Okay, Yahoo is bumming me. Only system my mail is having an issue with. All mail is accepted, but junked. I can only think it is the DKIM/Domain keys.
It is apparent that the dkim-milter is not part of the centos 5.x distro nor is it part of the mirrors, as far as I can tell.
So...have any of you done it with your servers for sendmail?
There are some sites that claim to have rpms and I have downloaded the tar from sendmail. But I would rather hear from anyone who has an opinion before I go with one or the other.
I do not trust any rpms except for their mirrors, so not sure if I want to do that. But maybe it is fine.
Open to suggestions, ideas for what works for you and yahoo.
No, I do not want to install postfix, thank you - /ninja'd ya
Bob
Setup proper SPF records for your domain(s) for one.
As far as the dk or dkim stuff, there should be some howto's out there in relation to centos and other mailservers acceptance of signed emails
- rh
RobertH wrote:
Okay, Yahoo is bumming me. Only system my mail is having an issue with. All mail is accepted, but junked. I can only think it is the DKIM/Domain keys.
Setup proper SPF records for your domain(s) for one.
That's supposed to help with what regarding his problem? OTOH I have no idea which problem SPF solves anyway other than making it harder for others to use your domain for fake addresses (if receiving mail servers do some sort of check against SPF).
Ralph
Setup proper SPF records for your domain(s) for one.
That's supposed to help with what regarding his problem? OTOH I have no idea which problem SPF solves anyway other than making it harder for others to use your domain for fake addresses (if receiving mail servers do some sort of check against SPF).
Ralph
I think google/gmail pays attention to it and they add points for it.
That's supposed to help with what regarding his problem? OTOH I have no idea which problem SPF solves anyway other than making it harder for others to use your domain for fake addresses (if receiving mail servers do some sort of check against SPF).
Ralph
Ralph,
He asked for help with yahoo re: dkim and any other advice...
So I groped his dns a little and checked forward and reverse and then txt records etc etc
Then I said
"Setup proper SPF records for your domain(s) for one."
Most properly setup mail servers do some sort of SPF checking nowadays and use the info at SMTP time or later in something like spamassassin scoring etc
- rh
RobertH wrote:
Then I said
"Setup proper SPF records for your domain(s) for one."
Most properly setup mail servers do some sort of SPF checking nowadays and use the info at SMTP time or later in something like spamassassin scoring etc
That's probably the reason why much spam has valid spf records. Get yourself a throwaway domain, so you're getting through the domain check and give that domain a valid spf record which allows all machines in the world to send mail for that domain. Voilà - valid SPF record.
That's why I asked which problem SPF is trying to solve.
Ralph
That's probably the reason why much spam has valid spf records. Get yourself a throwaway domain, so you're getting through the domain check and give that domain a valid spf record which allows all machines in the world to send mail for that domain. Voilà - valid SPF record.
That's why I asked which problem SPF is trying to solve.
Ralph
Then you would get greylisted, then blacklisted since they can trace the domain and ip for sure.... It is helpful to let them know mail is not from you...however, if a spammer were to legitimize him/herself, then I would assume blacklist of ip and domain would soon follow everywhere.
I have to say, in the 7 months or so since I got into this whole linux webserver, this is the most active thread I have ever encountered. I would assume most of us are a little unsure about the whole dkim/spf/sender id thing. And even according to the websites themselves, they are not sure of their own standards.
I think it would be safe to assume you need to program/configure for the mass email systems like gmail, yahoo, hotmail, aol, etc....and assume (quite rightly) that everyone else will not have any problems with your mail at all.
So I think anything done to the mail config at this point is just to make yahoo happy. Oh, cause nothing I like more than to make yahoo happy.
Ask their shareholders if yahoo makes them happy...lol
Bob Hoffman wrote:
I have to say, in the 7 months or so since I got into this whole linux webserver, this is the most active thread I have ever encountered. I would assume most of us are a little unsure about the whole dkim/spf/sender id thing. And even according to the websites themselves, they are not sure of their own standards.
No, I'm very sure about SPF. It's crap. Utter crap. And it can break mails in a very funny way.
Let's say you send me a mail to ralph@centos.org. That mail is just forwarded to a different mail account. Now I get a mail from someone@hoffman.com, but I get it via mail.centos.org which clearly isn't a server you would allow to send mails out as @hoffman.com when you set up SPF for your domain. So if I drop mails which don't have a "correct" SPF record - I'd drop that mail.
Although your domain has correct SPF records.
And yes, there are ways around it which make the whole thing even uglier.
Ralph
on 9-24-2008 2:23 PM Ralph Angenendt spake the following:
Bob Hoffman wrote:
I have to say, in the 7 months or so since I got into this whole linux webserver, this is the most active thread I have ever encountered. I would assume most of us are a little unsure about the whole dkim/spf/sender id thing. And even according to the websites themselves, they are not sure of their own standards.
No, I'm very sure about SPF. It's crap. Utter crap. And it can break mails in a very funny way.
Let's say you send me a mail to ralph@centos.org. That mail is just forwarded to a different mail account. Now I get a mail from someone@hoffman.com, but I get it via mail.centos.org which clearly isn't a server you would allow to send mails out as @hoffman.com when you set up SPF for your domain. So if I drop mails which don't have a "correct" SPF record - I'd drop that mail.
Although your domain has correct SPF records.
And yes, there are ways around it which make the whole thing even uglier.
But shouldn't a forwarder add its own envelope and a set of received headers?
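The forwarding case Ralph describes and the envelope question raised in reply to it, as an added example that is not part of the original thread: a minimal SPF evaluation (only the `ip4` and `all` mechanisms) run at the final receiver for direct delivery, plain forwarding, and forwarding with an SRS-style envelope rewrite. The domains, addresses, records and the simplified rewrite format are all constructed for the illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed SPF TXT records; names and addresses are documentation values.
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.10 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, records=SPF_RECORDS):
    """Evaluate the envelope sender's domain against the connecting IP.

    Handles only the ip4 and all mechanisms, which is enough for this case.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    terms = records.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"  # no SPF policy published for that domain
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def rewrite_envelope(mail_from, forwarder_domain, secret):
    """SRS-style rewrite (simplified: real SRS also carries a timestamp).

    The forwarder puts its own domain in the envelope sender and keeps the
    original address in the local part so bounces can be routed back.
    """
    local, domain = mail_from.rsplit("@", 1)
    tag = hmac.new(secret, f"{domain}={local}".encode(), hashlib.sha256).hexdigest()[:6]
    return f"SRS0={tag}={domain}={local}@{forwarder_domain}"


def scenarios():
    """SPF result seen by the final receiver in each delivery path."""
    original = "someone@sender.example"
    rewritten = rewrite_envelope(original, "forwarder.example", b"constructed-secret")
    return {
        # Sender's own server connects: its IP is listed in the record.
        "direct": check_spf("192.0.2.10", original),
        # Forwarder connects but the envelope still names sender.example.
        "forwarded, envelope kept": check_spf("198.51.100.25", original),
        # Forwarder connects with its own domain in the envelope.
        "forwarded, envelope rewritten": check_spf("198.51.100.25", rewritten),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32} {result}")
```

The middle case is the one from the post: the sender's record is correct, yet the receiver behind the forwarder sees a fail because the connecting IP belongs to the forwarder.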
Apparently now when I send an email from my yahoo account to the server, it just disappears. So now yahoo is eating the mail going to me.
Wonderful.
Egads.
on 9-24-2008 2:41 PM Bob Hoffman spake the following:
Apparently now when I send an email from my yahoo account to the server, it just disappears. So now yahoo is eating the mail going to me.
Wonderful.
Egads.
Are you positive that your server isn't eating it?
Egads.
Are you positive that your server isn't eating it?
I whitelisted yahoo in spam assassin. Now some of the domains can send mail and get junked, but the bobhoffman mail does not even get that far anymore.
I think yahoo must be worried as to the new ip addresses for my site. Maybe the new ip addresses were once spam.
I keep asking them in mails and they keep sending me a form answer to the faq that does not answer.
Other than yahoo, all is well though...this is definitely a yahoo thing I believe.
Bob Hoffman wrote:
Apparently now when I send an email from my yahoo account to the server, it just disappears. So now yahoo is eating the mail going to me.
can you try after changing your hostname from "mail.creativeprogramdesigners.com" to "bobhoffman.com". I mean the name that appears in your greeting:
$ telnet bobhoffman.com 25
...
220 mail.creativeprogramdesigners.com ESMTP Sendmail ...
Wonderful.
life is wonderful, isn't it?
can you try after changing your hostname from "mail.creativeprogramdesigners.com" to "bobhoffman.com". I mean the name that appears in your greeting:
$ telnet bobhoffman.com 25
...
220 mail.creativeprogramdesigners.com ESMTP Sendmail ...
You can only have one hostname for the server. There are multiple websites on it. Each site should have its own mail domain and the fact that you see that in the telnet tells you it is working right.
The mail.creati...com is from when the mail server gets it from my home computer. Unfortunately that is the way the mail works. That host is getting it and then moving it along.
And yep...just started a few yahoo accounts.
They cannot get any mail out to my server and all mail going in is junk. Yahoo itself can send me mails as I asked them to in the account set up.
I think this is solely a yahoo issue and nothing to do with dkim, spf, or anything else. I think they are killing any mail to my server and greylisting anything from it.
Dang you yahoo!!!! Lol.
I will let you know if I ever get it resolved.
Thanks for all the input. I just think this is out of my hands completely now other than a letter begging yahoo to help...a real snail mail letter..
Update, spf did nothing for yahoo. Spf made gmail a little happier. Yahoo is getting through to my server, it just takes from 1 to 10 minutes right now.
Yea....to hell with yahoo. I will just make all members use a different email service. Aint worth the effort.
That'll show em who's boss
lol
Bob Hoffman wrote:
Update, spf did nothing for yahoo. Spf made gmail a little happier. Yahoo is getting through to my server, it just takes from 1 to 10 minutes right now.
Yea....to hell with yahoo. I will just make all members use a different email service. Aint worth the effort.
I think this conversation is at a point where it would make more sense on a yahoo / email specific list.
Karanbir Singh wrote:
Bob Hoffman wrote:
Yea....to hell with yahoo. I will just make all members use a different email service. Aint worth the effort.
I think this conversation is at a point where it would make more sense on a yahoo / email specific list.
Agreed! It's amazing to see the childishness of not being able to get one's server in order, ignoring Yahoo's FAQs and then this kind of BS.
Thanks, Josh.
I think this conversation is at a point where it would make more sense on a yahoo / email specific list.
Agreed! It's amazing to see the childishness of not being able to get one's server in order, ignoring Yahoo's FAQs and then this kind of BS.
Thanks, Josh.
Um, no one has ignored yahoo's mail practices. My server is set up correctly. I even took the step of adding spf. I talked to others with the same issue that use dkim. It is still grey listed.
After talking with yahoo, they indicate the change of ip addresses/server/hostname as main indicator. They asked for the old and the new ips, server, hostname to verify.
But of course you do not read.
So, you can stick your childishness up your arse and kiss mine while you are at it.
Bob Hoffman wrote:
Um, no one has ignored yahoo's mail practices. My server is set up correctly. I even took the step of adding spf. I talked to others with the same issue that use dkim. It is still grey listed.
After talking with yahoo, they indicate the change of ip addresses/server/hostname as main indicator. They asked for the old and the new ips, server, hostname to verify.
But of course you do not read.
So, you can stick your childishness up your arse and kiss mine while you are at it.
Looking at the headers of the mail you have just sent from a yahoo client you have not followed to the letter Yahoo's requirements 4-7.
http://lists.centos.org/pipermail/centos/2008-September/065243.html
Feel free to use the Contact Yahoo Customer Care button below the FAQ. Stop being belligerent on a public mailing list. People have issues other than Yahoo mail to discuss.
Thanks, Josh.
Josh wrote
Agreed! It's amazing to see the childishness of not being able to get one's server in order, ignoring Yahoo's FAQs and then this kind of BS.
Looking at the headers of the mail you have just sent from a yahoo client you have not followed to the letter Yahoo's requirements 4-7.
4- consistent headers- there is nothing wrong with the headers. ...check.
5- can spam act..went there, nothing in my headers or mail suggests it ..check
6- mail authentication- no domain keys here, yahoo does not require except for bulk mailings, as per their faqs, spf and dkim taken off as useless and mail breaking.
7- reverse dns- not a dynamic ip...check.
So...we agree to disagree that each thinks the other does not know what is happening. Let's leave it at that.
Although your email headers have issues.....might want to look into that localhost 127.0.0.1 thing. That is a red flag. All those different mailservers from the same domain. Golly.
Received: from n27.bullet.mail.ukl.yahoo.com (n27.bullet.mail.ukl.yahoo.com [87.248.110.144])
Received: from [217.146.182.177] by n27.bullet.mail.ukl.yahoo.com with NNFMP; 25 Sep 2008 12:07:03 -0000
Received: from [87.248.110.117] by t3.bullet.ukl.yahoo.com with NNFMP; 25 Sep 2008 12:07:03 -0000
Received: from [127.0.0.1] by omp222.mail.ukl.yahoo.com with NNFMP; 25 Sep 2008 12:07:03 -0000
Received: from [79.65.135.77] by web28215.mail.ukl.yahoo.com via HTTP; Thu, 25 Sep 2008 12:07:03 GMT
X-Mailer: YahooMailWebService/0.7.218.2
From: Josh Donovan josh.dvan@yahoo.co.uk
on 9-25-2008 5:21 AM Bob Hoffman spake the following:
Josh wrote
Agreed! It's amazing to see the childishness of not being able to get one's server in order, ignoring Yahoo's FAQs and then this kind of BS.
Looking at the headers of the mail you have just sent from a yahoo client you have not followed to the letter Yahoo's requirements 4-7.
4- consistent headers- there is nothing wrong with the headers. ...check.
5- can spam act..went there, nothing in my headers or mail suggests it ..check
6- mail authentication- no domain keys here, yahoo does not require except for bulk mailings, as per their faqs, spf and dkim taken off as useless and mail breaking.
7- reverse dns- not a dynamic ip...check.
So...we agree to disagree that each thinks the other does not know what is happening. Let's leave it at that.
Although your email headers have issues.....might want to look into that localhost 127.0.0.1 thing. That is a red flag. All those different mailservers from the same domain. Golly.
Received: from n27.bullet.mail.ukl.yahoo.com (n27.bullet.mail.ukl.yahoo.com [87.248.110.144])
Received: from [217.146.182.177] by n27.bullet.mail.ukl.yahoo.com with NNFMP; 25 Sep 2008 12:07:03 -0000
Received: from [87.248.110.117] by t3.bullet.ukl.yahoo.com with NNFMP; 25 Sep 2008 12:07:03 -0000
Received: from [127.0.0.1] by omp222.mail.ukl.yahoo.com with NNFMP; 25 Sep 2008 12:07:03 -0000
Received: from [79.65.135.77] by web28215.mail.ukl.yahoo.com via HTTP; Thu, 25 Sep 2008 12:07:03 GMT
X-Mailer: YahooMailWebService/0.7.218.2
From: Josh Donovan josh.dvan@yahoo.co.uk
An entry from localhost is very common on a webmail server. It shouldn't break anything, it is just a relay.
Scott Silva wrote:
An entry from localhost is very common on a webmail server. It shouldn't break anything, it is just a relay.
Enough time has been wasted on the DKIM thread so I'm not reading the main thread but what was Hoffman thinking looking up my headers on a webmail client? I'm not the one sending Yahoo email from a home server. It's crystal clear what needs to be done. Wait till he sends mail to AOL or Hotmail.
Thanks, Josh.
Bob Hoffman wrote:
I think this conversation is at a point where it would make more sense on a yahoo / email specific list.
Agreed! It's amazing to see the childishness of not being able to get one's server in order, ignoring Yahoo's FAQs and then this kind of BS.
Thanks, Josh.
Um, no one has ignored yahoo's mail practices. My server is set up correctly. I even took the step of adding spf. I talked to others with the same issue that use dkim. It is still grey listed.
After talking with yahoo, they indicate the change of ip addresses/server/hostname as main indicator. They asked for the old and the new ips, server, hostname to verify.
But of course you do not read.
So, you can stick your childishness up your arse and kiss mine while you are at it.
This is really inappropriate. Many people here have tried to help you with what is really _your_ problem and is clearly off topic here. While I don't like Josh's mail, yours is worse.
mouss wrote: . . .
I don't like Josh's mail, yours is worse.
I dunno about that. I mean after a long thread where you try to make sure you are doing the right thing on your end before going upstream to complain, you get to be called childish, ignorant and full of BS. I'd be pissed too.
BTW - very informative thread.
Toby Bluhm wrote:
BTW - very informative thread.
<thought> I wonder if someone might take the bits of info in this thread and put it into a wiki page around Mail Servers and perhaps start a best practices section...
Would http://wiki.centos.org/HowTos#head-49a3d6a9a0c95cff0676b0209eae985780e41678 be a good place to consolidate under ?
</thought>
Karanbir Singh wrote:
Toby Bluhm wrote:
BTW - very informative thread.
<thought> I wonder if someone might take the bits of info in this thread and put it into a wiki page around Mail Servers and perhaps start a best practices section...
Would http://wiki.centos.org/HowTos#head-49a3d6a9a0c95cff0676b0209eae985780e41678 be a good place to consolidate under ?
</thought>
This has been an excellent thread. Yet this thread has been only one tiny aspect of good email practices. Yet many folks 'respectfully' did not understand a lot that was corrected in several of the posts in just this one very basic aspect of email.
This leads me to ask for a CentOS mailing list for email....
For webserver/mailserver admins, it seems that email is by far the largest issue, spanning everything from DNS to server loads to choosing (and the configuration of) many applications... some not upstream packages. It's easy to get into a mess and not have a good way back to the base. MailScanner comes to mind. Great software, but dependency hell. I found that I could have used many Perl packages from the Dag repo instead of how MailScanner chose to do its install. This resulted in a much cleaner install with regards to package management. If there had been a CentOS email, mailing list, much of this could have been headed off and perhaps more wiki's would spring out of it? Yet again, the above is just one other tiny aspect of reliable email service on a CentOS server.
When I go off to other software and to their mailing list, the answers are more about 'how to get it to work' instead of 'how to get it to best co-exist within CentOS'. In fact, many hate rpm and insist on totally sidestepping it. Yes, sometimes it's a PITA, but most of the time staying within upstream keeps me out of trouble which is why I guess most of us are using CentOS in the first place.
This was what led to my thought for a CentOS specific mailing list for email. Yes, there is a huge amount of data out there, just like this thread. But these types of threads clog a general list and I've always hesitated to post any email issues here. Yet, it is extremely difficult to drill down a search to the good information with regards to CentOS specific help or good practices with regards to email. Google any way you want.... you either miss what's good or get way the heck too much information that is not helpful to CentOS, in spite of using CentOS as a part of the search.... yes, even in quotes. And, on a list like this you get to know who to trust. General searches often times yield idiotic suggestions or old practices. The target is constantly moving. Large providers are constantly making 'new rules'. My clients don't care, they just want to be able to send an email to their clients no matter the receiving system.
So I again ask for this list... I wonder how many feel that it would be worth the trouble? But I don't really want to ask anything more of the CentOS team, as they are IMO doing plenty right now. I am very appreciative.
John Hinton
on 9-25-2008 9:58 AM John Hinton spake the following:
Karanbir Singh wrote:
Toby Bluhm wrote:
BTW - very informative thread.
<thought> I wonder if someone might take the bits of info in this thread and put it into a wiki page around Mail Servers and perhaps start a best practices section...
Would http://wiki.centos.org/HowTos#head-49a3d6a9a0c95cff0676b0209eae985780e41678 be a good place to consolidate under ?
</thought>
This has been an excellent thread. Yet this thread has been only one tiny aspect of good email practices. Yet many folks 'respectfully' did not understand a lot that was corrected in several of the posts in just this one very basic aspect of email.
This leads me to ask for a CentOS mailing list for email....
For webserver/mailserver admins, it seems that email is by far the largest issue, spanning everything from DNS to server loads to choosing (and the configuration of) many applications... some not upstream packages. It's easy to get into a mess and not have a good way back to the base. MailScanner comes to mind. Great software, but dependency hell. I found that I could have used many Perl packages from the Dag repo instead of how MailScanner chose to do its install. This resulted in a much cleaner install with regards to package management. If there had been a CentOS email, mailing list, much of this could have been headed off and perhaps more wiki's would spring out of it? Yet again, the above is just one other tiny aspect of reliable email service on a CentOS server.
When I go off to other software and to their mailing list, the answers are more about 'how to get it to work' instead of 'how to get it to best co-exist within CentOS'. In fact, many hate rpm and insist on totally sidestepping it. Yes, sometimes it's a PITA, but most of the time staying within upstream keeps me out of trouble which is why I guess most of us are using CentOS in the first place.
This was what led to my thought for a CentOS specific mailing list for email. Yes, there is a huge amount of data out there, just like this thread. But these types of threads clog a general list and I've always hesitated to post any email issues here. Yet, it is extremely difficult to drill down a search to the good information with regards to CentOS specific help or good practices with regards to email. Google any way you want.... you either miss what's good or get way the heck too much information that is not helpful to CentOS, in spite of using CentOS as a part of the search.... yes, even in quotes. And, on a list like this you get to know who to trust. General searches often times yield idiotic suggestions or old practices. The target is constantly moving. Large providers are constantly making 'new rules'. My clients don't care, they just want to be able to send an email to their clients no matter the receiving system.
So I again ask for this list... I wonder how many feel that it would be worth the trouble? But I don't really want to ask anything more of the CentOS team, as they are IMO doing plenty right now. I am very appreciative.
John Hinton
Then others would want a list for the LAMP stack. Then a directory server list. And then ... etc.
If we all just try and keep on topic and not get our undies bunched up when we read something we don't like, or just take the argument off list until things cool down, this list is more than adequate. A "one stop shop" on everything CentOS.
Karanbir Singh wrote:
Toby Bluhm wrote:
BTW - very informative thread.
<thought> I wonder if someone might take the bits of info in this thread and put it into a wiki page around Mail Servers and perhaps start a best practices section...
From hotmail, thought this would be helpful to the thread...or the wiki. Rep actually mentions the program they use.
Hello Bob,
My name is Anja from Windows Live Hotmail Domain Support. I understand that you have changed the servers you are sending your mail from and now messages are being delivered to the Junk Mail Folder in Hotmail accounts.
I have investigated the IPs that you have mentioned and only see connections from the IPs 72.35.68.58 and 72.35.68.61. For today, we do see filtering only on the IP 72.35.68.61.
( I only tested from a few virtualhosts on hotmail, some got through no problem.)
Hotmail bases its spam rating on the content of a message and the reputation of the sending IP address. When an IP is new, it will not have built a reputation yet. Therefore, it may happen that it is filtered more severely than a well used IP with a good reputation. However, if you keep following the industry best practices a good reputation will be built quickly and filtering will stop.
(reputation....takes time)
We may be able to help you over the beginning issues that you are experiencing, however, before we can do that we would like you to publish SPF records for each of your sending domains. This technology allows SmartScreen to better track emails from your IP, weeding out spoofed messages. In turn, this will help to improve the reputation of your IP address. You can find additional information on creating SPF records at http://www.microsoft.com/senderid. We have also published a document on email delivery at http://www.microsoft.com/postmaster.
(microsoft uses a different standard than regular spf, spf/pra or something like that. Where yahoo wants domain keys, google wants regular spf...again, all about time for new ip addresses, even if you have these things)
Once you have published SPF records for all your sending domains, please contact us again and we will further investigate the issue.
Best regards,
Anja
Windows Live Hotmail Domain Support
Scott Silva wrote: . . .
A "one stop shop" on everything CentOS.
I like that approach better. A new list for email only would probably lead to email threads on *both* lists, users being reminded to take the <select inappropriate subject> discussion to the other list, etc.
Toby Bluhm wrote:
Scott Silva wrote: . . .
A "one stop shop" on everything CentOS.
I like that approach better. A new list for email only would probably lead to email threads on *both* lists, users being reminded to take the <select inappropriate subject> discussion to the other list, etc.
My point is we go unhelped by CentOS. There is no way I'm going to post mail issues to this list. And this list would become unusable if we started this. Talking about spam filters, milters and on and on and on. Look what just happened. One single very simple question of the thousands to be dealt with and the thread went crazy... at which point it was suggested that we end this thread. So, basically, posts about 'all' things email are NOT welcomed on this list.... and should not be.
John Hinton
on 9-25-2008 11:43 AM John Hinton spake the following:
Toby Bluhm wrote:
Scott Silva wrote: . . .
A "one stop shop" on everything CentOS.
I like that approach better. A new list for email only would probably lead to email threads on *both* lists, users being reminded to take the <select inappropriate subject> discussion to the other list, etc.
My point is we go unhelped by CentOS. There is no way I'm going to post mail issues to this list. And this list would become unusable if we started this. Talking about spam filters, milters and on and on and on. Look what just happened. One single very simple question of the thousands to be dealt with and the thread went crazy... at which point it was suggested that we end this thread. So, basically, posts about 'all' things email are NOT welcomed on this list.... and should not be.
John Hinton
Posts about sendmail would go on the sendmail list, postfix on that list. Exim has a list, everyone has a list. The DKIM thread went out of control when anger and hurt feelings came into play. It started OK with opinions on whether DKIM is necessary or not, and crashed and burned soon after.
If the message said something like, "I'm having trouble installing dkim-milter on CentOS", that would be answered after some requests for information.
When you ask opinions on a mailing list, you will probably get a different one with every response.
If you are having mail issues, it is mostly related to your MTA and would go on their list. If you are using a binding software like Mailscanner or Amavis, you would start on their list.
If you want one place to get all your answers, you will probably have to pay for a support contract somewhere.
A list just for mail issues would still probably get ignored because there will be many less members. The ones that would join would be the people in trouble. It will look like the Ubuntu lists... many unanswered pleas for help, or answers from others that hacked their way through it and now think they are experts.
Toby Bluhm wrote:
Scott Silva wrote: . . .
A "one stop shop" on everything CentOS.
I like that approach better. A new list for email only would probably lead to email threads on *both* lists, users being reminded to take the <select inappropriate subject> discussion to the other list, etc.
We have no application specific lists yet (not counting centos-virt, true), and I don't think we should have. E-Mail is the same on *every* unix and sometimes even on windows. So someone having problems with sendmail or exim or postfix should go to the lists specific for those applications.
I know I also put some fuel into this fire, but I think we should let this thread die. As Karanbir said: There were some really interesting issues in this thread, so if someone wants to come up and put a summary of this thread on the CentOS Wiki, nobody will stop him or her.
Cheers,
Ralph
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Karanbir Singh
Sent: Thursday, September 25, 2008 11:47 AM
To: CentOS mailing list
Subject: Re: [CentOS] Re: DKIM
Toby Bluhm wrote:
BTW - very informative thread.
<thought> I wonder if someone might take the bits of info in this thread and put it into a wiki page around Mail Servers and perhaps start a best practices section...
Would http://wiki.centos.org/HowTos#head-49a3d6a9a0c95cff0676b0209eae985780e41678 be a good place to consolidate under ?
</thought>
----------------------------------------------------------------------------
JohnStanley Writes:
An excellent thought. Second that! Bob does indeed have some pretty decent notes up on his site.
JohnStanley
Josh Donovan wrote:
Karanbir Singh wrote:
Bob Hoffman wrote:
Yea....to hell with yahoo. I will just make all members use a different email service. Aint worth the effort.
I think this conversation is at a point where it would make more sense on a yahoo / email specific list.
Agreed! It's amazing to see the childishness of not being able to get one's server in order, ignoring Yahoo's FAQs and then this kind of BS.
Karanbir's post was brief and to the point. Yours is a personal attack. Even if Bob missed your excellent recommendation, there is no reason to get mad.
Karanbir's post was brief and to the point. Yours is a personal attack. Even if Bob missed your excellent recommendation, there is no reason to get mad.
I gotta agree that we need to close this thread. It seems whether a mailing list or a forum thread that lasts too long starts going off topic and gets personal.
It is very easy to misinterpret what someone meant to say, either in jest or authority.
And as it grows, the original need is lost. The original need was: Do you use dkim and how did you implement it?
I think we found that DKIM is optional and not a real need. On top of it we found, with argument, that spf is needed, but can cause mail problems.
Let's just end it. I think a lot of good information came out of it and a lot of people with different knowledge areas all inputted.
Karanbir said let's drop it, so let's drop it. No one meant to offend anyone, but it is not helping anymore.
I will check out spf in full, and not use dkim.
And to follow up on the whole Domain keys. I found at least 30 people online who have the same issue, but they have working DKIMs but still being junked.
Yea....yahoo...whee.
On Wed, 2008-09-24 at 19:00 -0400, Bob Hoffman wrote:
And to follow up on the whole Domain keys. I found at least 30 people online who have the same issue, but they have working DKIMs but still being junked.
Yea....yahoo...whee.
---- well it's not just yahoo as I know for certain that AOL also requires reverse DNS to match just like all the mail servers that I maintain also require matching reverse DNS.
Your problem - if you actually want to solve it instead of tossing the blame to others like yahoo is...
# host mail.creativeprogramdesigners.com
mail.creativeprogramdesigners.com has address 72.35.68.58
# host 72.35.68.58
58.68.35.72.in-addr.arpa domain name pointer creativeprogramdesigners.com.
the forward doesn't match the reverse - it's that simple. Why not just fix it?
Craig
Craig White wrote:
On Wed, 2008-09-24 at 19:00 -0400, Bob Hoffman wrote:
And to follow up on the whole Domain keys. I found at least 30 people online who have the same issue, but they have working DKIMs but still being junked.
Yea....yahoo...whee.
well it's not just yahoo as I know for certain that AOL also requires reverse DNS to match just like all the mail servers that I maintain also require matching reverse DNS.
Your problem - if you actually want to solve it instead of tossing the blame to others like yahoo is...
# host mail.creativeprogramdesigners.com
mail.creativeprogramdesigners.com has address 72.35.68.58
# host 72.35.68.58
58.68.35.72.in-addr.arpa domain name pointer creativeprogramdesigners.com.
the forward doesn't match the reverse - it's that simple. Why not just fix it?
as already said, there is no need for name->ip->name to "match". so-called FcrDNS is ip->name->ip. and in Bob's case, it matches.
Craig White wrote:
well it's not just yahoo as I know for certain that AOL also requires reverse DNS to match just like all the mail servers that I maintain also require matching reverse DNS.
Your problem - if you actually want to solve it instead of tossing the blame to others like yahoo is...
# host mail.creativeprogramdesigners.com
mail.creativeprogramdesigners.com has address 72.35.68.58
# host 72.35.68.58
58.68.35.72.in-addr.arpa domain name pointer creativeprogramdesigners.com.
the forward doesn't match the reverse - it's that simple. Why not just fix it?
Because it is *NOT* needed. I have several machines which have lots of A records for just one ip address. But only one name when I do a reverse lookup. Anyone checking for that shouldn't be allowed to receive mail.
Ralph
Ralph Angenendt wrote:
Your problem - if you actually want to solve it instead of tossing the blame to others like yahoo is...
# host mail.creativeprogramdesigners.com
mail.creativeprogramdesigners.com has address 72.35.68.58
# host 72.35.68.58
58.68.35.72.in-addr.arpa domain name pointer creativeprogramdesigners.com.
the forward doesn't match the reverse - it's that simple. Why not just fix it?
Because it is *NOT* needed. I have several machines which have lots of A records for just one ip address. But only one name when I do a reverse lookup. Anyone checking for that shouldn't be allowed to receive mail.
Mail isn't supposed to be rejected for this, but some places probably do. A more correct approach is to have one name with the A record and the matching ptr and make all of the other names CNAMEs.
Les Mikesell wrote:
Mail isn't supposed to be rejected for this, but some places probably do. A more correct approach is to have one name with the A record and the matching ptr and make all of the other names CNAMEs.
no, no, no! CNAMES are discouraged as they create additional work for everyone else's DNS servers. the only time its proper to use a CNAME is when you are referencing a host on someone else's network who's addressing and management is beyond your control and you won't get notifications if its changing.
for email, all the various domains should have MX records with the mail server's "true" name.
John R Pierce wrote:
Les Mikesell wrote:
Mail isn't supposed to be rejected for this, but some places probably do. A more correct approach is to have one name with the A record and the matching ptr and make all of the other names CNAMEs.
no, no, no! CNAMES are discouraged as they create additional work for everyone else's DNS servers.
Is there an RFC to that effect? I didn't realize DNS lookups were a scarce resource.
the only time its proper to use a CNAME is when you are referencing a host on someone else's network who's addressing and management is beyond your control and you won't get notifications if its changing.
I suppose something like this is overkill, though...
Non-authoritative answer:
www.redhat.com canonical name = www.redhat.com.edgekey.net.
www.redhat.com.edgekey.net canonical name = www.redhat.com.edgekey.net.globalredir.akadns.net.
www.redhat.com.edgekey.net.globalredir.akadns.net canonical name = e86.b.akamaiedge.net.
Name: e86.b.akamaiedge.net
Address: 64.215.167.112
for email, all the various domains should have MX records with the mail server's "true" name.
MX records don't have much to do with the system sending mail.
Scott Silva wrote:
on 9-24-2008 2:23 PM Ralph Angenendt spake the following:
I get it via mail.centos.org which clearly isn't a server you would allow to send mails out as @hoffman.com when you set up SPF for your domain. So if I drop mails which don't have a "correct" SPF record - I'd drop that mail.
Although your domain has correct SPF records.
But shouldn't a forwarder add its own envelope and a set of received headers?
Envelope-To, yes. It doesn't touch the envelope From. And you don't get to see the received headers in the smtp dialog.
Ralph
That's probably the reason why much spam has valid spf records. Get yourself a throwaway domain, so you're getting through the domain check and give that domain a valid spf record which allows all machines in the world to send mail for that domain. Voilà - valid SPF record.
That's why I asked which problem SPF is trying to solve.
Ralph
The SPF Qmail patch we use on CentOS Opsys has a special case for SPF from ALL
And we discard on that signal...
At this site...
http://qmail.jms1.net/scripts/service-qmail-smtpd-run.shtml
SPF_BLOCK_PLUS_ALL=1
Some spammers have found a way to work around SPF filtering. They simply purchase their own bogus domain names for ten dollars each, give them SPF records which contain "+all" (which says that every IP on the planet has permission to send mail "From" their domain), and use their own domain name as the sender address in their spam.
If this variable contains a non-zero value, any such SPF record will be changed from "+all" to "-all" before the SPF test is performed. Since most spammers have "+all" as the only term in their SPF record, this effectively blocks every IP address.
Anyways, to get more back on topic, I cannot imagine it would take more than 2 minutes for you to do an SPF record for your main domains
Then, depending on whatever mail server software you are using, find the DK or DKIM howto and implement.
Should be easy right?
- rh
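The "+all" workaround described in the message above can be checked mechanically; this is an added example, not code from the qmail patch or from the original post. The function names and sample records are constructed, and treating a bare "all" or "ip4:0.0.0.0/0" like "+all" follows SPF's default "+" qualifier and goes beyond the single case the message describes.

```python
import ipaddress
import re

QUALIFIERS = "+-~?"                      # pass, fail, softfail, neutral
MODIFIER = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]*=")   # redirect=, exp=


def parse_terms(record):
    """Return [(qualifier, mechanism, argument)] for an SPF TXT record."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for raw in parts[1:]:
        if MODIFIER.match(raw):          # modifiers are not mechanisms
            continue
        if raw[0] in QUALIFIERS:
            qualifier, body = raw[0], raw[1:]
        else:
            qualifier, body = "+", raw   # a missing qualifier means "+"
        name = re.match(r"[A-Za-z0-9]*", body).group(0).lower()
        argument = body[len(name):].lstrip(":")
        terms.append((qualifier, name, argument))
    return terms


def matches_every_ipv4(name, argument):
    """True for mechanisms that match any IPv4 sender."""
    if name == "all":
        return True
    if name == "ip4":
        try:
            net = ipaddress.ip_network(argument, strict=False)
        except ValueError:
            return False
        return net.version == 4 and net.prefixlen == 0
    return False


def allows_any_sender(record):
    """True if the first catch-all term in the record carries a pass result.

    SPF is evaluated left to right and the first match wins, so a "+all"
    that follows "-all" is never reached. redirect= targets are not followed.
    """
    for qualifier, name, argument in parse_terms(record):
        if matches_every_ipv4(name, argument):
            return qualifier == "+"
    return False


def block_plus_all(record):
    """Rewrite a pass-qualified "all" to "-all" before evaluation.

    Assumption: a bare "all" is rewritten too, because SPF reads it as "+all";
    the page only mentions the literal "+all".
    """
    out = []
    for raw in record.split():
        bare = raw[1:] if raw[:1] == "+" else raw
        out.append("-all" if bare.lower() == "all" else raw)
    return " ".join(out)


# Constructed sample records (example.com is a documentation domain).
SAMPLES = [
    "v=spf1 +all",
    "v=spf1 all",
    "v=spf1 ip4:0.0.0.0/0 ~all",
    "v=spf1 mx a:mail.example.com -all",
    "v=spf1 -all +all",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(f"{rec!r:40} open={allows_any_sender(rec)} "
              f"rewritten={block_plus_all(rec)!r}")
```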
RobertH wrote:
That's why I asked which problem SPF is trying to solve.
The SPF Qmail patch we use on CentOS Opsys has a special case for SPF from ALL
And we discard on that signal...
I'd turn off the mail server if I don't want to get mails. So if I'm roaming and am not sure which mail server I can use to send out mails from, I'd also set the SPF record to +all (or - as I do now - don't set it at all). So I'm doing everything according to the book and still can't get mails through to you.
Ralph
on 9-24-2008 2:27 PM Ralph Angenendt spake the following:
RobertH wrote:
That's why I asked which problem SPF is trying to solve.
The SPF Qmail patch we use on CentOS Opsys has a special case for SPF from ALL
And we discard on that signal...
I'd turn off the mail server if I don't want to get mails. So if I'm roaming and am not sure which mail server I can use to send out mails from, I'd also set the SPF record to +all (or - as I do now - don't set it at all). So I'm doing everything according to the book and still can't get mails through to you.
Ralph
When I am roaming, I still use my own server and auth to it to allow me to send. If that site blocks me on sending from port 25, then I can either VPN to my servers, or send to the submission port. Worst case I plug in the CDMA card and send that way. Or log into the webmail system and use that. Some of my users roam all over the USA, and since they are exec's, I have to make sure that they can send and receive their mail. If not, I get a personal long distance a$$-chewing if I can't resolve it quickly.
"There is more than one way to skin a cat... but none that the cat will like!"
Ralph Angenendt wrote on Wed, 24 Sep 2008 20:23:50 +0200:
That's supposed to help with what regarding his problem?
Hotmail seems to delete all mail from domains without SPF if it's not coming from the MX. Yahoo might be doing the same.
Kai
Kai Schaetzl wrote:
Ralph Angenendt wrote on Wed, 24 Sep 2008 20:23:50 +0200:
That's supposed to help with what regarding his problem?
Hotmail seems to delete all mail from domains without SPF if it's not coming from the MX. Yahoo might be doing the same.
oh please no. hotmail don't delete my mail and I don't have an SPF record. nor do yahoo/gmail. and this was before I implemented DKIM. and I've recently worked for a project where SPF didn't help with hotmail (delivery from an old server was ok, so we had to keep relaying to hotmail via the old server).
all the gorillas have complex filtering methods. An important part of this is the reputation of the sending IP. In particular:
- if you inherit an IP with a bad reputation, don't be surprised to start with a bad reputation.
- if you get a new IP for your domain, be ready to get "ignored". the default for a new IP is "this is probably not a mail server". you'll have to do some work to move to "this may be a mail server".
- if your IP is in a range and your IP is unknown, then you inherit the range reputation. This should be clear, whether you think it's good or not.
- if your range is unknown (no reputation data), the reputation is computed automatically. A range where a lot of IPs are "unknown" will get a bad reputation. A range where a lot of IPs "look dynamic" will get a bad reputation.
the common "I am innocent until proven guilty" doesn't apply here. sure, you're innocent and I am not going to put you in jail. but I am not going to let you in if "I don't feel it".
Mouss wrote on Thu, 25 Sep 2008 16:20:09 +0200:
oh please no. hotmail don't delete my mail and I don't have an SPF record. nor do yahoo/gmail. and this was before I implemented DKIM. and I've recently worked for a project where SPF didn't help with hotmail
Well, then they have some other obscure reason to silently delete all mail from me to my daughter's Hotmail account. I thought it might be the missing SPF record on that specific domain I used. Their support is not able to tell the reason.
Kai
On Fri, 26 Sep 2008 19:31:13 +0200 Kai Schaetzl maillists@conactive.com wrote:
Well, then they have some other obscure reason to silently delete all mail from me to my daughter's Hotmail account.
I have found hotmail to be about the least reliable of the free webmail providers in terms of actually getting email through to their users. I think I average maybe 25% of sent email that actually arrives when the destination is hotmail.com -- the rest is usually silently dropped, though I occasionally get a "mailbox is unavailable" bounce message.
"Avoid hotmail" is the best solution. I've given up on hotmail users and pretty much ignore it. If you're using hotmail and you need to get in touch with me, phone me or send me a fax if you didn't get a reply to your email.
Kai Schaetzl wrote:
Mouss wrote on Thu, 25 Sep 2008 16:20:09 +0200:
oh please no. hotmail don't delete my mail and I don't have an SPF record. nor do yahoo/gmail. and this was before I implemented DKIM. and I've recently worked for a project where SPF didn't help with hotmail
Well, then they have some other obscure reason to silently delete all mail from me to my daughter's Hotmail account. I thought it might be the missing SPF record on that specific domain I used. Their support is not able to tell the reason.
like all the gorillas, they have complex filtering mechanisms, mostly based on "reputation". among the freemail trilogy (gmail, yahoo, hotmail):
- gmail is more or less "workable". in short, they have better filtering mechanisms in the sense that if you don't have too much problems in your network, you can get your mail delivered provided you do some (reasonable) efforts.
- yahoo are lost in space. their filters probably block a lot of junk, but they also block a lot of legitimate mail, and it's hard to get around this. but at least, they either block you at smtp time or file your mail to a junk folder.
- hotmail is the worst. they simply discard mail. This is not surprising, because MS has never showed any "attachment" to standards. they still believe that they are the gods on earth and they can discard your mail "frivolously" (to use the RFC term).
in short, if your business targets freemail users, it's time to review your target or your business. or do whatever you want, but accept this: "we" will not be able to help you. it's their server and their slaves. you can't talk to the kids if the parents don't agree.
On Fri, Sep 26, 2008 at 08:15:05PM +0200, mouss wrote:
Kai Schaetzl wrote:
Mouss wrote on Thu, 25 Sep 2008 16:20:09 +0200:
oh please no. hotmail don't delete my mail and I don't have an SPF record. nor do yahoo/gmail. and this was before I implemented DKIM. and I've recently worked for a project where SPF didn't help with hotmail
Well, then they have some other obscure reason to silently delete all mail from me to my daughter's Hotmail account. I thought it might be the missing SPF record on that specific domain I used. Their support is not able to tell the reason.
like all the gorillas, they have complex filtering mechanisms, mostly based on "reputation". among the freemail trilogy (gmail, yahoo, hotmail):
- gmail is more or less "workable". in short, they have better filtering mechanisms in the sense that if you don't have too much problems in your network, you can get your mail delivered provided you do some (reasonable) efforts.
- yahoo are lost in space. their filters probably block a lot of junk, but they also block a lot of legitimate mail, and it's hard to get around this. but at least, they either block you at smtp time or file your mail to a junk folder.
What happens if a dozen of us add a yahoo filter that marks "blabermount@his.domain.com" as spam. i.e. what happens on large mailing lists when a service like yahoo sees a set of messages from a specific user as spam. Then what happens when a handful of users on that list fall into the spam category... at what point does the list server look like a spam source?
I have seen one or two junk mail messages in my list folders recently and see a bunch of normal posters end up in my spam folders both on google and on yahoo.
On Thu, Sep 25, 2008, Kai Schaetzl wrote:
Ralph Angenendt wrote on Wed, 24 Sep 2008 20:23:50 +0200:
That's supposed to help with what regarding his problem?
Hotmail seems to delete all mail from domains without SPF if it's not coming from the MX. Yahoo might be doing the same.
I don't think this is the case as we host several Mailman mailing lists with hotmail and yahoo subscribers, don't have SPF, and would *NEVER* send mail from an MX IP (they're for receiving mail, not sending it). Where the same machine is receiving messages as an MX, we configure postfix to listen on the MX IP address and send on a different IP. We also have postfix configured to reject e-mail from servers that announce themselves as one of our MX servers in HELO/EHLO as that is guaranteed to be a spammer.
Checking one of these lists, I see quite a few hotmail and yahoo addresses, all of which are getting mail from our server on a regular basis.
Many of the large ISPs (e.g. AOL, Road Runner, etc.) have feedback loops where one can sign up, providing an e-mail address to address their customer's complaints, and a list of e-mail servers from which your domain's mail originates. The ISP will send notifications when their customer hits the ``this is spam'' button. In the case of AOL, this notification includes the message with the recipient's address redacted, and they expect you to cease sending messages to that address. This requires that one use VERP so that each outgoing message has the recipient address somewhat munged in the headers so it's possible to identify the correct address to remove.
We are on the AOL feedback, but not on hotmail or yahoo so they're not accepting mail from our servers based on signing up for the feedback.
Bill
Bill Campbell wrote on Thu, 25 Sep 2008 09:46:54 -0700:
We are on the AOL feedback,
I once was. However, it became evident after a while that a lot of their "spam" was not spam, was not deemed by their customer to be spam (I contacted several of them) or was not originating from our servers. It became just a waste of time.
Kai
Bob Hoffman wrote:
Okay, Yahoo is bumming me. Only system my mail is having an issue with. All mail is accepted, but junked. I can only think it is the DKIM/Domain keys.
It is apparent that the dkim-milter is not part of the centos 5.x distro nor is it part of the mirrors, as far as I can tell.
So...have any of you done it with your servers for sendmail?
There are some sites that claim to have rpms and I have downloaded the tar from sendmail. But I would rather hear from anyone who has an opinion before I go with one or the other.
I do not trust any rpms except for their mirrors, so not sure if I want to do that. But maybe it is fine.
Open to suggestions, ideas for what works for you and yahoo.
No, I do not want to install postfix, thank you - /ninja'd ya
I'm running sendmail. The single number one issue is to never bounce email. Reject is fine, but if you have anything doing bounce you'll likely wind up on their blocklist for a day or few. Spammers love to use yahoo addresses as from addresses, so if you are bouncing any mail, you'll likely be spamming yahoo in their eyes and in fact most people's eyes these days.
I have multiple hosting accounts and not all have SPF records, although this might help as well, but if you keep outgoing clean, you'll get through to yahoo users as well. And if it winds up in their spam box, it is their responsibility to move it out and approve the sender. Yahoo does run extremely strict filtering and that's just how it is for everyone. If anything in an email is at all spammy (and it's really easy to cross that fine line), it'll wind up in the spam box.
John Hinton
I'm running sendmail. The single number one issue is to never bounce email. Reject is fine, but if you have anything doing bounce you'll likely wind up on their blocklist for a day or few. Spammers love to use yahoo addresses as from addresses, so if you are bouncing any mail, you'll likely be spamming yahoo in their eyes and in fact most people's eyes these days.
I have multiple hosting accounts and not all have SPF records, although this might help as well, but if you keep outgoing clean, you'll get through to yahoo users as well. And if it winds up in their spam box, it is their responsibility to move it out and approve the sender. Yahoo does run extremely strict filtering and that's just how it is for everyone. If anything in an email is at all spammy (and it's really easy to cross that fine line), it'll wind up in the spam box.
John,
I am pretty sure I am not bouncing mails...I have catchalls and they go to devnull..however I could be wrong since that only affects my domain mails only. I am sure there is something else I should do.
Yahoo is a proponent of DKIM and they say they would like mail better with it. In fact, I think it almost whitelists you with them, until you screw up. They highly suggest it if you are sending bulk mails or have large user lists. They say you should do it.
I am starting to look at headers from other mailings from other sites. So far all that have been tagged as spam do not have DKIM/domain keys set up. So far... Yahoo will not answer my question.
One work around is to force all users to give a non yahoo mailing address... :)
on 9-24-2008 11:31 AM Bob Hoffman spake the following:
I'm running sendmail. The single number one issue is to never bounce email. Reject is fine, but if you have anything doing bounce you'll likely wind up on their blocklist for a day or few. Spammers love to use yahoo addresses as from addresses, so if you are bouncing any mail, you'll likely be spamming yahoo in their eyes and in fact most people's eyes these days.
I have multiple hosting accounts and not all have SPF records, although this might help as well, but if you keep outgoing clean, you'll get through to yahoo users as well. And if it winds up in their spam box, it is their responsibility to move it out and approve the sender. Yahoo does run extremely strict filtering and that's just how it is for everyone. If anything in an email is at all spammy (and it's really easy to cross that fine line), it'll wind up in the spam box.
John,
I am pretty sure I am not bouncing mails...I have catchalls and they go to devnull..however I could be wrong since that only affects my domain mails only. I am sure there is something else I should do.
Yahoo is a proponent of DKIM and they say they would like mail better with it. In fact, I think it almost whitelists you with them, until you screw up. They highly suggest it if you are sending bulk mails or have large user lists. They say you should do it.
I am starting to look at headers from other mailings from other sites. So far all that have been tagged as spam do not have DKIM/domain keys set up. So far... Yahoo will not answer my question.
http://help.yahoo.com/l/us/yahoo/mail/postmaster/
See if your questions are answered here
I am pretty sure I am not bouncing mails...I have catchalls and they go to devnull..however I could be wrong since that only affects my domain mails only. I am sure there is something else I should do.
Bob
I am not sure why or what your basic policy on it is yet I think it is better to not accept an email for an email address that does not exist than to blanket accept anything and /dev/null it
Just an observation that might save you some abuse headaches in the future.
- rh
Okay, Yahoo is bumming me. Only system my mail is having an issue with. All mail is accepted, but junked. I can only think it is the DKIM/Domain keys.
Just a WAG, but make sure you have a PTR record for your machine that is sending email.
If you actually got the bounce, check the headers, it is the first best place to look.
-John
Back to the PTR RR:
$ dig +short MX bobhoffman.com
10 mail.bobhoffman.com.
   ^^^^^^^^^^^^^^^^^^^^
$ dig +short A mail.bobhoffman.com
72.35.68.59
$ dig +short -x 72.35.68.59
bobhoffman.com.
^^^^^^^^^^^^^^^
mail.bobhoffman.com != bobhoffman.com
This may not be your main problem, but it certainly isn't helping matters. Yahoo seems to be pretty picky on reverse DNS. I had a VPS running a mail server where the PTR matched the host. I was relegated to yahoo's spam folder until changed from the default PTR which looked mildly like a dialup.
Bob Hoffman wrote:
Just a WAG, but make sure you have a PTR record for your machine that is sending email.
If you actually got the bounce, check the headers, it is the first best place to look.
No, no bounce. They get delivered. Just show up in the spam folder everytime.
Andrew Norris wrote:
Back to the PTR RR:
$ dig +short MX bobhoffman.com
10 mail.bobhoffman.com.
   ^^^^^^^^^^^^^^^^^^^^
$ dig +short A mail.bobhoffman.com
72.35.68.59
$ dig +short -x 72.35.68.59
bobhoffman.com.
^^^^^^^^^^^^^^^
mail.bobhoffman.com != bobhoffman.com
so what? mail.bobhoffman.com is the MX. bobhoffman.com is an RMX.
$ host -t mx yahoo.com
yahoo.com mail is handled by 1 e.mx.mail.yahoo.com.
yahoo.com mail is handled by 1 f.mx.mail.yahoo.com.
yahoo.com mail is handled by 1 g.mx.mail.yahoo.com.
yahoo.com mail is handled by 1 a.mx.mail.yahoo.com.
yahoo.com mail is handled by 1 b.mx.mail.yahoo.com.
yahoo.com mail is handled by 1 c.mx.mail.yahoo.com.
yahoo.com mail is handled by 1 d.mx.mail.yahoo.com.
no one of these is web23004.mail.ird.yahoo.com, ...
This may not be your main problem, but it certainly isn't helping matters.
If we ignore the surrounding IPs (too many without rDNS), he has a very simple setup, that should not cause any problems.
Yahoo seems to be pretty picky on reverse DNS. I had a VPS running a mail server where the PTR matched the host. I was relegated to yahoo's spam folder until changed from the default PTR which looked mildly like a dialup.
generic PTRs are a different matter.
If we ignore the surrounding IPs (too many without rDNS), he has a very simple setup, that should not cause any problems.
generic PTRs are a different matter.
Surrounding ips? A lot was from my computer to the smtp server..the rest was just mine. It is really simple, not much in there at all.
However....
I have full control over my ips...almost. The datacenter has to add a PTR record for each domain. They said they only need to add mydomain.com, only one record per ip and not anything like mail or ftp, etc.
Doing dns checks at pingbilly (strange ass name) Show everything is groovy.
http://pingability.com/zoneinfo.jsp?domain=bobhoffman.com
I think tonight we will see about spf. I also read that sometimes it takes a while, like a week or so before yahoo will respond joyfully to your spf. No instant happiness it seems.
I should just send letters via usps to yahoo and have them scan them to their users....be easier.
Bob Hoffman wrote:
If we ignore the surrounding IPs (too many without rDNS), he has a very simple setup, that should not cause any problems.
generic PTRs are a different matter.
Surrounding ips? A lot was from my computer to the smtp server..the rest was just mine. It is really simple, not much in there at all.
$ host 72.35.68.56
Host 56.68.35.72.in-addr.arpa. not found: 3(NXDOMAIN)
$ host 72.35.68.57
Host 57.68.35.72.in-addr.arpa. not found: 3(NXDOMAIN)
$ host 72.35.68.62
Host 62.68.35.72.in-addr.arpa. not found: 3(NXDOMAIN)
same for the IPs that don't belong to you in that network.
anyway, that's not a big issue, except if your provider has a bad reputation...
However....
I have full control over my ips...almost. The datacenter has to add a PTR record for each domain. They said they only need to add mydomain.com, only one record per ip and not anything like mail or ftp, etc.
reverse DNS is to identify the machine, not the services running on it.
Doing dns checks at pingbilly (strange ass name) Show everything is groovy.
http://pingability.com/zoneinfo.jsp?domain=bobhoffman.com
I think tonight we will see about spf. I also read that sometimes it takes a while, like a week or so before yahoo will respond joyfully to your spf. No instant happiness it seems.
Go fill their web form (the "bulk" one. yes, even if you don't send bulk) and ask some of your recipients (you can setup yahoo accounts yourself) to "unmark" mail marked as spam, and to reply to your mail. These actions may move it from "probably not a mail server" to "may be a mail server" status.
I should just send letters via usps to yahoo and have them scan them to their users....be easier.
how about publishing the mail on TV? "Attention yahoo users, here is the mail you missed today..." ;-p
$ host 72.35.68.56
Host 56.68.35.72.in-addr.arpa. not found: 3(NXDOMAIN)
$ host 72.35.68.57
Host 57.68.35.72.in-addr.arpa. not found: 3(NXDOMAIN)
$ host 72.35.68.62
Host 62.68.35.72.in-addr.arpa. not found: 3(NXDOMAIN)
same for the IPs that don't belong to you in that network.
anyway, that's not a big issue, except if your provider has a bad reputation...
Interesting. Where did you get that from?
This is what my datacenter gave me..
IP Assignment: 72.35.68.56/29
Gateway: 72.35.68.57
Useable: 72.35.68.58 - 62
I only can use 58-62. 62 is not set up for any domain. Where and how did those numbers come up for me?
Now I is a scared...oh boy.
Bob Hoffman wrote:
$ host 72.35.68.56
Host 56.68.35.72.in-addr.arpa. not found: 3(NXDOMAIN)
$ host 72.35.68.57
Host 57.68.35.72.in-addr.arpa. not found: 3(NXDOMAIN)
$ host 72.35.68.62
Host 62.68.35.72.in-addr.arpa. not found: 3(NXDOMAIN)
same for the IPs that don't belong to you in that network.
anyway, that's not a big issue, except if your provider has a bad reputation...
Interesting. Where did you get that from?
This is what my datacenter gave me..
IP Assignment: 72.35.68.56/29
Gateway: 72.35.68.57
Useable: 72.35.68.58 - 62
I only can use 58-62. 62 is not set up for any domain. Where and how did those numbers come up for me?
they are "near" your server IP. some people check ranges and will give a reputation to a range instead of to each IP.
Now I is a scared...oh boy.
there's no reason to be scared. it's just that some people want all IPs to have a reverse DNS (well, IPv6 is gonna change this...).
Back to the PTR RR:
$ dig +short MX bobhoffman.com
10 mail.bobhoffman.com.
   ^^^^^^^^^^^^^^^^^^^^
$ dig +short A mail.bobhoffman.com
72.35.68.59
$ dig +short -x 72.35.68.59
bobhoffman.com.
^^^^^^^^^^^^^^^
mail.bobhoffman.com != bobhoffman.com
Careful here. Email senders have nothing to do with MX records. Email receivers do.
I believe bobhoffman.com is the email sender in this case.
I would doubt this is an issue. Any split in/out mail server is going to have a different host for receipt (MX) than send.
-John
John Kordash wrote:
mail.bobhoffman.com != bobhoffman.com
Careful here. Email senders have nothing to do with MX records. Email receivers do.
I believe bobhoffman.com is the email sender in this case.
I would doubt this is an issue. Any split in/out mail server is going to have a different host for receipt (MX) than send.
-John
You're right, I was making an assumption I shouldn't have. Namely that there was a single host/ip for both sending and receiving email. Going back to the logs he posted I'd say that assumption was correct in the end.
From the yahoo headers: "Received: from 72.35.68.59 (EHLO mail.bobhoffman.com)"
So his MTA is EHLOing as mail.bobhoffman.com
mail.bobhoffman.com resolves to 72.35.68.59 (matches the incoming ip)
72.35.68.59 reverses to bobhoffman.com (which doesn't match the host)
As far as I can tell this will hurt his score. Or am I missing something?
Andrew Norris wrote:
John Kordash wrote:
mail.bobhoffman.com != bobhoffman.com
Careful here. Email senders have nothing to do with MX records. Email receivers do.
I believe bobhoffman.com is the email sender in this case.
I would doubt this is an issue. Any split in/out mail server is going to have a different host for receipt (MX) than send.
-John
You're right, I was making an assumption I shouldn't have. Namely that there was a single host/ip for both sending and receiving email. Going back to the logs he posted I'd say that assumption was correct in the end.
From the yahoo headers: "Received: from 72.35.68.59 (EHLO mail.bobhoffman.com)"
So his MTA is EHLOing as mail.bobhoffman.com
mail.bobhoffman.com resolves to 72.35.68.59 (matches the incoming ip)
72.35.68.59 reverses to bobhoffman.com (which doesn't match the host)
As far as I can tell this will hurt his score.
no, it won't. - his IP is 72.35.68.59. This resolves to bobhoffman.com, which resolves back to the IP. all good.
- his helo is mail.bobhoffman.com, which resolves to 72.35.68.59, which is the server that sends mail. that's more than perfect.
- his helo starts with "mail.". He gets a bonus in some places.
Or am I missing something?
"double lookup" is IP -> name -> IP. you don't do name -> IP -> name.
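The "double lookup" described above (IP -> name -> IP), next to the HELO check, as an added example that is not part of the original thread. The lookup tables are constructed from the dig output and replies quoted in this thread plus two made-up failure cases, so it runs offline; the function names are hypothetical.

```python
import ipaddress

# Constructed offline "DNS". The bobhoffman.com entries mirror the dig output
# and replies in this thread; the 192.0.2.x entries are made-up failure cases.
PTR = {
    "72.35.68.59": ["bobhoffman.com."],
    "192.0.2.10": ["host.example."],      # PTR exists, forward lookup disagrees
}
A = {
    "bobhoffman.com.": ["72.35.68.59"],
    "mail.bobhoffman.com.": ["72.35.68.59"],
    "host.example.": ["192.0.2.99"],
}

def norm(name):
    """Lower-case a host name and give it exactly one trailing dot."""
    return name.lower().rstrip(".") + "."

def fcrdns(client_ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS: IP -> PTR name(s) -> A -> same IP.

    Returns the PTR names whose forward lookup contains the client IP.
    The check starts from the IP, never from the HELO or MX name.
    """
    ip = str(ipaddress.ip_address(client_ip))
    return [norm(n) for n in ptr.get(ip, []) if ip in a.get(norm(n), [])]

def helo_resolves_to_client(helo, client_ip, a=A):
    """Separate check: does the HELO name have an A record for the client IP?"""
    ip = str(ipaddress.ip_address(client_ip))
    return ip in a.get(norm(helo), [])

def assess(client_ip, helo):
    names = fcrdns(client_ip)
    return {
        "fcrdns": bool(names),
        "ptr_names": names,
        "helo_matches_ip": helo_resolves_to_client(helo, client_ip),
        # Informational only: HELO and PTR name may differ and still pass.
        "helo_equals_ptr": norm(helo) in names,
    }

if __name__ == "__main__":
    for ip, helo in [("72.35.68.59", "mail.bobhoffman.com"),
                     ("192.0.2.10", "host.example"),
                     ("198.51.100.7", "mail.bobhoffman.com")]:
        print(ip, helo, assess(ip, helo))
```

For the host in this thread both checks pass even though the HELO name and the PTR name are different strings.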
mouss wrote:
Andrew Norris wrote:
Or am I missing something?
"double lookup" is IP -> name -> IP. you don't do name -> IP -> name.
Ok, I guess I've always thought about it backwards. Thanks for setting me straight.
Andrew Norris wrote:
John Kordash wrote:
mail.bobhoffman.com != bobhoffman.com
Careful here. Email senders have nothing to do with MX records. Email receivers do.
I believe bobhoffman.com is the email sender in this case.
I would doubt this is an issue. Any split in/out mail server is going to have a different host for receipt (MX) than send.
-John
You're right, I was making an assumption I shouldn't have. Namely that there was a single host/ip for both sending and receiving email. Going back to the logs he posted I'd say that assumption was correct in the end.
From the yahoo headers: "Received: from 72.35.68.59 (EHLO mail.bobhoffman.com)"
So his MTA is EHLOing as mail.bobhoffman.com
mail.bobhoffman.com resolves to 72.35.68.59 (matches the incoming ip)
72.35.68.59 reverses to bobhoffman.com (which doesn't match the host)
As far as I can tell this will hurt his score. Or am I missing something?
If that were the case, every domain would need a unique IP address and we'd be long out of numbers.
John Hinton
So his MTA is EHLOing as mail.bobhoffman.com
mail.bobhoffman.com resolves to 72.35.68.59 (matches the incoming ip)
72.35.68.59 reverses to bobhoffman.com (which doesn't match the host)
As far as I can tell this will hurt his score. Or am I missing something?
I don't know enough of the specifics of yahoo's scoring.
However, in my experience it is better to have your sending host IP have a resolvable PTR record than not. I'm quickly losing track of this thread, but it appears bobhoffman.com has that covered.
As an aside, it would be my expectation that forward/reverse DNS literal matching wouldn't be scored highly (if at all) simply due to the common use of virtual hosting and the like, let alone the split in/out mail architecture already discussed.
-John
Andrew Norris wrote:
Back to the PTR RR:
$ dig +short MX bobhoffman.com
10 mail.bobhoffman.com.
   ^^^^^^^^^^^^^^^^^^^^
$ dig +short A mail.bobhoffman.com
72.35.68.59
$ dig +short -x 72.35.68.59
bobhoffman.com.
^^^^^^^^^^^^^^^
mail.bobhoffman.com != bobhoffman.com
So why should the MX for a domain have the same name as the mailout for a domain has? And the name/ip of the mailout is what the receiving side sees.
This may not be your main problem, but it certainly isn't helping matters. Yahoo seems to be pretty picky on reverse DNS. I had a VPS running a mail server where the PTR matched the host. I was relegated to yahoo's spam folder until changed from the default PTR which looked mildly like a dialup.
That's something different (and still bad, but Yahoo is one of the gorillas who can decide not to follow RFCs when receiving mails). But scoring mails down because you don't like the hostname the PTR points to is plain bad and stupid. At least they don't reject those mails.
I'd still like to see logs or headers of mails which have been put into spam quarantine, because ALL people do here is GUESS what could go wrong and give advice which makes my toe nails curl up. As long as he is adhering to RFCs it's not him doing something wrong, it's Yahoo doing something wrong. But to know that some evidence is needed.
Ralph
I sent the headers in a previous mail from yahoo and from gmail.
I took out the useless stuff after the from line... You can see it looks for the DKIM and sees none so treats it neutral. Nothing about spf at all. This mail just had a normal message like "hi how ya doing" in it. It went straight to the spam box folder.
The last receive before the From header is the one sent from my computer to my smtp server.
YAHOO HEADERS
Return-Path: bob@bobhoffman.com
Authentication-Results: mta108.mail.re1.yahoo.com from=bobhoffman.com; domainkeys=neutral (no sig)
Received: from 72.35.68.59 (EHLO mail.bobhoffman.com) (72.35.68.59) by mta108.mail.re1.yahoo.com with SMTP; Wed, 24 Sep 2008 09:28:44 -0700
Received: from obiwan2 ([98.64.115.101]) (authenticated bits=0) by mail.creativeprogramdesigners.com (8.13.8/8.13.8) with ESMTP id m8OGSCwJ014172 for testaccount@yahoo.com; Wed, 24 Sep 2008 12:28:12 -0400
From: "Bob Hoffman" bob@bobhoffman.com
You might want to show some logs or other evidence if you want people to help you.
Ralph
You need logs to say you use DKIM/domain keys on your servers and how you did it, rpm or compile?
Well, if it will help you tell me on your experience with DKIM I am up for it!
YAHOO HEADERS
Return-Path: bob@bobhoffman.com
Authentication-Results: mta108.mail.re1.yahoo.com from=bobhoffman.com; domainkeys=neutral (no sig)
Received: from 72.35.68.59 (EHLO mail.bobhoffman.com) (72.35.68.59) by mta108.mail.re1.yahoo.com with SMTP; Wed, 24 Sep 2008 09:28:44 -0700
Received: from obiwan2 ([98.64.115.101]) (authenticated bits=0) by mail.creativeprogramdesigners.com (8.13.8/8.13.8) with ESMTP id m8OGSCwJ014172 for testaccount@yahoo.com; Wed, 24 Sep 2008 12:28:12 -0400
From: "Bob Hoffman" bob@bobhoffman.com
This is a virtualhost account, sent via smtp from my home, through the server. The mail.creativ...com is the hostname of the server.
When sending from a php application, all the info is about the same, however the 'received from' obviously says apache@mail.creat...com and the ip address of the server is listed instead of the website.
It is my contention that DKIM will tip it for yahoo, but not sure it is worth the work. As well as spf.
And to let you know what the gmail headers look like when downloaded via pop3
Return-Path: bob@bobhoffman.com
Received: from mail.bobhoffman.com (bobhoffman.com [72.35.68.59]) by mx.google.com with ESMTP id j13si11089358rne.4.2008.09.24.11.36.36; Wed, 24 Sep 2008 11:36:38 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of bob@bobhoffman.com designates 72.35.68.59 as permitted sender) client-ip=72.35.68.59;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of bob@bobhoffman.com designates 72.35.68.59 as permitted sender) smtp.mail=bob@bobhoffman.com
Received: from obiwan2 (adsl-233-181-10.mia.bellsouth.net [74.233.181.10]) (authenticated bits=0) by mail.creativeprogramdesigners.com (8.13.8/8.13.8) with ESMTP id m8OIaGou027661 for testaccount@gmail.com; Wed, 24 Sep 2008 14:36:16 -0400
From: "Bob Hoffman" bob@bobhoffman.com
To: testaccount@gmail.com
on 9-24-2008 10:40 AM Bob Hoffman spake the following:
Okay, Yahoo is bumming me. Only system my mail is having an issue with. All mail is accepted, but junked. I can only think it is the DKIM/Domain keys.
It is apparent that the dkim-milter is not part of the centos 5.x distro nor is it part of the mirrors, as far as I can tell.
So...have any of you done it with your servers for sendmail?
There are some sites that claim to have rpms and I have downloaded the tar from sendmail. But I would rather hear from anyone who has an opinion before I go with one or the other.
I do not trust any rpms except for their mirrors, so not sure if I want to do that. But maybe it is fine.
Open to suggestions, ideas for what works for you and yahoo.
No, I do not want to install postfix, thank you - /ninja'd ya
AFAIR yahoo only looks for proper SPF records and then looks at content so far. My users interact with them all the time.
Good enough to go on. To start. I will pound out some spf's for the dns and see if it does anything.
on 9-24-2008 11:41 AM Ralph Angenendt spake the following:
Scott Silva wrote:
AFAIR yahoo only looks for proper SPF records and then looks at content so far. My users interact with them all the time.
Out of curiosity: What happens if you don't have SPF records?
Ralph
Initially when I had to deal with sending to yahoo I would get a mix of mail dumping into the receivers spam box to downright rejections. Then it moved completely to rejections. I have exec's that send mail to all the big providers, usually to lawyers and lobbyists that are either too clueless or too cheap to have a better mail system. Aol and yahoo at the time just wanted SPF records and reverse DNS that resolves.
I have thought about DKIM in sending, but so far in using DKIM for receiving mail with spamassassin I just get more false negatives with the yahoo spam because a lot of it actually is through their servers so it gets properly signed. I initially wanted DKIM to resolve mails from our bank not getting mixed in with all the phishing attempts. Adding a little bit of negative score helps it get through, but now maybe I will have to add a meta rule on some common combinations to catch the yahoo spam.
AFAIR yahoo only looks for proper SPF records and then looks at content so far. My users interact with them all the time.
Out of curiosity: What happens if you don't have SPF records?
Ralph
Initially when I had to deal with sending to yahoo I would get a mix of mail dumping into the receivers spam box to downright rejections. Then it moved completely to rejections. I have exec's that send mail to all the big providers, usually to lawyers and lobbyists that are either too clueless or too cheap to have a better mail system. Aol and yahoo at the time just wanted SPF records and reverse DNS that resolves.
Been reading about this stuff for hours. I gotta say that spf might be the thing to try first. It does not prove who you are, but it is supposed to make the big mail companies feel warm and fuzzy to know you are trying to prove you 'are you'.
SO I will do that first (especially since it does not require any installation stuff)
On a side note...just got the RHEL announcement. Huge kernel patch coming...woof.
Bob Hoffman wrote:
AFAIR yahoo only looks for proper SPF records and then looks at content so far. My users interact with them all the time.
Out of curiosity: What happens if you don't have SPF records?
Ralph
Initially when I had to deal with sending to yahoo I would get a mix of mail dumping into the receivers spam box to downright rejections. Then it moved completely to rejections. I have exec's that send mail to all the big providers, usually to lawyers and lobbyists that are either too clueless or too cheap to have a better mail system. Aol and yahoo at the time just wanted SPF records and reverse DNS that resolves.
Been reading about this stuff for hours. I gotta say that spf might be the thing to try first. It does not prove who you are, but it is supposed to make the big mail companies feel warm and fuzzy to know you are trying to prove you 'are you'.
prove what?
if the machine with an rDNS of bobhoffman.com sends mail from *@bobhoffman.com, and is the MX of this domain, would anybody think this is a forgery?
SO I will do that first (especially since it does not require any installation stuff)
On a side note...just got the RHEL announcement. Huge kernel patch coming...woof.
prove what?
if the machine with an rDNS of bobhoffman.com sends mail from *@bobhoffman.com, and is the MX of this domain, would anybody think this is a forgery?
Mouss... I mean Ratatouille :-)
Answer: Possibly
Depends on many factors doesn't it?
I know you are on other lists like SA so I am not sure why you are leading us down the infinite possibilities path...
...seeing as you are quite excellent at *nix and *net administration and implementations.
:-)
- rh
RobertH wrote:
prove what?
if the machine with an rDNS of bobhoffman.com sends mail from *@bobhoffman.com, and is the MX of this domain, would anybody think this is a forgery?
Mouss... I mean Ratatouille :-)
I'm feeling hungry now!
Answer: Possibly
Depends on many factors doesn't it?
Let me restate it: I don't care if it's a forgery. it's his site/domain/network. if I get spam, he has to fix the problem. he can't tell me: "a spammer forged my domain". the answer would be "a spammer _owned_ your machine".
gmail do what they call a "guessed spf": if the client rdns matches the sender domain, they consider that the client is "authorized" (as if it was listed in an SPF record). I can't say for yahoo, as speculation won't help Bob here. but I don't have an SPF record and my mail to yahoo users is delivered.
to say it another way: I think that clients with an rdns in the sender domain should be considered as "authorized" (like if they were in an SPF record). if the owner doesn't want, he can still firewall them. but in any case, he is responsible for any spam that gets out of these.
I guess spf would help deal with the whole apache@localhost or apache@myserver.myserver.com issues.
Sending from an application is not hard for the return, from and to and all that. But the received from headers are gotten by the receiving client going to sendmail for a helo/ehlo. However apache is the user that sent it and it is the user the ehlo will look for.
Since there is no way to magically make apache deal with all the virtual hosts, it is a constant problem with many webmasters. No one wants to see that in the headers anywhere.
However, maybe the spf can allow apache@hostname in the dns of each domain name...thus no redflags. I can see no other good alternative for that yet.
Scott Silva wrote:
on 9-24-2008 11:41 AM Ralph Angenendt spake the following:
Scott Silva wrote:
AFAIR yahoo only looks for proper SPF records and then looks at content so far. My users interact with them all the time.
Out of curiosity: What happens if you don't have SPF records?
Ralph
Initially when I had to deal with sending to yahoo I would get a mix of mail dumping into the receivers spam box to downright rejections. Then it moved completely to rejections. I have exec's that send mail to all the big providers, usually to lawyers and lobbyists that are either too clueless or too cheap to have a better mail system. Aol and yahoo at the time just wanted SPF records and reverse DNS that resolves.
I really love it. There were times, when more spam had correct spf records than ham had. And SPF breaks mails in funny ways, especially for mailing lists or just plain email forwarding. Yes, there's SRS which tries to unbreak that but that's like trying to staple the staple on the dirty handkerchief you used for the large flesh wound to stop the bleeding.
The only problem SPF can solve is that it is easier for the *sender* to make it harder for others to use his domain name in forgeries. It doesn't solve any other problem. And people who reject mails because of SPF are plain stupid (IMNSHO). It can be used to score, yes, but it really doesn't do what most people think it does.
DKIM looks like it is better thought through - at least it doesn't break mail as spectacularly as SPF does.
Reverse DNS - I love it. Rejecting mails because of broken or non-existent DNS violates the mail RFCs, though.
In my eyes obsessive anti spam regulations destroy that part of email which spammers didn't destroy yet.
Ralph
Ralph Angenendt wrote:
Scott Silva wrote:
AFAIR yahoo only looks for proper SPF records and then looks at content so far. My users interact with them all the time.
Out of curiosity: What happens if you don't have SPF records?
you'll be beaten to death by SPF fans. other than that, nothing. I will put SPF records when outblaze does!
$ host -t txt mail.com
mail.com has no TXT record
and since we're talking about yahoo:
$ host -t txt yahoo.com
yahoo.com has no TXT record
Besides, in the OP case, SPF will change nothing for mail getting out of his server, since his sender domain matches his client domain (this is what gmail calls "guessed SPF"), and in addition, his client is the MX of his domain, so he is not going to forge his own domain on his own server.
you'll be beaten to death by SPF fans.
Isn't beating someone to death too good for them in regards to spf fights?
;->
Ummmm actually, spf records can possibly just help the cause in general.
There is no reason for people to get all bent outta shape in regards to SPF or DKIM or whatever.
It is just another potentially helpful tool in a toolbox.
Pick the tool up if you need or want to or do not if you don't.
- rh
Besides, in the OP case, SPF will change nothing for mail getting out of his server, since his sender domain matches his client domain (this is what gmail calls "guessed SPF"), and in addition, his client is the MX of his domain, so he is not going to forge his own domain on his own server.
Read a few dozen sites since the last post. The reason behind spf is as follows...i guess.
SPF says 'this domain and this ip sendmails' and you should say 'reject any mails you (yahoo, gmail, etc) receive that are not from 'this domain or this ip'
The ip can be one or many. The domains can be one or many.
What they are looking for is 'are you helping them weed out their own spam?' If someone forges your address, yahoo will then go to your site and find out that only 'this ip and this mail server' can send mail. If the mail they got is not agreeing with that, they crush it.
This tells yahoo you are somewhat trying to help and then they whitelist it, so to speak. Not doing this will tell yahoo you want 'any mail from anywhere with my email address or domains' to be accepted.
Since they do not like that, immediate greylist.
So, it is about helping them deal with forgeries and not much else. Many servers ignore or do not use it. From what I read, you should have it.
on 9-24-2008 1:03 PM Bob Hoffman spake the following:
Besides, in the OP case, SPF will change nothing for mail getting out of his server, since his sender domain matches his client domain (this is what gmail calls "guessed SPF"), and in addition, his client is the MX of his domain, so he is not going to forge his own domain on his own server.
Read a few dozen sites since the last post. The reason behind spf is as follows...i guess.
SPF says 'this domain and this ip sendmails' and you should say 'reject any mails you (yahoo, gmail, etc) receive that are not from 'this domain or this ip'
The ip can be one or many. The domains can be one or many.
What they are looking for is 'are you helping them weed out their own spam?' If someone forges your address, yahoo will then go to your site and find out that only 'this ip and this mail server' can send mail. If the mail they got is not agreeing with that, they crush it.
This tells yahoo you are somewhat trying to help and then they whitelist it, so to speak. Not doing this will tell yahoo you want 'any mail from anywhere with my email address or domains' to be accepted.
Since they do not like that, immediate greylist.
So, it is about helping them deal with forgeries and not much else. Many servers ignore or do not use it. From what I read, you should have it.
Since a valid spf record can take all of 5 minutes to write, I don't see it as a big deal. Now DKIM takes a little longer. If it lets my boss send mail to whoever, that is also a plus.
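How a receiver evaluates the kind of SPF record discussed in this thread, as an added example that is not part of the original posts. It covers only the ip4, a, mx and all mechanisms; the zone table is constructed (A/MX values from the dig output above, TXT records invented as samples, since the thread shows no real SPF record), and the function names are hypothetical.

```python
import ipaddress

# Constructed zone data: A/MX values come from the dig output in this thread;
# the TXT records are sample SPF policies, not what the real domains publish.
ZONE = {
    ("bobhoffman.com", "MX"): ["mail.bobhoffman.com"],
    ("bobhoffman.com", "A"): ["72.35.68.59"],
    ("mail.bobhoffman.com", "A"): ["72.35.68.59"],
    ("bobhoffman.com", "TXT"): ["v=spf1 mx -all"],
    ("example.org", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype, zone=ZONE):
    return zone.get((name.lower().rstrip("."), rtype), [])

def mechanism_matches(mech, arg, ip, domain):
    """True if the connecting IP matches one SPF mechanism."""
    if mech == "all":
        return True
    if mech == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    target = arg or domain            # "a" / "mx" default to the sender domain
    if mech == "a":
        hosts = [target]
    elif mech == "mx":
        hosts = lookup(target, "MX")
    else:
        raise ValueError("mechanism outside this example's subset: " + mech)
    return any(ip == ipaddress.ip_address(addr)
               for host in hosts for addr in lookup(host, "A"))

def check_spf(client_ip, mail_from):
    """Evaluate the envelope sender's SPF record against the connecting IP."""
    domain = mail_from.rsplit("@", 1)[-1]
    records = [t for t in lookup(domain, "TXT")
               if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"                 # no policy published: nothing to enforce
    if len(records) > 1:
        return "permerror"            # more than one SPF record is an error
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mechanism_matches(mech.lower(), arg, ip, domain):
            return QUALIFIERS[qualifier]   # first matching mechanism decides
    return "neutral"                  # record ended without a match

if __name__ == "__main__":
    for ip, sender in [("72.35.68.59", "bob@bobhoffman.com"),
                       ("198.51.100.7", "bob@bobhoffman.com"),
                       ("198.51.100.7", "user@nospf.example")]:
        print(ip, sender, check_spf(ip, sender))
```

With the sample `mx -all` policy, mail from the thread's server passes and the same sender address used from an unrelated IP fails; a domain with no TXT record yields `none`, which a receiver can only score, not enforce.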