DevHeads.net

Semi-OT: Getting blacklisted by hotmail/Google again and again

Hi there,

I know this is a bit off-topic here, but I'm completely desperate right
now and am clueless if there's anything wrong with my MTA configuration
that I completely overlook. I have a Postfix mail server running that
serves multiple domains. All users are fully authenticated and need to
use TLS to authenticate. For about six months I have had issues that my
users cannot send mails to services from Microsoft or Google
(hotmail.com, outlook.com, gmail.com) because the messages bounce:

<REDACTED> host
eur.olc.protection.outlook.com[104.47.125.33] said: 550 5.7.1
Unfortunately, messages from [37.120.172.118] weren't sent. Please contact
your Internet service provider since part of their network is on our block
list (S3150). You can also refer your provider to
http://mail.live.com/mail/troubleshooting.aspx#errors.
[SG2APC01FT051.eop-APC01.prod.protection.outlook.com] (in reply to MAIL
FROM command)

or something like

<REDACTED>: host gmail-smtp-in.l.google.com[74.125.140.27]
said: 550-5.7.1 [37.120.172.118 12] Our system has detected
that this
message is 550-5.7.1 likely unsolicited mail. To reduce the amount
of spam
sent to Gmail, 550-5.7.1 this message has been blocked. Please visit
550-5.7.1
https://support.google.com/mail/?p=UnsolicitedMessageError 550
5.7.1 for more information. z2si12224425wro.400 - gsmtp (in reply
to end
of DATA command)

Of course I went through the troubleshooting guides and applied for
lifting of the ban (for Microsoft, this is possible -- Gmail offers no
such thing). It always has been lifted, but with no explanation why it
was in effect. I.e., something along the lines of:

Here's what I've checked/tried:

* Neither I nor any of my users send spam. The mail volume is VERY low.

* I use a reputable service provider for my server (i.e., I suspect if
there were other customers in my IP range doing bad things, they'd be
kicked out).

* I have not configured an open relay. In fact, I've even written a
testsuite to check my MTA configuration:
https://github.com/johndoe31415/mtatest which passes.

* I've a valid reverse DNS:

$ host johannes-bauer.com
johannes-bauer.com has address 37.120.172.118
johannes-bauer.com mail is handled by 10 johannes-bauer.com.

$ host 37.120.172.118
118.172.120.37.in-addr.arpa domain name pointer spornkuller.de.

$ host spornkuller.de
spornkuller.de has address 37.120.172.118
spornkuller.de mail is handled by 10 spornkuller.de.

* I have setup SPF:
$ host -a johannes-bauer.com
[...]
johannes-bauer.com. 3600 IN TXT "v=spf1 mx -all"

* I'm using DKIM.

In my desperation I've even registered to the Google Postmaster thing
and demeaningly "verified" my domain by altering the DNS:
https://postmaster.google.com/ -- all data is entirely empty (even
though there were positively mails blocked since I've registered with them).

If anyone has any ideas of what could be wrong, I'm absolutely grasping
for straws here. Any help is greatly appreciated.

All the best,
Johannes

Comments

Re: Semi-OT: Getting blacklisted by hotmail/Google again and aga

By Dominic Raferd at 03/18/2019 - 06:11

On Sat, 16 Mar 2019 at 09:57, Johannes Bauer < ... at gmx dot de> wrote:
Do any of your users relay incoming emails via your server into their
own mailboxes on Gmail/hotmail? In this case, spam they are
*receiving* (not sending) is nevertheless being passed to
Gmail/Hotmail by your mail server which might explain why you
repeatedly get blacklisted. Tackle this with effective spam blocking
on your server and by having your server react when it receives a
warning from an onward server about a 'bad' email (e.g. by banning the
sender for a period).

Re: Semi-OT: Getting blacklisted by hotmail/Google again and aga

By Bastian Blank at 03/16/2019 - 06:28

Hi Johannes

On Sat, Mar 16, 2019 at 10:56:11AM +0100, Johannes Bauer wrote:
So your _provider_ is on the MS blacklist. Netcup did not show up
on my radar, but I don't know what else.

It is really low, so low that DNSWL did not pick the IP up as recurrent
sender or refuse to.

Not according to the rejection by MS services.

For the correct domains? I don't see any verification records for
spornkuller.de.
Let's point out the obvious(?):

Your MTA is known under different names:

It does not advertise ESMTP (how the heck did you manage to
misconfigure it this much?):

| % nc spornkuller.de 25
| 220 Hi there

Claim your info at dnswl.org.

Regards,
Bastian

Re: Semi-OT: Getting blacklisted by hotmail/Google again and aga

By Johannes Bauer at 03/16/2019 - 08:59

Hi Bastian,

I wasn't aware of DNSWL before this, so I'm going to look into it for
sure. Thanks for the pointer.

True. However, I don't understand why, even after whitelisting my
server's IP it gets blacklisted again shortly thereafter.

Ah, I thought it would be sufficient to register the domain which the MX
record points to (johannes-bauer.com in my case, which aliases with
spornkuller.de). But I'll register spornkuller.de as well and see what I
get.

Is this a problem? In other words, should I refer to the MTA always
under the same name, i.e., have the MX record of johannes-bauer.com
point to spornkuller.de? If this is somehow an issue I definitely
overlooked it.

Ugh!

smtpd_banner = Hi there

My best guess is that I was testing something and had it half-configured
or whatever. I'm fairly sure that it was previously disclosing full
version numbers and that's why I was poking around with that setting to
avoid it. Fixed and thanks for the pointer.

Is the banner however also used when Postfix connects to a different
MTA? Because I only have problems delivering messages, no issues
receiving at all.

I will, thanks a bunch for the info. Your support is greatly
appreciated! If we ever meet in person, please remind me and beers are
on me :)

All the best,
Joe

Re: Semi-OT: Getting blacklisted by hotmail/Google again and aga

By Bill Cole at 03/16/2019 - 13:37

[...]
It should not be. There are no CNAMEs involved, so no room for obvious
failure modes.

That really shouldn't matter. Just never point an MX at a name that is
resolved via a CNAME.

However, using multiple names for a mail server is generally pointless
beyond satisfying human urges. Some might call it "branding" or
"narcissism" or "nominalism."

It is simplest to just use one name for the server and have the PTR for
the IP and the MX for each domain it serves point to that name. In
Postfix that is set by smtp_helo_name, which defaults to $myhostname.

Which is really quite harmless.

The text part of the connection greeting banner is not subject to any
formal requirements. There are recommendations in various RFCs but no
robust SMTP client cares what comes after the 220.

No. Again: that's smtp_helo_name (default: $myhostname)
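
The naming layout discussed above (PTR, MX and HELO name for one sending IP), checked in an added example that is not part of the thread. The DNS data is transcribed from the `host` output in the original post; the function names are hypothetical, and the HELO name `spornkuller.de` is an assumption based on Johannes's later reply.

```python
# Added example. Records are transcribed from the `host` output in the
# original post; function names are hypothetical.
A = {"johannes-bauer.com": ["37.120.172.118"],
     "spornkuller.de": ["37.120.172.118"]}
MX = {"johannes-bauer.com": ["johannes-bauer.com."],
      "spornkuller.de": ["spornkuller.de."]}
PTR = {"37.120.172.118": ["spornkuller.de."]}
CNAME = {}  # the thread states that no CNAMEs are involved


def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def fcrdns(ip):
    """PTR names of ip whose own A records contain ip (forward-confirmed)."""
    return [n for n in map(norm, PTR.get(ip, [])) if ip in A.get(n, [])]


def audit(ip, helo_name, domains):
    """Return (severity, message) findings for one sending IP."""
    findings = []
    confirmed = fcrdns(ip)
    if not confirmed:
        findings.append(("error", f"{ip} has no forward-confirmed PTR"))
    if norm(helo_name) not in confirmed:
        findings.append(("note", f"HELO {norm(helo_name)} is not the PTR name"))
    for domain in domains:
        for mx in map(norm, MX.get(domain, [])):
            if mx in CNAME:
                findings.append(("error", f"{domain}: MX {mx} is a CNAME"))
            elif ip not in A.get(mx, []):
                findings.append(("error", f"{domain}: MX {mx} does not resolve to {ip}"))
            elif mx not in confirmed:
                findings.append(("note", f"{domain}: MX {mx} differs from PTR name"))
    return findings


if __name__ == "__main__":
    # HELO name is an assumption (smtp_helo_name defaults to $myhostname).
    for severity, message in audit("37.120.172.118", "spornkuller.de",
                                   ["johannes-bauer.com", "spornkuller.de"]):
        print(severity, message)
```

Name mismatches are reported as notes rather than errors, in line with the reply above that multiple names should not matter as long as no MX points at a CNAME.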

Re: Semi-OT: Getting blacklisted by hotmail/Google again and aga

By Johannes Bauer at 03/16/2019 - 17:33

Hey Bill,

Yup, I knew about the CNAME issue, therefore referring to an entry that
has an actual A record.

Nah, I really don't care about the name in a DNS record -- no narcissism
here :) There is a technical reason for the MX entries always pointing
to their own domains (which then point all to the same IP): Previously,
some of these ran their own MTAs and were hosted on different hosts
before I consolidated them. I simply had not had to (and haven't)
changed anything in DNS.

Yes, think I'll change that in the future so the FQDNs of the MX and the
indicated smtp_helo_name match up. Right now they don't (except of
course for spornkuller.de).

Humor me as paranoid, I work in IT security. Postfix has an excellent
security track record, but no need to share any info that only benefits
a potential attacker in my opinion.

Thanks for your support,
All the best,
Joe

Re: Semi-OT: Getting blacklisted by hotmail/Google again and aga

By Matthew McGehrin at 03/17/2019 - 03:44

Hi Johannes,

Gone are the days of being able to send normal emails to these
providers. They use automated algorithms that block your email
automatically. Your IP reputation has a lot to do with it as well, along
with the IPs in your /24. For example, looking up your IP reputation, I
see that this /24 has several mail providers, so while you might not be
sending the actual spam, other IPs in your /24. Also, forwarded email
can have the same impact, as you are forwarding spam, and not
necessarily sending it directly.

See also:

https://www.talosintelligence.com/reputation_center/lookup?search=37.120.172.118

37.120.172.166 mail.digi-media-net.de    Yes    0.0    1.7 No    Poor

You might need to use one of the commercial providers, such as Amazon or
Sendgrid, to send your outbound emails, since the large providers will
not block them as easily.

Matthew

Re: Semi-OT: Getting blacklisted by hotmail/Google again and aga

By Erwan David at 03/17/2019 - 08:22

On 17/03/2019 at 08:44, Matthew McGehrin wrote:
I had some problem sending emails to some businesses and found they used
MS for hosting their email system. In that case, I always signal in the
customer satisfaction form that their email hoster destroys the
messages sent by their customers and that made me less likely to do
business with them again.

Re: Semi-OT: Getting blacklisted by hotmail/Google again and aga

By Czarek at 03/17/2019 - 08:44

Check if you are not an open relay. Configure SPF, DKIM, DMARC and Reverse
DNS.
Then contact the spam lists.
Here you can check where your IP is listed.
Rgds
Wesley.

Re: Semi-OT: Getting blacklisted by hotmail/Google again and aga

By Erwan David at 03/17/2019 - 15:59

On 17/03/2019 at 13:44, Czarek wrote:
In my case there is no spam list, I am not an open relay, I have DKIM,
DMARC and SPF, I even registered to MS as a sender. They accept my
emails, but the recipient does not receive it or it is in the spam.

They just consider that only big email providers should exist.

Re: Semi-OT: Getting blacklisted by hotmail/Google again and aga

By Robert Schetterer at 03/17/2019 - 16:11

On 17.03.19 at 20:59, Erwan David wrote:
google seems to have another policy for ipv6 incoming mail, a workaround
is to deliver mail to them via ipv4 only, but it has been reported that
this helps only sometimes, having SPF, DKIM, DMARC
and Reverse DNS is a must-have these days... sometimes ipv6 settings
are forgotten or not ok, perhaps double check it

Re: Semi-OT: Getting blacklisted by hotmail/Google again and aga

By michaelof@rocke... at 03/17/2019 - 16:27

Same for me, finally I gave it up and inform my hotmail recipients, good luck not that many, manually.

I agree only partially, my experiences sorted by relevance:

1. Reverse DNS: no chance without
2. SPF: increases probability to get Mails delivered

Up to now I use neither DKIM nor DMARC, and I'm getting all my mails delivered. Except the hotmail issue above. So IMHO "a must" is too rigid.

My 5 cents,
Michael

Re: Semi-OT: Getting blacklisted by hotmail/Google again and aga

By Peter at 03/17/2019 - 20:54

On 18/03/19 09:27, Michael wrote:
The main reason to set up DKIM and DMARC is to tick their boxes so that
when you try to contact them to fix it you can rightfully say that
you've followed all their recommended practices. DKIM requires a milter
to sign your messages (usually opendkim) but DMARC is quite easy and
only requires that you add a DNS record. I generally use this:

_dmarc.example.com. TXT "v=DMARC1;p=none;adkim=r;aspf=r;pct=0"

... it basically just says not to enforce any DMARC policies, it
satisfies ESPs recommendation for setting DMARC but otherwise does nothing.

Also you should sign up for dnswl.org which is free to do and has been
known to help sometimes.

Peter
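
What the record above asks receivers to do, worked through in an added example that is not part of the thread. The helper names are hypothetical; tag defaults and the `pct` fallback behaviour follow RFC 7489.

```python
# Added example; helper names are hypothetical.
PETERS_RECORD = "v=DMARC1;p=none;adkim=r;aspf=r;pct=0"  # quoted from the post
POLICIES = ("none", "quarantine", "reject")
# When pct < 100, unsampled failures get the next weaker policy (RFC 7489).
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict with defaults filled in."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for index, part in enumerate(parts):
        key, sep, value = part.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep or not key or key in tags:
            raise ValueError(f"malformed or duplicate tag: {part!r}")
        if index == 0 and (key, value) != ("v", "DMARC1"):
            raise ValueError("record must start with v=DMARC1")
        tags[key] = value
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    record = {**DEFAULTS, **tags}
    record.setdefault("sp", record["p"])  # subdomains inherit p= by default
    if not 0 <= int(record["pct"]) <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return record


def enforcement(txt):
    """Summarise what receivers are asked to do with failing mail."""
    record = parse_dmarc(txt)
    pct, policy = int(record["pct"]), record["p"]
    rest = WEAKER[policy]
    return {
        "sampled": (pct, policy),
        "rest": (100 - pct, rest),
        "enforcing": (pct > 0 and policy != "none")
                     or (pct < 100 and rest != "none"),
        "aggregate_reports": "rua" in record,
    }


if __name__ == "__main__":
    print(enforcement(PETERS_RECORD))
```

For the quoted record this reports no enforcement and no aggregate reports, since it carries no `rua=` tag; adding one is what makes receivers send the reports that show how the domain's mail is being evaluated.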

Re: Semi-OT: Getting blacklisted by hotmail/Google again and aga

By Johannes Bauer at 03/17/2019 - 15:10

Hi Wesley,

On 17.03.19 13:44, Czarek wrote:
Except for DMARC I have all of the above.

How so?

Best regards,
Johannes

Re: Semi-OT: Getting blacklisted by hotmail/Google again and aga

By Franc... at 03/17/2019 - 15:18

u can check dnsbl list here https://hetrixtools.com/blacklist-check/

On 17/03/2019 at 20:10, Johannes Bauer wrote:

Re: Semi-OT: Getting blacklisted by hotmail/Google again and aga

By Robert Schetterer at 03/17/2019 - 03:59

On 17.03.19 at 08:44, Matthew McGehrin wrote:
that's what's named collective punishment ( german Sippenhaft )
this feels like big companies use their market power to shift users
to their site cause in between their noble big players club everything
is promoted as running fine.

Re: Semi-OT: Getting blacklisted by hotmail/Google again and aga

By Ben Greenfield at 03/16/2019 - 08:22

Hey All,

I thought I would try to hijack this semi-OT thread.

A while back I was getting mail rejected by not signing my domain up with DNSWL.
I was then emailed either weekly or monthly to confirm my set-up was still valid.
I found this annoying as my information rarely changes.
I stopped responding, they still send me prompts and I think they now accept my mail.

I bring this up because my uninformed opinion from my experience with DNSWL is that it is sort of extortion for control of email traffic.

Thoughts?

Ben