SMTP Banner Question

[slayer1ss]

Hi, sorry to bother you guys and i am pretty sure that this has been asked before but since i didnt know what to search for here on forums i had to ask... If you can help me or at least push me to the right direction i would be really happy... I am not going to hide any domain names or ip address below here so i hope that is alright...

General info about server;
I have a Centos 7 x64 server with Plesk 12.5 that has 8 shared ip addresses... Primary domain is domain1.com which is hosted at ip1 and server hostname is ns.domain1.com, also all ip addresses have rdns defined to ns.domain1.com, "Send from domain IP addresses and use domain names in SMTP greeting" is selected at "Mail Server Settings", i dont know if it is related but this domain is using office365 mail service so it doesnt use plesk mail services...

My question begins here;
On ip2 ip address there is another domain domain2.com , when i test this domain on mxtoolbox and mail-tester i am getting below errors

- Reverse DNS does not contain the hostname
- Delivered to internal network by a host with no rDNS

Below are some reports that i gathered;
Mail-tester report -> https://www.mail-tester.com/web-AvTPPK
Port25 report

========================================
Summary of Results
========================================
SPF check:  pass
DomainKeys check:  pass
DKIM check:  pass
Sender-ID check:  pass
SpamAssassin check: ham

========================================
Details:
========================================

HELO hostname: domain2.com
Source IP: ip2
mail-from: [email protected]

----------------------------------------
SPF check details:
----------------------------------------
Result: pass
ID(s) verified: [email protected]
DNS record(s):
  domain2.com. SPF (no records)
  domain2.com. 85375 IN TXT "v=spf1 +a +mx ?all"
  domain2.com. 85375 IN A ip2

----------------------------------------
DomainKeys check details:
----------------------------------------
Result: pass
ID(s) verified: [email protected]
DNS record(s):
  default._domainkey.domain2.com. 85376 IN TXT "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEKaY9OfRuU+8bwREzmfSacx3KD+QTuZLKeSTZm0lQE+MV0IH0Fy6Ao+KA95VLOH8u1pJrlWC/ODHUJpqMPbdVbmeYcGDbjnjO8k6D6XNck3m4ihc71IFTCE3rGO3COD/QsAPXjNXJNvFUcTMnebgmddj5xPV9i8nQKVSGVDxBgwIDAQAB;"

----------------------------------------
DKIM check details:
----------------------------------------
Result: pass (matches From: [email protected])
ID(s) verified: header.d=domain2.com
Canonicalized Headers:
  date:Fri,'20'04'20'Sep'20'2015'20'16:33:01'20'+0300'0D''0A'
  from:[email protected]'0D''0A'
  to:[email protected]'0D''0A'
  subject:Authentication'20'Test'0D''0A'
  dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20'd=domain2.com;'20's=mail;'20't=1441373581;'20'bh=jaxAFSIKClS6gg+31QfVWwAX7FYR18Sbz4PX3P5JRjU=;'20'h=Date:From:To:Subject;'20'b=

DNS record(s):
  mail._domainkey.domain2.com. 85288 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTF2UduaXb1vL62XR/Ht3jckmx+A2id5oKDJFm8Sjfu8twL5RkNHcQehKvutIi8Zp9AFB62YRj8cZJhc626h1tzsc9bQmRBiZ5GfLh2hiRMHpX+1U1IOc71+xeFApIGrNeKzZ3IHy39f6EtGOp+0mp0X54dNb45QddnFyG2uT6EwIDAQAB"

Public key used for verification: mail._domainkey.domain2.com (1024 bits)

----------------------------------------
Sender-ID check details:
----------------------------------------
Result: pass
ID(s) verified: [email protected]
DNS record(s):
  domain2.com. SPF (no records)
  domain2.com. 85375 IN TXT "v=spf1 +a +mx ?all"
  domain2.com. 85375 IN A ip2

----------------------------------------
SpamAssassin check details:
----------------------------------------
SpamAssassin v3.4.0 (2014-02-07)

Result: ham(-2.0 points, 5.0 required)

pts rule name  description
----------------------------------------
-0.0 SPF_HELO_PASS  SPF: HELO matches SPF record
-0.0 SPF_PASS  SPF: sender matches SPF record
0.0 RP_MATCHES_RCVD  Envelope sender domain matches handover relay domain
-1.9 BAYES_00  BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
-0.1 DKIM_VALID_AU  Message has a valid DKIM or DK signature from author's domain
0.1 DKIM_SIGNED  Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID  Message has at least one valid DKIM or DK signature

Can you please tell me what i am missing, what is wrong with my configuration and how i can fix it...

I dont know if you guys need master.cf or main.cf so i am sending all just to be sure...

Master.cf

smtp  inet  n  -  n  -  -  smtpd
pickup fifo n - n 60 1 pickup
cleanup  unix  n  -  n  -  0  cleanup
qmgr fifo n - n 1 1 qmgr
tlsmgr  unix  -  -  n  1000?  1  tlsmgr
rewrite  unix  -  -  n  -  -  trivial-rewrite
bounce  unix  -  -  n  -  0  bounce
defer  unix  -  -  n  -  0  bounce
trace  unix  -  -  n  -  0  bounce
verify  unix  -  -  n  -  1  verify
flush  unix  n  -  n  1000?  0  flush
proxymap  unix  -  -  n  -  -  proxymap
proxywrite unix -  -  n  -  1  proxymap
smtp  unix  -  -  n  -  -  smtp
relay  unix  -  -  n  -  -  smtp
showq  unix  n  -  n  -  -  showq
error  unix  -  -  n  -  -  error
retry  unix  -  -  n  -  -  error
discard  unix  -  -  n  -  -  discard
local  unix  -  n  n  -  -  local
virtual  unix  -  n  n  -  -  virtual
lmtp  unix  -  -  n  -  -  lmtp
anvil  unix  -  -  n  -  1  anvil
scache  unix  -  -  n  -  1  scache
plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser argv=/usr/lib64/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
mailman unix - n n - - pipe flags=R user=mailman:mailman argv=/usr/lib64/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}

plesk_saslauthd unix y y n - 1 plesk_saslauthd status=5 listen=6 dbpath=/var/spool/postfix/plesk/passwd.db
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes
submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=may -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

plesk-domain1.com-ip1- unix - n n - - smtp -o smtp_bind_address=ip1 -o smtp_bind_address6= -o smtp_address_preference=ipv4 -o smtp_helo_name=domain1.com
plesk-domain2.com-ip2- unix - n n - - smtp -o smtp_bind_address=ip2 -o smtp_bind_address6= -o smtp_address_preference=ipv4 -o smtp_helo_name=domain2.com

Main.cf

smtpd_banner= $myhostname ESMTP $mail_name
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = all
inet_protocols = all
mydestination = localhost.$mydomain, localhost, localhost.localdomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
mynetworks = , 127.0.0.0/8, 127.0.0.1/32, [::1]/128
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:30
virtual_gid_maps = static:31
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:12768, inet:127.0.0.1:8891
non_smtpd_milters =
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
message_size_limit = 102400000
smtp_tls_protocols = TLSv1,TLSv1.1,Tlsv1.2,!SSLv2,!SSLv3
smtpd_tls_mandatory_protocols = TLSv1,TLSv1.1,Tlsv1.2,!SSLv2,!SSLv3
mailbox_size_limit = 0
virtual_mailbox_limit = 0
myhostname = ns.domain1.com
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = HIGH:!aNULL:!MD5smtp_bind_address = ip1

 

[UFHH01]

Hi slayer1ss,

in most cases, you setup your reverse DNS - entries over the Control Panel from your domain provider. Some provider charge an extra amount for rDNS - entries.
If you don't have a control panel for rDNS - entries from your domain provider, please consider to ask your server provider, how to setup rDNS - entries, because the initial nameserver for your rented IP is not your rented server, but the nameservers from your provider.

To be more clear:

185.86.15.202 reverses to ns.century21.com.tr and not to any other domain.
​

If someone tries to connect to "185.86.15.202" it states clearly, that you are connected to "ns.century21.com.tr", which could as well be included in your SPF - entries:

actual entry:

"v=spf1 +a +mx ?all"​

preferred entry:

"v=spf1 +a +mx +a:ns.century21.com.tr +ip4:185.86.15.202 ?all"​

You could as well consider to change the host - name of your server ( /etc/hosts ) or define some more entries, as for example:

127.0.0.1    localhost.localdomain    localhost
185.86.15.202    server1.audiophile.org    server1
127.0.0.1    server1.audiophile.org    server1

...while the definition "server1" might be what ever you choose. I addition, you would change then as well your file "/etc/hostname" from "ns.century21.com.tr" to "server1.audiophile.org".

 

[slayer1ss]

Hi, first of all thank you for your response... You are right, cant believe how i didnt think of that, after all ns.domain1.com is defined as ip1 at dns records so how can it be defined to 8 ip addresses... I told my hosting provider to change rdns record of ip2 to ns.domain2.com but since this ip address will be hosting about 10 other domains will i have to do anything else? I guess rDNS will not be a problem for this ip address anymore but will below errors come again for other domains on this ip address? Also do i have to add records to /etc/hosts or defining rDNS correctly be enough?

- Delivered to internal network by a host with no rDNS
- Reverse DNS does not contain the hostname

 

[UFHH01]

Hi slayer1ss,

please just try the recommendations ( as well the one for your SPF - TXT - setup ) and wait for the update of your reverse DNS - entry. You will then notice IF the resolutions work for you.
If you still experience any issues afterwards, please post another actual link from mail-tester.com, so that further investigations and other suggestions could be made.

 

[slayer1ss]

Appearently i had to change master.cf for postfix to give correct hostname's to their ip addresses so i changed
smtp inet n - n - - smtpd
to

127.0.0.1:smtp inet n - n - - smtpd
ip1:smtp inet n - n - - smtpd
ip2:smtp inet n - n - - smtpd -o myhostname=ns.domain2.com

This helped me get rid of mxtoolbox error since now it shows correct SMTP Banner but mail-tester still complains with below error
- Delivered to internal network by a host with no rDNS
Btw if there was a place on ip adding screen or mail server settings to change these values i think it would be great...

Edit:
Nevermind, i manage several servers but i never ever in my life restarted spamassassin service had always restarted postfix, dont know how it came to me so for the first time i restarted spamassassin service and mail-tester seems to be happy with me, score is 10/10, thank you for your helps...

Here is a mail-tester report -> http://www.mail-tester.com/web-G2rZEz

 

[UFHH01]

Hi slayer1ss,

please have a look at "/etc/mailname" ... does is still contain your old setting? If yes, please change it as well, like you did in "/etc/hostname".

Please be aware that DNS - changes may take up 48 hours, untill even the last DNS - server uses the new setting for "185.86.15.202". For me, your IP reverses now to "ns.audiophile.org.".


But your MX is still set to "audiophile.org. MX 86400 10 mail.audiophile.org." and your SPF is still set to "v=spf1 +a +mx ?all", which is not like suggested. After your change, the new SPF - suggestion would be:

"v=spf1 +a +mx +a:ns.audiophile.org +ip4:185.86.15.202 ?all"​

If you changed mailname, hostname and hosts. Please consider to use equal settings, in order to avoid failures.

 

[slayer1ss]

I guess you wrote last message while i was editing mine I reverted /etc/hosts and spf record to way it was because it started working without them... I am the kind of guy that always finds 1 extra screw when re-assembling stuff so i thought what the hell why would i need them if it is working this way...

Would changing spf record to way you suggested make any difference for spam filters?

 

[UFHH01]

Hi slayer1ss,

correct settings are always better and avoid possible issues/failures/problems. A discussion about all possible issues will take much longer, than setting correct values... but it's YOUR choice and YOUR server... and YOUR time, that is needed to investigate issues/failures/problems. - Feel free to setup what ever you like.

 

[slayer1ss]

I edited spf record like you suggested... Thank you for your help again...