Gmail Blocked Single eMail Domain - Temporary Workaround Required

Discussion in 'ISPConfig 3 Priority Support' started by mousebat, Aug 10, 2018.

  1. mousebat

    mousebat New Member HowtoForge Supporter

    Hi

    About 2 weeks ago - unbeknownst to myself - one of my users' accounts was hacked (even with a strong password!) and for days we were sending spam. I've since changed the password and increased the strength of our firewalls with FireHOL blacklists etc...

    Within 24 hours I'd removed our IPs from every RBL going but we're still, 2 weeks later, having trouble with this particular domain not being able to send email to any gmail mx's. The domain is verified with Google Postmaster Tools and I have valid DKIM, SPF and DMARC records. All other domains are functioning fine but the previously hacked domain is still bouncing with this message:
    I have another domain I could use temporarily whilst we wait for the reputation to rebuild (I've seen this take over a month in some cases). Is there a way to have all email from our problem domain, to gmail's mx's, rewritten to use another "fresh" domain? The fresh domain would of course have to have correct SPF and DKIM records (DKIM through amavis?). I could set up email aliases for each user's address so mail replied to on the fresh domain could be forwarded to the main domain, offering the users a seamless solution.

    The problem is compounded as some people tend to use gmail's G-Suite to send and receive email for their own domains so it would probably have to target gmail's mx's?

    Many thanks in advance

    Elliot
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    That GMail return message tells you your server is still sending spam. My guess is the mails are in mail queue, and are still being delivered, or trying to be delivered.
    Check as root on the mail server host with command
    Code:
    mailq
    
    how many and what messages you have in the queue.
    You can see the contents of the message using the 10 character ID code, it is the first word on the lines mailq prints. Use it like this:
    Code:
    postcat /var/spool/postfix/deferred/C/C1C4480322
    That is from Debian GNU/Linux 9.5, if you run some other operating system it may be in some other directory.
    Then if you want to remove stuff from mailq, there is a nifty pfdel.perl script. My copy was installed by the previous maintainer, but using Internet Search Engines now I found this: http://www.ustrem.org/en/articles/postfix-queue-delete-en/
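
The queue check described in the post above, as an added example that is not part of the original thread: two awk helpers that group `mailq` output by envelope sender and list the queue IDs for one sender, run here on a constructed sample listing. The function names and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: summarise Postfix `mailq` output by envelope sender.

# Constructed sample in the layout mailq prints (not real queue data).
sample_mailq() {
cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5     2154 Fri Aug 10 09:12:01  user1@foo.example
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         someone@example.net

A1B2C3D4E6*    1830 Fri Aug 10 09:12:05  user1@foo.example
                                         other@example.org

A1B2C3D4E7!    3012 Fri Aug 10 09:13:44  user2@bar.example
                                         third@example.com

A1B2C3D4E8     4410 Fri Aug 10 09:14:10  MAILER-DAEMON
(delivery temporarily suspended)
                                         user1@foo.example

-- 11 Kbytes in 4 Requests.
EOF
}

# An entry line is: queue ID (optionally suffixed "*" = active, "!" = hold),
# size, weekday, month, day, time, sender. Reason and recipient lines and the
# header/footer do not match this shape and are skipped.
ENTRY='$1 ~ /^[0-9A-Za-z]+[*!]?$/ && $2 ~ /^[0-9]+$/ && NF == 7'

# Print "<count> <sender>", busiest sender first.
queue_by_sender() {
    awk "$ENTRY"' { n[$7]++ } END { for (s in n) print n[s], s }' |
        LC_ALL=C sort -k1,1nr -k2,2
}

# Print the queue IDs (status suffix removed) for one envelope sender,
# ready to be inspected one at a time with `postcat -q <ID>`.
ids_for_sender() {
    awk -v who="$1" "$ENTRY"' && $7 == who { sub(/[*!]$/, "", $1); print $1 }'
}

sample_mailq | queue_by_sender
sample_mailq | ids_for_sender user1@foo.example
```

On a live server, pipe `mailq` into the functions in place of `sample_mailq`; one sender holding most of the queue is the pattern a compromised account leaves behind.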
     
  3. mousebat

    mousebat New Member HowtoForge Supporter

    We've definitely cured our problem and there is no mail in the mail queue other than genuine email. As I said before, we've cured the problems we were facing about 2 weeks ago and we're still blacklisted, only on gmail's mx's.

    It's well documented how draconian gmail is with their blanket domain bans, this poor chap was on one for 34 days!
    https://productforums.google.com/forum/#!topic/gmail/ZmmC4bdo428
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

  5. mousebat

    mousebat New Member HowtoForge Supporter

    Other domains hosted on our server (IP?) are unaffected, it's literally just one domain. I basically need mail destined for a Google hosted MX and coming from @foo.com to be rewritten to come from @bar.com (with @bar.com's SPF's, DKIM etc...)
     
    Last edited: Aug 10, 2018
  6. mousebat

    mousebat New Member HowtoForge Supporter

    Is there a way of using a combination of sender_dependent_transport_maps and check_recipient_mx_access to route all outgoing email from @mydomain destined for a google.com MX through my g-suite account?

    I thought about having a sender_dependent_transport_maps map like this:
    @mydomain.com gmail_transport:

    Then in master.cf:
    gmail_transport unix - - n - - smtp
    -o smtpd_recipient_restrictions = check_recipient_mx_access hash:/etc/postfix/outbound_mx

    Then in main.cf outbound_mx:
    *google.com FILTER smtp-relay.gmail.com:25

    I've no idea how the "Email Routing" tab works - I'm guessing this is the GUI for the sender_dependent_transport_maps?
     
  7. mousebat

    mousebat New Member HowtoForge Supporter

    Ok - just worked out the whole email routing tab - I rtfm'd :D

    Will the gmail_transport service I specify in the master.cf that includes the option check_recipient_mx_access work to forward all outgoing mail that is destined for a google hosted mx through my google account and the rest just drop into the normal transport?

    Feel like I'm so close to a solution here!
     
  8. mousebat

    mousebat New Member HowtoForge Supporter

    Ok - one other question I can't answer from the manual:

    In email routing, how do I specify the name of the "custom" type of transport?
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    If I remember correctly, the name goes into the target field in that case.
     
  10. mousebat

    mousebat New Member HowtoForge Supporter

    Ok so I populated the fields like this:

    Server: MyServer (I only have one!)
    Domain: [email protected] (I just want to test with my email address not the whole domain)
    Type: custom
    Destination: gmail_transport
    Sort By: 5 (I've no other transport rules)
    Active: checked

    In my master.cf:
    Code:
    gmail_transport unix    -       -       n       -       -       smtp
            -o smtpd_recipient_restrictions=check_recipient_mx_access hash:/etc/postfix/outbound_mx,permit_sasl_authenticated,reject
            -o syslog_name=gmail-transport
    I've restarted postfix but when I send email it doesn't appear to be picking up the transport/service (no log entries for gmail-transport).
     
  11. mousebat

    mousebat New Member HowtoForge Supporter

    Also if I try and send mail to myself from another email address the mail is deferred:
    ...status=deferred (mail transport unavailable)
     
  12. mousebat

    mousebat New Member HowtoForge Supporter

    Ok I've established that master.cf does not like the space that is required in between "check_recipient_mx_access" and the reference to the hash, inserting a comma between removes the warning.
     
    Last edited: Aug 15, 2018
  13. mousebat

    mousebat New Member HowtoForge Supporter

    Really can't get this working, in the logs postfix doesn't even attempt to use the transport except for mail inbound from google!
     
    Last edited: Aug 15, 2018
  14. mousebat

    mousebat New Member HowtoForge Supporter

    Now I've changed the Email Routing with these settings, just to take the custom service out of the loop:

    Domain: [email protected]
    Type: SMTP
    No MX-Lookup: (unchecked)
    Destination: smtp-relay.gmail.com
    Sort by: 1
    Active (checked)

    Everything is set up fine at gmail's relay (IP is in whitelist, user is authorised to send mail without auth etc...)

    If I try and send mail to a gmail account, the mail just bounces around amavis until I get:
    554 5.4.0 Error: too many hops, dt: 1.0 ms

    I'm not so sure the Email Routing even works.

    Would really appreciate a hand with this if anyone is listening...
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    I haven't yet set up a system in the way you are trying to do it, so I can't help you that much with it.
     
  16. mousebat

    mousebat New Member HowtoForge Supporter
