
Question Opendkim, postfix and outgoing mail limit, the more the merrier!

Xav2c

Basic Pleskian
Hi,

I know that Plesk does not support opendkim, but like many other people, I have it running on my Onyx server since Plesk 11.5, and it is working fine.

Until I switch on outgoing mail limit. I suppose the outgoing mail limit mechanism bypasses the postfix transports, or milters, and renders the DKIM signature present, but invalid. The result is a "Fail" DKIM check status by the receiving party.

I found several clues on where to get started, but nothing precise, and I do not want to experiment in ways that could break something, or worsen the situation.

Any idea on how to make both services coexist would be great. If you found a way to make it work, please share!

Thank you.
 
Hi XL2c,

since Plesk Onyx, DomainKeys has been replaced with DKIM. If you implemented OpenDKIM previously at Plesk servers with Plesk versions 11.5, you might have used an external tutorial like => Setting up SPF + DK + DKIM with Postfix in Plesk 11.5 on Debian Wheezy for example. This will still work and to investigate your issues/errors/problems, we need some step-by-step guide from you, how you implemented OpenDKIM previously on your server, so that people willing to help you are able to reproduce and investigate your described issue(s).

It would help as well, if you provide corresponding entries from your "mail.log" and it is always wise to include the corresponding configuration files and a FQDN and last but not least, your currently used operating system(s) on your server(s), so that decent investigations can be done. With your current descriptions, people willing to help you can only guess what might be misconfigured at the moment on your server(s).



Additional information:

 
Hello UFHH01,

Thank you for your answer. So finally, I restored a "stock" copy of main.cf, setting of course the correct FQDN for my server.
And then I went and activated Onyx DKIM for each domain, and DKIM signing is working fine!

I stopped the opendkim service, but here are two quick questions:
  • Can I safely remove opendkim, which was installed with apt-get on Ubuntu 14.04, without breaking Onyx's DKIM signing mechanics?
  • Now that I have restored a main.cf stock copy, postfix is checking for RBL for incoming messages, which is great, but also for outgoing mails! Is this intended? Or is there something wrong with my conf? You can see my main.cf attached. And also a copy of master.cf
Edit: ok so I can't upload a .cf file
 
Hi XL2c,

Can I safely remove opendkim, which was installed with apt-get on Ubuntu 14.04, without breaking Onyx's DKIM signing mechanics?
Yes.

Edit: ok so I can't upload a .cf file
You are able to RENAME *.cf files to *.txt files and are then able to upload these files here at the forums. ;)

Now that I have restored a main.cf stock copy, postfix is checking for RBL for incoming messages, which is great, but also for outgoing mails! Is this intended? Or is there something wrong with my conf? You can see my main.cf attached. And also a copy of master.cf
Pls. add as well your "mail.log", if you desire further investigations. :)
 
Thanks for the info, I was tired yesterday, and didn't bother to find a solution. Here are the two config files.
Unfortunately I cannot post the mail.log as it contains sensitive information, including people's email addresses, that I am not allowed to publish on the internet.

But to explain further, my personal (home / office) IP address is listed on zen.spamhaus (along with almost all the IP range of my ISP). It does not bother me because I am not hosting a mail server at home. But when I want to send emails using my Onyx server (which is not at home, but in a datacenter, and not listed on any RBL list, just to be clear), and Outlook or any email SMTP client, I get checked for spamhaus correspondence, and denied SMTP process. Until of course I put myself in the whitelist. But I don't recall having this problem before restoring my main.cf.

I can see this line, which makes sense, but this line was identical in the main.cf before I restored it yesterday...
Code:
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org
 

Attachments

  • main.cf.txt
    3.5 KB · Views: 3
  • master.cf.txt
    6.7 KB · Views: 4
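
A simplified model of how Postfix walks the `smtpd_client_restrictions` line quoted in the post above (an added example, not from the thread or from Postfix itself): the list is evaluated left to right and the first restriction that matches decides, so `reject_rbl_client` is only reached for a client that is neither in `mynetworks` nor SASL-authenticated. The addresses, the `MYNETWORKS` value and the `LISTED` table standing in for DNSBL lookups are constructed assumptions.

```python
import ipaddress

# Restriction list quoted in the post above.
MAIN_CF_LINE = ("smtpd_client_restrictions = permit_mynetworks, "
                "permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org")
# Constructed sample data (documentation address ranges, not from the thread).
MYNETWORKS = ["127.0.0.0/8"]
LISTED = {"zen.spamhaus.org": {"203.0.113.85"}}  # stand-in for DNSBL lookups

def parse_restrictions(line):
    """Split a comma-separated main.cf restriction list into (name, arg)."""
    value = line.partition("=")[2]
    rules = []
    for item in value.split(","):
        parts = item.split()
        if parts:
            rules.append((parts[0], parts[1] if len(parts) > 1 else None))
    return rules

def evaluate(rules, ip, sasl_user, mynetworks=MYNETWORKS, listed=LISTED):
    """Walk the list left to right; the first restriction that matches decides.

    Returns (verdict, deciding_restriction) for this one list only; a
    "permit" here does not skip Postfix's other restriction lists.
    """
    addr = ipaddress.ip_address(ip)
    for name, arg in rules:
        if name == "permit_mynetworks":
            if any(addr in ipaddress.ip_network(n) for n in mynetworks):
                return "permit", name
        elif name == "permit_sasl_authenticated":
            if sasl_user:
                return "permit", name
        elif name == "reject_rbl_client":
            if ip in listed.get(arg, set()):
                return "reject", f"{name} {arg}"
    return "dunno", None  # no match: this list expresses no opinion

if __name__ == "__main__":
    rules = parse_restrictions(MAIN_CF_LINE)
    for ip, user in [("203.0.113.85", None),
                     ("203.0.113.85", "user@example.org"),
                     ("127.0.0.1", None), ("198.51.100.7", None)]:
        print(ip, user, evaluate(rules, ip, user))
```
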
Hi XL2c,

from my point of view, it is a bad idea to use "zen.spamhaus.org", as it blocks as well an enormous lot of legitimate users. I recommend: "cbl.abuseat.org;sbl.spamhaus.org;xbl.spamhaus.org", where I never experience complaints. ;)
 
Ok, thank you for your excellent advice. I have also seen this advice elsewhere, so I will stop using ZEN, and use the ones you recommend.
But lastly, is there a way to stop checking "outgoing" mail with the RBLs? Only check the incoming messages?
 
Hi XL2c,

as far as I know, there is no such option and it would be quite odd to block other "blacklisted" mails/IPs, but the own ones, don't you think so as well?
 
Hmmm, I may not have been clear enough. I do not want to block myself when I send a mail using my SMTP, but it is happening today because my public ISP IP address is in an RBL. So when I send a mail using Outlook, towards a gmail or live.com address for example, the mail is blocked halfway into my smtpd because my IP is listed in an RBL.
Also, I do not want to block, in any way, my users from using my SMTP. But I still want to protect them from incoming spam.

Here is a sample of the mail.log when this happens:
Code:
Oct  3 22:14:09 srv02 postfix/smtpd[18298]: connect from rem30-1-78-###-###-85.fbx.proxad.net[78.###.###.85]
Oct  3 22:14:10 srv02 postfix/smtpd[18298]: NOQUEUE: reject: RCPT from rem30-1-78-###-###-85.fbx.proxad.net[78.###.###.85]: 554 5.7.1 Service unavailable; Client host [78.###.###.85] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/78.###.###.85; from=<xavier.####@mydomain.fr> to=<[email protected]> proto=ESMTP helo=<xavPC>
Oct  3 22:14:10 srv02 postfix/smtpd[18298]: NOQUEUE: reject: RCPT from rem30-1-78-###-###-85.fbx.proxad.net[78.###.###.85]: 554 5.7.1 Service unavailable; Client host [78.###.###.85] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/78.###.###.85; from=<xavier.####@mydomain.fr> to=<xavier.####@mydomain.fr> proto=ESMTP helo=<xavPC>
Oct  3 22:14:10 srv02 postfix/smtpd[18298]: NOQUEUE: reject: RCPT from rem30-1-78-###-###-85.fbx.proxad.net[78.###.###.85]: 554 5.7.1 Service unavailable; Client host [78.###.###.85] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/78.###.###.85; from=<xavier.####@mydomain.fr> to=<[email protected]> proto=ESMTP helo=<xavPC>
Oct  3 22:14:10 srv02 postfix/smtpd[18298]: NOQUEUE: reject: RCPT from rem30-1-78-###-###-85.fbx.proxad.net[78.###.###.85]: 554 5.7.1 Service unavailable; Client host [78.###.###.85] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/78.###.###.85; from=<xavier.####@mydomain.fr> to=<xavier.####@mydomain.fr> proto=ESMTP helo=<xavPC>
Oct  3 22:14:10 srv02 postfix/smtpd[18298]: NOQUEUE: reject: RCPT from rem30-1-78-###-###-85.fbx.proxad.net[78.###.###.85]: 554 5.7.1 Service unavailable; Client host [78.###.###.85] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/78.###.###.85; from=<xavier.####@mydomain.fr> to=<[email protected]> proto=ESMTP helo=<xavPC>
Oct  3 22:14:10 srv02 postfix/smtpd[18298]: NOQUEUE: reject: RCPT from rem30-1-78-###-###-85.fbx.proxad.net[78.###.###.85]: 554 5.7.1 Service unavailable; Client host [78.###.###.85] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/78.###.###.85; from=<xavier.####@mydomain.fr> to=<xavier.####@mydomain.fr> proto=ESMTP helo=<xavPC>
Oct  3 22:14:12 srv02 postfix/smtpd[18298]: NOQUEUE: reject: RCPT from rem30-1-78-###-###-85.fbx.proxad.net[78.###.###.85]: 554 5.7.1 Service unavailable; Client host [78.###.###.85] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/78.###.###.85; from=<xavier.####@mydomain.fr> to=<[email protected]> proto=ESMTP helo=<xavPC>
Oct  3 22:14:14 srv02 postfix/smtpd[18298]: NOQUEUE: reject: RCPT from rem30-1-78-###-###-85.fbx.proxad.net[78.###.###.85]: 554 5.7.1 Service unavailable; Client host [78.###.###.85] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/78.###.###.85; from=<xavier.####@mydomain.fr> to=<xavier.####@mydomain.fr> proto=ESMTP helo=<xavPC>

Note: I was trying to send a mail to [email protected], and a CC to myself
This is my hostname from my ISP at my home office:
rem30-1-78-###-###-85.fbx.proxad.net[78.###.###.85]
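
For triaging rejects like the ones in the log sample above, this added example (not part of the original post) parses Postfix DNSBL reject lines and counts, per client IP and DNSBL zone, those whose envelope sender is in a domain the server hosts, which separates the server's own users being turned away from ordinary inbound rejects. The log lines, host names, addresses and the `local_domains` set are constructed.

```python
import re
from collections import Counter

# Matches Postfix smtpd DNSBL reject lines in the format shown in the post above.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>\w+) from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) \S+ "
    r".*?blocked using (?P<zone>[^;\s]+);.*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# Constructed sample lines (documentation IPs and domains, not from the thread).
_HOME = "client.example.net[203.0.113.85]"
_WHY = ("554 5.7.1 Service unavailable; Client host [{ip}] blocked using "
        "zen.spamhaus.org; https://www.spamhaus.org/query/ip/{ip};")
_PFX = "Oct  3 22:14:10 mx1 postfix/smtpd[4101]: "
SAMPLE_LOG = [
    _PFX + "connect from " + _HOME,
    _PFX + f"NOQUEUE: reject: RCPT from {_HOME}: {_WHY.format(ip='203.0.113.85')} "
           "from=<alice@example.org> to=<bob@example.com> proto=ESMTP helo=<alicePC>",
    _PFX + f"NOQUEUE: reject: RCPT from {_HOME}: {_WHY.format(ip='203.0.113.85')} "
           "from=<alice@example.org> to=<alice@example.org> proto=ESMTP helo=<alicePC>",
    _PFX + f"NOQUEUE: reject: RCPT from {_HOME}: {_WHY.format(ip='203.0.113.85')} "
           "from=<alice@example.org> to=<bob@example.com> proto=ESMTP helo=<alicePC>",
    _PFX + "NOQUEUE: reject: RCPT from unknown[198.51.100.7]: "
           f"{_WHY.format(ip='198.51.100.7')} "
           "from=<promo@example.net> to=<alice@example.org> proto=ESMTP helo=<mail>",
]

def dnsbl_rejects(lines):
    """Return one dict of named fields per DNSBL reject line."""
    return [m.groupdict() for m in map(REJECT_RE.search, lines) if m]

def local_sender_rejects(lines, local_domains):
    """Count rejects per (client IP, zone) whose sender domain is hosted here."""
    counts = Counter()
    for r in dnsbl_rejects(lines):
        domain = r["sender"].rpartition("@")[2].lower()
        if domain in local_domains:
            counts[(r["ip"], r["zone"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in local_sender_rejects(SAMPLE_LOG, {"example.org"}).items():
        print(key, n)
```
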
 
Hi XL2c,

you were absolutely clear, but my thoughts are still the very same. Just think about the situation, that YOU send an eMail to someone with the very same IP provider that you use, which he/she receives, but if he/she desires to answer your eMail, it will be blocked, as you use a not recommended RBL. ;-)
 