Outgoing SMF forum mail being rejected

I have a strange setup. Two SMF forums on Rocky.
Sendmail configured so no incoming mail but outgoing (from Forums).
My Mailserver is myDomain.com but I have a sub-domain office.MyDomain.com and the MX record for MyDomain.com, points to Office.MyDomain.com.

It worked OK on CentOS 7, but having moved to Rocky, mail output from the forums is being rejected.

The original message was received at Wed, 3 Aug 2022 18:47:37 +0200
from localhost [127.0.0.1]

----- The following addresses had permanent fatal errors -----
fbloggs@gmail.com

  (reason: 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both)

  ----- Transcript of session follows -----
  … while talking to gmail-smtp-in.l.google.com.:
  >>> DATA
  <<< 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both
  <<< 550-5.7.26 do not pass). SPF check for [MyDomain.com] does not pass
  <<< 550-5.7.26 with ip: [999.999.999.999].To best protect our users from spam, the
  <<< 550-5.7.26 message has been blocked. Please visit
  <<< 550-5.7.26 Prevent mail to Gmail users from being blocked or sent to spam - Gmail Help for more
  <<< 550 5.7.26 information. ba12-numbersletters - gsmtp
  554 5.0.0 Service unavailable

Is there any way around this without leaving send mail open to would-be hackers and abuse?

Hi,

Does MyDomain.com have a dkim record? If so, did you update this record when migrating, as during the process a dkim record would likely have been generated.

Have you set up an SPF and is MyDomain.com's IP in it?

Regards Tom.

Nope, myDomain.com is in Canada. office.MyDomain.com is in the server room next door to me. My Mailserver for office.MyDomain.com is GroupWise 7, LONG before they even thought of dkim and NO, I'm not planning to update it. There are no backdoors in it and I don't trust ANYTHING that was left over after Microsoft got rid of Novell… I KNOW there are no backdoors in GW7.
So Rocky (fail2ban, Logwatch etc) mail hits sendmail, which then reposts it to MyDomain.com, but because the MX Record is pointing to mymailserver.office.myDomain.com everything addressed to root comes to office, but Forum mail is reposted from sendmail to the user, in this case gmail.

Here's the header:
Received: from .Rocky-86.office.MyDomain.com (www.office.myDomain.com [192.168.0.213])
by Mymailserver.office.myDomain.com with ESMTP; Wed, 03 Aug 2022 18:47:39 +0200
Received: from localhost (localhost)
by .Rocky-86.office.myDomain.com (8.15.2/8.15.2) id 273Glc0b232931;
Wed, 3 Aug 2022 18:47:38 +0200
Date: Wed, 3 Aug 2022 18:47:38 +0200
From: Mail Delivery Subsystem MAILER-DAEMON@myDomain.com
Message-Id: <202208031647.273Glc0b232931@.Rocky-86.office.myDomain.com>
To: <apache@.Rocky-86.office.myDomain.com>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="273Glc0b232931.1659545258/.Rocky-86.office.myDomain.com"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

Yeah, I know it's complicated and probably stupid, but is there a way around it by using a relay or something?

Hi,

If there is no dkim, have you got an spf configured?

Regards Tom.

OK, you have to be clear here. THREE mailservers are involved:
myDomain.com . Canada and I doubt it would help
Office.myDomain.com GW7 and I doubt if it's possible
Sendmail on Rocky (no - would it help?)

Hi,

Is mydomain.com a public domain (like gmail.com for example, I'm assuming you have obscured the domain for some reason)? Or is it an internal one (like .local for example)?

Regards Tom.

Of course I obscured them for a pretty obvious reason I would have thought, but NO, it's what it says it is: MyDomain is something.com and the subdomain is something.something.com.

I'm not sure what sendmail is. It has no MX record and it doesn't receive (thank God - no spam). All I know is what's in the header. I'm guessing it masquerades as something.com, not something.something.com

Hi,

I would consider adding an SPF record to the dns zone of something.com for any of your smtp servers which have a public IP address involved in this process. More details about SPFs can be found here:

https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-spf-record/

Gmail can be a PITA if any part of the process for sending mail changes. So even if it worked before, gmail can start throwing flags. I've found in the past adding an SPF tends to resolve these issues. Sometimes you have to add a _dmarc as well; details of these can be found in the linked article.

Regards Tom.

Thanks Tom, but a question from all this arises.

Like SSL Certificates, does the SPF and the Dmarc achieve anything? THEORETICALLY it should stop (or at least SLOW) spam. It's actually increasing, not decreasing.

Trying to block google bots is a waste of time. OPNsense doesn't stop them at all, they just keep coming. Bug or deliberate?

SSL should stop hackers, but since I installed SSL Certificates, the number of attacks by would-be hackers has increased by a factor of 4 or more.

Last night, I had a list of 18 attempts to hack my forums and 16 attempts to hack the mail server, one of which started at 23:00 and he was at it all night until I caught him and put him on the firewall at 06:30.

The night before ONE IP address was trying to send mail the entire night. My log file was HUGE.

So again, I have to ask the question in THEORY, all these things sound good, but are they actually achieving anything other than costing time, money and resources?

I asked my hosting company in Canada about an SPF, but they were unhelpful as my mail doesn't come to their server, it comes to mine.

Correct me if I'm wrong, but as I read this, I would have to put an SPF record on myDomain.com, which says mail coming from the WAN interface of my ISP ( <<< 550-5.7.26 with ip: [999.999.999.999].To best protect our users from spam,)

999.999.999.999 is my ISP's WAN interface.

This is the header of a mail sent from office.myDomain.com to a Protonmail account

Received: from mymailserver.office.myDomain.com (unknown [999.999.999.999]) by
mailin004.protonmail.ch (Postfix) with ESMTP id 4LsbjM3Wv5z9vNPJ for
Someonelse@protonmail.com; Tue, 26 Jul 2022 12:25:43 +0000 (UTC)
Received: from NTDom-MTA by mymailserver.office.myDomain.com with ;
Tue, 26 Jul 2022 14:25:32 +0200
Authentication-Results: mailin004.protonmail.ch; arc=none smtp.remote-ip=999.999.999.999
Authentication-Results: mailin004.protonmail.ch; dkim=none
Authentication-Results: mailin004.protonmail.ch; spf=none
smtp.mailfrom=myDomain.com
Authentication-Results: mailin004.protonmail.ch; dmarc=none (p=none dis=none)
header.from=myDomain.com
Message-Id: 62DFF949.5FED.0088.3@myDomain.com
X-Mailer:
Date: Tue, 26 Jul 2022 14:25:12 +0200
From: "My Name"
me@myDomain.com
To: someonelse@protonmail.com

There's that WAN Interface again 999.999.999.999

Hi,

All an SPF advises is that an IP or a hostname is ok to send email for a domain.

Sorry, getting confused by your setup. I think it is as follows:

Sendmail (999.999.999.999) should send a copy of the email to Office.MyDomain.com and the forum user.

Is this correct?

Is the sendmail configuration the same as it was on centos7?

Regards Tom.

Copied straight across, no changes.
I lease a /29 subnet and I have 5 usable IP addresses; one is the mailserver and one is the Rocky Server that has the 2 forums and sendmail all on the same IP.

From looking at the headers, the NAT sends everything out of the ISP's WAN interface 999.999.999.999.

Without going into the files, I recall the masquerade on sendmail is to myDomain.com, not the subdomain.

This seems to indicate that the mail goes out as coming from myDomain.com

I'm no Linux expert, so I'm not sure.

Hi,

So sendmail should be relaying via mailserver, not straight out of the wan IP?

Regards Tom.

If you say so. Probably

Hi,

I'm trying to understand your config, to advise what to do for the best.

Answers like this do not help.

Basically gmail is rejecting as it does not believe 999.999.999.999 is associated with myDomain.com. If mail is meant to come out of 999.999.999.999 and it's a static IP, I would create an spf record with it.

If it's not, you need to look at the sendmail config. Feel free to post it here.

Regards Tom.

@Mikheil you would be better off getting sendmail on that SMF server to authenticate with your mail server and send mail via that instead. I don't use sendmail, hate it actually, much prefer postfix, so cannot help you with that but there are plenty of articles on the internet on how to configure sendmail with relay authentication. You ensure it uses a username and password on your mail server, can be your email account, or set one up especially for it, and then configure sendmail to talk with the IP address or domain name of your mail server. It will send as if it was a normal email client then, and you will save a whole load of problems you are having.

The biggest problem is Google sees your sendmail sending email, but knows that no DNS entry (an A record) exists for it, so this causes a lot of problems. Every host that sends direct must have a DNS entry, or MX records created, otherwise send it via your main mail server. Also, mail servers can and may/will check if a PTR (reverse DNS entry) exists for the IP address in question, since all mail servers should have a PTR that matches the DNS name of the mail server for all other mail servers to accept email from it. Anyone sending mail from a server that doesn't have a PTR record that matches the mail server can have the emails rejected. The same also if the PTR record doesn't match the name of the mail server - typical scenario, using residential broadband lines to attempt to send email when the PTR record won't match, and the ISP is unlikely to change it for you either. So these can all be valid reasons for Google/Gmail rejecting emails sent via your SMF server, purely because it believes it's coming from an untrusted source. I have a server that sends emails from my web application, and I send them via my mail server in a similar method with SMTP relay authentication.

I know your domain name from previous help with opnsense, and I have checked, there are zero SPF or dkim records for the part that you use, or the main domain which is controlled by someone else. It will be far easier and quicker for you to configure the authenticated relaying via your email server, than to go through configuring SPF, DKIM, DMARC, etc. That said, adding DNS entries for SPF and DMARC can help. DKIM requires a lot more work, and using something like OpenDKIM and integrating with postfix/sendmail to get it to sign emails. Nice to have, but not necessary.

EDIT: this Red Hat article should help you relay via port 587 to your mail server: How to configure sendmail for relaying mail over port 587 using authentication. - Red Hat Customer Portal

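As an added illustration of the authenticated-relay approach suggested above (this is not iwalker's code, nor the thread's actual configuration or the linked Red Hat article), a sendmail.mc fragment for Rocky that hands all outbound mail to the GroupWise server on port 587 with LOGIN authentication. The relay host name mailserver.office.myDomain.com is taken from the thread; the account name and password are placeholders.

```m4
dnl Added example, not the thread's own config. Everything goes to the
dnl GroupWise box instead of straight out of the NATed WAN IP, so gmail
dnl sees the host that already has a working PTR/MX, not the forum server.
define(`SMART_HOST', `mailserver.office.myDomain.com')dnl
dnl Submit on port 587 rather than 25 for both relay mailers.
define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
dnl Client credentials live in a root-only hashed map, not in sendmail.cf.
FEATURE(`authinfo', `hash -o /etc/mail/authinfo.db')dnl
dnl The EHLO reply quoted later in the thread advertises only AUTH LOGIN,
dnl so the client-side mechanism list must include LOGIN (PLAIN as fallback).
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
dnl
dnl /etc/mail/authinfo (chmod 600) holds one line; account and password are
dnl placeholders to be replaced with a dedicated mailbox on the mail server:
dnl   AuthInfo:mailserver.office.myDomain.com "U:smtp-relay" "I:smtp-relay" "P:PLACEHOLDER" "M:LOGIN PLAIN"
dnl then: makemap hash /etc/mail/authinfo.db < /etc/mail/authinfo
```

On Rocky, `make -C /etc/mail` regenerates sendmail.cf from sendmail.mc; restart sendmail afterwards and check /var/log/maillog for `relay=mailserver.office.myDomain.com` and `stat=Sent` on the forum's messages.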

My skill sets are as follows: Tracker Dogs, Scent Dogs, Attack Dogs, martial arts, weight lifting, all things Novell, music (guitar) and writing Novels. Not emails or Linux, so I wasn't trying to be facetious. I don't know. THAT is why I posted the headers. Quite frankly I find Linux and its command lines a pain in the butt. Even Novell Netware had a GUI of sorts. Having said that, ANYTHING is better than bloody Windows.

It would appear (but I may be wrong) that ALL mail leaving here goes out as myDomain.com, but gmail doesn't reject mail from myserver.office.myDomain.com and the IP associated with it is 999.999.999.999. (See the header of the mail sent to Proton mail.)

I tried to send an email from the forum to my protonmail account, but it never came through.

I sent one from the command line (I'm logged in as root) to my protonmail address and it arrived; the essential header is below
Return-Path: root@rocky-86.office.mydomain.com
X-Original-To: fred.frog@protonmail.com
Delivered-To: Frederick.Frog@protonmail.com
Received: from rocky-86.office.mydomain.com (unknown [999.999.999.999]) (using
TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)

Does that give you any clues? I'll gladly send you the sendmail config, but it will take quite a while to 'sanitize' it.

Hi,

I would try @iwalker's suggestion.

Regards Tom.

I'll backup the server and give it a try. I'll let you know if it works.


I carefully carried out the instructions in iwalker's post.

RESULT:
Carefully followed instructions - No errors. Here's what I got:

Please ignore root…
aliased to me@myDomain.com
me@myDomain.com… Connecting to mailserver.office.myDomain.com. via esmtp…
220 mailserver.office.myDomain.com GroupWise Internet Agent x.x.x Copyright (c) 1066-2999 Novell, Inc. All rights reserved. Ready

EHLO rocky-86.office.myDomain.com
250-mailserver.office.myDomain.com
250-AUTH LOGIN
250-8BITMIME
250-SIZE
250 DSN
MAIL From:<> SIZE=1108
250 Ok
RCPT To:me@myDomain.com
250 Ok
DATA
354 Enter mail, end with "." on a line by itself
.
250 Ok
me@myDomain.com… Sent (Ok)
Closing connection to mailserver.office.myDomain.com.
QUIT
221 mailserver.office.myDomain.com Closing transmission channel

I receive it as :
From : root@rocky-86.office.myDomain.com
To : Me
Subject : Test

If I send mail from the command line or from Webmin, it arrives in my mailbox as above.
If I send mail to my protonmail address from the command line or Webmin, it arrives at protonmail as above.

If I send mail from the SMF Forum, it vanishes into that big bit bucket in the sky and disappears without a trace.

Seems protonmail rejects it.