at least forwarding to a website with legal information, although the server itself did not have a website. At this point I simply gave up arguing and did what they asked... :roll:

On a side note: We have two mail servers, the second one could send to t-online just fine, although it did not fulfill their requirements. :lol: