Hi, OK, here I am in isolation due to having COVID-19, feeling OK, very mild symptoms so far.
As such I have some time on my hands to work on server config, specifically email server setup.
Recently I had an issue sending mail; it seems I blocked myself with csf, but underlying this was the fact that I was on 3 blacklists: 2 were related to mail server trust, the other was with:
urbl.hostedemail.com; Your IP has been manually blacklisted"
The first 2 were easy to request removal from, but as they are automated trust tests I need to ensure the mail server is set up well.
urbl.hostedemail.com is another kettle of fish and not the first time I have had issues with this one. It is hard to find a method for removal, but in the past I did get the IP removed, only to be manually blacklisted again. This time I went via hover.com mail support, as I have an account there and I believe they are owned by opensrs, who own hostedemail.com. Also successfully removed.
So after trying all the mail server testing sites I came up with the following needing attention.
spf
DKIM/DMARC
Helo response
First some background on my setup
cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
176.9.39.21 server.lislehost.com server
This was the domain used when setting server up.
The domain lislehost.com was added to the admin account and nameservers set up as:
When adding an email the mail server hostname is shown as
mail.domain.tld (the domain the email is for, i.e. mail.lislehost.com)
All good so far.
An MX check at mxtoolbox.com for mail.lislehost.com showed
DNS Record Published DNS Record not found
DMARC Policy Not Enabled DMARC Quarantine/Reject policy not enabled
DMARC Record Published DMARC Record found
I have both SPF and DKIM enabled for mail.lislehost.com
DNS entries
"v=spf1 a mx ip4:176.9.39.21 ~all"
"v=DMARC1; p=none"
After some checking I edited DNS entry _dmarc to:
"v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; adkim=r; aspf=r; rf=afrf"
Reran test
Policy not found issue now cured, still left with issue.
DNS Record Published DNS Record not found
Checking DNS I have both:
@ MX 10 60 mail.lislehost.com.
mail A 60 176.9.39.21
So I did a test at dkimvalidator.com
report contained
Received: from server.lislehost.com (mail.lislehost.com [176.9.39.21])
SPF
Helo Address = server.lislehost.com
From Address = [email protected]
From IP = 176.9.39.21
I was also getting a high SpamAssassin score, usually around 1 and for some domains up to 1.5
Looking at this I thought the Helo address should be mail.lislehost.com regardless of the From address.
So after research I found /etc/exim4/mailhelo.conf
server.lislehost.com:server.lislehost.com - left this as is
lislehost.com:server.lislehost.com
was changed to
lislehost.com:mail.lislehost.com
new report from dkimvalidator.com
Received: from mail.lislehost.com (mail.lislehost.com [176.9.39.21])
DKIM = pass
SPF = pass
Helo Address = mail.lislehost.com
From Address = [email protected]
From IP = 176.9.39.21
spamAssassin Score: -0.098
Message is NOT marked as spam
Points breakdown:
0.0 URIBL_BLOCKED
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author’s domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
Looking better
Now a check on Mimecast (Cloud Cybersecurity Services for Email, Data and Web)
SPF results for domain: mail.lislehost.con
We could not find a SPF record
I take this to be the same as mxtoolbox
DNS Record Published DNS Record not found
Really not sure why I am still getting this?
So now I have both the following looking OK
DKIM/DMARC
Helo response
I still have the SPF DNS entry issue, plus the fact that I need to go through every domain's DNS to amend the DMARC entry to add a policy and edit /etc/exim4/mailhelo.conf so every domain shows the correct Helo response of:
mail.domain.tld
and not
server.domain.tld (hostname)
so in /etc/exim4/mailhelo.conf it will change from
domain.tld:server.lislehost.com (hostname)
to
domain.tld:mail.domain.tld
Note I need to disable DKIM and save, then re-enable it after editing the /etc/exim4/mailhelo.conf entry, for it to be seen by dkimvalidator.com
Now, not being a proper system admin, I may have missed something, especially relating to the host/domain details:
host server.lislehost.com vs domain lislehost.com
but with checks on SMTP becoming tighter, having correct DKIM/SPF/Helo responses is becoming very important; you can get blocked even if you are not sending spam.
Is it possible for HestiaCP to have the choice to add a basic DKIM policy to DNS and have the correct Helo response for each domain?
Bit of a long post, but nothing else to do, now to go through all my email domains on the server.
Thanks
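The per-domain change described in the post, as an added example that is not part of the original post and is not HestiaCP code: it rewrites mailhelo.conf-style lines to mail.<domain> and checks each domain's SPF and DMARC TXT records. The sample file and DNS data are constructed, and placing the SPF record at the bare domain is an assumption; SPF is looked up on the exact name queried, so a check against mail.<domain> only finds a record published at that name.

```python
HOSTNAME = "server.lislehost.com"   # server hostname, from the post

def rewrite_mailhelo(conf_text, hostname=HOSTNAME):
    """Point each domain's HELO at mail.<domain>; keep the hostname's own line."""
    out = []
    for line in conf_text.splitlines():
        domain, sep, helo = (part.strip() for part in line.partition(":"))
        if sep and domain != hostname and helo == hostname:
            line = f"{domain}:mail.{domain}"
        out.append(line)
    return "\n".join(out) + "\n"

def dmarc_tags(record):
    """Parse 'v=DMARC1; p=none' into {'v': 'DMARC1', 'p': 'none'}."""
    pairs = (item.partition("=") for item in record.split(";") if "=" in item)
    return {k.strip().lower(): v.strip() for k, _, v in pairs}

def has_spf(txt, name):
    return any(r.lower().startswith("v=spf1") for r in txt.get(name, []))

def audit(domain, helo, txt):
    """Return findings for one domain. txt maps DNS name -> list of TXT strings."""
    findings = []
    if not has_spf(txt, domain):
        findings.append(f"no SPF record at {domain}")
    if not has_spf(txt, helo):
        # SPF is evaluated on the exact name; nothing is inherited from the parent.
        findings.append(f"no SPF record at HELO name {helo}")
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("no DMARC record")
    elif dmarc_tags(dmarc[0]).get("p", "none").lower() not in ("quarantine", "reject"):
        findings.append("DMARC policy not enabled")
    return findings

# Constructed sample data modelled on the post (not live DNS, not the real file).
SAMPLE_CONF = "server.lislehost.com:server.lislehost.com\nlislehost.com:server.lislehost.com\n"
SAMPLE_TXT = {
    "lislehost.com": ["v=spf1 a mx ip4:176.9.39.21 ~all"],  # assumed record location
    "_dmarc.lislehost.com": ["v=DMARC1; p=none"],
}

if __name__ == "__main__":
    new_conf = rewrite_mailhelo(SAMPLE_CONF)
    print(new_conf, end="")
    for entry in new_conf.splitlines():
        domain, _, helo = entry.partition(":")
        if domain != HOSTNAME:
            print(domain, audit(domain, helo, SAMPLE_TXT))
```

Run it against a copy of the file and review the output before replacing /etc/exim4/mailhelo.conf; each mail.<domain> name also needs an A record pointing at the sending IP, as the post shows for mail.lislehost.com.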