Postfix how to set up relaying - smtp

I am new to Postfix.... used mostly qMail in the past. This is my config:
I have Postfix SMTP server set up on domain aaa.com
Emails should be sent with "From" and "Reply-to" headers for another domain bbb.com.
bbb.com is on a different dedicated server and not in the list of "mynetworks".
It all works fine, but I am getting "SPF: HELO does not match SPF record (softfail)" when testing emails for spam score. So, I need to add my aaa.com domain into the list of allowed relay hosts (rcpthosts file for qmail).
How can I do this with Postfix? Should I add aaa.com to relay_domains or relayhost?
Thanks

You should check the DNS records of aaa.com. The SPF record does not contain the IP of your Postfix server; this is why you receive the SPF error.
Have a look at http://www.openspf.org/ & http://spfwizard.com/
Br,
E-raser

Related

Typo3 mailserver issues (Mailing list hitobito CRM)

We from the Swiss umbrella association for youth parliaments (DSJ) use TYPO3 as the backbone of our website. Next to TYPO3, we also use the CRM software hitobito, which allows us to create "Abos" with "mailing lists". However, this service is currently not working since Hitobito has recently changed its mail server. I have already changed the server addresses manually in our 365 Admin microsoft account and the changes have been verified by the Hitobito support.
This is where TYPO3 comes into play. The support staff from Hitobito suspects that the mail server configurations must also be changed in TYPO3. I, as a layman, have no clue where to make such changes, however. I was hoping you could help me out here. I believe the following information must be updated in the TYPO3 configuration:
For the new mail server:
crm.dsj.ch IN MX 10 app.hitobito.ch.
For the outgoing mail server:
crm.dsj.ch 3600 IN TXT "v=spf1 a:mxout.appuio.ch -all"
The information you gave has nothing to do with TYPO3 but is part of the domain record. You should approach your domain registrar (seems to be https://www.visol.ch/ according to whois) with that.
The 1st one is to designate the mail server app.hitobito.ch for all incoming mail to recipients ...#crm.dsj.ch (so-called MX record).
And the 2nd one is to lower the spam level for outgoing mails from senders ...#crm.dsj.ch from the server mxout.appuio.ch (so-called SPF).
Is your webserver supposed to send mails, too? If so and you have problems with receiving these mails, I suggest to use the InstallTool's "test mail" function and send a mail to https://www.mail-tester.com/ - a great tool to identify spam-related problems.
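The SPF evaluation that both this answer and the Postfix answer further up refer to, as an added example that is not part of either post: the receiver walks the published record left to right, and the first mechanism that matches the connecting IP decides the result. The `a_records` table stands in for DNS, and every IP address and the aaa.com record are constructed; only the crm.dsj.ch record comes from the question.

```python
import ipaddress

# Qualifier prefix -> SPF result; a mechanism without a prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip, domain, a_records):
    """Evaluate the ip4, ip6, a and all mechanisms of one SPF record.

    a_records maps hostname -> list of IP strings and stands in for DNS
    (an assumption so the example runs offline). Returns (result, term).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", None)
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier, mech = ("+", term)
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "a":
            host = (arg or domain).rstrip(".").lower()
            addrs = a_records.get(host, [])
            matched = any(ip == ipaddress.ip_address(a) for a in addrs)
        else:
            # include, mx, exists, redirect= and CIDR suffixes on "a" need
            # real DNS handling; report the term instead of guessing.
            return ("unsupported", term)
        if matched:
            return (QUALIFIERS[qualifier], term)  # first match wins
    return ("neutral", None)  # nothing matched and no "all" term

# Record quoted in the question above; the address behind mxout.appuio.ch is
# a constructed documentation-range value, not the real one.
PAGE_RECORD = "v=spf1 a:mxout.appuio.ch -all"
A_RECORDS = {"mxout.appuio.ch": ["192.0.2.25"]}
# Constructed record for the aaa.com case: the Postfix host is not listed.
AAA_RECORD = "v=spf1 ip4:198.51.100.0/24 ~all"

if __name__ == "__main__":
    print(check_spf(PAGE_RECORD, "192.0.2.25", "crm.dsj.ch", A_RECORDS))
    print(check_spf(PAGE_RECORD, "203.0.113.7", "crm.dsj.ch", A_RECORDS))
    print(check_spf(AAA_RECORD, "203.0.113.7", "aaa.com", {}))
```

The same function applies to whichever identity the receiver is checking, the HELO name or the MAIL FROM domain; pass that domain's record and name.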

How to read all mails sent from my server

Currently, almost all mail sent from my server is saved in the receiver's junk mail. I am wondering: is it because my server is sending spam mail? I referred to this post, "How to check if server is sending out spam?". I can check all email sent from my server by entering this command.
```
cat /var/log/maillog | grep 'to=<[a-z0-9_\.-]\+#[\da-z\.-]\+\.[a-z\.]\{2,6\}>' -o
```
I did send a few emails myself, but the above command doesn't list anything. If I cat /var/log/maillog, below is what I get. I am not sure how to read this.
```
...
Jul 3 12:38:32 abcde-id467301 spamd[16679]: spamd: connection from localhost [::1]:37410 to port 783, fd 5
Jul 3 12:38:32 abcde-id467301 spamd[16300]: prefork: child states: I
Jul 3 12:38:32 abcde-id467301 dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<XaTr4hBwNNJ/AAAB>
Jul 3 12:38:33 abcde-id467301 dovecot: lmtp(10026): Connect from local
Jul 3 12:38:33 abcde-id467301 dovecot: lmtp(10026): Disconnect from local: Successful quit
...
```
Any suggestions to check spam mail? Thanks.
EDIT after fix DMARC, DKIM and SPF (They all pass) - Now gmail is ok but hotmail is NOT ok.
Did several tests
https://www.mail-tester.com/
```
SpamAssassin does not like you
-0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
This negative score will become positive if the signature is validated. See immediately below.
0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
Great! Your signature is valid
0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
Great! Your signature is valid and it's coming from your domain name
-1.999 FSL_HELO_BARE_IP_2 IP used in the HELO request
The hostname should be a domain name, not an IP address
-1.985 PYZOR_CHECK Similar message reported on Pyzor (http://pyzor.org)
Please test a real content, test Newsletters will always be flagged by Pyzor
Adjust your message or request whitelisting (http://public.pyzor.org/whitelist/)
-0.865 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
-1.274 RDNS_NONE Delivered to internal network by a host with no rDNS
This may be a false-positive, please check the reverse DNS test below to confirm or not this issue
0.001 SPF_PASS SPF: sender matches SPF record
Great! Your SPF is valid
You're not fully authenticated
We didn't find a server (A Record) behind your hostname .......net.
We check if there is a server (A Record) behind your hostname .......net.
You may want to publish a DNS record (A type) for the hostname .......net or use a different hostname in your mail software.
```
send an email to auth-results#verifier.port25.com
```
"iprev" check: fail
SpamAssassin check: ham
"iprev" check details:
Result: fail (reverse lookup failed (NXDOMAIN))
ID(s) verified: policy.iprev=---.--.---.--
DNS record(s):
---.--.---.--.in-addr.arpa. PTR (NXDOMAIN)
SpamAssassin check details:
SpamAssassin v3.4.0 (2014-02-07)
Result: ham (-0.6 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-0.0 SPF_PASS SPF: sender matches SPF record
-0.5 BAYES_05 BODY: Bayes spam probability is 1 to 5%
[score: 0.0157]
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
```
By default, on a cPanel server, emails are sent using EXIM. So the email log (for received and sent emails) is located at /var/log/exim_mainlog. There you can see detailed info about whatever emails were sent to or by your server.
A lot of factors can lead to your emails being delivered to junk. Just to name a few:
- your server's ip address is blacklisted (you can check it using tools like http://mxtoolbox.com/)
- you do not have a proper hostname defined for your server
- you do not have a proper reverse DNS for your server
- SPF and/or DKIM are not configured properly
Try sending an email from your server to a Gmail address for example, a Gmail address that you own. Then go to Gmail and even if the email landed on Junk, please check the email headers. There you get info about what checks have been made, what Spam score you got for your email and so on. That would be a good starting point for you to figure out why the sent emails land in Spam/Junk.
Since you have provided very little information, it is hard to guess or provide a proper answer...
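One way to read the Exim main log this answer points to, as an added example that is not part of the original post: it groups remote deliveries, deferrals and bounces by the sender of each message, which shows whether one account or script produces the bulk of the outbound mail. `SAMPLE_LOG` is constructed (addresses, hosts, router names and message ids are made up) and stands in for /var/log/exim_mainlog.

```python
import re
from collections import Counter

# Constructed sample in Exim main-log format; nothing here is from a real server.
SAMPLE_LOG = """\
2019-07-03 12:38:30 1hiABC-0001aB-Cd <= info@example.test H=localhost [127.0.0.1] P=esmtpa A=dovecot_login:info@example.test S=1432
2019-07-03 12:38:32 1hiABC-0001aB-Cd => alice@mail.test R=lookuphost T=remote_smtp H=mx.mail.test [192.0.2.10] C="250 OK"
2019-07-03 12:38:32 1hiABC-0001aB-Cd Completed
2019-07-03 12:40:01 1hiABD-0001aF-Gh <= www@host.example.test U=www P=local S=901
2019-07-03 12:40:02 1hiABD-0001aF-Gh => bob@mail.test R=lookuphost T=remote_smtp H=mx.mail.test [192.0.2.10] C="250 OK"
2019-07-03 12:40:02 1hiABD-0001aF-Gh -> carol@mail.test R=lookuphost T=remote_smtp H=mx.mail.test [192.0.2.10] C="250 OK"
2019-07-03 12:40:03 1hiABD-0001aF-Gh == dave@slow.test R=lookuphost T=remote_smtp defer (-44) H=mx.slow.test [192.0.2.20]: 452 Too many recipients received this hour
2019-07-03 12:40:03 1hiABD-0001aF-Gh ** eve@gone.test R=lookuphost T=remote_smtp H=mx.gone.test [192.0.2.30]: 550 No such user
2019-07-03 12:41:10 1hiABE-0001aJ-Kl <= alice@mail.test H=mx.mail.test [192.0.2.10] P=esmtps S=2210
2019-07-03 12:41:10 1hiABE-0001aJ-Kl => info <info@example.test> R=localuser T=local_delivery
"""

# timestamp, message id, flag, first address, rest of the line
LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<id>\S+) "
    r"(?P<flag><=|=>|->|\*\*|==) (?P<addr>\S+)(?P<rest>.*)$"
)
# Exim flags: <= arrival, => / -> delivery, ** failure, == deferral
EVENT = {"=>": "delivered", "->": "delivered", "**": "failed", "==": "deferred"}

def summarize(log_text):
    """Return {sender: Counter(delivered/deferred/failed)} for remote recipients."""
    sender_of = {}  # message id -> envelope sender seen on the "<=" line
    stats = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # "Completed" and other lines without a delivery flag
        if m["flag"] == "<=":
            sender_of[m["id"]] = m["addr"]
            continue
        if " H=" not in m["rest"]:
            continue  # no remote host on the line: local mailbox delivery
        sender = sender_of.get(m["id"], "(unknown)")
        stats.setdefault(sender, Counter())[EVENT[m["flag"]]] += 1
    return stats

if __name__ == "__main__":
    for sender, counts in summarize(SAMPLE_LOG).items():
        print(sender, dict(counts))
```

A sender with many recipients and a high share of `failed` or `deferred` entries is the first place to look; on arrival lines, `U=` names the local user of a script and `A=` names the authenticated account.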

Two domain URL connect single reporting service? is it possible? how to achieve this

i am facing issues in SSRS configuration:
A. i have two domain URL (https://xyz.domain1.com) and (https://abc.domain2.com).
B. i have certificate for each domain like
xyz.domain1.com - certificate one (*.domain1.com) -- 443
abc.domain2.com - 2nd certificate (*.domain2.com) -- 443
C. In SSRS - i have one virtual directory in web service URL
SSRS-> Webservice URL -> virtual directory name : "Report Service"
D. in advance setting
E. in Report manager URL, i am trying to bind two 443 domain but i cannot
while i bind both url and port 443 then i got this error
Microsoft.ReportingServices.WmiProvider.WMIProviderException: An SSL binding already exists for the specified IP address and port combination. The existing binding uses a different certificate from the current request. Only one certificate can be used for each IP address and port combination. To correct the problem, either use the same certificate as the existing binding, or remove the existing SSL binding and create a new binding using the certificate of the current request.
Question:
now i need to connect my report server using two different URL and unique SSL certificate each URL.
But i cant bind this two urls using 443 to connect report server.
I can bind one url and certificate then its working for one URL only.
How do i bind two URLS and certificate to one report server and make it work for two URL's
please help on this issue.
I suggest you try ignoring the error on the first URL ('Web Service URL') and proceed to bind the certs to the 'Report Manager URL' as well. You may have to manually edit the bindings in Advanced Settings, but once you get them looking right in Advanced Settings, SSRS should work.
And a second suggestion, though it looks like you already have done this: be sure the common name (CN) for the wildcard certs are *.domain1.com and *.domain2.com. SSRS will only accept host names that match the CN, and in your case, where you're binding 2 certs to same port, the CNs must be different.
Here's a related point for anyone trying to make the multiple hosts in a single subdomain case work: e.g, https://foo.localdomain/reports and https://bar.localdomain/reports.
Request your SSL cert with Common Name (CN) = *, not the server name or anything specific. Then list all the permutations of DNS names that you want to support in the Subject Alternate Name (SAN) field. The url looks funny in SSRS Configuration Manager (https:+:443), but it Works on the Wire(tm).
If you specify some non-wildcard for the CN, you'll get 'resource not found' error trying to connect, although the SSL handshake will work.
To achieve the objective you need a Multi-Domain SSL or Wildcard SSL certificate, for example:
Multi-Domain SSL(Multiple Domains)
xyz.domain1.com
abc.domain2.com
Wildcard SSL(Sub-domains)
xyz.domain1.com
abc.domain1.com
Reference:
Multiple Domain (UCC) SSL
Secure multiple domains and
sub-domains on one certificate

SMTP Fully-qualified domain name configuration

I have trouble receiving email from my SMTP to an internal (the same domain) email.
I mean that when I sent an email from my registration#example.com email to the private email somename#yahoo.com, this email was delivered. But when I sent from registration#example.com to info#example.com, this email was not delivered.
Then I found that in my SMTP the parameter "Fully-qualified domain name" was set to the name of the computer, "COMPUTERNAME", and not the real domain. When I changed the FQDN from "COMPUTERNAME" to "example.com", it did not resolve the problem with info#example.com. But emails were still successfully delivered to private emails like #yahoo.com.
When I changed the FQDN from "example.com" to "www.example.com", the problem was resolved and emails are successfully delivered to my internal email info#example.com.
I need to know what the difference is between the "example.com" and "www.example.com" FQDNs and why it does not work in the first case ("example.com"). Do you have any ideas?
Thanks a lot!
Victor
see wikipedia
http://en.wikipedia.org/wiki/Fully_qualified_domain_name
but basically example.com may be the same as www.example.com as far as your DNS routing is set up, but could also point to ww1.example.com, api.example.com or boogiemonster.example.com. without the actual full hostname, the 'aaa' part of aaa.bbb.ccc, the reference is ambiguous and not fully qualified...

sendmail error 452 Too many recipients received this hour

We are sending hell lot of e-mails to our BREW devices ( in sprint network ) and after a while our mail server queues the messages and gets stuck. When we try to flush them, we get following from the server. Is there a solution to this problem? Is this error 452 from our mail server or sprint's mail server? How to tune up sendmail for faster e-mail processing?
```
Running /var/spool/mqueue/n7QNOrsZ072192 (sequence 1 of 3)
<6198466914#messaging.sprintpcs.com>... Connecting to mx.messaging.sprintpcs.com. via esmtp...
220 lxnipc6003.nmcc.sprintspectrum.com ESMTP
>>> EHLO smtp.xyz.com
250-lxnipc6003.nmcc.sprintspectrum.com
250-8BITMIME
250 SIZE 20480
>>> MAIL From:<LocateNow#xyz.com> SIZE=1148
250 sender <LocateNow#xyz.com> ok
>>> RCPT To:<6198466914#messaging.sprintpcs.com>
452 Too many recipients received this hour
<6198466914#messaging.sprintpcs.com>... Deferred: 452 Too many recipients received this hour
>>> DATA
503 #5.5.1 RCPT first
>>> RSET
250 reset
```
This is called grey-listing. When you send too many e-mails (or more often - a certain number of e-mails where a recipient does not exist) a destination mail server does not black list you, but instead they temporarily block access from your mail server (essentially the IP address of your mail server). Usually this block is set for 1 hour but obviously can vary depending on the configuration.
You can do several things:
- Contact the admins of the domain in question (e.g. postmaster#messaging.sprintpcs.com) and request your IP address to be whitelisted. (They may refuse)
- Check/increase the time e-mails can stay in your local queues (to have more chances of them to retry and finally get delivered)
- Add more public IP addresses to your server
That's from their server. It looks like email flood prevention.
One alternative is to use app-directed SMS's to get data to your BREW application.
It looks like the mx.messaging.sprintpcs.com is throttling you. Perhaps try sending your mail with different IP addresses to beat this. It is probably an attempt at spam control.