Ougoing SMF forum mail being rejected

I have a strange setup. Two SMF forums on Rocky.
Sendmail configured so no incoming mail but outgoing (from Forums).
My Mailserver is myDomain.com but I have a sub-domain office.MyDomain.com and the MX record for MyDomain.com, points to Office.MyDomain.com.

It worked OK on CentOS 7, but having moved to Rocky, mail output from the forums is being rejected.

The original message was received at Wed, 3 Aug 2022 18:47:37 +0200
from localhost [127.0.0.1]

----- The following addresses had permanent fatal errors -----
fbloggs@gmail.com

  • (reason: 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both)*

  • ----- Transcript of session follows -----*
    … while talking to gmail-smtp-in.l.google.com.:
    >>> DATA
    <<< 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both
    <<< 550-5.7.26 do not pass). SPF check for [MyDomain.com] does not pass
    <<< 550-5.7.26 with ip: [999.999.999.999].To best protect our users from spam, the
    <<< 550-5.7.26 message has been blocked. Please visit
    <<< 550-5.7.26 Prevent mail to Gmail users from being blocked or sent to spam - Gmail Help for more
    <<< 550 5.7.26 information. ba12-numbersletters - gsmtp
    554 5.0.0 Service unavailable

Is there any way around this without leaving send mail open to would-be hackers and abuse?

Hi,

Does MyDomain.com have a dkim record? is so did you update this record when migrating, as during the process a dkim record would likely to have been generated.

Have you set up an SPF and is MyDomain.com’s IP in it?

Regards Tom.

Nope, myDomain.com is in Canada. oddice.MtDomain.Com is in the server room next door to me. My Mailserver for office.MyDomain.com is GroupWise 7, LONG before they even though of dkim and NO, I’m not planning to update it. There are no backdoors in it and I don’t trust ANYTHING that was left over after Microsoft gor rid of Novell… I KNOW there are no backdoors in GW7.
So Rocky (fail2ban, Logwatch etc) mail hits sendmail, which then reposts it to MyDomain.com, but because the MX Record is pointing to mymailserver.office.myDomain.com everything addresses to root, comes to office, but Forum mail is reposted from sendmail to the user. in this case gmail.

Her’s the header:
Received: from .Rocky-86.office.MyDomain.com (www.office.myDomain.com [192.168.0.213])
by Mymailserver.office.myDomain.com with ESMTP; Wed, 03 Aug 2022 18:47:39 +0200
Received: from localhost (localhost)
by .Rocky-86.office.myDomain.com (8.15.2/8.15.2) id 273Glc0b232931;
Wed, 3 Aug 2022 18:47:38 +0200
Date: Wed, 3 Aug 2022 18:47:38 +0200
From: Mail Delivery Subsystem MAILER-DAEMON@myDomain.com
Message-Id: <202208031647.273Glc0b232931@.Rocky-86.office.myDomain.com>
To: <apache@.Rocky-86.office.myDomain.com>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary=“273Glc0b232931.1659545258/.Rocky-86.office.myDomain.com”
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

Yeah, I know it’s complicated and probably stupid, but is there a way around it by using a relay or something?

Hi,

If their is no dkim. Have you got an spf configured?

Regards Tom.

OK, you have to be clear here. THREE mailservers are involved:
myDomain.com . Canada and I doubt it would help
Office.myDomain.com GW7 and I doubt if it’s posible
Sendmail on Rocky (no - would it help?)

Hi,

Is mydomain.com and public domain (like gmail.com for example, I’m assuming you have obscured the domain for sub reason)? Or it an internal (like .local for example)?

Regards Tom.

Of course I obscured them for a pretty obvious reason I would have thought, but NO, it’s what it says it is MyDomain is something.com and the subdomain is something.something.com

I’m not sure what sendmail is. It has no MX record and it doesn’t receive (thank God - no spam). All I know is what’s in the header. I’m guessing it masquerades as something.com, not something.something.com

Hi,

I would consider adding an SPF record to the dns zone of something.com. Of any your smtp servers which have a public IP address involved in this process. More details about SPFs can be found here:

https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-spf-record/

Gmail can be PITA if any part of the process for sending mail changes. So even if it worked before, gmail can start throwing flags. I’ve found in the past adding an SPF tends to resolve these issues. Sometimes have to add a _dmarc as well, details of these can be found in the linked article.

Regards Tom.

Thanks Tom, but a question from all this arises.

Like SSL Certificates, does the SPF and the Dmarc achieve anything? THEORETICALLY is should stop (or at least SLOW, spam). It’s actually increasing, not decreasing.

Trying to block google bots is a waste of time OPNsense doesn’t stop them at all, they just keep coming. Bug or deliberate?

SSL should stop hackers, but since I installed SSL Certificates, the number of attacks by would-be hackers has increased by a factor of 4 or more.

Last night, I had a list of 18 attempts to hack my forums and 16 attempts to hack the mail server, one of which started at 23:00 and he was at it all night until I caught him and put him on the firewall at 06:30.

The night before ONE IP address was trying to send mail the entire night. My log file was HUGE.

So again, I have to ask the question in THEORY, all these things sound good, but are they actually achieving anything other than costing time, money and resources?

I asked my hosting company in Canada about an SPF, but they were unhelpful as my mail doesn’t come to their server, it comes to mine.

Correct me if I’m wrong, but as I read this, I would have to put an SPF record on myDomain.com, which says mail coming from the WAN interface of my ISP ( <<< 550-5.7.26 with ip: [999.999.999.999].To best protect our users from spam,)

999.999.999.999 is my ISP’s WAN interface.

This is the header of a mail sent from office.myDomain.com to a Protonmail account

Received: from mymailserver.office.myDomain.com (unknown [999.999.999.999]) by
mailin004.protonmail.ch (Postfix) with ESMTP id 4LsbjM3Wv5z9vNPJ for
Someonelse@protonmail.com; Tue, 26 Jul 2022 12:25:43 +0000 (UTC)
Received: from NTDom-MTA by mymailserver.office.myDomain.com with ;
Tue, 26 Jul 2022 14:25:32 +0200
Authentication-Results: mailin004.protonmail.ch; arc=none smtp.remote-ip=999.999.999.999
Authentication-Results: mailin004.protonmail.ch; dkim=none
Authentication-Results: mailin004.protonmail.ch; spf=none
smtp.mailfrom=myDomain.com
Authentication-Results: mailin004.protonmail.ch; dmarc=none (p=none dis=none)
header.from=myDomain.com
Message-Id: 62DFF949.5FED.0088.3@myDomain.com
X-Mailer:
Date: Tue, 26 Jul 2022 14:25:12 +0200
From: “My Name”
me@myDomain.com
To: someonelse@protonmail.com

There’s that Wan Interface again 999.999.999.999

Hi,

All an SPF advises is that an IP or a hostname is ok to send email for a domain.

Sorry getting confused by your setup. I think it as follows:

Sendmail (999.999.999.999) should send a copy of the email to Office.MyDomain.com and the forum user.

Is this correct?

Is the sendmail configuration the same as it was on centos7?

Regards Tom.

Copied straight across, no changes.
I lease a /29 subnet and I have 5 useable IP addresses one is the mailserver and one is the Rocky Server that has the 2 forums and sendmail all on the same IP.

From looking at the headers, the NAT sends everyting out o the ISP’s WAN interface 999.999.999.999.

Without going into the files, I recall the masquerade on sendmail is to myDomain.com, not the subdomain.

This seems to indicate that the mail goes out as comeing from myDomain.com

I’m no Linux expert, so I’m not sure.

Hi,

So sendmail should be relaying via mailserver, not straight out of the wan IP?

Regards Tom.

If you say so. Probably

Hi,

I’m trying to understand your config, to advise what to do for the best.

Answers like this do not help.

Basically gmail is rejecting as does not believe 999.999.999.999 is associated with myDomain.com . If mail is meant to come out of 999.999.999.999 and its a static IP, I would create and spf record with it.

If its not, you need to look at the sendmail config. Feel free to post it here.

Regards Tom.

@Mikheil you would be better, getting sendmail on that SMF server to authenticate with your mail server and send mail via that instead. I don’t use sendmail, hate it actually, much prefer postfix, so cannot help you with that but there are plenty of articles on the internet on how to configure sendmail with relay authentication. You ensure it uses a username and password on your mail server, can be your email account, or set one up especially for it, and then configure sendmail to talk with the IP address or domain name of your mail server. It will send as if it was a normal email client then, and you will save a whole load of problems you are having.

The biggest problem is Google sees your sendmail sending email, but knows that no DNS entry (an A record) doesn’t exist for it, so this causes a lot of problems. Every host that sends direct, must have a DNS entry, or MX records created, otherwise send it via your main mail server. Also, mail servers can and may/will check if a PTR (reverse DNS entry exists for the IP address in question). Since all mail servers should have a PTR that matches the DNS name of the mail server for all other mail servers to accept email from it. Anyone sending mail from a server that doesn’t have a PTR record that matches the mail server, can have the emails rejected. The same also, if the PTR record doesn’t match the name of the mail server - typical scenario, using residential broadband lines to attempt to send email when the PTR record won’t match, and the ISP is unlikely to change it for you either. So these can all be valid reasons for Google/Gmail rejecting emails sent via your SMF server purely because it believes it’s coming from an untrusted source. I have a server that sends emails from my web application, and I send them via my mail server in a similar method with SMTP relay authentication.

I know your domain name from previous help with opnsense, and I have checked, there are zero SPF or dkim records for the part that you use, or the main domain which is controlled by someone else. It will be far easier and quicker for you to configure the authenticated relaying via your email server, than to go through configuring SPF, DKIM, DMARC, etc. That said, adding DNS entries for SPF and DMARC can help. DKIM requires a lot more work, and using something like OpenDKIM and integrating with postfix/sendmail to get it to sign emails. Nice to have, but not necessary.

EDIT: this Red Hat article should help you relay via port 587 to your mail server: How to configure sendmail for relaying mail over port 587 using authentication. - Red Hat Customer Portal

1 Like

My skill sets are as follows. Tracker Dogs, Scent Dogs, Attack Dogs, martial arts, weight lifting, all things Novell, music (guitar) and writing Novels. Not emails or Linux, so I wasn’t trying to be facetious. I don’t know. THTAT is why I posted the headers. Quite frankly I find Linux and it’s command lines a pain in the butt. Even Novell Netware had a GUI of sorts. Having said than ANYTHING is better than bloody Windows.

It would appear (but I may be wrong) that that ALL mail leaving here goes out as myDomain.com, but gmail doesn’t reject mail from myserver.office.myDomain.com and the IP associated with it is 999.999.999.999. (See the header of the mail sent to Proton mail),

I tried to send an email from the forum to my protonmail account, but it never came through.

I sent one from the command line (I’m logged in as root) to my protonmail address and it arrived, the essential header is below
Return-Path: root@rocky-86.office.mydomain.com
X-Original-To: fred.frog@protonmail.com
Delivered-To: Frederick.Frog@protonmail.com
Received: from rocky-86.office.mydomain.com (unknown [999.999.999.999]) (using
TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)

Does that give you any clues? I’ll gladly send you the sendmail config, but it will take quite a while to ‘sanitize’ it.

Hi,

I would try @iwalker’s suggestion.

Regards Tom.

I’ll backup the server and give it a try. I’ll let you know if it works.

1 Like

I carefully carried out the instructions in iwalkers post.

RESULT:
Carefully followed instructions - No errors Here’s what I got:

Please ingore root…
aliased to me@myDomain.com
me@myDomain.com… Connecting to mailserver.office.myDomain.com. via esmtp…
220 mailserver.office.myDomain.com GroupWise Internet Agent x.x.x Copyright (c) 1066-2999 Novell, Inc. All rights reserved. Ready

EHLO rocky-86.office.myDomain.com
250-mailserver.office.myDomain.com
250-AUTH LOGIN
250-8BITMIME
250-SIZE
250 DSN
MAIL From:<> SIZE=1108
250 Ok
RCPT To:me@myDomain.com
250 Ok
DATA
354 Enter mail, end with “.” on a line by itself
.
250 Ok
me@myDomain.com… Sent (Ok)
Closing connection to mailserver.office.myDomain.com.
QUIT
221 mailserver.office.myDomain.com Closing transmission channel

I receive it as :
From : root@rocky-86.office.myDomain.com
To : Me
Subject : Test

If I send mail from the command line or from Webmin, it arrives in my mailbox as above
If I send mail to my protonmail address from the commandline or webmin. It arrives at protonmail as above

If I send mail from the SMF Forum, it vanishes into that big bit bucket in the sky and disppears without a trace.

Seems protonmail rejects it.