Server blocking mails from outlook and hotmail

Discussion in 'Server Operation' started by Yel4144, Aug 20, 2024.

  1. Yel4144

    Yel4144 Member

    I receive many complaints that mails could not be sent through my server anymore (recipient on my server or forwarding via my server)

    another message is
    I'm using rspamd.
    This is what I found in mail.log
    Any idea? Do I have to disable spamhaus?
     
  2. Yel4144

    Yel4144 Member

    I've checked postfix main.cf
    There I found
    According to https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/MTAs/020-Postfix.html the blocking should be done in rspamd and not on smtp-level. Is that right? So should I remove the reject_rbl_client entries above and configure it according https://github.com/spamhaus/rspamd-dqs ?
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Is this an ISPConfig system? If yes, go to System > server config > mail, remove zen.spamhaus.org from the RBL field, and press save. Spamhaus has been causing lots of issues lately, so ISPConfig has not used it anymore for some time.
     
    Yel4144 likes this.
  4. Yel4144

    Yel4144 Member

    Done. Thank you!
     
  5. Yel4144

    Yel4144 Member

    I know it's not the same issue, but is there any news on implementing SRS? Most of my clients are using their domains just for mail forwarding and they get more and more errors...
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    You can use SRS on ISPConfig, it's just not set up by default. Google e.g. for "postfix postsrsd". You can also find threads about that here in the forum.
     
  7. Yel4144

    Yel4144 Member

    Yes, I found this:
    https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2551
    (with "Till Brehm changed milestone to %3.2.13 3 months ago")
    and this
    https://share.rb-hosting.de/s/EdbfgQxwTX3AqMN
    But I was waiting if it would be included and not that I break something with a new config
    --> would you recommend to wait for 3.2.13 or can I continue implementing it?
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    I can't give you a definite date when this will be included as it has not been widely tested and verified yet. So if you need it now, then you might want to try if it works. Likely, you have to redo this on updates though until it made its way into the main code.
     
  9. Yel4144

    Yel4144 Member

    Hello @till
    Is there any news on implementing SRS as default?
     
  10. remkoh

    remkoh Active Member HowtoForge Supporter

    Have a look here
    https://forum.howtoforge.com/thread...heme-in-an-ispconfig-mailserver-part-1.89827/
    and here
    https://forum.howtoforge.com/thread...heme-in-an-ispconfig-mailserver-part-2.89828/
    if you want to implement SRS.

    I've just finished a fresh Ubuntu 24.04 mailserver install with the autoinstaller script.
    Some things seem to have changed slightly in config files since I've created these tutorials so you need to pay extra attention when following the steps but in the end it still works.
     
    till likes this.
  11. Yel4144

    Yel4144 Member

    Thank you @remkoh
    I've already implemented SRS using the script provided by Jens and Helmo in this Post.
    The script does basically the same you've provided in part 1 (I don't use relay) with slight differences:
    In master.cf you've added
    Code:
            -o smtpd_milters=
            -o non_smtpd_milters=
    (is that relevant? Values are empty)
    And in virtual-outgoing-bcc.cf they added 2 other where conditions
    Code:
    WHERE (email = '%s'
                          OR email = regexp_replace('%s', '^srs0=.+?=..=(.+)=(.+)@.*$', '\\\\2@\\\\1')
                          OR email = regexp_replace('%s', '^srs0=.+?=..=(.+)=(.+)@.*$', '@\\\\1')
                      ) ...
    
    Otherwise it looks the same.
    --> I manually adjusted those 2 files to your settings, restarted both services and tested again: Same result (see details here) --> SPF not aligned, DMARC denied and DKIM not found
     
  12. remkoh

    remkoh Active Member HowtoForge Supporter

    Are you sure your rewrite domain has proper spf and dmarc records in the dns?

    I've been testing my new install a lot, including different ways to forward mail to both hotmail and gmail.
    All tests succeeded, senders were rewritten and mail was forwarded and received by hotmail and gmail.
    I never had a spf or dmarc failure in the headers.

    Only thing was that the first forward to hotmail ended up in the spamfolder. Others after that not.
    Had nothing to do with spf or dmarc and all with microsoft being microsoft.
     
  13. Yel4144

    Yel4144 Member

    Yes, I am sure, because if SRS is not working (sender and recipient are internal, although both are sending from/to google), everything is green:
    upload_2025-6-20_16-11-23.png
    The problem is, when it's coming from outside, it mixes the sender DMARC & DKIM and my SRS-SPF (see test in

    Just updated to 3.3.0p2. I saw there was a bug report with BCC, so I gave it a try (changed virtual_outgoing_bcc):
    https://forum.howtoforge.de/threads/outgoing-bcc-bei-srs.13828/

    Well, something has changed, but it's still not 100%:
    Google shows it passed (still mixed up):
    upload_2025-6-20_16-17-50.png
    With srs the srs-domain is being displayed:
    upload_2025-6-20_16-57-22.png

    But MX-Toolbox reveals still some mistakes:
    upload_2025-6-20_16-18-59.png
    DKIM cannot be authenticated, because SPF is the SRS domain and DKIM the customer domains: not aligned
     
  14. remkoh

    remkoh Active Member HowtoForge Supporter

    Updated the new server to 3.3.0p2 just now and ran a new test (all my tests were external)
    Still all working as expected.

    Code:
    ARC-Seal: i=2; a=rsa-sha256; t=1750432625; cv=pass;
           d=google.com; s=arc-20240605;
           b=ZSEFFXnm/IDCZ77VTbn9BVgPbsM+z+Yn+kq+LgDXskKKvAcRfAiHzcrCRpqti8LAKS
            u8fLpn6/Uv09Va/+XvTRGAkOMkmvkngLUR9HnG5jVdilFQzHpbZNrGUpabrihx924qw8
            8QI/dO8vshgpcjDzdErXVecHkSe18VOFRqcsclrEgPUGNU18CyOwR++aFZQej3cxrCr+
            BjWS2Qr9d1rhi8SSQmIjq1NDJD1rPX1k/Adde2rlvunm4/w/yp9LaehYR/4/pTiLk+MN
            XDHYS5xrm5VD10TnqTLA2ruuyUPvkiccqXIGS+L7X6JNjKpnCPH4mTD6BqJDTDvedxgN
            emrA==
    ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
           h=mime-version:content-language:accept-language:message-id:date
            :thread-index:thread-topic:subject:to:from:dkim-signature
            :dkim-filter:delivered-to:dkim-filter;
           bh=daGxVxATHHgiriZLhXnJimtKmK0j31KYtuFSzqaNQ4A=;
           fh=nSyKi/lCtcARFJZwmTlbGGfDLcVq+DWta2JAIbl10Is=;
           b=hTy34IWP+q2XxkSvqLjUVbZi8oq8ceV8F3ms2LR4xvKlpniibA09+3mL3VcUks4D6K
            kNerUyXEGYmpy3F+uS7HNbzWqD0JDPGceupj1ymyNG6FtfT4Cn7FiRZmtqVm+JixWJKL
            fQlkcTGUxXcWkck+kooHnTnQ6AuKVc7g8GHCR7eyw7xsWvjzZmqnIFrct0N27x7RNDUO
            7DLNPmU8kpAZlYzheYVGm5jswA4vVOIW8mLnEJTvCPK405mRcgTyMHqR5o8bgwYH9Hnb
            DrjKKGyBcF55qjLE+r8yEroo6tZJGOI2otx7I0NKfdzGX+0O/ThZKBfylhThPIKEqbtF
            G/1g==;
           dara=google.com
    ARC-Authentication-Results: i=2; mx.google.com;
          dkim=pass [email protected] header.s=_dkim header.b=Av3f7tXD;
          arc=pass (i=1 spf=pass spfdomain=mydomain.tld dkim=pass dkdomain=mydomain.tld dmarc=pass fromdomain=mydomain.tld);
          spf=pass (google.com: domain of [email protected] designates 1.2.3.4 as permitted sender) smtp.mailfrom="[email protected]";
          dmarc=pass (p=QUARANTINE sp=REJECT dis=NONE) header.from=mydomain.tld
    Return-Path: <[email protected]>
    Received: from mysmarthost (mysmarthost. [1.2.3.4])
           by mx.google.com with ESMTPS id 4fb4d7f45d1cf-60a18a7f956si1725996a12.184.2025.06.20.08.17.05
           for <[email protected]>
           (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
           Fri, 20 Jun 2025 08:17:05 -0700 (PDT)
    Received-SPF: pass (google.com: domain of [email protected] designates 1.2.3.4 as permitted sender) client-ip=1.2.3.4;
    Authentication-Results: mx.google.com;
          dkim=pass [email protected] header.s=dkim header.b=Av3f7tXD;
          arc=pass (i=1 spf=pass spfdomain=mydomain.tld dkim=pass dkdomain=mydomain.tld dmarc=pass fromdomain=mydomain.tld);
          spf=pass (google.com: domain of [email protected] designates 1.2.3.4 as permitted sender) smtp.mailfrom="[email protected]";
          dmarc=pass (p=QUARANTINE sp=REJECT dis=NONE) header.from=mydomain.tld
    
     
  15. remkoh

    remkoh Active Member HowtoForge Supporter

    Side note:
    All mail received on my gmail is copyforwarded to another personal mailaddress.
    That too is without any spf, dkim and dmarc errors.

    Also, the fact that I have a smarthost between the new mailserver and gmail should not make any difference when spf is setup properly.
     
  16. Yel4144

    Yel4144 Member

    This is exactly the problem: My system is not changing the host correctly. While your "ARC-Authentication-Results" show
    Code:
          arc=pass (i=1 spf=pass spfdomain=mydomain.tld dkim=pass dkdomain=mydomain.tld dmarc=pass fromdomain=mydomain.tld);
          spf=pass (google.com: domain of [email protected] designates 1.2.3.4 as permitted sender) smtp.mailfrom="[email protected]";
          dmarc=pass (p=QUARANTINE sp=REJECT dis=NONE) header.from=mydomain.tld
    mine still show the original (unchanged GMail):
    Code:
           arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com);
          spf=pass (google.com: domain of [email protected] designates 1.2.3.4 as permitted sender) smtp.mailfrom="[email protected]";
          dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
    Could you do me a favour and paste the whole original Header into https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx and verify that the dmarc/dkim and spf is not mixed up? For me only SPF has been adjusted
    upload_2025-6-20_18-15-59.png
     
  17. remkoh

    remkoh Active Member HowtoForge Supporter

    upload_2025-6-20_23-18-31.png

    I get the proper domainnames but spf and dkim signature are red.
    - dmarc:mydomain.tld
    - spf:srsdomain.tld (1.2.3.4)
    - dkim:mydomain.tld:dkim
     
    Last edited: Jun 20, 2025
  18. Yel4144

    Yel4144 Member

    It seems you have the same problem: SPF is taken from SRS, but DKIM is not rewritten to the SRS server, but the original server is being kept.
    Am I wrong thinking this is not working correctly?
     
  19. remkoh

    remkoh Active Member HowtoForge Supporter

    I don't understand the results mxtoolbox is giving.
    The whole purpose of SRS is preventing SPF errors only. So everything seems to be working.
    As long as the body of the mail doesn't get altered along the way then the original dkim signature remains to be valid.
    So there's no need for SRS to resign it.
    The headers at the final destination support this. Spf, dkim and dmarc are all passed.
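
Added example, not part of the thread and not any poster's or ISPConfig's code: a small DMARC evaluator showing why a forwarded message can pass DMARC even though its SPF domain (the SRS rewrite domain) differs from its DKIM and From domain. The scenarios are constructed, the domain names reuse the placeholders from the posts above, and the two-label organizational-domain rule is a simplifying assumption.

```python
from dataclasses import dataclass

@dataclass
class AuthResult:
    mechanism: str  # "spf" or "dkim"
    result: str     # "pass", "fail", ...
    domain: str     # SPF: envelope-from (smtp.mailfrom) domain; DKIM: d= domain

def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels.
    # Real validators consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_verdict(from_domain, results, strict=False):
    """DMARC passes if at least one mechanism both passes and is aligned
    with the header From domain (RFC 7489)."""
    detail = []
    verdict = "fail"
    for r in results:
        is_aligned = aligned(r.domain, from_domain, strict)
        detail.append((r.mechanism, r.result, r.domain, is_aligned))
        if r.result == "pass" and is_aligned:
            verdict = "pass"
    return verdict, detail

# Constructed scenarios; domain names follow the placeholders used in the thread.
SCENARIOS = {
    "srs_forward_dkim_intact": [AuthResult("spf", "pass", "srsdomain.tld"),
                                AuthResult("dkim", "pass", "mydomain.tld")],
    "forward_without_srs": [AuthResult("spf", "fail", "mydomain.tld"),
                            AuthResult("dkim", "pass", "mydomain.tld")],
    "srs_forward_body_altered": [AuthResult("spf", "pass", "srsdomain.tld"),
                                 AuthResult("dkim", "fail", "mydomain.tld")],
}

if __name__ == "__main__":
    for name, results in SCENARIOS.items():
        verdict, detail = dmarc_verdict("mydomain.tld", results)
        print(f"{name}: dmarc={verdict}")
        for mech, res, dom, ok in detail:
            print(f"  {mech}={res} domain={dom} aligned={ok}")
```

In the first scenario SPF passes for the SRS domain but is not aligned, and DMARC still passes through the aligned DKIM signature; only the third scenario, where the signature no longer verifies, fails.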
     
