10

I've set up Postfix and created an alias that maps to a gmail account. When I mail from one of my own (google mail) accounts, it goes through, but if someone from the outside mails me, Google won't accept the mail from my server. The logs something contains this:

Aug 20 13:47:09 Ubuntu-1204-precise-64-minimal postfix/smtpd[8249]: connect from mailout.example.com[1.1.1.1]
Aug 20 13:47:09 Ubuntu-1204-precise-64-minimal postfix/smtpd[8249]: DB399E3318: client=mailout.example.com[1.1.1.1]
Aug 20 13:47:09 Ubuntu-1204-precise-64-minimal postfix/cleanup[8253]: DB399E3318: message-id=<015e01ce9d9a$f988a750$ec99f5f0$@dk>
Aug 20 13:47:09 Ubuntu-1204-precise-64-minimal postfix/qmgr[8230]: DB399E3318: from=<test@example.com>, size=3813, nrcpt=1 (queue active)
Aug 20 13:47:09 Ubuntu-1204-precise-64-minimal postfix/smtpd[8249]: disconnect from mailout.example.com[1.1.1.1]
Aug 20 13:47:10 Ubuntu-1204-precise-64-minimal postfix/smtp[8255]: DB399E3318: to=<example@gmail.com>, orig_to=<example@mydomain.com>, relay=gmail-smtp-in.l.google.com[2a00:1450:4010:c04::1b]:25, delay=1.1, delays=0.22/0/0.14/0.76, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:4010:c04::1b] said: 550-5.7.1 [2a01:4f8:d12:11c2::2      16] The sender does not meet basic ipv6 550-5.7.1 sending guidelines of authentication and rdns resolution of sending 550-5.7.1 ip. Please review 550 5.7.1 https://support.google.com/mail/answer/81126for more information. qh9si1111170lbb.172 - gsmtp (in reply to end of DATA command))

The relevant part seems to be:

The sender does not meet basic ipv6 550-5.7.1 sending guidelines of authentication and rdns resolution of sending 550-5.7.1 ip. Please review 550 5.7.1 https://support.google.com/mail/answer/81126 for more information.

Any idea how I can solve this?

Edit

On the mails that do come through, I find the following headers:

Received-SPF: neutral (google.com: 1.1.1.1 is neither permitted nor denied by best guess record for domain of sender@example.com) client-ip=1.1.1.1;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 1.1.1.1 is neither permitted nor denied by best guess record for domain of sender@example.com) smtp.mail=sender@example.com

Now, the curious thing is that it appears that Google is evaluating my server against the SPF of the original sender. This is a third party, so I can't control their SPF. If I'm interpreting this correctly, Google thinks that my server is the origin of the message. Is this perhaps the crux of the problem?

Edit 2

It looks like I have the same problem as this: Why is SPF being validated against my mail server's IP instead of sender's IP?

Edit 3

So I've fixed the spf issue by installing pfix-srs and setting an spf record for my mail server. I followed this guide (Had to install some packages manually, since they aren't available for Ubuntu): http://blog.phusion.nl/2012/09/10/mail-in-2012-from-an-admins-perspective/

This appears to solve the spf issue (The mails now pass spf), but alas, mail is still getting dropped from some senders. I'm now trying to set the rdns entry and see if it resolves. I'll post back here once I know.

Edit 4

It worked. In summary, what I did to resolve this was:

  • Install pfix-srs.
  • Create an spf record for my mail servers domain, allowing my ip4 and ip6 to send. (E.g. v=spf1 ip4:1.1.1.1 ip6:abcd:abc:123:4567::8 ~all)
  • Create an rdns entry for my mail severs domain, pointing to its IP.
Community
  • 1
troelskn
  • 219
  • 1
  • 2
  • 11
  • 1
    Looks to me like your Postfix is forwarding to Google just fine; it's *Google rejecting* those forwarded emails that is your problem. – user Aug 20 '13 at 12:31

1 Answers1

6

The link that Google provides explains it very well. You should go through the list of requirements that Google lists there and check if you satisfy each of them, if not then fix that.

I think the most basic ones are these:

If you satisfy these three requirements you should at least get accepted. The next step is to avoid the Spam folder, which might be a little more difficult. For a big part it depends on if users mark your email as spam, plus a few other details that are described in Google's support link https://support.google.com/mail/answer/81126.

replay
  • 3,180
  • 13
  • 16
  • I'm not sure how that should help me. My server is forwarding mail for multiple domains, so I can't use rdns. As I'm relaying mails from third party senders, I don't think neither spf nor dkim applies. – troelskn Aug 20 '13 at 12:41
  • If you send from multiple domains, the easiest/best thing to do is to allocate one IP for each of them. If this is not possible, you can also add multiple PTR records into the rdns of the sending IP, one for each of the domains. It's also possible to use SPF and DKIM when you send emails from multiple domains, because SPF is stored in the domain's DNS anyway and in the DKIM filter you can have different keys for each sending domain. But all of these things only apply if you have control over the domains that you are sending from. – replay Aug 20 '13 at 13:15
  • If you have no control at all over the domains that you are sending from, I can't help you. But then I would ask why you even let them relay over your mail server, that sounds like a recipe for trouble. – replay Aug 20 '13 at 13:17
  • I don't control the senders because I'm the recipient. Basically I have a lot of mail addresses that I want forwarded to a single common location (In this case a gmail account). My mail server receives them and then relays them to the final destination. – troelskn Aug 20 '13 at 14:25
  • That sounds like forwarding would be more appropriate than relaying. The difference is that if you do forwarding, the sender address will be set to one domain that you have control over. You can implement that via alias maps or virtual alias maps, like described here: http://www.cyberciti.biz/faq/linux-unix-bsd-postfix-forward-email-to-another-account/ – replay Aug 20 '13 at 14:37
  • That's what I do. – troelskn Aug 20 '13 at 14:38
  • Sorry, my fault, this won't actually change the sender address. Have you tried the Postfix `masquerade_domains` parameter to rewrite the sender domains? http://www.postfix.org/postconf.5.html#masquerade_domains – replay Aug 20 '13 at 14:46
  • No, but I have installed [srs](http://blog.phusion.nl/2012/09/10/mail-in-2012-from-an-admins-perspective/), which seems to fix the spf problem. It still rejects mails from outside senders though. One last thing, is that I didn't have rdns configured, so I have now set that, but I guess I'll have to wait at least 24 hours before I know if that fixes the problem. (TTL is 24 hours) – troelskn Aug 20 '13 at 14:49
  • 1
    @troelskn Note well that since you're using IPv6, you need reverse DNS set on your IPv6 address also. – Michael Hampton Aug 20 '13 at 15:13
  • @MichaelHampton Yeah, good call. That was my next problem indeed. – troelskn Aug 20 '13 at 18:40
  • I see that settin up everything is useful, but this change definitely won't help IPv6 adoption. Great. – SztupY Aug 22 '13 at 20:19