Is my email being blocked?

Email sent from my website is not arriving to a few key members of a site I run, yet arrives perfectly at others.

Affected domains include aol.com and others.

My website is on the following ip:

65.19.178.[not shown]

I have tried searching but I can't seem to find out where this ip range may be blocked…

Can anyone help?

Thanks,

PM

24 Replies

You can always test mail acceptance using telnet. Example:

# telnet mailin-03.mx.aol.com smtp
Trying 64.12.137.249...
Connected to xa.mx.aol.com.
Escape character is '^]'.
220-rly-xa04.mx.aol.com ESMTP mail_relay_in-xa4.4; Mon, 21 Mar 2005 02:49:55 -0500
220-America Online (AOL) and its affiliated companies do not
220-     authorize the use of its proprietary computers and computer
220-     networks to accept, transmit, or distribute unsolicited bulk
220-     e-mail sent from the internet.  Effective immediately:  AOL
220-     may no longer accept connections from IP addresses which
220      have no reverse-DNS (PTR record) assigned.
helo mydomain.com
250 rly-xa04.mx.aol.com OK
mail from: <>
250 OK
rcpt to: <jsmith@aol.com>
250 OK
quit
221 SERVICE CLOSING CHANNEL
Connection closed by foreign host.

In this case, the 250 OK tells us everything went fine. A code in the 500s means a permanent failure, and a code in the 400s means a temporary failure.

If I had to guess what your problem is, I'd say it's the reverse DNS that the greeting says may be required. Do you have reverse DNS set up?

@Xan:

If I had to guess what your problem is, I'd say it's the reverse DNS that the greeting says may be required. Do you have reverse DNS set up?
Even if you don't set up reverse DNS, caker provides a default of the form li?-???.members.linode.com where the '?'s are digits.

Worth checking it's actually there in your case.

AOL have also started to require SPF entries for the domain.

Adam

@adamgent:

AOL have also started to require SPF entries for the domain.

Adam

Thanks for the response. Sorry if this has been covered elsewhere, but how would I go about checking for and setting SPF entries?

Thanks!

This page has information on how to set up SPF.

@pclissold:

@Xan:

If I had to guess what your problem is, I'd say it's the reverse DNS that the greeting says may be required. Do you have reverse DNS set up?
Even if you don't set up reverse DNS, caker provides a default of the form li?-???.members.linode.com where the '?'s are digits.

Worth checking it's actually there in your case.

Thank you. How exactly would I go about checking to see if my reverse DNS is working / configured?

I appreciate any help you can offer, or point me in the right direction if this has been covered.

Paul

@adamgent:

AOL have also started to require SPF entries for the domain.
If AOL require SPF entries then they are losers big time. Well, nothing new there! If AOL take advantage of SPF, if it's available, then good good good!

The SPF specs say that no SPF entries count as "unknown"; anyone rejecting mail based purely on that are losers.

AOL doesn't require SPF. They use it themselves and block if valid SPF rules exist and they prove the incoming message is forged.

SPF is easy to set up if you have control of your zone, and can add TXT records. I highly recommend it. It won't stop spam, but if everyone were to use SPF, it would certainly stop the from-address forging.

@pmmenneg:

How exactly would I go about checking to see if my reverse DNS is working / configured?

dig -x aaa.bbb.ccc.ddd

where 'aaa.bbb.ccc.ddd' is the IP address whose reverse DNS you want to check. If you get an answer containing something like: aaa.bbb.ccc.ddd.in-addr.arpa. 86400 IN PTR your.domain.com. then RDNS is working. If the reply doesn't contain an in-addr.arpa record, then RDNS is either not configured or broken.

I believe the confusion over AOL using / requiring SPF arises because they are using it for incoming mail but are about to require it for senders on their global whitelist.

To see if you're on any of the ~30 RBL lists, go to:

http://www.openrbl.org

and enter the IP address of your mail server.

If you see any positive matches, it means you're on someone's RBL list.

I believe one of Linode's upstream ISPs (ThePlanet, specifically) is on the FIVETEN RBL, so you will have at least one hit… but should not be on more than one RBL list.

Hurricane Electric seems to be listed by blackholes.us and spews level 2.

http://spews.org/html/S2100.html is quite interesting.

Anyone else want to email HE and tell them if they don't get the scum off their netblocks we don't want to deal with them directly or indirectly?

Even if we don't mean it they may do something.

You can check your IP against a long list of RBLs here as well:

http://rbls.org/

As far as I can tell, it checks against about 50 blacklists, so it should cover a lot. And as the page says, input your IP address, click the button, red means you're listed, green means you're not listed, yellow means unknown, the results are sorted with the red listings on top.

pmmenneg,

Can you post the section of your maillog that shows your mail being rejected?

That will give us more of a clue what is going on.

The problem with SPEWS has been around since the second half of 2003 - at least. SPEWS was very poorly run - they had a policy of blocking a service provider's entire address space if that provider failed to resolve a problem involving a single IP on SPEWS' terms. They did this to both The Planet and Hurricane Electric, caker took it up with them, nothing ever got resolved. Bottom line - if your correspondents have an ISP who uses SPEWS then they need a new ISP.

@sednet:

pmmenneg,

Can you post the section of your maillog that shows your mail being rejected?

That will give us more of a clue what is going on.

OK, more information. dig returns a valid reverse dns, so that looks to be working. No blocking taking place, so that is cool.

I did find something in the mail log for every single user@aol.com message:

<code>Mar 23 15:15:38 localhost postfix/smtp[5071]: 0CF3417575: to=<user@aol.com>, relay=mailin-04.mx.aol.com[64.12.137.184], delay=6, status=bounced (host mailin-04.mx.aol.com[64.12.137.184] said: 550 REQUESTED ACTION NOT TAKEN: DNS FAILURE)</code>

Any ideas? It looks like it is saying that it couldn't resolve the name, but my IP address does resolve back to mydomain.com. Could it be that mail is being sent by Postfix from mail.mydomain.com? (it appears like this in the log)

I have another entry that might indicate this…

Mar 21 18:39:09 localhost postfix/smtp[950]: E78591758D: to=<user@cox.net>, relay=mx.east.cox.net[68.1.17.3], delay=9, status=bounced (host mx.east.cox.net[68.1.17.3] said: 553 mail.mydomain.com does not exist)

I am not sure where postfix got the mail.mydomain.com from… any suggestions? Does this look like it could be the problem? I am using zoneedit to do dns routing for my domain. Do I need to add a mail.mydomain.com CNAME entry to handle and resolve this?

Thanks again everyone, you have been extremely helpful.
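The two bounce lines quoted in the post above, triaged by SMTP reply code, as an added example that is not part of the original thread. The function name `triage_bounces` is hypothetical, and the last two log lines are constructed to show the temporary and ordinary permanent cases.

```shell
#!/bin/sh
# Added example, not from the thread. The first two lines are the bounces quoted
# above; the last two are constructed to show the other classes.
SAMPLE_LOG='Mar 23 15:15:38 localhost postfix/smtp[5071]: 0CF3417575: to=<user@aol.com>, relay=mailin-04.mx.aol.com[64.12.137.184], delay=6, status=bounced (host mailin-04.mx.aol.com[64.12.137.184] said: 550 REQUESTED ACTION NOT TAKEN: DNS FAILURE)
Mar 21 18:39:09 localhost postfix/smtp[950]: E78591758D: to=<user@cox.net>, relay=mx.east.cox.net[68.1.17.3], delay=9, status=bounced (host mx.east.cox.net[68.1.17.3] said: 553 mail.mydomain.com does not exist)
Mar 23 15:20:01 localhost postfix/smtp[5102]: 1A2B3C4D5E: to=<user@example.net>, relay=mx.example.net[192.0.2.25], delay=4, status=deferred (host mx.example.net[192.0.2.25] said: 451 try again later)
Mar 23 15:21:40 localhost postfix/smtp[5110]: 2B3C4D5E6F: to=<nobody@example.org>, relay=mx.example.org[192.0.2.26], delay=2, status=bounced (host mx.example.org[192.0.2.26] said: 550 user does not exist)'

# triage_bounces HELO_NAME: read Postfix smtp log lines on stdin and print
# "recipient relay code class" for every bounced or deferred delivery.
triage_bounces() {
    awk -v helo="$1" '
    /postfix\/smtp\[/ && /status=(bounced|deferred)/ {
        rcpt = "?"; relay = "?"; code = "?"; reply = ""; class = "unknown"
        if (match($0, /to=<[^>]*>/))   rcpt  = substr($0, RSTART + 4, RLENGTH - 5)
        if (match($0, /relay=[^,[]+/)) relay = substr($0, RSTART + 6, RLENGTH - 6)
        if (match($0, /said: [45][0-9][0-9]/)) {
            code  = substr($0, RSTART + 6, 3)
            reply = substr($0, RSTART + 10)
        }
        if (code ~ /^4/) class = "temporary"      # 4xx: receiver asks to retry
        if (code ~ /^5/) class = "permanent"      # 5xx: receiver refused for good
        # Refusals that name the HELO host or cite DNS point at the sender side.
        if (code ~ /^5/ && (reply ~ /DNS FAILURE/ || (helo != "" && index(reply, helo))))
            class = "sender-dns"
        print rcpt, relay, code, class
    }'
}

printf '%s\n' "$SAMPLE_LOG" | triage_bounces mail.mydomain.com
```

On a live server the same function can read the mail log directly, with the value of `myhostname` as its argument.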

mydomain.com is one of the examples in the default postfix files.

Take a look through main.conf, you will probably find it in there, update it to the correct domain.

Adam

@adamgent:

mydomain.com is one of the examples in the default postfix files.

Take a look through main.conf, you will probably find it in there, update it to the correct domain.

Adam

It is the correct domain… I was using mydomain.com in place of my real domain, as I didn't want to spam my domain here looking for attention.

Anyone else know why mail. is getting appended to my outgoing mail?

Check the output of: postconf | grep -E '^myhostname|^smtp_helo_name'
Parameter myhostname defaults to the value obtained from the gethostname() function (the value in /etc/hostname dot concatenated with the value in /etc/dnsdomainname, on most systems).

Parameter smtp_helo_name defaults to the same as myhostname.

Whatever names you have for these two parameters need to be resolvable in the DNS.

It was an improperly configured dns. I added mail.mydomain.com as a CNAME and it cleared the problem right up (mail.mydomain.com was being rejected when the receiving server could not resolve it…)

Thanks everyone!

Don't use CNAMES for mail servers. Use A records.

The RFCs say use A records and if you don't some mailers will not exchange mail with you.

Yep, a good rule of thumb is that anything that goes in the "header" portion of your zone (that is, MX, NS, etc) should never point to a CNAME. Only A records. It's amazing how much weirdness and breakage it can cause in seemingly unrelated areas.
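The checks discussed in this thread (HELO name resolvable, A record rather than CNAME, PTR present) combined into one preflight, as an added example that is not part of the original posts. The function names and the `ZONE` sample records are constructed for illustration, and the forward-confirmation step goes one step beyond the `dig -x` check described above.

```shell
#!/bin/sh
# Added example, not from the thread. ZONE is constructed sample data in
# "name type value" form so the check runs offline; empty it to query live DNS.
ZONE='example.com A 192.0.2.10
mail.example.com CNAME example.com.
mx1.example.com A 192.0.2.10
10.2.0.192.in-addr.arpa PTR mx1.example.com.
11.2.0.192.in-addr.arpa PTR gone.example.com.'

# lookup TYPE NAME: print the values of matching records, one per line.
lookup() {
    if [ -n "$ZONE" ]; then
        printf '%s\n' "$ZONE" | awk -v t="$1" -v n="$2" '$1 == n && $2 == t { print $3 }'
    else
        dig +short -t "$1" "$2"
    fi
}

# helo_preflight HELO_NAME SENDING_IP: print one verdict word.
helo_preflight() {
    name=$1
    ip=$2
    verdict=ok
    target=$(lookup CNAME "$name" | head -n 1)
    if [ -n "$target" ]; then
        verdict=helo-is-cname       # resolves, but the thread advises an A record
        name=${target%.}
    fi
    if [ -z "$(lookup A "$name")" ]; then
        echo helo-unresolvable      # what "553 ... does not exist" was reporting
        return 0
    fi
    rev=$(echo "$ip" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }')
    ptr=$(lookup PTR "$rev" | head -n 1)
    if [ -z "$ptr" ]; then
        echo ptr-missing            # same question "dig -x" answers
        return 0
    fi
    # Forward-confirm: the PTR name must have an A record for the sending IP.
    if ! lookup A "${ptr%.}" | grep -qxF "$ip"; then
        echo ptr-unconfirmed
        return 0
    fi
    echo "$verdict"
}

helo_preflight mail.example.com 192.0.2.10   # prints: helo-is-cname
```

Run it with the value of `smtp_helo_name` from `postconf` and the server's public IP; any verdict other than `ok` is worth fixing before looking at blacklists.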

Or, you can use A records for everything, like me.

Never heard a good argument as to why not.

@Jay:

Or, you can use A records for everything, like me.

Never heard a good argument as to why not.

Ok, I can't resist.

Suppose you have a web server that serves a large number of websites on the same IP. They are different sites for different people. You need to change the IP of your server for whatever reason.

If you use A records only you have to make a lot of dns changes to fix this.

Anyone can write a one liner to change a hundred instances of to , increment the serial, HUP named, and you're done.

If you have a hundred DNS zone files you can write a little loop to do the same thing to each file.

But, what if you don't control all the zonefiles. What if you need to email or phone a hundred different people to get the changes made to their zonefiles. In that case using CNAMES would save you quite a lot of time.
