Emails not delivered to microsoft mailservers (Outlook,live,hotmail etc)

Discussion in 'ISPConfig 3 Priority Support' started by sheshes, Jun 13, 2019.

  1. sheshes

    sheshes Member

    Hi guys,

    For the past feww weeks I am experiencing a very strange problems with my mailserver.

    All mail sent to outlook.com, live.com, hotmail.com and all domains using 365 or outlook as mailservers are silently discarded by the recipient. There are no queued mail in postfix and all no blacklists (besides the abandoned lngsblock). All tests with various tools score our domains with 8 or 9/10 and spf, ptr, dmarc and dkim are properly setup.

    Furthermore all mail sent to us are received and if we reply on any of them then the mail is delivered correctly.

    I have contacted microsoft 10 times, filling up the investigation form which in return replied that the ip cannot be mitigated (meaning there isnt any fault found)

    My only suspicion is that my postfix setup is not following microsoft best practises or policies but I cannot figure it out.

    Any help will be tremendously appriaciated.

    Thanks
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Which exact errors do you get in the mail.log file? Have you setup spf records for the domain and did you enable dkim?
     
  3. sheshes

    sheshes Member

    No errors what so ever in mail.log.

    SPF records are in place as well as dkim. this is also proven in mxtoolbox lookup.
     
  4. sheshes

    sheshes Member

    I am using multiple domains each one with unique DKIM key, dmarc & spf record as well as PTR record. My clients use the main domain to send from different domains, e.g mail.domain.com is the mail server domain and mail is sent from [email protected]; does this affect the constant blacklisting? as they think that multiple dkim keys are sending through 1 mailserver with different dkim key?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    That's the normal setup and will not cause a blacklisting.
     
  6. sheshes

    sheshes Member

    Till I ll explain my setup and maybe you will understand if I messed things up.

    I have a multiserver setup (web.domain.com,mail.domain.com,db.domain.com,ns1.nameserver.com,ns2.nameserver.com)

    I have setup several domains under these server and I am using mail.domain.com to send and receive emails from 10 of these domains and I use mail.specificdomain.com for specificdomain.com only. Each domain has the following DNS records setup:

    A www
    A mail
    A webmail
    A domain
    A ns1
    A ns2
    MX mail.domain.com
    ns xx.xx.x.xx.in-addr ns1.nameserver.com
    ns xx.xx.x.xx.in-addr ns2.nameserver.com
    ns domain ns1.nameserver.com
    ns domain ns2.nameserver.com
    PTR xxx xx.x.xx.in-addr.arpa
    TXT *._report._dmarc.domain.com. V=DMARC1
    DMARC (quarantine)
    DKIM
    SPF v=spf1 mx a ip4:xx.xx.x.xxx ~all

    Furthermore each domainn has a Let's encrypt cert issued and renewed every 3 months.

    Deliverability score is between 8-9.5/10, mxtoolbox gives only 1 warning of both ns servers are onn the same subnet.

    What am I doing wrong and microsoft and sometimes gmail gives us hard time?

    thx
     
  7. concept21

    concept21 Member

    Your IP? :rolleyes:
     
  8. sheshes

    sheshes Member

    69.6.31.170
     
  9. loonatik

    loonatik New Member HowtoForge Supporter

  10. sheshes

    sheshes Member

    After A LOT of digging, my ISP figured out that Microsoft is blocking a segment of the subnet and apparently there is a mechanism between Microsoft and ISPs to delist the blacklisted IP. So this issue has been partly resolved, BUT somethings need to be done so that this wont happen again. I am currently in LOST mode and I would like someone to check my configuration if anything I left out or I did somethinng wrong. (please ignnore the relay option as this is being used temporarily until the IP issue is resolved and the mailserver is configured correctly.

    Code:
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    append_dot_mydomain = no
    biff = no
    body_checks = regexp:/etc/postfix/body_checks
    broken_sasl_auth_clients = yes
    compatibility_level = 2
    content_filter = amavis:[127.0.0.1]:10024
    disable_vrfy_command = yes
    dovecot_destination_recipient_limit = 1
    greylisting = check_policy_service inet:127.0.0.1:10023
    header_checks = regexp:/etc/postfix/header_checks
    html_directory = /usr/share/doc/postfix/html
    inet_interfaces = all
    inet_protocols = all
    invalid_hostname_reject_code = 554
    mailbox_size_limit = 0
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    message_size_limit = 0
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    multi_recipient_bounce_reject_code = 554
    mydestination = mail.occhio.com.cy, localhost, localhost.localdomain
    myhostname = mail.occhio.com.cy
    mynetworks = 127.0.0.0/8 [::1]/128
    myorigin = /etc/mailname
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    non_fqdn_reject_code = 554
    owner_request_special = no
    policy-spf_time_limit = 3600s
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
    readme_directory = /usr/share/doc/postfix
    receive_override_options = no_address_mappings
    recipient_delimiter = +
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_domains_reject_code = 554
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    relayhost = mail-out.cablenet.com.cy
    sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
    smtp_tls_exclude_ciphers = EXP,MEDIUM,LOW,MD5,DES,ADH,RC4,PSD,SRP,3DES,eNULL,aNULL
    smtp_tls_loglevel = 2
    smtp_tls_mandatory_ciphers = high
    smtp_tls_mandatory_exclude_ciphers = EXP,MEDIUM,LOW,MD5,DES,ADH,RC4,PSD,SRP,3DES,eNULL,aNULL
    smtp_tls_mandatory_protocols = !TLSv1,!SSLv2,!SSLv3
    smtp_tls_protocols = !TLSv1,!SSLv2,!SSLv3
    smtp_tls_security_level = may
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_banner = $myhostname ESMTP $mail_name Linux
    smtpd_client_message_rate_limit = 100
    smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_delay_reject = yes
    smtpd_error_sleep_time = 1s
    smtpd_hard_error_limit = 20
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo regexp:/etc/postfix/helo.regexp
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_rbl_client cbl.abuseat.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client dsn.rfc-ignorant.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client combined.rbl.msrbl.net, reject_rbl_client rabl.nuclearelephant.com, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, reject_unknown_recipient_domain, check_policy_service unix:private/policy-spf
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    smtpd_restriction_classes = greylisting
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_path = private/auth
    smtpd_sasl_type = dovecot
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re, reject_authenticated_sender_login_mismatch, reject_sender_login_mismatch, reject_unlisted_sender, reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
    smtpd_soft_error_limit = 10
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_exclude_ciphers = EXP,MEDIUM,LOW,MD5,DES,ADH,RC4,PSD,SRP,3DES,eNULL,aNULL
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_loglevel = 2
    smtpd_tls_mandatory_ciphers = high
    smtpd_tls_mandatory_exclude_ciphers = EXP,MEDIUM,LOW,MD5,DES,ADH,RC4,PSD,SRP,3DES,eNULL,aNULL
    smtpd_tls_mandatory_protocols = !TLSv1,!SSLv2,!SSLv3
    smtpd_tls_protocols = !TLSv1,!SSLv2,!SSLv3
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    strict_rfc821_envelopes = yes
    tls_preempt_cipherlist = yes
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    unknown_address_reject_code = 554
    unknown_client_reject_code = 554
    unknown_hostname_reject_code = 554
    unknown_local_recipient_reject_code = 554
    unknown_relay_recipient_reject_code = 554
    unknown_virtual_alias_reject_code = 554
    unknown_virtual_mailbox_reject_code = 554
    unverified_recipient_reject_code = 554
    unverified_sender_reject_code = 554
    virtual_alias_domains =
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
    virtual_mailbox_base = /var/vmail
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_transport = dovecot
    virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
    Any hhelp will greatly be appreciated
     
  11. sheshes

    sheshes Member

    till any views on this?
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Looks ok to me. The server is located in a data center and has a dedicated external IP?
     
  13. sheshes

    sheshes Member

    Yes the server is located in my data center and has the dedicated IP for office use and ISPconfig. The guest network is forwarded to a different static ip

    Talking with my ISP, it's a matter of spoofing. No infections exists in our network, and the logs of the ISP's mailserver which I relay show other ips trying to send as our emails.
     

Share This Page