
I've been trying to correctly set up a Postfix server for our products for a couple of days. The server is running correctly, but some e-mails sent to Gmail are delivered to the spam box. The server is configured like this:

/etc/postfix/main.cf

mydomain = example.com
myhostname = example.com
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, example.com, example.org, example.net
virtual_alias_domains = example.org, example.net
virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/master.cf

587      inet  n       -       n       -       -       smtpd -v
smtp      inet  n       -       n       -       -       smtpd -v

/etc/postfix/virtual

user1@example.com  user1
user2@example.com  user2
user3@example.com  user3

user1@example.net  user1
user2@example.net  user2
user3@example.net  user3
user4@example.net  user4

user2@example.org  user2

My working SPF rule (10.0.0.1 is a fake IP for example.com, and the rule is applied to example.com, example.net and example.org) is: v=spf1 mx ip4:10.0.0.1 ~all


I've configured the MX DNS, rDNS, SPF and everything was fine and working. And only authenticated users can send e-mail through this server.

So, here is the problem: if I send an e-mail from user1@example.com (the same as mydomain and myhostname), the e-mail is delivered to the inbox. If I send the e-mail from user1@example.net, the e-mail is delivered to the spam box.

Looking at the e-mail's headers, the difference is:

The one which arrives in the spam box:

Received: from example.com (mail.example.com. [10.0.0.1])
        by mx.google.com with ESMTP id e69si1483476yhm.50.2013.03.07.06.42.23;
        Thu, 07 Mar 2013 06:42:23 -0800 (PST)
Received-SPF: pass (google.com: domain of user3@example.net designates 10.0.0.1 as permitted sender) client-ip=10.0.0.1;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of user3@example.net designates 10.0.0.1 as permitted sender) smtp.mail=user3@example.net
Received: from new-host-5.home (177.205.99.64.dynamic.adsl.gvt.net.br [177.205.99.64])
    by example.com (Postfix) with ESMTP id 7EAB2D186F
    for <maykelsb@gmail.com>; Thu,  7 Mar 2013 09:42:22 -0500 (EST)
From: User3 <user3@example.net>

The one which arrives in the inbox:

Received: from example.com (mail.example.com. [10.0.0.1])
        by mx.google.com with ESMTP id a30si1434990yhm.294.2013.03.07.06.45.39;
        Thu, 07 Mar 2013 06:45:39 -0800 (PST)
Received-SPF: pass (google.com: domain of user3@example.com designates 10.0.0.1 as permitted sender) client-ip=10.0.0.1;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of user3@example.com designates 10.0.0.1 as permitted sender) smtp.mail=user3@example.com
Received: from new-host-5.home (177.205.99.64.dynamic.adsl.gvt.net.br [177.205.99.64])
    by example.com (Postfix) with ESMTP id A55BCD186F
    for <maykelsb@gmail.com>; Thu,  7 Mar 2013 09:45:38 -0500 (EST)
From: User3 <user3@example.com>

I tried to use transport to change the outbound e-mail so that each one is sent through its own IP, but without luck. Here are my transport settings (tried with name and IP also):

example.com  smtp:10.0.0.1:25
example.net  smtp:10.0.0.2:25
example.org  smtp:10.0.0.3:25

Does anyone have any ideas on how to solve this? I think that if I could set the outbound of user3@example.net through mail.example.net and not mail.example.com, this problem would be solved. Thank you.


The DNS configurations of the 3 IPs are much like each other, as you can see below:

example.com A 10.0.0.2
example.com MX 10 mail.example.com
example.com TXT v=spf1 mx ip4:10.0.0.1 ~all
mail.example.com A 10.0.0.1
mail.example.com MX 1 mail.example.com
mail.example.com TXT v=spf1 mx ip4:10.0.0.1 ~all

example.net A 10.0.0.1
example.net MX 10 mail.example.net
example.net TXT v=spf1 mx ip4:10.0.0.1 ~all
mail.example.net A 10.0.0.2
mail.example.net MX 1 mail.example.net
mail.example.net TXT v=spf1 mx ip4:10.0.0.1 ~all

example.org A 10.0.0.3
example.org MX 10 mail.example.org
example.org TXT v=spf1 mx ip4:10.0.0.1 ~all
mail.example.org A 10.0.0.3
mail.example.org MX 1 mail.example.org
mail.example.org TXT v=spf1 mx ip4:10.0.0.1 ~all

Also, I have these interfaces

10.0.0.1: eth0
10.0.0.2: eth0.1
10.0.0.3: eth0.2

These are the rDNS settings created by my ISP:

10.0.0.1 - example.com
10.0.0.2 - example.net
10.0.0.3 - example.org

I'd asked to have:

10.0.0.1 - example.com, example.net, example.org

But he said that this could lead to problems identifying my e-mail server. It would act something like a load balancer, delivering a different one each time.


I've updated my /etc/postfix/master.cf to look as follows:

example.com:smtp      inet    n       -       n       -       -       smtpd -o myhostname=example.com
example.com:587       inet    n       -       n       -       -       smtpd -o myhostname=example.com
example.net:smtp      inet    n       -       n       -       -       smtpd -o myhostname=example.net -o smtp_bind_address=10.0.0.2
example.net:587       inet    n       -       n       -       -       smtpd -o myhostname=example.net -o smtp_bind_address=10.0.0.2
example.org:smtp      inet    n       -       n       -       -       smtpd -o myhostname=example.org -o smtp_bind_address=10.0.0.3
example.org:587       inet    n       -       n       -       -       smtpd -o myhostname=example.org -o smtp_bind_address=10.0.0.3

Postfix seems to ignore the -o smtp_bind_address=10.0.0.2 because it keeps delivering mail through 10.0.0.1.

Gardner
  • What in the gmail headers indicates that it is the SPF records causing the mail to finish in the spam box? – NickW Mar 07 '13 at 15:42
  • @NickW, I don't think that the SPF is the problem. I think that it is the divergence between the domain which delivered the e-mail and the domain of the e-mail. More specifically here: **Received: from example.com (mail.example.com. [10.0.0.1])** and **user3@example.net**. I think that it needs to be **Received: from example.net (mail.example.net. [10.0.0.2])** to work properly. Am I wrong? – Gardner Mar 07 '13 at 16:47
  • Does the domain of the email have a valid MX record which corresponds to the mail server name? It can even be a CNAME record.. – NickW Mar 07 '13 at 16:51
  • I added them to the description. Thanks for your help. – Gardner Mar 07 '13 at 17:03
  • Yeah, now I see the MX records I understand more. – NickW Mar 07 '13 at 17:09

1 Answer


The problem is that postfix is using 10.0.0.1 for all your mail. This itself isn't a problem, as you can easily add multiple virtual domains pointing to the same IP.

Basically I would change the records for example.org, etc in this manner.

example.org A 10.0.0.3
example.org MX 10 mail.example.org
mail.example.org CNAME mail.example.com

That way your SPF record will be valid, and the MX record, A record for the mail server, etc will correspond to the correct IP.

That is, unless you have some other reason to make use of multiple IPs.

NickW
  • What you sent makes sense to me. I will try that. About the different IPs, let me add this: I asked my ISP to put the rDNS for this server on the same IP (10.0.0.1), which is the one Postfix uses to send e-mails. It replied that all the rDNS entries pointing to the same IP could cause a problem when checking rDNS, so we used one IP for each entry. I will update my description with the rDNS entries. Thanks. – Gardner Mar 07 '13 at 17:24
  • Honestly, it would be much easier to adjust your DNS to your mail setup, than your mail setup to your DNS. – NickW Mar 07 '13 at 17:26
  • I understand the RDNS part, but as long as your MX returns a CNAME pointing to a valid server, and the server identifies itself as mail.example.com => 10.0.0.1 and RDNS says 10.0.0.1 => mail.example.com, you won't have that many issues with remote servers. Plus, this method makes adding more virtual domains much, much more simple. – NickW Mar 07 '13 at 17:29
  • Unfortunately, I tried to create these two records in our 3rd party DNS server, but it would not allow me: **mail.example.org CNAME mail.example.com** and **mail.example.org CNAME 10.0.0.1**. Do you think that there is another way to do that? – Gardner Mar 07 '13 at 17:48
  • What kind of server won't allow CNAMEs? What error does it give you? – NickW Mar 07 '13 at 17:50
  • mail.example.org CNAME has to point to another domain name, an IP cannot be placed there. CNAMES point to other domains, A records point to IP addresses. – NickW Mar 07 '13 at 17:52
  • I got it. Now I could create it. Waiting for the replication. I was adding the CNAME just as you said and keeping the previous A record for mail.example.org, my bad. – Gardner Mar 07 '13 at 17:55
  • Cool, I'm headed home, I'll check tomorrow hopefully, you'll have got it sorted :) – NickW Mar 07 '13 at 17:59
  • Well, I've just tried again, and no success. The e-mail arrived in the spam box. To make things worse, I tried all the senders with a different receiver (still at Google) and all three domains arrived in spam. So, right now, I have no clue about what is wrong. Have a good rest, my friend. I will try to figure out what is happening. Thank you. :) – Gardner Mar 07 '13 at 18:14
  • This: https://docs.google.com/document/d/1aCk7vvbP341FR2kd4zXqDVkZlE_8DArUrT6wlOZoiH0/edit pointed me to this: http://www.jpuddy.net/2008/how-to-email-from-specific-ips-using-linux-and-postfix/ which I'm checking right now. – Gardner Mar 07 '13 at 18:19
  • That's really odd, honestly, I've run servers using that same exact setup for years, the server has an A name and an RDNS record, then the virtual domains have CNAMEs for the MX record, all pointing to the primary A name record of the server.. – NickW Mar 08 '13 at 09:31
  • It's a really bad idea to use a CNAME in MX records. I'd recommend avoiding CNAMEs in MX records. The host name must map directly to one or more address records (A or AAAA) in the DNS, and must not point to any CNAME records. http://tools.ietf.org/html/rfc2181 – ALex_hha Sep 04 '13 at 08:16
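
Added example, not part of the original question or answer: an offline consistency check over the records exactly as posted in the question (plus the CNAME proposed in the answer), covering the three things the thread argues about: forward-confirmed reverse DNS for the sending IP, whether the HELO name resolves to that IP, and whether an MX target is a CNAME. The dictionaries are constructed from the page's anonymised values, and the names `resolve` and `audit` are hypothetical.

```python
# Constructed zone data: the records quoted in the question, plus the
# CNAME proposed in the answer. PTR entries are the ISP's rDNS settings.
A = {"example.com": "10.0.0.2", "mail.example.com": "10.0.0.1",
     "example.net": "10.0.0.1", "mail.example.net": "10.0.0.2",
     "example.org": "10.0.0.3"}
CNAME = {"mail.example.org": "mail.example.com"}
MX = {"example.com": "mail.example.com", "example.net": "mail.example.net",
      "example.org": "mail.example.org"}
PTR = {"10.0.0.1": "example.com", "10.0.0.2": "example.net",
       "10.0.0.3": "example.org"}


def resolve(name, depth=0):
    """Follow CNAMEs to an address; None if the name does not resolve."""
    if name in CNAME and depth < 8:
        return resolve(CNAME[name], depth + 1)
    return A.get(name)


def audit(sender_domain, client_ip, helo):
    """Return the findings for one outbound delivery."""
    findings = []
    ptr = PTR.get(client_ip)
    if ptr is None:
        findings.append("no PTR for " + client_ip)
    elif resolve(ptr) != client_ip:
        # The PTR name must resolve back to the connecting IP.
        findings.append(f"FCrDNS fails: {client_ip} -> {ptr} -> {resolve(ptr)}")
    if resolve(helo) != client_ip:
        findings.append(f"HELO {helo} resolves to {resolve(helo)}, not {client_ip}")
    mx = MX.get(sender_domain)
    if mx is None:
        findings.append("no MX for " + sender_domain)
    elif mx in CNAME:
        findings.append(f"MX target {mx} is a CNAME (RFC 2181)")
    elif resolve(mx) is None:
        findings.append(f"MX target {mx} has no address record")
    return findings


if __name__ == "__main__":
    # Postfix connects from 10.0.0.1 and greets as example.com (myhostname).
    for domain in MX:
        print(domain, audit(domain, "10.0.0.1", "example.com"))
```

Against live DNS the same three checks are done with PTR, A and MX lookups for the address that appears in the top `Received:` header.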