outgoing mails bounce (after migration)

[Torsten_Rüger]

Hi,

i have a newly set up machine (debian 7.1) with plesk 12.0.18 update 70 and migrated domains from another identical (os/plesk versions) machine.

The plesk name is rubydesign.fi and the customer villataika.fi and when mail is sent from there (to gmail) it bounces.

Now google says that the smtp server banner is not correct, and they seem to be right.
http://mxtoolbox.com/SuperTool.aspx?action=smtp:mail.villataika.fi&run=toolpage#

But since i have not changed any settings i wonder how this can be. Off course also how to fix it.

I didn't find mention of outgoing configuration that one would have to do per used domain, and all the threads i read on smto banners seemed old or not applicable.

Please advise

Torsten

 

[UFHH01]

Hi Torsten_Rüger,

please don't care about this "SMTP banner mismatch" - issue:

mxtoolbox made that report falsely on a domain I support.

I verified with my vps provider, digital ocean, that my setup was valid. Then I called mxtoolbox. A guy named Jeremy answered. He said the mxtoolbox report was wroing. He provided me the following email:

 

[Torsten_Rüger]

Well, it's not so much that i care. But google seems to, and bounces mails sent from our server (to gmail), like this: (email before the gmail changed)


Reporting-MTA: dns; rubydesign.fi
X-Postfix-Queue-ID: 873C331E05AC
X-Postfix-Sender: rfc822; [email protected]
Arrival-Date: Wed, 18 Nov 2015 16:50:12 +0100 (CET)

Final-Recipient: rfc822; [email protected]
Original-Recipient: rfc822;[email protected]
Action: failed
Status: 5.7.1
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.7.1 [2a01:4f8:162:3285::2] Our system has detected
that this message does 550-5.7.1 not meet IPv6 sending guidelines regarding
PTR records and 550-5.7.1 authentication. Please review 550-5.7.1
https://support.google.com/mail/?p=ipv6_authentication_error for more 550
5.7.1 information. aw7si4808813wjc.90 - gsmtp

 

[UFHH01]

Hi Torsten_Rüger,

well, sorry, but you shouldn't put all into one subject, because you have different issues. You can safely ignore the "SMTP mismatch" -issue, but please keep another eye on the provided link from Google: https://support.google.com/mail/?p=ipv6_authentication_error

Additional guidelines for IPv6

• The sending IP must have a PTR record (i.e., a reverse DNS of the sending IP) and it should match the IP obtained via the forward DNS resolution of the hostname specified in the PTR record. Otherwise, mail will be marked as spam or possibly rejected.
• The sending domain should pass either SPF check or DKIM check. Otherwise, mail might be marked as spam.

I can't find any IPv6 - entry at your SPF - setting. Consider to include your IPv4 AND your IPv6 address.

Example: "v=spf1 +a +mx +a:rubydesign.fi +ip4:5.9.100.145 +ip6:2a01:4f8:162:3285::2 ?all"​

Your actual REVERSE entry for your IPv4 resolves to: "static.145.100.9.5.clients.your-server.de" and not to "rubydesign.fi" . Please check this at the control panel of your domain registrar.
Your actual REVERSE entry for your IPv6 resolves to nothing - there is no record at all for a reverse check. Please check this at the control panel of your domain registrar.

There is no DKIM entry ( as for example: "default._domainkey.rubydesign.fi" ). Please check this at the control panel of your domain registrar.

There is no DMARC record for your domain "rubydesign.fi". Please check this at the control panel of your domain registrar.

 

[Torsten_Rüger]

Hi UFHH01,

you are sounding awfully certain about this "ignore the smtp mismatch".
From here it looks like that is the cause of the problem.
Plesk does a good job of making the web server "virtual" , ie usable for many domains without too much sys admin knowledge (which is off course why people like me buy it)
So why does it not make the postfix server respond correctly, so these mismatches would not occur, one wonders.

The spf mechanism seems a way to hack around this mismatch problem. A Hack that plesk documentation could at least mention i find.

As to your dns suggestions, my server acts as the main nameserver, so plesk has generated all those entries.

One thing that did occur when migrating was, that i apparently chose a different domain name for the new server. This caused the spf hack to break, because the migration tool does not check that (and i off course was unaware of the hack)
So i just put the +a:rubydesign.fi in there, because it was +a:auringostaitaan.fi, and it did seem to do the trick.

If this does come back i'll try with those other suggestions.
Though, off course i don't even know what DKIM and DMARC records are (which is as should be from my perspective)
So how i would create them in plesk is then another topic of joy (as the plesk help doesn't mention either)

 

[danallen1]

Plesk does a good job of making the web server "virtual" , ie usable for many domains without too much sys admin knowledge (which is off course why people like me buy it)

That is why I bought it. I don't think plesk understand people using the product this way

 

[UFHH01]

Hi Torsten_Rüger,

As to your dns suggestions, my server acts as the main nameserver, so plesk has generated all those entries.

Well, no.. please have a closer look at your own existent entries:

rubydesign.fi. NS 86400 ns1.first-ns.de.
rubydesign.fi. NS 86400 robotns2.second-ns.de.
rubydesign.fi. NS 86400 robotns3.second-ns.com.

As you can see, NOT your rented server with the IP "5.9.100.145" is your primary nameserver, it's... as I already stated, the nameserver of your domain provider.
Plesk "can" act as a primary nameserver, but if you don't change the nameserver setups at your domain registrar control panel, then there will be no changes, what so ever you do over Plesk.

I recommend to copy the Plesk generated DNS - entries over to your domain - registrars domain control panel and leave the nameservers as they are. If you need help with that, please consider to hire a linux administrator, or contact the Odin Support Team. To change the reverse entry of your IPs, please consider to ask your server hosting provider, because they are in charge of that, when you rent an IP ( they mostly provide as well a separate control panel, where reverse DNS entries for your IPs can be done! ).

 

[trialotto]

@Torsten_Rüger

I have to state explicitly that UFHH01 is completely right in this matter on hand.

Moreover, note that Google does not block your mail due to DKIM, SPF and/or DMARC related failures: they are not obligatory, in the perspective of Google.

Even the missing/incorrect IPv6 address does not have to be the reason that your mail delivery failed: Google is rather elaborate in giving error codes.

Even when the IPv6 address is the root cause of your problem, it still is something that has to be done by the hosting provider: when using the nameservers of the hosting provider (as is the case in your situation, as UFHH01 already pointed out), there should be an appropriate PTR record (for IPv4 AND IPv6, if this protocol is used).

In short, contact your hosting provider and ask them about the (apparently) missing PTR record.

Also have a look at senderbase.org, in order to establish that your server is not blacklisted (on various blacklists, which cause your mail to be blocked by any server).

Regards.....

 

[Torsten_Rüger]

Hmm, mails still bouncing. So i'll try the ip6 in spf thingie.

UFHH1 (HH == Hamburg ? I studied there, nice city)

Hetzner just copies the entries from my nameserver. It seemed the easiest way. They have a setting where to copy from, which is where my servers ip is, and my domains are set to act as master servers. Given that it says so in Plesk "This server acts as a primary nameserver ... " you may consider giving a little more consideration ( i mean when i say master, you don't just say no)

Does that make trialotto's point moot ? I'm fine in Senderbase. I do notice that none of you seem to take the possibility that this is actually a plesk bug too seriously.

As i said i migrated the server. Could it be that a new dns template would have the ip6 ptr set up , but the old did not ?

Well, i'll try the spf as suggested. (is that a typo the ?all , the dns template seems to have -all )

 

[UFHH01]

Hi Torsten_Rüger,

Hetzner has as well a quite good online documentation. Please visit http://wiki.hetzner.de/index.php/DNS-Reverse-DNS/en for further assistance, if you don't trust our words. ^^
Please keep a special eye onto: http://wiki.hetzner.de/index.php/DN..._name_server.2C_why_are_these_not_accepted.3F


Rented IPs on rented servers can never be the "real" primary nameserver, because an owner of an IP-Block doesn't give away the rights to administrate them. They mostly provide a hosting control panel, as you can read at the above links.
No, this is no "Plesk bug" at all - as you can read as well, in the above links.
... and "no", this is not a typo ( "?all" ) - it's MY recommendation for various reasons, which are not subject of your thread.

 

[trialotto]

@Torsten_Rüger

Again, I have to agree with UFHH01 and I want to give you some additional explanation.

With respect to the "nameservers", note the following.

There is the nameserver that handles the requests to point to your server(s) AND there is the nameserver that handles requests for specific domains.

Each of those separate (master) nameservers has one or more slave nameservers and, for the sake of convenience, we return to this topic later.

The PTR record is a DNS record that associates "domains" with IPs and/or IP blocks (as opposed to the A record, that points domains to IPs, a huge difference).

As such, the PTR record only is relevant for the association of hostnames with specific IP blocks.

A common usage of the PTR record is therefore to be found at the level of hosting providers, that assign various hostnames to IP blocks (and sub-blocks) they have.

In short, the nameserver that handles the requests to point to your server(s) is

- the nameserver that has to include the correct PTR records, appropriate for IPv4 and IPv6,
- the "true" (primary) nameserver, that associates traffic with your server,
- the responsibility of your hosting provider (and sure, they have to set it up properly).

and, in essence, it can be stated that this type of nameserver is barely relevant, in the sense that it is "out of reach".

The A records are present on the nameserver that handles requests for specific domains and this type of nameserver can be present in the form of

- external nameservers, for instance the nameservers of the domain registrar, OR
- local nameservers, as managed by Plesk (or even some other set of nameservers that are managed by you).

In short, traffic intended for specific domains is routed to some IP by means of A records, maintained at external or local nameservers.

With respect to primary and secondary (i.e. master and slave) nameservers (of the type that handle requests for domains) the following.

In general, the before mentioned local and/or external nameservers do not have to contain a PTR record for domains managed.

The only exception is the case in which Plesk functions as a primary nameserver, i.e. a local nameserver.

AND this exception only applies to the domain chosen: the <domain> in ns.<domain>.<tld> has to include a PTR record (and multiple other records).

In your case, you have used and/or have the intention to use Plesk as a primary nameserver.

Note that it requires some thorough knowledge to create a proper setup, in order to have Plesk function as a primary nameserver.

Also note that every primary nameserver has to have a secondary nameserver and this secondary nameserver can NOT be on the same physical server.

Furthermore, note that using an external secondary nameserver will not actually function as a "true" secondary nameserver: the primary nameserver, as setup with Plesk, will not propagate changes in DNS records automatically, unless some appropriate configuration and/or action is taken.

Finally, note that managing nameservers really is work for specialists, with the right equipment, hardware and infrastructure.

In conclusion, it often is not adviceable to manage your own nameserver, i.e. use Plesk as a primary nameserver (of the type that handles requests for domains).

With respect to the alleged typo "?all" the following.

Note that

- "-all" means "Fail": mail is REJECTED (i.e. SPF designates the host as NOT being allowed to send)
- "?all" means "Neutral": mail is ACCEPTED (i.e. SPF designates the host as being allowed to send)
- "~all" means "SoftFail": mail is ACCEPTED and MARKED (i.e. SPF designates the host as NOT being allowed to send, but it is in transition)

AND note that SPF syntax implements a sequential set of rules, meaning that every rule is checked in chronological order of occurrence.

For instance, "spf=v1 a mx ip4:<IP address> ?all" implies that, in chronological order:

- at "a": all A records are tested. If test succeeds, mails are accepted.
- at "mx": all A records for all the MX records are tested in order of priority. If test success, mails are accepted.
- at "ip4:<IP address>: mail related to the <IP address> is accepted.
- at "?all": all other mails are accepted (and not marked)

and, given the chronological order of testing, any test will probably end at the "a" level and, in worst case scenario´s, at "ip4" level.

In essence, the "?all" can do no real harm, since all previous (spf) tests will not allow that a test at the "?all" level occurs, at least in 99,999999% of the cases.

Sure, it is better to use a "~all", but you should not need that in most cases.

However, it is not good to use the strict "-all", since any misconfiguration (server-wide, or even spf configuration) can completely block all mail traffic.


In conclusion, there is not a bug that can be related to Plesk, at least not in your case.

Your issue has to do with either incorrect PTR records or your (primary) nameserver (managed by Plesk) not propagating DNS changes to the secondary nameserver.

If you ask me, you have more than one issue, I am pretty sure that both the "PTR problem" AND the "propagation problem" are occurring in your situation.

In my humble opinion, if you have an external nameserver, I cannot imagine why you would want to setup a local primary nameserver (just completely use external nameservers).

Regards.....