Sending Email from Subdomains: IP Setup


Sending Email from Subdomains: IP Setup

Greg Sims
We divided our outbound email into two streams: transactional and
bulk.  Each of the streams uses different ip addresses.  One ip for
transactional email and a randmap group of four ips for bulk email.
The transactional email is sent from domain @raystedman.org.  The bulk
email is sent from a subdomain @devotion.raystedman.org.

The ip addresses used for all of our outbound transfers are configured
using raystedman.org for both forward and reverse DNS.  For example,
one of the bulk hostnames is t4.raystedman.org, pointing to 1.2.3.4, and
dig -x 1.2.3.4 (reverse DNS) points back to t4.raystedman.org.  The
master.cf transports are configured with:

    -o smtp_bind_address=1.2.3.4
    -o smtp_helo_name=t4.raystedman.org

I believe this is a fairly standard setup for the domain.

We are receiving a few entries in our maillogs that look like this:

Oct 23 02:04:12 mail0.raystedman.org t4/smtp[38639]: C422783FDAA:
to=<[hidden email]>,
relay=al-ip4-mx-vip1.prodigy.net[144.160.235.143]:25, delay=3.7,
     delays=0.04/0/3.6/0.02, dsn=5.7.1, status=bounced (host
al-ip4-mx-vip1.prodigy.net[144.160.235.143] said: 550 5.7.1
Connections not accepted from servers without a valid sender
domain.alph765 Fix reverse DNS for 1.2.3.4 (in reply to MAIL FROM
command))

We saw five of these maillog entries last night (out of 32K emails
sent) all from prodigy.net.  This results in not delivering the bulk
email and a "soft bounce" for the email address recorded in our
database.

Should we reconfigure our bulk ip addresses using the subdomain
devotion.raystedman.org?  If we do, the bulk from address
@devotion.raystedman.org will match the end of the  reverse DNS of the
IP address.

    - Change the hostname of each bulk ip address to use the subdomain
    - Change the reverse DNS for each bulk ip address to point to the new hostname
    - Update master.cf transports to use the subdomain:
          -o smtp_helo_name=t4.devotion.raystedman.org

Is this the correct solution?  Is there something else we should
consider?  I am being cautious as we will need to make this change on
the production system.  If we implement this, I hope this transition
will go smoothly with all of the relays we are using to deliver the
bulk email.  Perhaps we will change only one of the bulk ip addresses
initially and observe the maillog.  Advice and counsel is welcome!

Thanks, Greg
www.RayStedman.org

Re: Sending Email from Subdomains: IP Setup

Wietse Venema
Greg Sims:

> We divided our outbound email into two streams: transactional and
> bulk.  Each of the streams uses different ip addresses.  One ip for
> transactional email and a randmap group of four ips for bulk email.
> The transactional email is sent from domain @raystedman.org.  The bulk
> email is sent from a subdomain @devotion.raystedman.org.
>
> The ip addresses used for all of our outbound transfers are configured
> using raystedman.org for both forward and reverse DNS.  For example,
> if one of the bulk hostnames is t4.raystedman.org pointing to 1.2.3.4.
> Dig -x 1.2.3.4 (reverse dns) points back to t4.raystedman.org.  The
> master.cf transports are configured with:
>
>     -o smtp_bind_address=1.2.3.4
>     -o smtp_helo_name=t4.raystedman.org
>
> I believe this is a fairly standard setup for the domain.
>
> We are receiving a few entries in our maillogs that look like this:
>
> Oct 23 02:04:12 mail0.raystedman.org t4/smtp[38639]: C422783FDAA:
> to=<[hidden email]>,
> relay=al-ip4-mx-vip1.prodigy.net[144.160.235.143]:25, delay=3.7,
>      delays=0.04/0/3.6/0.02, dsn=5.7.1, status=bounced (host
> al-ip4-mx-vip1.prodigy.net[144.160.235.143] said: 550 5.7.1
> Connections not accepted from servers without a valid sender
> domain.alph765 Fix reverse DNS for 1.2.3.4 (in reply to MAIL FROM
> command))

The exact message, including the name 'alph765' of the cluster with
broken reverse DNS:
https://forums.att.com/conversations/att-internet-email-security/prodigynet-reverse-dns-lookup-is-broken/5f07b53ac17a063d9bfecdb8

It affects multiple domains hosted at AT&T:
https://community.spiceworks.com/topic/2093608-reverse-dns-record-for-email-rejected-by-sbcglobal
https://www.netsolinc.com/prodigy-email-issues/

This is what I did when GMAIL was randomly bouncing mail because
of some bogus DNS error:

/etc/postfix/main.cf:
    transport_maps = hash:/etc/postfix/transport

/etc/postfix/transport:
    gmail.com google:

/etc/postfix/master.cf:
    google     unix  -       -       y       -       -       smtp
        -o soft_bounce=yes

(there is no support to specify a lookup table for parameters such
as soft_bounce, smtp_bind_address, and so on).

Of course one would have to scale this up to your requirements, and
monitor logs for legitimate rejects. In your case setting a short
maximum_queue_life_time may be sufficient to avoid hammering sites
with dead recipient addresses.

        Wietse

Re: Sending Email from Subdomains: IP Setup

Wietse Venema
Wietse Venema:

> The exact message, including the name 'alph765' of the cluster with
> broken reverse DNS:
> https://forums.att.com/conversations/att-internet-email-security/prodigynet-reverse-dns-lookup-is-broken/5f07b53ac17a063d9bfecdb8
>
> It affects multiple domains hosted at AT&T:
> https://community.spiceworks.com/topic/2093608-reverse-dns-record-for-email-rejected-by-sbcglobal
> https://www.netsolinc.com/prodigy-email-issues/
>
> This is what I did when GMAIL was randomly bouncing mail because
> of some bogus DNS error:
>
> /etc/postfix/main.cf:
>     transport_maps = hash:/etc/postfix/transport
> [... details omitted...]

That was years ago.

A more targeted approach is to use smtp_delivery_status_filter with
a regexp that targets that exact error message, and that changes a
'hard' reject into a soft one.

For inspiration to turn hard into soft rejects, see examples at
http://www.postfixlorg/postconf.5.html#default_delivery_status_filter

        Wietse

Re: Sending Email from Subdomains: IP Setup

Greg Sims
> A more targeted approach is to use smtp_delivery_status_filter with
> a regexp that targets that exact error message, and that changes a
> 'hard' reject into a soft one.

> For inspiration to turn hard into soft rejects, see examples at
> http://www.postfixlorg/postconf.5.html#default_delivery_status_filter

Thank you for your feedback on this, Wietse.  I have read all the links
you provided.  There is a great deal of finger pointing at AT & T.
The general theme is some of the AT & T servers are more picky about
rDNS and the like.

I was not able to get the "inspiration" link above to work for some
reason.  I scanned "man postconf 5" but was not able to find relative
examples.

I would like to have some feedback on design and best practice if
possible.  We have a randmap set of four ips that are sending email
from @devotion.raystedman.org.  Should the rDNS associated with these
ips point to raystedman.org or devotion.raystedman.org?  I am not
familiar enough with the RFCs to research this.  Would it be a
positive change to move rDNS/master.cf from raystedman.org to
devotion.raystedman.org in this scenario?

Thanks again, Greg
www.RayStedman.org

On Fri, Oct 23, 2020 at 9:49 AM Wietse Venema <[hidden email]> wrote:

>
> Wietse Venema:
> > The exact message, including the name 'alph765' of the cluster with
> > broken reverse DNS:
> > https://forums.att.com/conversations/att-internet-email-security/prodigynet-reverse-dns-lookup-is-broken/5f07b53ac17a063d9bfecdb8
> >
> > It affects multiple domains hosted at AT&T:
> > https://community.spiceworks.com/topic/2093608-reverse-dns-record-for-email-rejected-by-sbcglobal
> > https://www.netsolinc.com/prodigy-email-issues/
> >
> > This is what I did when GMAIL was randomly bouncing mail because
> > of some bogus DNS error:
> >
> > /etc/postfix/main.cf:
> >     transport_maps = hash:/etc/postfix/transport
> > [... details omitted...]
>
> That was years ago.
>
> A more targeted approach is to use smtp_delivery_status_filter with
> a regexp that targets that exact error message, and that changes a
> 'hard' reject into a soft one.
>
> For inspiration to turn hard into soft rejects, see examples at
> http://www.postfixlorg/postconf.5.html#default_delivery_status_filter
>
>         Wietse

Re: Sending Email from Subdomains: IP Setup

Wietse Venema
Greg Sims:

> > A more targeted approach is to use smtp_delivery_status_filter with
> > a regexp that targets that exact error message, and that changes a
> > 'hard' reject into a soft one.
>
> > For inspiration to turn hard into soft rejects, see examples at
> > http://www.postfixlorg/postconf.5.html#default_delivery_status_filter
>
> Thank you for your feedback on this, Wietse.  I have read all the links
> you provided.  There is a great deal of finger pointing at AT & T.
> The general theme is some of the AT & T servers are more picky about
> rDNS and the like.
>
> I was not able to get the "inspiration" link above to work for some
> reason.  I scanned "man postconf 5" but was not able to find relative
> examples.

http://www.postfix.org/postconf.5.html#default_delivery_status_filter

There's a bunch of examples to change the status codes for TLS-related
errors. There is no need to tell me that TLS is not DNS, and that
changing '4' into '5' is not the same as turning '5' into '4'.

> I would like to have some feedback on design and best practice if
> possible.  We have a randmap set of four ips that are sending email
> from @devotion.raystedman.org.  Should the rDNS associated with these
> ips point to raystedman.org or devotion.raystedman.org?  I am not
> familiar enough with the RFCs to research this.  Would it be a
> positive change to move rDNS/master.cf from raystedman.org to
> devotion.raystedman.org in this scenario?

Your setup is fine. AT&T is effed up.

        Wietse

> Thanks again, Greg
> www.RayStedman.org
>
> On Fri, Oct 23, 2020 at 9:49 AM Wietse Venema <[hidden email]> wrote:
> >
> > Wietse Venema:
> > > The exact message, including the name 'alph765' of the cluster with
> > > broken reverse DNS:
> > > https://forums.att.com/conversations/att-internet-email-security/prodigynet-reverse-dns-lookup-is-broken/5f07b53ac17a063d9bfecdb8
> > >
> > > It affects multiple domains hosted at AT&T:
> > > https://community.spiceworks.com/topic/2093608-reverse-dns-record-for-email-rejected-by-sbcglobal
> > > https://www.netsolinc.com/prodigy-email-issues/
> > >
> > > This is what I did when GMAIL was randomly bouncing mail because
> > > of some bogus DNS error:
> > >
> > > /etc/postfix/main.cf:
> > >     transport_maps = hash:/etc/postfix/transport
> > > [... details omitted...]
> >
> > That was years ago.
> >
> > A more targeted approach is to use smtp_delivery_status_filter with
> > a regexp that targets that exact error message, and that changes a
> > 'hard' reject into a soft one.
> >
> > For inspiration to turn hard into soft rejects, see examples at
> > http://www.postfixlorg/postconf.5.html#default_delivery_status_filter
> >
> >         Wietse
>
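
Added example, not part of the thread and not taken from the Postfix documentation: a Python model of the smtp_delivery_status_filter lookup suggested above, run over the maillog entry quoted in the thread and one constructed entry, to check that the regexp softens only that exact reply. It assumes the lookup key is the enhanced status code, a space, and the logged text starting at "host ... said:"; the table path in the comment is hypothetical.

```python
import re

# Model of the lookup Postfix performs for smtp_delivery_status_filter: the
# table is queried with "enhanced-status-code SPACE explanatory-text".
# Equivalent pcre table entry (the file path is an assumption):
#   /etc/postfix/smtp_dsn_filter:
#     /^5(\.\d+\.\d+ .*Connections not accepted from servers without a valid sender domain\.\S+ Fix reverse DNS for .+)/ 4$1
RULE = re.compile(
    r"^5(\.\d+\.\d+ .*Connections not accepted from servers "
    r"without a valid sender domain\.\S+ Fix reverse DNS for .+)"
)

def filter_status(query):
    """Rewrite 5.x.x to 4.x.x for the targeted reply; else return unchanged."""
    m = RULE.match(query)
    return "4" + m.group(1) if m else query

def query_from_maillog(entry):
    """Build the filter query from a maillog entry, undoing e-mail line wraps."""
    flat = " ".join(entry.split())
    dsn = re.search(r"\bdsn=(\d\.\d+\.\d+),", flat).group(1)
    text = re.search(r"status=\w+ \((.*)\)$", flat).group(1)
    return dsn + " " + text

# The maillog entry quoted in the thread.
THREAD_ENTRY = """Oct 23 02:04:12 mail0.raystedman.org t4/smtp[38639]: C422783FDAA:
to=<[hidden email]>,
relay=al-ip4-mx-vip1.prodigy.net[144.160.235.143]:25, delay=3.7,
     delays=0.04/0/3.6/0.02, dsn=5.7.1, status=bounced (host
al-ip4-mx-vip1.prodigy.net[144.160.235.143] said: 550 5.7.1
Connections not accepted from servers without a valid sender
domain.alph765 Fix reverse DNS for 1.2.3.4 (in reply to MAIL FROM
command))"""

# Constructed entry: a different 5.7.1 reject that must stay a hard bounce.
OTHER_ENTRY = (
    "Oct 23 02:05:00 mail0.raystedman.org t4/smtp[38640]: 0123456789A: "
    "to=<user@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=1.2, "
    "delays=0.04/0/1.1/0.02, dsn=5.7.1, status=bounced (host "
    "mx.example.net[192.0.2.25] said: 550 5.7.1 Relay access denied "
    "(in reply to RCPT TO command))"
)

if __name__ == "__main__":
    for entry in (THREAD_ENTRY, OTHER_ENTRY):
        query = query_from_maillog(entry)
        print(filter_status(query)[:60], "<-", query[:60])
```

On a Postfix host the same query string can be checked against the real table with `postmap -q "<query>" pcre:<table file>` before the filter is enabled on the bulk transports.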