Hi, I have a problem with the emails created in hestiaCp, when I send an email to a hotmail or outlook always bounces the mail as I can solve it help please.
You’ve asked the same in our discord channel, the facts doesnt change when you post it here. Read the error message, either reach out to your isp as suggested or use an smtp relay.
Microsoft is very picky regarding DANE TLSA now. This is easily enabled and generated especially when you run dns on hestia as well. Just run an openssl command after each new LE key is generated, then put the output in a dns entry for the domain name.
This is not the solution. Isps can only do so much. Your score with mail server config is too low regardless of what isp you use. Two issues would help: Enable ipv6, enable DANE TLSA.
Have you noticed the error message? Microsoft has blocked the ip range in use by the mail server. Ofc you can now enable ipv6 and get another ip, which is probaly not blocked, but this doesnt resolve the main issue…
I’ve had the same happen with the IP(v4) range of a server of mine. You can get the IP-block cleared by MS, but only if you enable DANE TLSA and some other requirements…
For DANE TLSA you only need to do:
# openssl x509 -noout -fingerprint -sha256 < /etc/exim4/domains/yourdomain.tld/ssl/yourdomain.tld.crt |tr -d : |cut -d"=" -f2
And if, for this example, the output is:
you can put the output in DNS records as follows:
;; TLSA Records _25._tcp.yourdomain.tld. 1 IN TLSA 3 0 1 450CFBF8893B3798F3173F24D272D154F31B0F39C603F89EFC832944BCC467F7 _25._tcp.mail.yourdomain.tld. 1 IN TLSA 3 0 1 450CFBF8893B3798F3173F24D272D154F31B0F39C603F89EFC832944BCC467F7 _443._tcp.yourdomain.tld. 1 IN TLSA 3 0 1 450CFBF8893B3798F3173F24D272D154F31B0F39C603F89EFC832944BCC467F7 _443._tcp.mail.yourdomain.tld. 1 IN TLSA 3 0 1 450CFBF8893B3798F3173F24D272D154F31B0F39C603F89EFC832944BCC467F7
And if you need more subdomain names to make use of TLSA, you can add them like so:
I.e., in cloudflare this means you’d have to fill in
_443._tcp.subdomain for another TLSA record in the DNS interface for your domain.
The main point to remember is to update these after your cert has been updated. So it should be scripted after each LE cert-updated confirmation.
Or use gentlsa.py: GitHub - ekollof/gentlsa: Tool for DANE/TLSA (with Cloudflare API support)
Outlook uses spamhaust pbl The Spamhaus Project - PBL
When you host your own emails ane reverse ip address is listed as different to the host you send from it throws a fit.
I personally think they are forcing you to go through vps dps providers instead of self hosting if you isp or ip service will not allow you to change the hostmane to your own servers.