DevHeads.net

Semi-OT: Getting blacklisted by hotmail/Google again and again

Hi there,

I know this is a bit off-topic here, but I'm completely desperate right
now and am clueless if there's anything wrong with my MTA configuration
that I completely overlook. I have a Postfix mail server running that
serves multiple domains. All users are fully authenticated and need to
use TLS to authenticate. For about six months I have had issues that my
users cannot send mails to services from Microsoft or Google
(hotmail.com, outlook.com, gmail.com) because the messages bounce:

<REDACTED> host
eur.olc.protection.outlook.com[104.47.125.33] said: 550 5.7.1
Unfortunately, messages from [37.120.172.118] weren't sent. Please contact
your Internet service provider since part of their network is on our block
list (S3150). You can also refer your provider to
http://mail.live.com/mail/troubleshooting.aspx#errors.
[SG2APC01FT051.eop-APC01.prod.protection.outlook.com] (in reply to MAIL
FROM command)

or something like

<REDACTED>: host gmail-smtp-in.l.google.com[74.125.140.27]
said: 550-5.7.1 [37.120.172.118 12] Our system has detected
that this
message is 550-5.7.1 likely unsolicited mail. To reduce the amount
of spam
sent to Gmail, 550-5.7.1 this message has been blocked. Please visit
550-5.7.1
https://support.google.com/mail/?p=UnsolicitedMessageError 550
5.7.1 for more information. z2si12224425wro.400 - gsmtp (in reply
to end
of DATA command)

Of course I went through the troubleshooting guides and applied for
lifting of the ban (for Microsoft, this is possible -- Gmail offers no
such thing). It always has been lifted, but with no explanation why it
was in effect. I.e., something along the lines of:

Here's what I've checked/tried:

* Neither I nor any of my users send spam. The mail volume is VERY low.

* I use a reputable service provider for my server (i.e., I suspect if
there were other customers in my IP range doing bad things, they'd be
kicked out).

* I have not configured an open relay. In fact, I've even written a
testsuite to check my MTA configuration:
https://github.com/johndoe31415/mtatest which passes.

* I've a valid reverse DNS:

$ host johannes-bauer.com
johannes-bauer.com has address 37.120.172.118
johannes-bauer.com mail is handled by 10 johannes-bauer.com.

$ host 37.120.172.118
118.172.120.37.in-addr.arpa domain name pointer spornkuller.de.

$ host spornkuller.de
spornkuller.de has address 37.120.172.118
spornkuller.de mail is handled by 10 spornkuller.de.

* I have set up SPF:
$ host -a johannes-bauer.com
[...]
johannes-bauer.com. 3600 IN TXT "v=spf1 mx -all"

* I'm using DKIM.

In my desperation I've even registered to the Google Postmaster thing
and demeaningly "verified" my domain by altering the DNS:
https://postmaster.google.com/ -- all data is entirely empty (even
though there were positively mails blocked since I've registered with them).

If anyone has any ideas of what could be wrong, I'm absolutely grasping
for straws here. Any help is greatly appreciated.

All the best,
Johannes

Comments

Re: Semi-OT: Getting blacklisted by hotmail/Google again and aga

By Bastian Blank at 03/16/2019 - 06:28

Hi Johannes

On Sat, Mar 16, 2019 at 10:56:11AM +0100, Johannes Bauer wrote:
So your _provider_ is on the MS blacklist. Netcup did not show up
on my radar, but I don't know what else.

It is really low, so low that DNSWL did not pick the IP up as recurrent
sender or refuse to.

Not according to the rejection by MS services.

For the correct domains? I don't see any verification records for
spornkuller.de.

Let's point out the obvious(?):

Your MTA is known under different names:

It does not advertise ESMTP (how the heck did you manage to
misconfigure it this much?):

| % nc spornkuller.de 25
| 220 Hi there

Claim your info at dnswl.org.

Regards,
Bastian
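
The reverse-DNS and greeting checks discussed in this thread, as an added example that is not part of either post. The lookup tables are constructed from the `host` and `nc` output quoted above so the script runs offline, and all function names are hypothetical.

```python
import re

# Constructed sample data, transcribed from the `host` and `nc` output in the thread.
PTR = {"37.120.172.118": "spornkuller.de."}
A = {"spornkuller.de": ["37.120.172.118"],
     "johannes-bauer.com": ["37.120.172.118"]}
BANNER = "220 Hi there"

# Host names only; address literals such as [192.0.2.1] are not handled here.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def norm(name):
    return name.rstrip(".").lower()

def check_fcrdns(ip, ptr, a):
    """Forward-confirmed reverse DNS: IP -> PTR name -> A records containing the IP."""
    if ip not in ptr:
        return None, ["no PTR record for " + ip]
    name = norm(ptr[ip])
    if ip not in a.get(name, []):
        return name, ["PTR name %s does not resolve back to %s" % (name, ip)]
    return name, []

def check_greeting(banner):
    """Parse the first greeting line; return (announced host name or None, findings)."""
    # RFC 5321 section 4.2: the 220 greeting starts with the server's domain.
    m = re.match(r"^220[ -](\S+)(?: (.*))?$", banner.strip())
    if not m:
        return None, ["not a 220 greeting: %r" % banner]
    name, text = m.group(1), m.group(2) or ""
    findings = []
    if HOSTNAME.match(name):
        name = norm(name)
    else:
        findings.append("greeting does not start with a host name (got %r)" % name)
        name = None
    # The ESMTP keyword is a convention; its absence is what the reply points out.
    if "ESMTP" not in text.split():
        findings.append("greeting does not announce ESMTP")
    return name, findings

def audit(ip, banner, ptr=PTR, a=A):
    """Combine both checks and flag a greeting name that differs from the PTR name."""
    ptr_name, findings = check_fcrdns(ip, ptr, a)
    greet_name, greet_findings = check_greeting(banner)
    findings += greet_findings
    if ptr_name and greet_name and ptr_name != greet_name:
        findings.append("greeting name %s differs from PTR name %s" % (greet_name, ptr_name))
    return findings
```

Calling `audit("37.120.172.118", BANNER)` on the thread's data reports the two greeting findings, while the forward-confirmed reverse DNS check passes.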