• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Google is blocking my mail server for some unknown reason

One of the things we have found is that users who forward to their gmail tend to forward a lot of spam. We wound up on lots of blacklists that way. One of the things we did that seems to have made a big difference is to run outgoing mail through spamassassin. The recipe I found wasn't for a plesk server, so after moving things around, this is what we do:

install spamassassin using plesk autoinstaller

yum -y install clamd clamav-db clamav amavisd-new perl-Error

Set Amavisd-new to start after reboot and start Amavisd-new:

chkconfig amavisd on
service amavisd start

Set ClamAV to start after reboot and start ClamAV:

chkconfig clamd.amavisd on
service clamd.amavisd start


Set Postfix to use amavids on port 10024:

edit /etc/postfix/main.cf

add after other parameters add:

#use amavisd as filter on port 10024
content_filter=amavisfeed:[127.0.0.1]:10024

Edit Postfix configuration file:

edit /etc/postfix/master.cf

Add the following lines at the bottom of the file to connect Postfix to Amavisd-new (explanation and updates found in /usr/share/doc/amavisd-new-2.6.4/README_FILES/README.postfix):

amavisfeed unix - - n - 2 lmtp
-o lmtp_data_done_timeout=1200
-o lmtp_send_xforward_command=yes
-o lmtp_tls_note_starttls_offer=no

127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_restriction_classes=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
-o local_header_rewrite_clients=
-o smtpd_milters=
-o local_recipient_maps=
-o relay_recipient_maps=

reload postfix to get the change:

service postfix reload
 
trialotto said:
@Matt Grant

a) DKIM: go to "Tools & Settings > Mail > Mail Server Settings (click on it) > DomainKeys spam protection": enable sign outgoing mail

b) use an appropriate SPF record: add a TXT record to DNS (Note: Google has some simple documentation about this)

c) use DMARC: add a TXT record to DNS
Click to expand...
Trialotto, forgive my ignorance, but I am under the impression that DomainKeys that is available on Plesk 12.0 is the old Yahoo standard and is not the not the same as DKIM. Is that not the case?
 
@Ed Greenberg

Thanks for the excellent post, this is actually a setup that is similar to having a mail cluster filtering out spam, with some important differences.

The import differences are:

a) the custom configuration ofPostfix config files on a Plesk instance is not recommended: any upgrade/update can revert the customizations,

b) introducing Amavis and the somewhat buggy and inefficient ClamAV introduces additional resource usage: this stack is being known for knocking the system down, when being under the duress of a relatively small spam attack.

c) the solution does not offer or barely prevents any attacks from "local spam scripts": any spam script, installed on the server (i.e. a hack), that bypasses postfix (for instance, by calling any of the other possibilities to send mail, such as the mail() function) or qmail, will still result in outgoing spam. Note that this remark specifically applies to most WP instances.

For these (and other) reasons, most of the Amavis based filtering solutions are located on external mail clusters, with often a custom ClamAV and/or other solutions, like Pyzor.

Finally, I must add that, even though it is an excellent post, most mails are blocked by Google, not because they are spam, but because DNS cannot be resolved, which will result in Google marking mail as spam, since the "machine is not learning" that the mail sender can be trusted.

In essence, your solution can (and often will properly) work for mail forwards from the Plesk instance, but not for other types of mails.

Regards....
 
@Fronobulax

You stated

Fronobulax said:
but I am under the impression that DomainKeys that is available on Plesk 12.0 is the old Yahoo standard and is not the not the same as DKIM. Is that not the case?
Click to expand...

and I can answer that, at least if I am not mistaken, that in both Plesk versions (12.0.18 and 12.5.30) DKIM is being used.

You can verify that by having a look at the headers, for instance by opening the "original message" in Gmail.

Regards....
 
@trailotto We have the older DomainKeys in Plesk, it's fairly straightforward to add OpenDKIM though.
You obviously have to script the creation and adding to key and signing tables.
Regards

Lloyd
 
You must log in or register to reply here.

Similar threads

PeopleInside
Issue with Google Drive Backup
Replies
6
Views
557
PeopleInside
PeopleInside
F
Question SPF fail due to wrong IP?
Replies
1
Views
419
mow
M
carlsson
Resolved Outgoing administrator mail not authorized [missing SPF record in sender domain]
Replies
11
Views
1K
rkbonatto
rkbonatto
V
Resolved All sites hosted on Plesk server not delivering emails only to Google Workspace mail ids
Replies
2
Views
1K
vhon2022
V
carlsson
Issue Really strange problem – I can't use my SMTP server intermittently
Replies
2
Views
235
carlsson
carlsson
Back
Top