My very own mails - nixers (https://nixers.net) - Servers Administration, Networking, & Virtualization

My very own mails - z3bra - 20-07-2017

I've been trying to set up my very own mail server for quite some time now. This has many benefits: cool domain name, 100% control, 100% privacy, etc... But I've been struggling with that for way longer than my sysadmin title would let me admit. I'm asking for help here, in case someone ever did it successfully in the past. My case is pretty common I think, so here is the context:

So far, sending mails from the main domain works great. My real problem comes from the virtual domain, as I can see the mails leaving my server, but they either get bounced, spammed or even dropped without notice. Google flags me as SPAM without giving a reason, and I managed to get the following error message from mail.com:

Quote: host mx01.mail.com[74.208.5.22] said: 550-Requested

All MX records for these domains are correct, and point to mail.<domain.tld>, which itself points to the IP address of my server. The PTR record for this IP points to mail.z3bra.org. I tried adding another PTR record for the virtual domain, but it's still propagating and I'm not sure an IP can have multiple PTR records. For what matters, all SPF records are ok for both domains (even Google acknowledged it).

I'm now running out of ideas to get my mails delivered. This looks like an incorrect DNS setup, but I'm not sure what should be done at this point.... Please someone tell me you have an idea. I'm fairly sure the solution is simple!

RE: My very own mails - venam - 21-07-2017

There could be two issues:

For the second point you could try this website: http://www.mail-tester.com/ it'll show you if the DNS records are fine. I'm also in the process of "upgrading" my personal mail and learning more about the whole mail server architecture. My goal is to be able to set up a mail server with virtual users and a filter that will use GPG to encrypt mails stored according to the receiver.

RE: My very own mails - z3bra - 21-07-2017

https://p.iotek.org/a62.png

Then I guess I'm *almost* perfectly doing things here... Not sure why I can't reach any inbox then :/ I'll set up DKIM/DMARC then, as it's the last point I can improve. Thanks for the hint.

RE: My very own mails - venam - 21-07-2017

(21-07-2017, 03:22 AM) z3bra Wrote: I'll set up DKIM/DMARC then, as it's the last point I can improve.

DomainKeys Identified Mail is one of the most important parts of the mail infrastructure these days. It assures that mails are sent from the right server and can be traced back to an authority. As far as I know Microsoft mail servers (hotmail, live, etc..) won't accept any email, completely nuke them, if they aren't signed by the mail provider. Gmail is a bit more loose and will mark it as spam. Here's a good guide to set it up: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy

RE: My very own mails - kyberkhrime - 21-07-2017

Quote: The PTR record for this IP points to mail.z3bra.org. I tried adding another PTR record for the virtual domain, but it's still propagating and I'm not sure an IP can have multiple PTR records.

Technically you can, practically this wouldn't be a good idea, because it would work as round-robin, giving a random PTR-record back every time. Does your virtual domain have an A-record? If not: set it. That could be it.

Quote: I'll set up DKIM/DMARC then, as it's the last point I can improve.

Setting DKIM up isn't a bad idea, but especially for DMARC I'd recommend thoroughly reading about it beforehand, because it's not a simple solution to problems and comes with a whole set of its own.

Quote: As far as I know Microsoft mail servers (hotmail, live, etc..) won't accept any email, completely nuke them, if they aren't signed by the mail provider.

You're misinformed here.

RE: My very own mails - z3bra - 21-07-2017

(21-07-2017, 04:01 AM) kyberkhrime Wrote:
Quote: The PTR record for this IP points to mail.z3bra.org. I tried adding another PTR record for the virtual domain, but it's still propagating and I'm not sure an IP can have multiple PTR records.
Technically you can, practically this wouldn't be a good idea, because it would work as round-robin, giving a random PTR-record back every time. Does your virtual domain have an A-record? If not: set it. That could be it.

Anyhow my provider doesn't let me add multiple PTR records. I realised though that my PTR was not exactly set to "mail.z3bra.org", but rather "orbb.z3bra.org" ("mail" is a CNAME for "orbb" of course). So I changed that to explicitly return "mail.z3bra.org".

My virtual domain is set in the exact same way as the primary domain (mail ---(CNAME)--> orbb), with the MX set to "mail". So yeah, I have an A record for it as well. What seems to be confusing for other SMTP servers is the fact that my address is user@domain.alt, but the HELO sent by my server is "mail.z3bra.org", which is different from the origin. The mail-tester venam linked doesn't report this as an issue though.

(21-07-2017, 04:01 AM) kyberkhrime Wrote:
Quote: I'll set up DKIM/DMARC then, as it's the last point I can improve.
Setting DKIM up isn't a bad idea, but especially for DMARC I'd recommend thoroughly reading about it beforehand, because it's not a simple solution to problems and comes with a whole set of its own.

I had DKIM set up already, and it's now enabled again. This is indeed a clusterfuck to understand/setup, but seems to be used (required?) by a lot of wild mail servers, so I guess I'll keep it.

For DMARC, I need to make another test now that the DNS has propagated my TXT record for it. I don't understand a single bit of it though, so I hope it will work on first try. Doing back-and-forth testing with DNS is a huge pain in the neck...

EDIT: Here we are: https://p.iotek.org/u60.png

RE: My very own mails - kyberkhrime - 21-07-2017

Okay, wait, you kind of lost me. So you have your main domain, z3bra.org, which has an MX-record pointing towards mail.z3bra.org. Your second domain has .. what kind of DNS-records? I'd also recommend avoiding CNAMEs here, especially when there's no, to me, visible need.

RE: My very own mails - z3bra - 21-07-2017

Code:
# zone for both domains

Also, I don't get your remark about CNAME. They are meant for domain aliases, and I'm using them as such.

RE: My very own mails - kyberkhrime - 21-07-2017

(21-07-2017, 07:54 AM) z3bra Wrote: Also, I don't get your remark about CNAME. They are meant for domain aliases, and I'm using them as such.

I just checked, in this case it's explicitly forbidden, according to RFC1821, under point 10.3:

Quote: It can also have other RRs, but never a CNAME RR.

An MX-record MUST never refer to a CNAME. So it might as well be that this is the root cause of your problem. Additionally, you could be in violation of RFC1034:

Quote: If a CNAME RR is present at a node, no other data should be present;

What I meant with my, admittedly snarky, comment was that I don't see the point in naming your mailserver orbb, when you're making an alias for it. Why not point the MX-record towards orbb in the first place?

RE: My very own mails - z3bra - 21-07-2017

That is pretty interesting. Thanks for that! I don't understand why this limitation was created though (aside from avoiding any ambiguity). I used CNAME in an effort to keep all my services under explicit domain names, while keeping the names of the servers themselves "random" (it's Quake characters in my case). But I guess you're right, so I'll drop the "mail" CNAME for better clarity.

RE: My very own mails - pizzaroll1 - 04-08-2017

Hey, z3bra, do you have any more information on your setup? I would love to hear about it. In particular, which MDA and MTA you use. I set up my own mail server, but I never bothered to set up POP/IMAP since I could already SSH in and read my mail that way, but that's perhaps not the most convenient way of doing things.

RE: My very own mails - z3bra - 04-08-2017

Sure, here's what I'm using:
MDA: dovecot (IMAP + static passdb for users, accessed over VPN)
MTA: postfix (SMTP + starttls, auth through dovecot)
misc: opendkim to handle DKIM signature of my mails
maillist: mlmmj
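The DNS points raised by kyberkhrime in this thread (an MX must not name a CNAME, as RFC 2181 section 10.3 requires; a CNAME node must carry no other data, RFC 1034 section 3.6.2; the virtual domain needs an A record; several PTR records for one IP get rotated) can all be checked mechanically before a single test mail is sent. The script below is an added example written for this thread, not z3bra's zone file and not part of any project mentioned here. The zone text inside it is constructed: it mirrors the layout z3bra describes (mail is a CNAME for orbb, MX set to mail) using the thread's placeholder name domain.alt and the RFC 5737 documentation address 192.0.2.10 instead of the real server IP. The lint also performs the forward-confirmed reverse DNS check (PTR name must have an A record pointing back to the IP), which is what most receivers actually test, rather than requiring the PTR to equal the MX name.

```python
"""Lint a small zone listing for the delivery problems raised in the thread:
an MX pointing at a CNAME, a CNAME node carrying other data, a missing A
record, and PTR records that are missing, duplicated, or do not confirm."""

from collections import defaultdict

# Constructed zone modelled on the layout z3bra describes ("mail" is a CNAME
# for "orbb", MX set to "mail"). 192.0.2.10 is an RFC 5737 documentation
# address, not the real server; domain.alt is the thread's placeholder name.
BROKEN_ZONE = """\
z3bra.org.                MX     10 mail.z3bra.org.
mail.z3bra.org.           CNAME  orbb.z3bra.org.
orbb.z3bra.org.           A      192.0.2.10
domain.alt.               MX     10 mail.domain.alt.
mail.domain.alt.          CNAME  orbb.z3bra.org.
; reverse zone, as the hosting provider would publish it
10.2.0.192.in-addr.arpa.  PTR    orbb.z3bra.org.
"""

# Same hosts with the MX naming the real host directly (no CNAME in the path).
FIXED_ZONE = """\
z3bra.org.                MX     10 orbb.z3bra.org.
orbb.z3bra.org.           A      192.0.2.10
domain.alt.               MX     10 orbb.z3bra.org.
10.2.0.192.in-addr.arpa.  PTR    orbb.z3bra.org.
"""


def parse_zone(text):
    """Map (owner, type) -> [rdata, ...] from 'owner type rdata' lines."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()        # drop comments
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        records[(owner.lower(), rtype.upper())].append(rdata.strip())
    return records


def resolve_a(records, name, hops=0):
    """Follow up to 8 CNAMEs to the A records of name; [] if there are none."""
    name = name.lower()
    addrs = records.get((name, "A"))
    if addrs:
        return addrs
    cname = records.get((name, "CNAME"))
    if cname and hops < 8:
        return resolve_a(records, cname[0], hops + 1)
    return []


def reverse_name(ip):
    """192.0.2.10 -> 10.2.0.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def lint_zone(text):
    """Return a de-duplicated list of findings; an empty list means clean."""
    records = parse_zone(text)
    findings = []
    cname_nodes = {owner for (owner, rtype) in records if rtype == "CNAME"}
    # RFC 1034 s3.6.2: a CNAME node must carry no other data.
    for (owner, rtype) in records:
        if owner in cname_nodes and rtype != "CNAME":
            findings.append(f"{owner} has both CNAME and {rtype} data")
    for (owner, rtype), rdatas in records.items():
        if rtype != "MX":
            continue
        for rdata in rdatas:
            target = rdata.split()[-1].lower()
            # RFC 2181 s10.3: an MX target must not be an alias.
            if target in cname_nodes:
                findings.append(f"MX for {owner} points at CNAME {target}")
            addrs = resolve_a(records, target)
            if not addrs:
                findings.append(f"MX target {target} for {owner} has no A record")
            # Forward-confirmed reverse DNS: PTR -> host -> A -> the same IP.
            for ip in addrs:
                ptrs = records.get((reverse_name(ip), "PTR"), [])
                if not ptrs:
                    findings.append(f"no PTR for {ip} (MX host {target})")
                if len(ptrs) > 1:
                    findings.append(f"{ip} has {len(ptrs)} PTR records; lookups rotate them")
                for ptr in ptrs:
                    if ip not in records.get((ptr.lower(), "A"), []):
                        findings.append(f"PTR {ptr} for {ip} does not resolve back to {ip}")
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(f"{label}: {lint_zone(zone) or ['clean']}")
```

Run against the constructed BROKEN_ZONE it reports exactly the two MX-to-CNAME findings, one per domain, and nothing about the PTR: a PTR of orbb.z3bra.org is fine as long as orbb's A record returns the same IP, which is why the thread's earlier worry about the PTR "not matching mail" was a red herring compared with the CNAME in the MX path. FIXED_ZONE comes back clean. The parser only understands the three-column owner/type/rdata form shown; it does not handle $ORIGIN, TTLs or relative names, so feed it fully qualified records.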
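z3bra writes that he does not understand DMARC and wonders whether the HELO name (mail.z3bra.org) differing from the sender address (user@domain.alt) is what confuses other servers. DMARC never looks at HELO: it takes the domain of the From: header and asks whether an authenticated identifier aligns with it, either the SPF-checked MAIL FROM domain or the d= domain of a passing DKIM signature. The evaluator below is an added example written for this thread, not code from any of the posters or from opendkim/postfix; the DMARC record, SPF results and DKIM d= values in the test are constructed for illustration, since the thread does not show z3bra's actual records. It computes organizational domains as the last two labels, a deliberate simplification of what a real receiver does with the Public Suffix List.

```python
"""Evaluate DMARC identifier alignment and the resulting disposition, as a
receiving MTA does after SPF and DKIM have already been checked."""


def parse_dmarc(txt):
    """'v=DMARC1; p=quarantine; adkim=r' -> dict with RFC 7489 defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")       # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")        # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])    # subdomain policy falls back to p
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    A real receiver consults the Public Suffix List (example.co.uk etc.)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    a, f = auth_domain.lower().strip("."), from_domain.lower().strip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate_dmarc(record_txt, from_domain, spf_domain, spf_result, dkim_results):
    """Return (dmarc_pass, disposition, reasons).

    spf_domain   - the MAIL FROM domain SPF was evaluated for
    spf_result   - 'pass', 'fail', 'softfail', 'none', ...
    dkim_results - iterable of (d= domain, 'pass' | 'fail') per signature
    """
    policy = parse_dmarc(record_txt)
    reasons = []
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    reasons.append(f"spf={spf_result} domain={spf_domain} aligned={spf_ok}")
    dkim_ok = False
    for d, result in dkim_results:
        ok = result == "pass" and aligned(d, from_domain, policy["adkim"])
        reasons.append(f"dkim={result} d={d} aligned={ok}")
        dkim_ok = dkim_ok or ok
    if spf_ok or dkim_ok:
        return True, "none", reasons
    # Subdomains of the organizational domain fall under sp, the domain itself under p.
    is_sub = from_domain.lower().strip(".") != org_domain(from_domain)
    return False, policy["sp"] if is_sub else policy["p"], reasons


if __name__ == "__main__":
    # Constructed scenario modelled on the thread: From is the virtual domain,
    # the DKIM signature is made with the server's primary domain.
    record = "v=DMARC1; p=quarantine; rua=mailto:dmarc@domain.alt"
    for spf in ("pass", "fail"):
        verdict = evaluate_dmarc(record, "domain.alt", "domain.alt", spf, [("z3bra.org", "pass")])
        print(spf, "->", verdict)
```

The two runs in the main block show the point for a multi-domain server: a DKIM signature with d=z3bra.org never aligns with a From: address at domain.alt, so once SPF fails (for instance after a forward that rewrites the envelope), the mail falls back to the quarantine policy even though the signature itself verifies. Signing each virtual domain with its own selector and d=, as opendkim's SigningTable allows, gives every domain an aligned identifier that survives forwarding.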