z3bra
Grey Hair Nixers
I've been trying to setup my very own mail server for quite some time now. This has many benefits: cool domain name, 100% control, 100% privacy, etc...

But I've been struggling with that for way longer than my sysadmin title would let me admit.
I'm asking for help here, in case someone ever did it successfully in the past. My case is pretty common I think, so here is the context:
  • One server, with one postfix instance
  • One "main" domain: z3bra.org
  • One virtual domain: domain.alt
  • Ability to send mails from both domains

So far, sending mails from the main domain works great. My real problem comes from the virtual domain: I can see the mails leaving my server, but they either get bounced, marked as spam or even dropped without notice.
Google flags me as SPAM without giving a reason, and I managed to get the following error message from mail.com:

Quote:host mx01.mail.com[74.208.5.22] said: 550-Requested
action not taken: mailbox unavailable 550 invalid DNS MX or A/AAAA resource
record (in reply to MAIL FROM command)

All MX records for these domains are correct, and point to mail.<domain.tld>, which itself points to the IP address of my server.
The PTR record for this IP points to mail.z3bra.org. I tried adding another PTR record for the virtual domain, but it's still propagating and I'm not sure an IP can have multiple PTR records.

For what it matters, all SPF records are ok for both domains (even Google acknowledged it).

I'm now running out of ideas to get my mails delivered. This looks like an incorrect DNS setup, but I'm not sure what should be done at this point...

Please someone tell me you have an idea. I'm fairly sure the solution is simple!
BANGARANG, MOTHERFUCKER
venam
Administrators
There could be two issues:
  • Either it's a mail transfer agent issue,
  • or it's a spam related issue.

For the second point you could try this website: http://www.mail-tester.com/ it'll show you if the DNS records are fine.

I'm also in the process of "upgrading" my personal mail and learning more about the whole mail server architecture. My goal is to be able to setup a mail server with virtual users and a filter that will use GPG to encrypt mails stored according to the receiver.
z3bra
Grey Hair Nixers
https://p.iotek.org/a62.png

Then I guess I'm *almost* perfectly doing things here... Not sure why I can't reach any inbox then :/
I'll setup DKIM/DMARC then, as it's the last point I can improve.

thanks for the hint.
venam
Administrators
(21-07-2017, 03:22 AM)z3bra Wrote: I'll setup DKIM/DMARC then, as it's the last point I can improve.
DomainKeys Identified Mail is one of the most important parts of the mail infrastructure these days. It assures that mails are sent from the right server and can be traced back to an authority.
As far as I know Microsoft mail servers (hotmail, live, etc..) won't accept any email, they completely nuke them, if they aren't signed by the mail provider.
Gmail is a bit more loose and will mark it as spam.

Here's a good guide to set it up:
https://www.digitalocean.com/community/t...ian-wheezy
kyberkhrime
Members
Quote:The PTR record for this IP points to mail.z3bra.org. I tried adding another PTR record for the virtual domain, but it's still propagating and I'm not sure an IP can have multiple PTR records.
Technically you can, practically this wouldn't be a good idea, because it would work as round-robin, giving a random PTR-record back every time. Does your virtual domain have an A-record? If not: Set it. That could be it.
Quote:I'll setup DKIM/DMARC then, as it's the last point I can improve.
Setting DKIM up isn't a bad idea, but especially for DMARC I'd recommend thoroughly reading about it beforehand. Because it's not a simple solution to problems and comes with a whole set of its own.
Quote:As far as I know Microsoft mail servers (hotmail, live, etc..), won't accept any email, complete nuke them, if they aren't signed by the mail provider.
Gmail is a bit more loose and will mark it as spam.
You're misinformed here.
z3bra
Grey Hair Nixers
(21-07-2017, 04:01 AM)kyberkhrime Wrote:
Quote:The PTR record for this IP points to mail.z3bra.org. I tried adding another PTR record for the virtual domain, but it's still propagating and I'm not sure an IP can have multiple PTR records.
Technically you can, practically this wouldn't be a good idea, because it would work as round-robin, giving a random PTR-record back every time. Does your virtual domain have an A-record? If not: Set it. That could be it.
Anyhow, my provider doesn't let me add multiple PTR records. I realised though that my PTR was not exactly set to "mail.z3bra.org", but rather "orbb.z3bra.org" ("mail" is a CNAME for "orbb" of course). So I changed that to explicitly return "mail.z3bra.org".

My virtual domain is set in the exact same way as the primary domain (mail ---(CNAME)--> orbb), with the MX set to "mail". So yeah, I have an A record for it as well.
What seems to be confusing for other SMTP servers is the fact that my address is user@domain.alt, but the HELO sent by my server is "mail.z3bra.org", which is different from the origin. The mail-tester venam linked doesn't report this as an issue though.

(21-07-2017, 04:01 AM)kyberkhrime Wrote:
Quote:I'll setup DKIM/DMARC then, as it's the last point I can improve.
Setting DKIM up isn't a bad idea, but especially for DMARC I'd recommend thoroughly reading about it beforehand. Because it's not a simple solution to problems and comes with a whole set of its own.
I had DKIM setup already, and it's now enabled again. This is indeed a clusterfuck to understand/setup, but seems to be used (required?) by a lot of wild mail servers, so I guess I'll keep it.
For DMARC, I need to make another test now that the DNS has propagated my TXT record for it. I don't understand a single bit of it though, so I hope it will work on first try. Doing back-and-forth testing with DNS is a huge pain in the neck...

EDIT: Here we are: https://p.iotek.org/u60.png
kyberkhrime
Members
Okay, wait, you kind of lost me. So you have your main domain, z3bra.org, which has an MX-record pointing towards mail.z3bra.org. Your second domain has .. what kind of DNS-records? I'd also recommend avoiding CNAMEs here, especially when there's no, to me, visible need.
z3bra
Grey Hair Nixers
Code:
; zone for both domains (same layout under z3bra.org and domain.alt)
orbb 10800 IN A     163.172.89.172   ; the actual host running postfix
mail 10800 IN CNAME orbb             ; "mail" is an alias for "orbb"
@    10800 IN MX 10 mail             ; the zone apex MX points at the alias

Also, I don't get your remark about CNAME. They are meant for domain aliases, and I'm using them as such.
kyberkhrime
Members
(21-07-2017, 07:54 AM)z3bra Wrote: Also, I don't get your remark about CNAME. They are meant for domain aliases, and I'm using them as such.

I just checked, in this case it's explicitly forbidden, according to RFC1821, under point 10.3:
Quote:It can also have other RRs, but never a CNAME RR.
An MX-record MUST never refer to a CNAME. So it might as well be that this is the root cause of your problem. Additionally, you could be in violation of RFC1034:
Quote:If a CNAME RR is present at a node, no other data should be present;

What I mean with my, admittedly snarky, comment was that I don't see the point in naming your mailserver orbb when you're making an alias for it. Why not point the MX-record towards orbb in the first place?
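The MX-must-not-be-an-alias rule quoted above is easy to check offline. The following is an added example written for this thread, not code from any poster: it models both zones as posted (MX at the apex pointing at the "mail" CNAME) and the suggested fix (MX pointing straight at "orbb"), then runs the checks a receiving MTA would trip over. The record data is constructed from the zone snippet in this thread; the RFC 2181 section 10.3 reference is mine.

```python
"""Offline model of the MX / CNAME checks discussed in the thread."""
from collections import defaultdict


def build_zone(rrs):
    """rrs: iterable of (owner, rtype, rdata) -> {owner: {rtype: [rdata, ...]}}."""
    zone = defaultdict(lambda: defaultdict(list))
    for owner, rtype, rdata in rrs:
        zone[owner][rtype].append(rdata)
    return zone


def has_address(node):
    return bool(node.get("A") or node.get("AAAA"))


def check_mail_domain(zone, domain):
    """Problems a receiving MTA may hit while validating a MAIL FROM domain."""
    problems = []
    mx_list = zone[domain].get("MX")
    if not mx_list:
        # RFC 5321 implicit MX: fall back to the domain's own A/AAAA record
        if not has_address(zone[domain]):
            problems.append(f"{domain}: no MX and no A/AAAA record")
        return problems
    for pref, target in sorted(mx_list):
        node = zone[target]
        if "CNAME" in node:
            # RFC 2181 section 10.3: an MX exchange must not be an alias
            problems.append(f"MX {pref} {target}: exchange is a CNAME")
            if len(node) > 1:
                # RFC 1034: a CNAME owner must carry no other data
                problems.append(f"{target}: CNAME mixed with other records")
        elif not has_address(node):
            problems.append(f"MX {pref} {target}: exchange has no A/AAAA record")
    return problems


def thread_zone(domain, mx_target):
    """Constructed records mirroring the layout posted above, per domain."""
    return [(f"orbb.{domain}", "A", "163.172.89.172"),
            (f"mail.{domain}", "CNAME", f"orbb.{domain}"),
            (domain, "MX", (10, mx_target))]


BROKEN = build_zone(thread_zone("z3bra.org", "mail.z3bra.org")
                    + thread_zone("domain.alt", "mail.domain.alt"))
FIXED = build_zone(thread_zone("z3bra.org", "orbb.z3bra.org")
                   + thread_zone("domain.alt", "orbb.domain.alt"))

if __name__ == "__main__":
    for label, zone in (("as posted", BROKEN), ("MX -> orbb", FIXED)):
        for d in ("z3bra.org", "domain.alt"):
            print(label, d, check_mail_domain(zone, d) or "ok")
```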
z3bra
Grey Hair Nixers
That is pretty interesting. Thanks for that!
I don't understand why this limitation was created though (aside from avoiding any ambiguity).

I used CNAME in an effort to keep all my services under explicit domain names, while keeping the names of the servers themselves "random" (it's Quake characters in my case).
But I guess you're right, so I'll drop the "mail" CNAME for better clarity.
pizzaroll1
Long time nixers
Hey, z3bra, do you have any more information on your setup? I would love to hear about it. In particular, which MDA and MTA you use.

I set up my own mail server, but I never bothered to set up POP/IMAP since I could already SSH in and read my mail that way, but that's perhaps not the most convenient way of doing things.
my website: kaashif.co.uk
z3bra
Grey Hair Nixers
Sure, here's what I'm using:

MDA: dovecot (IMAP + static passdb for users, accessed over VPN)
MTA: postfix (SMTP + starttls, auth through dovecot)
misc: opendkim to handle DKIM signature of my mails
maillist: mlmmj