Offloading Mail Services

I have been running my own business email server for literally almost 20 years.
Currently it’s a very simple postfix setup with 3 accounts.

But apparently this is no longer an option because my linode.com IP regularly pops up on lists that block entire ranges of IPs like UCEPROTECT-Level3.
As a result, I’m starting to find that customers are not getting emails.
Most recently, gmail has started flagging everything I send as spam:

someone@example.com: host gmail-smtp-in.l.google.com[142.251.163.26] said:
550-5.7.1 [45.33.71.173 12] Our system has detected that this message
is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to
Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1
Why has Gmail blocked my messages? - Gmail Help 550 5.7.1 for
more information. eq5-20020ad45965000000b004b400eaa80asi11011068qvb.466 -
gsmtp (in reply to end of DATA command)

So I need to change my mail setup but I’m not sure how exactly.
The way I see it there are two options:

a) Offload all mail responsibilities to a third-party service

b) Only send / receive through a third-party service

Obviously option b is better in that I keep my business private but I recognise that this might not be practical.

Do you have advice about what I should do here?

Can you recommend a specific service?

Sorry for the slightly off-topic question but I’m not sure where to ask about stuff like this.

Mike

Hi,

That UCE one, I had similar issues because of MS’s servers blocking me even though I wasn’t a source of spam. That said, it was a subnet block for the provider I was using at the time (OVH).

Linode support are good, I suggest you open a ticket, since the subnet block can only be removed by the person that owns the IP range - that being Linode. I tried that with OVH, but they didn’t take responsibility and didn’t solve the problem. Linode I expect would actually address your issue if you open a ticket with them. I have used Linode in the past, and never had an issue that they didn’t resolve.

That said, I did migrate to Zoho Mail, since I am similar to you, only 4 mail accounts, but have quite a few domains. And a 10GB mailbox for 1 euro per month is great value - so 4 mailboxes, 4 euro. Not only that, DKIM, SPF, DMARC can all be set up real easy and ensure you have a good reputation.

Hi Mike,

I’m assuming that you have a valid reverse DNS (PTR) record for your mail domain and that the TTL is 24 hrs (86400 seconds). These are the most common reasons (aside from actually sending out SPAM) that an email server is blocked. AND operators of email servers like Gmail etc., are getting way more picky about those sorts of things. What is the domain that your email goes out as? Is that showing correctly in the mail.log?

At my old $dayjob, we ran our own mail servers for years and basically did OK with it. We had a lot of mail accounts and uses a cluster-based qmail system. There was a lot of work involved in keeping it clean and making sure mail went out (and came in) as desired. Ultimately, our small IT shop ended up using a Linux Magic (MagicMail) system. It was imperfect but was easier to maintain than the qmail cluster. I can’t say that moving to MagicMail was the “right” decision, but that’s what we ended up with anyway.

There are a lot of hosted options out there, including corporate Gmail. There’s unfortunately no “right” answer to your question. Instead, there are a lot of “right” answers. In your case, MagicMail would be overkill, as you are only talking about 3 accounts.

Yeah, the ptr record is resolving correctly.
I did notice my spf record was on example.com and not mail.example.com so I added it.

Some messages do get through to gmail.
Messages like invoice requests generated by the website and sent using the PHP mail agent seem to get blocked more.
I did an invoice request email to my gmail account last night and did not go through at all.
I did the same exact thing this morning and it went through but it was marked as spam.

I’m not using DKIM. The 550-5.7.1 code suggests this might be the immediate issue.

But given the UCE listing, I think it’s time to just move on and offload to a service.

I’m not looking for the cheapest thing as that might not equate to being the most secure storage-wise.

Ideally I would like to continue to host the email myself and then just route email through another sender that has clean IPs and maintains the latest security options.

Can I not just create an account with whatever ISP and then configure postifx to just send / receive email through their servers?

If your PHP app sends from a different IP address than your mail server, than you have to include this in the SPF as well. Otherwise you need to configure the PHP app to send via your mail server either using sendmail, or particular SMTP settings. Usually with ip4:x.x.x.x I also noticed from your SPF that you include the IP of your mail server, but you don’t include mx. Eg:

IN TXT "v=spf1 mx ip4:x.x.x.x ip4:y.y.y.y -all"

this is enough at the domain level, you don’t necessarily need it for the actual mail.domain.com record.

I wouldn’t attempt to relay through an ISP unless you can have the PTR record configured for your mail server DNS records. Because the source of your email is then their IP, which most likely will have a different PTR.

The webserver and mail server are the same IP so PHP is sending from the one IP.

Linode doesn’t allow you to explicitly set the PTR record.
It seems it dynamically adds it and then picks a hostname somehow.
The name “mail” is listed before “www” in the list of A records.
Maybe that’s why the PTR resolves to mail.example.com and not www.

So you’re saying I should just have:

v=spf1 mx ip4:45.33.71.173 -all

but just for the domain and not set it at all for mail?

Understood about not relaying.
I have no problem making mail.example.com the service provider.
I just don’t really want to store mail on that provider if possible.

We had to move our email to Google workspace from our linode server due to ever increasing problems with outgoing email being rejected due to UCEPROTECT and from undisclosed reputation checking from Google, MS, and CenturyLink, Apple, and others. It didn’t matter if using strict DKIM, SPF, and DMARC policy was set to reject on linode. We still had email bounced by various companies.

After the move to workspace, no more bounces except for the occasional soft bounce from icloud accounts.

You can set the PTR for Linode as I did this when I had my mail server with them before I later moved it to OVH. You should see the IP address when you view the Linode Console for managing your VM.

Seems like what I really want is a mail forwarding service like improvmx or duocircle (mailgun looks expensive) to act as the MX host but forward everything to / from my existing postfix server.

However, this is not a typical forwarding scenario since mail would be forwarded to / from a specific IP and not a server with a proper MX record.

Does anyone know of a mail forwarding service that allows you to just hard-code an IP as the destination / source?

Services like Google Workspace seem to require migrating all email into their storage which is not desirable for a variety of reasons.

Mike

The first thing is to find out why it ended up on the list; is it just your IP or the whole of linode, and what level, because changing provider without finding out what’s wrong may not be a solution.

What do you think of this?

It’s just an SMTP relay. Similar services are apparently SendGrid and Mailchimp Transactional.

So even though my MX would not point to their system, I can relay through their SMTP service and apparently delivery is “highly reliable”.

It looks like I just give them a username and password and use those creds with whatever uses SMTP services.

I could configure postifx using relayhost:

https://www.postfix.org/postconf.5.html#relayhost

I could configure my mail agent to just send directly to this SMTP relay and shutdown the SMTP port on my server (although PHP mail() would need it on localhost).

This seems to be exactly what I’m looking for.

Am I missing something here?

1 Like

@gerry666uk UCEProtect Level 3 is a full subnet block, basically that subnet has been seen to spam which is a pain, because innocent bystanders get caught up in it. Unfortunately, only the ISP can clean up their act and remove the spammers as well as request unblocking the subnet from the UCE list. Linode are usually pretty good when it comes to support, OVH unfortunately when I was with them were not. They seem not to understand where the responsibility lies when an entire subnet has been completely blocked.

@ioplex the service looks good, I guess you can do inbound and outbound via them. You’ll obviously have to reconfigure your domain accordingly in terms of MX and SPF so that it goes via their service for inbound/outbound delivery, but could help resolve a lot of your issues, pushing it away from your IP. I still think though that you could open a support ticket with Linode to get the subnet removed from the UCEProtect Level 3 list though - in which case you wouldn’t need this service as such at least until the next time. Either way, it’s up to you really if you try with Linode or take up that service.

See this Linode thread: Linode blacklisted on UCEProtect RBL | Linode Questions

1 Like

This is also an interesting article from Sucuri: UCEPROTECT: When RBLs Go Bad which basically slams UCE as a scam service. I’ve never used their RBL, and the Linode also hints that anyone using it are just plain stupid. The Sucuri security guys seem to back that prognosis up as well.

1 Like

That does look really bad, and specific to ‘linode’, and was reported over a year ago.

Yep, although after I spent considerable time reading those links, and other information, I cannot understand why UCE is still operating or still able to operate. Especially now, the ASN’s on it also include anyone doing legitimate security research ensure the list is even bigger than what it was before, and has nothing to do with spam whatsoever.

Remember that inbound and outbound are separate services. They don’t need to use the same server. I receive mail on my Linode VM where I have lots of control over aliases and can merge multiple domains into one set of folders. But my outbound just uses my ISP’s servers.

My email is a bit of overkill for the number of people, but is quite efficient and saves me from most hassle.

  • On the edge of my network, I use the Email Filter Appliance (eFa) from https://efa-project.org/ . It pulls together Postfix, MailScanner, MailWatch, realtime blacklists, greylist and more. I use this system as an external email gateway only; no local mailboxes. This is a very low maintenance option.

  • DNS is setup with MX record to point to my external email gateway. I have DMARC records set up as well.

  • I use the DuoCircle outbound SMTP service and have that configured into my gateway

  • Inside my network, I have a mailbox server built from PostfixAdmin, Postfix, Dovecot and SquirelMail. Most clients connect via IMAP. The whole thing is based on SSL, so I based my LetsEncrypt setup there. The one pull for the cert renewal has action routines that facilitate internal distribution. This system relies on the email gateway for all mail going to/from the Internet.

I like this because my email stays private on my systems. It also segments the functions across multiple VMs, so that I may maintain each separately. Had I started this entire exercise today, I’d probably consider containers, but this VM approach works quite well.

FYI

I have been using DuoCircle’s outbound SMTP service for well over a week now and it’s working great. There is a nice “client area” where you can see everything about each message, the content, the attachments, etc (at first I was alarmed that they save messages but later relieved to see it’s only cached for what appears to be about 24 hours). I was able to do everything predicted in my message above. I will likely disable SMTP on my server.

Linode thinks my immediate issue was DKIM and not the UCEPROTECT scammers and I’m inclined to agree. But I’m not sure I see the point in running your own SMTP server anymore. I’m using the DuoCircle free plan at the moment. That looks like it’s set to expire in December. Then I’ll have to sign up for the $4 / month plan. That’s just fine.

Apparently there are SMTP servers that are free. Linode has a page about using Google’s for free. But for a variety of reasons I think I would rather pay a company who’s principal business is not advertising.