Getting rid of localhost from email header - gmail

I am running an ISPConfig web/mail server on server1.fvdevelopment.com, and the problem is that my mail ends up in spam at Google. I have everything set up (rDNS, DKIM, SPF, DMARC), tested it on mail.tester.com and got 10/10, so I don't think the DNS records are the issue. However, my mail header contains localhost in one place, and according to Google that is bad practice.
The header is as follows:
Delivered-To: hatrix05slk@gmail.com
Received: by 10.46.83.71 with SMTP id t7csp321551ljd;
Thu, 5 Oct 2017 01:44:12 -0700 (PDT)
X-Google-Smtp-Source: AOwi7QDMToIk1MWaxUfmgNnk5OxLTcntcctaq1yCwSzOdCTObVb5C54D/RJ3P4u4hAh4aaMJIJqf
X-Received: by 10.223.184.246 with SMTP id c51mr12273556wrg.250.1507193052462;
Thu, 05 Oct 2017 01:44:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1507193052; cv=none;
d=google.com; s=arc-20160816;
b=fStO+P6zBspVbKy7h/F6IdpvGd0ED+o9ci/3Sopz2cRJfBkESefBHjtO24hKzTNYIx
w5djV02Cj71F4diVmYutOpoeP02plccscyLfhWs2HwxTQ9pjYpFxdmBLtEy1j+HEhVmT
FVb+StuxHBSMYWjNtqren7MSkJBmMIpVCkzebETAdotjDS9g96JU/gFaXqccJIF5NEz5
GVmtnL+S5dtH6Dv+fm9xZfRvTuTLyDvI+RidZ1ZHGW9ZHh2fkGV0EyZvTkboEe0okhQ7
n9PbyX+20xGmwKCfWD7sb3ey1CHlqPUZokXC/uIRAlJ4rldEWtlTPxEX/6PeD+34Ucq7
zfpw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=user-agent:message-id:from:date:content-transfer-encoding
:mime-version:subject:to:dkim-signature:arc-authentication-results;
bh=1Z7p1Z5uGEIf+6AZhZ9l3wWsFBizphzS8t8qmhwcSfY=;
b=vGnssxKjYXLBobxlSLeMbWr7+1tXStKmXXCOpvVVhHQ+JAkrjr+4/ArjltNLGMybZT
7XwX3zKmnh2ZP8U39BXDDccVYIqvCE9EK7Zfkkd+M70nr0EWMpRzgdoFGZsJjg5DCQRD
6NymwJDulAKDhBYJocgjfZ06lok6vshrZqwMXcDJTzDwWjD+IUJTgBQy8py7vDlO4mPG
Es2AsVUFNEJGikHs3gj7wFBJRR27bskeYYyJ0Z3tnVswDGn6k0+U/Kj3XV9acQE29936
KgMcLX1eTE3/QiFiTRP7oW6gIrLoEynI5UU3b/Bgq3KppclHl9m4q3v1ASa6JyjmZL9n
u8AA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@magnorbertfotografus.hu header.s=default header.b=a0SJ1z55;
spf=pass (google.com: domain of info@magnorbertfotografus.hu designates 207.154.236.132 as permitted sender) smtp.mailfrom=info@magnorbertfotografus.hu;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=magnorbertfotografus.hu
Return-Path: <info@magnorbertfotografus.hu>
Received: from server1.fvdevelopment.com (server1.fvdevelopment.com. [207.154.236.132])
by mx.google.com with ESMTPS id a53si2257050wra.424.2017.10.05.01.44.11
for <hatrix05slk@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 05 Oct 2017 01:44:12 -0700 (PDT)
Received-SPF: pass (google.com: domain of info@magnorbertfotografus.hu designates 207.154.236.132 as permitted sender) client-ip=207.154.236.132;
Authentication-Results: mx.google.com;
dkim=pass header.i=@magnorbertfotografus.hu header.s=default header.b=a0SJ1z55;
spf=pass (google.com: domain of info@magnorbertfotografus.hu designates 207.154.236.132 as permitted sender) smtp.mailfrom=info@magnorbertfotografus.hu;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=magnorbertfotografus.hu
Received: from localhost (server1.fvdevelopment.com [127.0.0.1]) by server1.fvdevelopment.com (Postfix) with ESMTP id C9E5285A71 for <hatrix05slk@gmail.com>; Thu,
5 Oct 2017 10:44:11 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d= magnorbertfotografus.hu; h=user-agent:message-id:from:from:date :date:content-transfer-encoding:content-type:content-type :mime-version:subject:subject; s=default; t=1507193051; x= 1509007452; bh=L/xoTp7H4vQf9Krt99Qa65fJYkTcTAh3O6MbrxKyYR8=; b=a 0SJ1z55WFSLwHWYpsIZvEBVijKT05TW0LRozWmVp/xtV0W78vd6t5uzoEUgoESWd RHQCNz781PsXPaqqQVO5N7SK4IjceWXBd8mpubx/VxAk2hur81vEvIgTBy2oawUG d1M8rxc93Uir+3otzamGkBcV/UDCJURYbUNpLF4kCl7aYrpqkQ0lm1TPukfYkGvK dOjB+ERahcFini3S1v50yEAXeWIarEa3UN4vdA8gh3SG4FBJ9Zi/4C306xh/nml9 /00ynI53loJSatmH7I63oPmyJs5c2+iaW5N11/PMRWfUK8aGp54zs8gqb0r51jXw J8GBQD8e3vNN8AkVo42QQ==
X-Virus-Scanned: Debian amavisd-new at server1.fvdevelopment.com
Received: from server1.fvdevelopment.com ([127.0.0.1]) by localhost (server1.fvdevelopment.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8b0IS0eBLm7u for <hatrix05slk@gmail.com>; Thu,
5 Oct 2017 10:44:11 +0200 (CEST)
Received: by server1.fvdevelopment.com (Postfix, from userid 33) id 0E6148157A; Thu,
5 Oct 2017 10:44:11 +0200 (CEST)
To: hatrix05slk@gmail.com
Subject: Friss hirek jöttek
X-PHP-Originating-Script: 0:rcube.php
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Date: Thu, 05 Oct 2017 10:44:10 +0200
From: "Mag Norbert Fotográfus" <info@magnorbertfotografus.hu>
Message-ID: <066c4122a97faef9edce55bfcfcbc8bf@magnorbertfotografus.hu>
X-Sender: info@magnorbertfotografus.hu
User-Agent: Roundcube Webmail/1.2-beta
As you can see, there is a localhost in the "Received: from" part.
My /etc/hosts looks as follows:
207.154.236.132 server1.fvdevelopment.com
127.0.0.1 server1.fvdevelopment.com server1
127.0.1.1 server1.fvdevelopment.com server1
127.0.0.1 localhost.localdomain localhost
My /etc/hostname has server1.fvdevelopment.com.
Any ideas on how to get rid of that localhost part? I have tried an awful lot of variations but can't get rid of it.
Best regards,
Trix

Check the smtp_header_checks option, for example in main.cf add this line:
smtp_header_checks = pcre:/usr/local/etc/postfix/header_checks.pcre
And in /usr/local/etc/postfix/header_checks.pcre you could use the following to hide some extra headers besides the ones starting with Received:, like the User-Agent, the sender IP, or even Roundcube's X-PHP-Originating-Script signature:
/^Received:/ IGNORE
/^X-PHP-Originating-Script:/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^User-Agent:/ IGNORE
smtp_header_checks is applied only to outgoing mail (the SMTP client).
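To see what the table above actually does to a message before it leaves the server, here is an added example (my code, not the answer's and not part of Postfix) that applies the same IGNORE rules to a header block and then checks the one thing worth knowing before deploying it: whether a dropped header is listed in the message's DKIM h= tag. smtp_header_checks run in the SMTP client at delivery time, after the DKIM milter has already signed, so removing a signed header there breaks the signature downstream. The hostnames, addresses and signature values in the sample are constructed; only the queue ids come from the question.

```python
"""Simulate Postfix header_checks IGNORE rules on a message's header block.

Added example, not code from the answer or from Postfix: it shows which
headers the pcre table above would drop and whether any of them is covered
by the message's DKIM h= list. Postfix matches each logical header
(continuation lines folded in) against the patterns in order; the first
match decides, and IGNORE deletes the header silently. Hostnames, addresses
and signature values below are constructed.
"""
import re

# The answer's pcre table as Python regexes (pcre table lookups are
# case-insensitive by default, hence re.I).
HEADER_CHECKS = [
    (re.compile(r"^Received:", re.I), "IGNORE"),
    (re.compile(r"^X-PHP-Originating-Script:", re.I), "IGNORE"),
    (re.compile(r"^X-Originating-IP:", re.I), "IGNORE"),
    (re.compile(r"^X-Mailer:", re.I), "IGNORE"),
    (re.compile(r"^User-Agent:", re.I), "IGNORE"),
]

# Constructed headers modelled on the question's message: two internal hops,
# a DKIM signature whose h= list starts with user-agent, a Roundcube marker.
SAMPLE_HEADERS = """\
Received: from localhost (server1.example.test [127.0.0.1])
\tby server1.example.test (Postfix) with ESMTP id C9E5285A71
\tfor <someone@example.test>; Thu,  5 Oct 2017 10:44:11 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.test;
\th=user-agent:message-id:from:date:subject:to; s=default;
\tbh=AAAA; b=BBBB
X-Virus-Scanned: Debian amavisd-new at server1.example.test
Received: by server1.example.test (Postfix, from userid 33) id 0E6148157A;
\tThu,  5 Oct 2017 10:44:11 +0200 (CEST)
To: someone@example.test
Subject: test
X-PHP-Originating-Script: 0:rcube.php
MIME-Version: 1.0
From: Sender <sender@example.test>
User-Agent: Roundcube Webmail/1.2-beta
"""


def unfold(raw):
    """Join RFC 5322 continuation lines onto the header they belong to."""
    logical = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += "\n" + line
        else:
            logical.append(line)
    return logical


def apply_header_checks(raw, table=HEADER_CHECKS):
    """Return (kept, dropped) logical headers after the IGNORE rules."""
    kept, dropped = [], []
    for header in unfold(raw):
        for pattern, action in table:
            if pattern.search(header):      # pattern is tried against the whole header
                if action == "IGNORE":
                    dropped.append(header)
                break                       # first matching rule decides
        else:
            kept.append(header)
    return kept, dropped


def header_names(headers):
    return [h.split(":", 1)[0] for h in headers]


def dkim_conflicts(kept, dropped):
    """Dropped header names that a surviving DKIM-Signature h= list covers.
    Removing such a header after signing breaks the signature downstream."""
    signed = set()
    for h in kept:
        if h.lower().startswith("dkim-signature:"):
            m = re.search(r"\bh=([^;]*)", h)
            if m:
                signed.update(n.lower() for n in re.split(r"[:\s]+", m.group(1)) if n)
    return sorted({n.lower() for n in header_names(dropped)} & signed)


if __name__ == "__main__":
    kept, dropped = apply_header_checks(SAMPLE_HEADERS)
    print("dropped:", header_names(dropped))
    print("kept:   ", header_names(kept))
    print("dropped but DKIM-signed:", dkim_conflicts(kept, dropped))
```

On the question's own message the h= list in the DKIM-Signature begins with user-agent, so the last rule of the table would cost the DKIM pass that the headers currently show; keep IGNORE rules to headers that do not appear in h=, and re-check with a DKIM validator after the change.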

The mail headers in your log indicate that the message is forwarded internally on your host once or twice before it is sent out to Gmail. I don't know what the internal server setup is, but it seems that 'postfix' is sending it to itself (or to a different instance of itself) internally before it goes out. On one of those 'hops', the sender is being detected or reported as 'localhost'.
To avoid this, do the following:
- modify /etc/hosts not to have the same IP address for localhost and for your actual server name, e.g., try this:
207.154.236.132 server1.fvdevelopment.com
127.0.1.1 server1.fvdevelopment.com server1
127.0.0.1 localhost.localdomain localhost
(note the 'external' name is NOT on 127.0.0.1)
- check all config files related to the mail service for any references to 'localhost' and kill them (replace with the server name).
- check all config files related to the mail service for any references to the IP address 127.0.0.1 and change them to 127.0.1.1. That way, a connection from the host to itself for the 'internal hop' will still be on the lo interface, but NOT on 127.0.0.1, so it will not have a chance to be back-resolved to localhost.
- verify that the chosen secondary local address (e.g., 127.0.1.1) back-resolves to your full server name (e.g., python -c 'import socket as s; print(s.gethostbyaddr("127.0.1.1"))').
- verify that hostname --fqdn returns server1.fvdevelopment.com (this would normally be the case if your hostname is set to server1).

Just remember ^^ If you change something in the Global Filters in ISPConfig, then all your manually edited regexes will disappear from /etc/postfix/header_checks.
I've just added those fields directly under
Email -> Content Filter
Best regards

Related

Email header: last 'received: from' header IP is 127.0.0.1

I have a question about the structure of email headers.
I've been analyzing spam sent through my Postfix MTA, and have noticed that a small amount (< 5%) has the localhost address 127.0.0.1 as the final 'Received: from' header.
The 2nd-to-last header shows the IP of the spam mail server.
I'm assuming that the spammer is relaying through an MTA on his local box to a remote server, and that's why the last Received header (which represents the first in the sending chain) is showing the localhost IP.
I have an example below of an actual header with my server's info changed for privacy (the spammer's is real).
Just wanted confirmation that my assumption is correct on this.
Return-Path: <ProsventUltraBlend@operantish.com>
Delivered-To: acme2@mx.acme.net
Received: from localhost (localhost [127.0.0.1])
by mx.acme.net (Postfix) with ESMTP id XXXXXXXXX
for <me@acme.net>; Thu, 30 Mar 2017 16:08:16 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mydomain = acme.com
Received: from mx.acme.net ([127.0.0.1])
by localhost (mx.acme.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id XXXXXXXX for <me@acme.net>;
Thu, 30 Mar 2017 16:08:15 -0400 (EDT)
Received: from layrbc.operantish.com (layrbc.operantish.com [66.118.137.94])
by mx.acme.net (Postfix) with ESMTP id 0A576D1FAE8
for <me@acme.net>; Thu, 30 Mar 2017 16:08:14 -0400 (EDT)
Received: from 025a1bf3.layrbc.operantish.com ([127.0.0.1]:19719 helo=layrbc.operantish.com)
by layrbc.operantish.com with ESMTP id 02DYCACOHN5A1BOPBVDGQKF3;
for <me@acme.net>; Thu, 30 Mar 2017 13:08:13 -0700
Date: Thu, 30 Mar 2017 13:08:13 -0700
I know hardly any more than Jon Snow, but I do know that 127.0.0.1 can appear in mail headers, i.e. when a spam filter takes the mail, checks it and sends it on its way.
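Both this question and the first one on the page come down to reading a Received: chain correctly, so here is one added example (my code, not from either post and not part of Postfix or amavisd-new) that parses the chain mechanically. Postfix writes a hop as `Received: from HELO-NAME (REVERSE-NAME [ADDRESS]) by SERVER ...`, so the word localhost can sit in the HELO position (what the connecting process announced, as in the first question's `from localhost (server1.fvdevelopment.com [127.0.0.1])`) or in the reverse-lookup position (what the receiving Postfix resolved 127.0.0.1 to, as in this question's `from localhost (localhost [127.0.0.1])`). The script separates the two, marks loopback hops, and reports the top-most hop that arrived from a non-loopback address, which is where the message crossed from another host into the receiver. The sample chain is constructed after this question's layout with documentation addresses and made-up queue ids.

```python
"""Classify the hops in a message's Received: chain.

Added example, not code from either post nor from Postfix or amavisd-new.
Postfix writes a hop as
    Received: from HELO-NAME (REVERSE-NAME [ADDRESS]) by SERVER ...
so "localhost" can come from what the connecting process announced (HELO)
or from the reverse lookup of the client address. The sample chain below is
constructed after this question's layout, with documentation addresses.
"""
import ipaddress
import re

HOP_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rev>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\][^)]*\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)
BY_ONLY_RE = re.compile(r"^Received:\s*by\s+(?P<by>\S+)", re.S)

SAMPLE = """\
Received: from localhost (mx.example.test [127.0.0.1])
\tby mx.example.test (Postfix) with ESMTP id AAAAAAAAAA
\tfor <me@example.test>; Thu, 30 Mar 2017 16:08:16 -0400 (EDT)
X-Virus-Scanned: amavisd-new at example.test
Received: from mx.example.test ([127.0.0.1])
\tby localhost (mx.example.test [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id BBBBBBBB for <me@example.test>;
\tThu, 30 Mar 2017 16:08:15 -0400 (EDT)
Received: from relay.sender.test (relay.sender.test [203.0.113.94])
\tby mx.example.test (Postfix) with ESMTP id CCCCCCCCCC
\tfor <me@example.test>; Thu, 30 Mar 2017 16:08:14 -0400 (EDT)
Received: from host.relay.sender.test ([127.0.0.1]:19719 helo=relay.sender.test)
\tby relay.sender.test with ESMTP id DDDDDDDD;
\tfor <me@example.test>; Thu, 30 Mar 2017 13:08:13 -0700
From: someone@sender.test
"""


def unfold(raw):
    """Join RFC 5322 continuation lines onto the header they belong to."""
    logical = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += "\n" + line
        else:
            logical.append(line)
    return logical


def is_loopback(ip):
    ip = ip[5:] if ip.startswith("IPv6:") else ip   # Postfix prefixes IPv6 literals
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def parse_hops(raw):
    """Return one dict per Received: header, top-most (most recent) first."""
    hops = []
    for header in unfold(raw):
        if not header.lower().startswith("received:"):
            continue
        m = HOP_RE.match(header)
        if m:
            hop = m.groupdict()
        else:                                   # "Received: by ..." with no client part
            b = BY_ONLY_RE.match(header)
            hop = {"helo": None, "rev": None, "ip": None, "by": b.group("by") if b else None}
        hop["loopback"] = bool(hop["ip"]) and is_loopback(hop["ip"])
        hop["localhost_in_helo"] = (hop["helo"] or "").lower().startswith("localhost")
        hop["localhost_in_rev"] = (hop["rev"] or "").lower().startswith("localhost")
        hops.append(hop)
    return hops


def external_handoff(hops):
    """Index of the top-most hop whose client address is not loopback: the
    point where the message crossed from another host into the receiver."""
    for i, hop in enumerate(hops):
        if hop["ip"] and not hop["loopback"]:
            return i
    return None


if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    for i, hop in enumerate(hops):
        where = "helo" if hop["localhost_in_helo"] else "rdns" if hop["localhost_in_rev"] else "-"
        print(f"hop {i}: from={hop['helo']} rdns={hop['rev']} ip={hop['ip']} "
              f"by={hop['by']} loopback={hop['loopback']} localhost_in={where}")
    print("external hand-off at hop", external_handoff(hops))
```

Two readings follow from the output. For this question, the bottom-most loopback hop is "by" the sender's own relay, so it describes the sending side only; the address to look at is the top-most non-loopback hop. For the first question, its `from localhost (server1.fvdevelopment.com [127.0.0.1])` hop already reverse-resolves to the server name, so the localhost string there is the HELO name announced by whatever re-injected the message after filtering (for amavisd-new that is its `$localhost_name` setting, which is my reading of the header rather than something the posts state), and it is that setting, not /etc/hosts, that controls it.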

Stop spammers from relaying via sendmail?

For the life of me I cannot figure out how spammers are sending mail through my server with relaying off. I'm running Sendmail 8.14.7 on Slackware Linux 14.1. The spammers have not figured out a user's password and are therefore logging in first via SASL with AUTH LOGIN, or I would see that in the log.
Here's an example from my logs, a spammer/bot from 182.234.55.47. Off the top of someone's head, what would allow this? Any IP randomly in the world can do this, yet when I try it sendmail says "relaying denied...". I could not be more lost. I firewall them, but it happens again an hour later from a different IP.
Feb 23 12:18:44 server sendmail[28315]: t1NHIIgY028315: <-- MAIL FROM: <re>
Feb 23 12:18:44 server sendmail[28315]: t1NHIIgY028315: --- 250 2.1.0 <re>... Sender ok
Feb 23 12:18:45 server sendmail[28315]: t1NHIIgY028315: <-- RCPT TO: <htucker566@gmail.com>
Feb 23 12:18:45 server sendmail[28315]: t1NHIIgY028315: --- 250 2.1.5 <htunhtunnaing.goldpot@gmail.com>... Recipient ok
Feb 23 12:18:47 server sendmail[28315]: t1NHIIgY028315: <-- DATA
Feb 23 12:18:47 server sendmail[28315]: t1NHIIgY028315: --- 354 Enter mail, end with "." on a line by itself
Feb 23 12:18:48 server sendmail[28315]: t1NHIIgY028315: from=<re>, size=496, class=0, nrcpts=5, msgid=<B3BE0AC12425C02A1FB8C9201EE5CB9E@jyvicegy>, proto=ESMTP, daemon=MTA, relay=host-47.55-234-182.cable.dynamic.kbtelecom.net [182.234.55.47]
Feb 23 12:18:48 central sendmail[28315]: t1NHIIgY028315: --- 250 2.0.0 t1NHIIgY028315 Message accepted for delivery
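The log excerpt has the shape a relay-abuse detector needs: the client's RCPT TO lines, the from= envelope line with the relay address, and the final 250 acceptance, all tied together by the queue id. As an added example (my code, not from the question), here is a scanner over lines in that format that flags accepted messages whose client is outside the local networks and whose recipients are in domains the server does not host. The local networks, hosted domain, addresses and queue ids in the sample are constructed.

```python
"""Flag messages a sendmail server accepted from a non-local client for
non-local recipients, which is what relaying looks like in the log.

Added example, not from the question. The lines follow the format the
question shows (sendmail's logged SMTP dialogue with "<--" for client
commands and "---" for server replies, then the from= envelope line). The
local networks, the hosted domain, addresses and queue ids are constructed.
"""
import ipaddress
import re
from collections import defaultdict

LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]
LOCAL_DOMAINS = {"example.test"}          # domains this server delivers locally

QID_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
RCPT_RE = re.compile(r"<-- RCPT TO:\s*<(?P<addr>[^>]*)>", re.I)
FROM_RE = re.compile(r"^from=<?(?P<from>[^>,]*)>?, .*relay=(?P<relay>.+?)\s*\[(?P<ip>[^\]]+)\]")
ACCEPT_RE = re.compile(r"--- 250 2\.0\.0 \w+ Message accepted for delivery")

SAMPLE_LOG = """\
Feb 23 12:18:44 server sendmail[28315]: t1NHIIgY028315: <-- MAIL FROM: <re>
Feb 23 12:18:44 server sendmail[28315]: t1NHIIgY028315: --- 250 2.1.0 <re>... Sender ok
Feb 23 12:18:45 server sendmail[28315]: t1NHIIgY028315: <-- RCPT TO: <alice@mail.example>
Feb 23 12:18:45 server sendmail[28315]: t1NHIIgY028315: --- 250 2.1.5 <alice@mail.example>... Recipient ok
Feb 23 12:18:46 server sendmail[28315]: t1NHIIgY028315: <-- RCPT TO: <bob@other.example>
Feb 23 12:18:46 server sendmail[28315]: t1NHIIgY028315: --- 250 2.1.5 <bob@other.example>... Recipient ok
Feb 23 12:18:47 server sendmail[28315]: t1NHIIgY028315: <-- DATA
Feb 23 12:18:48 server sendmail[28315]: t1NHIIgY028315: from=<re>, size=496, class=0, nrcpts=2, msgid=<X@client.example>, proto=ESMTP, daemon=MTA, relay=host-47.dynamic.example [203.0.113.47]
Feb 23 12:18:48 server sendmail[28315]: t1NHIIgY028315: --- 250 2.0.0 t1NHIIgY028315 Message accepted for delivery
Feb 23 12:20:01 server sendmail[28400]: t1NHK1aa028400: <-- RCPT TO: <carol@example.test>
Feb 23 12:20:01 server sendmail[28400]: t1NHK1aa028400: --- 250 2.1.5 <carol@example.test>... Recipient ok
Feb 23 12:20:02 server sendmail[28400]: t1NHK1aa028400: from=<peer@other.example>, size=700, class=0, nrcpts=1, msgid=<Y@other.example>, proto=ESMTP, daemon=MTA, relay=mx.other.example [198.51.100.5]
Feb 23 12:20:02 server sendmail[28400]: t1NHK1aa028400: --- 250 2.0.0 t1NHK1aa028400 Message accepted for delivery
"""


def is_local_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_log(text):
    """Group the dialogue by queue id: recipients, relay address, acceptance."""
    sessions = defaultdict(lambda: {"rcpts": [], "relay": None, "relay_ip": None, "accepted": False})
    for line in text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue
        s, rest = sessions[m.group("qid")], m.group("rest")
        r = RCPT_RE.search(rest)
        f = FROM_RE.match(rest)
        if r:
            s["rcpts"].append(r.group("addr"))
        elif f:
            s["relay"], s["relay_ip"] = f.group("relay"), f.group("ip")
        elif ACCEPT_RE.search(rest):
            s["accepted"] = True
    return dict(sessions)


def suspicious_relays(sessions):
    """(qid, relay ip, foreign recipients) for accepted messages that came
    from outside the local networks and go to domains we do not host."""
    flagged = []
    for qid, s in sessions.items():
        if not s["accepted"] or not s["relay_ip"] or is_local_ip(s["relay_ip"]):
            continue
        foreign = [a for a in s["rcpts"] if a.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS]
        if foreign:
            flagged.append((qid, s["relay_ip"], foreign))
    return flagged


if __name__ == "__main__":
    for qid, ip, rcpts in suspicious_relays(parse_log(SAMPLE_LOG)):
        print(f"{qid}: accepted from {ip} for non-local recipients {rcpts}")
```

Run against the question's excerpt, the first session would be flagged for the same reason: an outside client, an acceptance, and recipients at gmail.com. Sessions from authenticated submission users are legitimate relaying and would need excluding by whatever your sendmail logs for SASL sessions; the question's author expects those to be visible in the log.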

Setup linux server to use Exchange server as relay

It used to be working, but out of the blue, it stopped sending mail. I thought I set everything up in both linux and exchange to function correctly, but we're not receiving the emails - internally or externally.
I'm not that knowledgeable about linux, so I use webmin to get around.
So, we have our shopping cart and online forms on the linux server that will email users confirmations and such. It won't receive any mail, so I don't need to worry about that. It only sends mail out, both inside our network, and outside. Here is a recent addition to the mail log:
Dec 6 11:51:04 istalinux2 sendmail[1696]: rB6Gp4lr001696: from=www-data, size=246, class=0, nrcpts=1, msgid=, relay=www-data@localhost
Dec 6 11:51:05 istalinux2 sm-mta[1697]: rB6Gp4hY001697: from=, size=485, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=MTA-v4, relay=localhost [127.0.0.1]
Dec 6 11:51:05 istalinux2 sendmail[1696]: rB6Gp4lr001696: to="John Smith" jsmith@ista-in.org, ctladdr=www-data (33/33), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30246, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (rB6Gp4hY001697 Message accepted for delivery)
Dec 6 11:51:05 istalinux2 sm-mta[1699]: rB6Gp4hY001697: to=jsmith@ista-in.org, delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=120485, relay=10.20.51.30, dsn=5.1.2, stat=Host unknown (Name server: 10.20.51.30: host not found)
Dec 6 11:51:05 istalinux2 sm-mta[1699]: rB6Gp4hY001697: to=www-data@istalinux2.ista-in.org, delay=00:00:01, mailer=local, pri=120485, dsn=5.1.1, stat=User unknown
Dec 6 11:51:05 istalinux2 sm-mta[1699]: rB6Gp4hY001697: rB6Gp5hY001699: postmaster notify: User unknown
Dec 6 11:51:05 istalinux2 sm-mta[1699]: rB6Gp5hY001699: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30000, dsn=2.0.0, stat=Sent
I have a receive connector set up in Exchange to receive incoming mail from our linux server and pass it through.
I am using sendmail in Linux, but I honestly don't care how it's set up, as long as it works and doesn't break, lol. Please help me make sure all my settings in Linux are correct ... and keep in mind that I am NOT a Linux guy.
The problem seems to be this part:
relay=10.20.51.30, dsn=5.1.2, stat=Host unknown (Name server: 10.20.51.30: host not found)
I assume that 10.20.51.30 is the IP address of your Exchange server. Now, without seeing the actual configuration files, it's a bit hard to find out what you did wrong, but normally, when you specify a mail relay, you have to use either a) a real DNS name, not an IP, or b) enclose the IP in [] brackets, just like the line before that one, which says relay=[127.0.0.1].
Try enclosing the 10.20.51.30 in [] brackets, or use the name of the Exchange server instead of the IP, and make sure your DNS server can resolve that name.

SPF softfail dragging me to an abyss

Mail sent from my PHP is not delivered to some clients, and I suspect this could be due to the SPF test returning a softfail with "domain of transitioning". The message details are below:
Delivered-To: eric.clapton@gmail.com
Received: by 10.50.73.42 with SMTP id i10csp74854igv;
Mon, 7 Oct 2013 03:21:52 -0700 (PDT)
X-Received: by 10.68.44.33 with SMTP id b1mr2455965pbm.53.1381141311313;
Mon, 07 Oct 2013 03:21:51 -0700 (PDT)
Return-Path: <craig@abc.com>
Received: from mtarelay2.ops.gq1.yahoo.net (mtarelay2.ops.gq1.yahoo.net. [98.136.240.39])
by mx.google.com with ESMTP id f6si4349525pba.278.1969.12.31.16.00.00;
Mon, 07 Oct 2013 03:21:51 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning craig@abc.com does not designate 98.136.240.39 as permitted sender) client-ip=98.136.240.39;
Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning craig@abc.com does not designate 98.136.240.39 as permitted sender) smtp.mail=craig@abc.com
Received: from p10db3.geo.gq1.yahoo.com (p10db3.geo.gq1.yahoo.com [67.195.61.18])
by mtarelay2.ops.gq1.yahoo.net (Postfix) with ESMTP id 764E0511EB
for <eric.clapton@gmail.com>; Mon, 7 Oct 2013 10:21:35 +0000 (UTC)
Received: (from root@localhost)
by p10db3.geo.gq1.yahoo.com (8.14.4/8.14.4/Submit) id r97ALZiJ005899;
Mon, 7 Oct 2013 03:21:35 -0700
Date: Mon, 7 Oct 2013 03:21:35 -0700
Message-Id: <201310071021.r97ALZiJ005899@p10db3.geo.gq1.yahoo.com>
To: eric.clapton@gmail.com
Subject: Client invoice
From: craig@abc.com
MIME-Version: 1.0
The SPF record for my domain is:
v=spf1 a mx ~all
Check what IPs are allowed to send emails from the sender domain. This website lets you see all allowed IPs:
http://spf.myisp.ch
If the sender IP does not match any IP or IP range it shows you, then you might need to edit the SPF settings.
One thing that stands out is Received: (from root@localhost), which is bound to give an error. Many spam blockers, including Google's, don't allow localhost inside the HELO string. I just had the same error on an Ubuntu server using Postfix, and the solution was to edit /etc/postfix/main.cf to have:
myhostname = abc.com
and then restart the postfix service.
sudo nano /etc/postfix/main.cf
sudo /etc/init.d/postfix restart
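The softfail in the headers above follows directly from the record `v=spf1 a mx ~all`: a and mx only authorize the addresses of the domain's own A and MX hosts, and the message reached Gmail from a Yahoo relay that is neither, so evaluation falls through to `~all`. Here is an added example (my code, not from the posts or any SPF library) that walks that evaluation with a constructed DNS table, then shows the same check against a record that also lists the relay. The abc.com A and MX answers are made up for the example; only the relay address comes from the question's Received-SPF line.

```python
"""Evaluate an SPF record against a sending address with a constructed DNS table.

Added example, not code from the posts or from any SPF library. It checks the
question's record "v=spf1 a mx ~all" against the relay address in Gmail's
Received-SPF line, then a record that additionally authorizes that address.
It implements the a, mx, ip4 and include mechanisms plus the all qualifiers;
the DNS answers for abc.com are constructed for the example.
"""
import ipaddress

# Constructed DNS data: the domain's A and MX records point at its own hosts,
# neither of which is the Yahoo relay that actually handed the mail to Gmail.
DNS = {
    ("abc.com", "TXT"): ["v=spf1 a mx ~all"],
    ("abc.com", "A"): ["192.0.2.10"],
    ("abc.com", "MX"): ["mail.abc.com"],
    ("mail.abc.com", "A"): ["192.0.2.25"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RELAY_IP = "98.136.240.39"   # client-ip from the question's Received-SPF header


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def ip_in(ip, target):
    """True if ip lies in target, an address or CIDR block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(target, strict=False)


def check_spf(ip, domain, record=None):
    """Return pass / fail / softfail / neutral / none / permerror."""
    if record is None:
        txt = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
        if not txt:
            return "none"             # no SPF record published
        record = txt[0]
    for term in record.split()[1:]:   # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech == "a":
            matched = any(ip_in(ip, a) for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(ip_in(ip, a)
                          for mx in lookup(arg or domain, "MX")
                          for a in lookup(mx, "A"))
        elif mech == "ip4":
            matched = ip_in(ip, arg)
        elif mech == "include":
            matched = check_spf(ip, arg) == "pass"
        else:
            return "permerror"        # mechanism this checker does not know
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                  # nothing matched and no all term


if __name__ == "__main__":
    print("published record:", check_spf(RELAY_IP, "abc.com"))            # softfail
    print("with the relay added:",
          check_spf(RELAY_IP, "abc.com", "v=spf1 a mx ip4:98.136.240.39 ~all"))  # pass
    print("from the domain's own MX:", check_spf("192.0.2.25", "abc.com"))  # pass
```

Whether `ip4:98.136.240.39` or an `include:` for the provider operating that relay is the right addition depends on who legitimately sends for the domain; the point is that mail handed off through a third-party relay needs that relay authorized. Note also that the receiver evaluates the MAIL FROM domain (smtp.mail=craig@abc.com in the headers), not the host named in Received: (from root@localhost), so the SPF result and the localhost remark in the second answer are separate issues.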

why can't get this page in linux with wget/telnet?

This URL, www.jinfuwu.com, can be accessed from a Windows browser and from Windows telnet,
but on my Ubuntu server I can't get this page:
telnet (Ubuntu):
root@ubuntu:~# telnet www.jinfuwu.com 80
Trying 121.199.111.176...
Connected to www.jinfuwu.com.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.jinfuwu.com
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Sun, 05 Dec 2010 01:34:33 GMT
Accept-Ranges: bytes
ETag: "f671fd911c94cb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Sun, 05 Dec 2010 10:03:21 GMT
Content-Length: 1214
Connection closed by foreign host.
wget (Ubuntu):
root@ubuntu:~# wget http://www.jinfuwu.com
--18:10:29-- http://www.jinfuwu.com/
=> `index.html.2'
Resolving www.jinfuwu.com... 121.199.111.176
Connecting to www.jinfuwu.com|121.199.111.176|:80... connected.
HTTP request sent, awaiting response...
Read error (Connection reset by peer) in headers.
Retrying.
....
But on my Windows machine, using the telnet command, I can get the page.
telnet (Windows 7):
run:
telnet www.jinfuwu.com 80
paste:
GET / HTTP/1.1
Host: www.jinfuwu.com
and press Enter twice; I can see the page's HTML code.
Google it:
site:jinfuwu.com
Google can access this site.
Can you tell me why?
BTW: also www.joytg.com, same question.
Thanks a lot :)
Did some further digging for you and found that the root cause is misconfigured routers. You can read about it all here.
The workaround that article mentions is to:
echo 0 > /proc/sys/net/ipv4/tcp_default_win_scale
However, this file has changed, and on newer setups you need to do this instead:
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
You will need to be root when running that, though.
$ wget http://www.jinfuwu.com
--2010-12-05 12:58:39-- http://www.jinfuwu.com/
Resolving www.jinfuwu.com... 121.199.111.176
Connecting to www.jinfuwu.com|121.199.111.176|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12145 (12K) [text/html]
Saving to: `index.html'
100%[====================================================>] 12,145 5.19K/s in 2.3s
2010-12-05 12:58:43 (5.19 KB/s) - `index.html' saved [12145/12145]
FWIW, I can get the page just fine using wget or curl from MacPorts.
