What's the FSL_HELO_FAKE email spam penalty?

I'm using nodemailer with Gmail OAuth authentication to send emails on behalf of my customers.
When running a mail spam test on a mail that is sent from a personal Gmail account, I'm getting a 3.6 penalty on the FSL_HELO_FAKE rule.
Looking anywhere online, I couldn't find a description for this rule.
I'd love to get help understanding this rule and what needs to be done to avoid triggering it for other customers.

I found this article that generally describes it.
https://flylib.com/books/en/3.44.1.28/1/
From what I've gathered, it basically means that you are sending Gmails NOT FROM Gmail.
3.4.2 20_fake_helo_tests.cf
This file defines a set of rules that use the eval test check_for_rdns_helo_mismatch(). This test takes two arguments: a regular expression pattern to match against the reverse DNS lookup of the connecting client's IP address, and a regular expression pattern to match against the hostname provided by the client in the SMTP HELO command. Spammers often use mail programs that forge the HELO hostname, and these tests look for such forgeries when the clients have hostnames that match those of major commercial ISPs. Here's an example of a test from this file:
header FAKE_HELO_AOL eval:check_for_rdns_helo_mismatch("aol\.com","aol\.com")
describe FAKE_HELO_AOL Host HELO did not match rDNS: aol.com
This test matches if the client connects from an IP address that reverse-resolves to an aol.com hostname but claims in the HELO to have a hostname that does not match "aol.com". These tests are applied to all of the Received headers from untrusted relays.
You can use this eval test to reject messages that claim, in their HELO, to be from your own host.
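To make the quoted description concrete, here is an added example (not from the answer, the book, or SpamAssassin itself) that applies the check_for_rdns_helo_mismatch logic to a few constructed Received headers; FAKE_HELO_GOOGLE is a hypothetical rule name and all addresses are TEST-NET values.

```python
import re
from typing import List, Optional, Tuple

# Constructed Received headers (not taken from the post) in the common MTA shape
# "from <HELO name> (<rDNS name> [<ip>])"; addresses are TEST-NET values.
RECEIVED_HEADERS = [
    "from mail-wr1-f41.google.com (mail-wr1-f41.google.com [192.0.2.41])",
    "from friendlyhost.example (smtp-out-12.aol.com [198.51.100.12])",
    "from mail.aol.com (cpe-12.dsl.example.net [203.0.113.9])",
    "from relay.example.net (unknown [203.0.113.77])",
]
# (rule name, rDNS pattern, HELO pattern); FAKE_HELO_AOL is the book's example,
# FAKE_HELO_GOOGLE is a hypothetical rule named here for illustration only.
RULES: List[Tuple[str, str, str]] = [
    ("FAKE_HELO_AOL", r"aol\.com", r"aol\.com"),
    ("FAKE_HELO_GOOGLE", r"google\.com", r"google\.com"),
]
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
)

def domain_matches(pattern: str, name: str) -> bool:
    """Match the pattern as a whole label suffix of the hostname, so 'aol\\.com'
    matches 'smtp.aol.com' but not 'aol.com.attacker.example'."""
    return re.search(r"(?:^|\.)(?:" + pattern + r")$", name, re.IGNORECASE) is not None

def check_for_rdns_helo_mismatch(rdns: Optional[str], helo: str,
                                 rdns_pattern: str, helo_pattern: str) -> bool:
    """True when the client's rDNS belongs to the ISP but its HELO does not,
    which is what the quoted description says the eval test looks for."""
    if not rdns:
        return False  # no rDNS recorded by the receiving MTA: nothing to compare
    return domain_matches(rdns_pattern, rdns) and not domain_matches(helo_pattern, helo)

def parse_received(header: str) -> Optional[Tuple[str, Optional[str], str]]:
    """Return (helo, rdns_or_None, ip) from a Received header, or None if unparsable."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    rdns = m.group("rdns")
    return m.group("helo"), (None if rdns in (None, "unknown") else rdns), m.group("ip")

def hits_for(headers: List[str], rules=RULES) -> List[str]:
    """Rules firing on any header; SpamAssassin runs these over every Received
    header added by an untrusted relay."""
    hits = []
    for helo, rdns, _ip in filter(None, map(parse_received, headers)):
        hits += [n for n, rp, hp in rules if check_for_rdns_helo_mismatch(rdns, helo, rp, hp)]
    return hits
```

Only the second header fires: its rDNS is an aol.com host while its HELO claims something else; the third header (HELO claims aol.com, rDNS elsewhere) is a different forgery class that this particular test does not cover.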


How to setup minimal smtp server on localhost to send messages to other smtp servers

Honestly, I think I have a fundamental gap in understanding how SMTP works. I can't seem to find a good explanation of what is happening behind the scenes and I think this is preventing me from being able to do what I am attempting to do.
To explain, I'm trying to setup an application which sends notifications to users by connecting to an SMTP server. Fair enough. I figure, since I'm using my own domain, I have SPF/DKIM/DMARC configured, I can add an MX record for the host I set the application up on (my SPF record has the mx keyword to authorize any hosts in my MX records to send/receive mails). Then, I can have that same host run a super lightweight SMTP server that can accept mails from the application, and send them on to recipients.
Almost crucially, I want this server to basically just run on localhost so that only this application can connect and send mails through it, but so that it can't really "receive" mails sent to my domain (I have set the MX priority very low (well, a high number) for this app server). I figure since I'm running my own SMTP server, that I don't really need to authenticate against it (it's running on localhost), just take in any mail and send it on to recipient domains.
When sending on to recipient domains... does the SMTP server need to authenticate to, say, the Gmail SMTP server as a user in order to send mails over there? That seems weird, since it's not a user logging into Gmail to send mails, it's an SMTP server that is authorized within SPF sending mail from my domain (From address from my domain as well) to wherever the app server user's email is based (in this example, the user would be e.g. some_user@gmail.com).
I tried using Python's aiosmtpd command line and telnet to send a mail from test@MY_DOMAIN.TLD to test@MY_DOMAIN.TLD and it didn't seem to deliver the message; I figured aiosmtpd would connect to the preferred MX servers for my domain (my "real" MXs) to transfer the message, which would then put it in my inbox. That didn't seem to be the case, and I'm not sure why.
Exact repro steps, where example.com is my domain, and terminals are running on a box with a hostname listed in my MX records.
Terminal A:
$ aiosmtpd -n
Terminal B:
$ telnet localhost 8025
EHLO <example.com>
MAIL FROM: test@example.com
RCPT TO: test@example.com
DATA
FROM: Application Notifications <test@example.com>
TO: User Name <test@example.com>
SUBJECT: App Notify Test
This is a test!
.
QUIT
How do SMTP servers normally send mail between each other? Do they each get some login to each other's SMTP servers to authenticate with, and since I'm not doing that, this is a problem? Can I run a SMTP server on localhost and have it send mail out of the network without receiving mails (a no-reply service)? Is there something obvious that I'm just missing here that solves all my problems?
Thanks
It sounds like you want to run a mail transfer agent (MTA) that relays email to remote SMTP servers. An MTA will typically act as an SMTP server to receive messages, and then it will act as an SMTP client when it relays the messages to remote hosts.
MTAs generally operate in two different modes: (1) they will relay messages from authenticated users to remote hosts, and (2) they will receive messages from remote hosts to their users and store them somehow. The combination of those two modes - where the MTA will accept messages from remote hosts and relay them to different remote hosts - is called an open relay and is sure to attract spammers and place your server on spam blacklists.
aiosmtpd is not an MTA or an email relay out of the box - it is merely an SMTP server that will receive messages and do whatever with the messages you program it to do. By default it will do nothing - that is, it will receive the messages and throw them away. If you want to implement an email relay in aiosmtpd, then you need to implement the SMTP client portion of the MTA, e.g. by implementing an aiosmtpd handler that instantiates smtplib.SMTP to connect to remote hosts.
However, if all you want is an email relay, then you most likely don't need aiosmtpd at all - postfix is probably a better choice.
aiosmtpd can be a good choice if you need to implement mailing list software or perform some automation tasks based on incoming emails from e.g. cameras or scanners.
If you want to implement an email relay in aiosmtpd, then you need to ensure that both the software and your server are configured in a way that you don't relay unauthenticated messages from the outside internet.
See also: Python aiosmtpd - what is missing for an Mail-Transfer-Agent (MTA)?
So, I actually figured out what was missing here.
I need to run an SMTP server, yes, but I also needed to write code to parse the "to" domain (the recipient domain), perform a DNS request for the MX server(s) of the recipient domain, and then use the smtplib client to then send mail over to the recipient domain. Authentication is not needed to relay that message to the recipient server, authentication is only required for reading from a given inbox or authenticating a sender to send on behalf of a domain (I trust myself and myself only to send mail). I can do all this while also only listening for mail on localhost so that only my local server can use the local SMTP server for relaying messages/emails off to recipient domains.
Additionally, I don't need to have my external IP listed as an MX server since it's not accepting mail for the domain, only sending. I do need an SPF record for it though so that it is an authorized relay/sender for email from my domain.
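The relay logic the accepted answer and this follow-up describe (recipient domain, MX lookup, smtplib hand-off without AUTH), as an added example that is not the poster's code: the MX answers are constructed, helo_name and relay.example.com are assumed names, and the aiosmtpd listener bound to localhost is left out.

```python
import smtplib
from collections import defaultdict
from typing import Callable, Dict, List, Tuple
# Constructed MX answers (not real DNS); a live version would query a resolver such as dnspython's dns.resolver.resolve(domain, "MX").
FAKE_MX: Dict[str, List[Tuple[int, str]]] = {
    "example.org": [(20, "mx2.example.org"), (10, "mx1.example.org")],
    "example.net": [],  # domain without any MX record
}
MxLookup = Callable[[str], List[Tuple[int, str]]]

def recipient_domain(addr: str) -> str:
    local, at, domain = addr.rpartition("@")
    if not (local and at and domain):
        raise ValueError(f"malformed recipient {addr!r}")  # refuse junk before any DNS work
    return domain.lower()

def plan_delivery(rcpts: List[str], mx_lookup: MxLookup) -> Dict[str, Tuple[List[str], List[str]]]:
    """Group recipients by domain and order each domain's MX hosts by preference (lowest
    first); no MX at all means the domain's own A record, the RFC 5321 'implicit MX' rule."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for rcpt in rcpts:
        grouped[recipient_domain(rcpt)].append(rcpt)
    plan = {}
    for domain, addrs in grouped.items():
        hosts = [host for _, host in sorted(mx_lookup(domain), key=lambda rec: rec[0])]
        plan[domain] = (hosts or [domain], addrs)
    return plan

def relay(mail_from: str, rcpts: List[str], data: bytes, mx_lookup: MxLookup,
          helo_name: str, smtp_factory=smtplib.SMTP) -> Dict[str, str]:
    """Hand the message to the first reachable MX of each recipient domain on port 25. No AUTH
    is used; the remote MX judges us by SPF, DKIM and rDNS. Returns {domain: last error}."""
    failures: Dict[str, str] = {}
    for domain, (hosts, addrs) in plan_delivery(rcpts, mx_lookup).items():
        last_error = "no MX host to try"
        for host in hosts:
            try:
                with smtp_factory(host, 25, timeout=30) as conn:
                    conn.ehlo(helo_name)            # our real, rDNS-matching hostname
                    if conn.has_extn("starttls"):   # opportunistic TLS when offered
                        conn.starttls()
                        conn.ehlo(helo_name)        # EHLO again after STARTTLS
                    conn.sendmail(mail_from, addrs, data)
                break                               # delivered; skip lower-preference MXs
            except (OSError, smtplib.SMTPException) as exc:
                last_error = f"{host}: {exc}"
        else:
            failures[domain] = last_error           # every MX for this domain failed
    return failures
```

Because smtp_factory is injectable, the same relay() can be exercised against a fake SMTP class in tests and against smtplib.SMTP in production.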

Postfix to send all mail to /dev/null except one address (alias)

My postfix server is working on a particular domain name through a relay, so it's like that:
Client sends to abs@subdomain.domain.com -> domain.com production mail server -> internal mail server on subdomain.
All messages for subdomain.domain.com are being forwarded. But the thing is, the application that I'm supporting uses the mailing system for some internal stuff, and many addresses that are CC'd when the client sends an e-mail don't exist on the subdomain mail server; they serve another purpose. When the app on the subdomain receives an e-mail, it parses the headers and uses all CC addresses in its algorithms.
Here comes the problem. When a client sends an e-mail, he'll receive as many error responses as there are fake addresses in CC.
There is only one real address that is listed in /etc/aliases and it's just piping incoming mails to stdin for some script.
Question. How do I prevent sending error responses to the client and just /dev/null all fake addresses? I need only one address, the one listed in aliases.
Thanks in advance.
Ok, I figured it out.
This can be achieved through virtual_alias_maps.
Add a virtual alias for the domain and for the address. Redirect the domain to /dev/null and the address to the local alias.
virtual_alias_maps file:
target_addr@subdomain target@localhost
@subdomain devnull@localhost
/etc/aliases:
target: "| /path/to/script"
devnull: /dev/null

Outgoing mailing-list mail gets stuck in spam filters since I moved to a new server

Problem: I have written a mailing list via PHP, SwiftMailer and Postfix. On my old server it worked without any problems, but since I moved to another server (exactly the same configuration, but another IP) the list mails get stuck in the receivers' spam filters (especially in Google Mail).
Is there anything I have to do except updating the DNS records, so that Google sees that "I am that server" and the mail is not spam?
First, check that your outgoing mail server is identifying itself correctly in the HELO command (or EHLO command) when it connects to a receiving mail server. There should also be an A record for this name that should point to the IP address of the mail server. Also, this IP address should reverse to some name (possibly, but not necessarily, the same name as above), and this name should point to the mail server's IP. If any of this is not right, then most spam filters will not consider your server to be a 'real' mail server, and will most likely flag any message sent from your server as spam. This is how many spam filters block spam that originates from computers that have been taken over as 'zombies'.
Another thing to do is to check that your mail server's IP is not on any blacklists. You can use MXToolbox for this: http://mxtoolbox.com/blacklists.aspx
Another thing you can do is use port25's verifier tool. This tool will spot any red flags that might be causing your messages to be flagged as spam. See http://www.port25.com/support/authentication-center/email-verification/ for more info.
Last but not least, you might want to setup an SPF record for the domain that you are sending these messages from, to indicate that the IP of your mail server is authorized to send mail from this domain. This will help a lot. For more info, see: www.openspf.org.

Sending Email using IP Address instead of Domain Name

I am trying to avoid running through DNS servers to get an email message to an address on one of my hosted virtual accounts.
I know I can surround the IP address with square brackets but how do I designate the mailbox username for the (virtual) hosted account on the server?
In other words,
I have multiple domains hosted on a virtual server -- all sharing the same IP address
obviously, user@domain.com works fine
but how do I send to user@[123.456.78.90]
Is what I want to do, possible?
Thanks.
A virtual host needs a domain name in order to figure out what to do. You want to send to an IP address instead of a domain name, so it is not going to work through normal methods. You might be able to specify a "default" domain if none match. Otherwise, your only hope is to manually forge email. By this, I mean:
telnet 123.456.78.9 25
HELO myhostname.mydomain
MAIL From: <myemail@mydomain>
RCPT To: <user@domain.com>
DATA
From: myemail@mydomain
To: user@domain.com
Subject: Testing
This is a test
.
QUIT
What you want to do is possible, and even secure when using Cjdns IPs. Some clients (e.g. mutt) are "broken" and choke on raw ips as domain. (While technically broken, it is an uncommon use case - mutt is a good client.)
You'll need to tell your MTA to accept the raw ip. E.g. on sendmail, add
[123.456.78.9]
to /etc/mail/local-host-names
You'll also have to turn on accept_unresolvable_domains as sendmail doesn't seem to regard already resolved domains as "resolvable". (Other MTAs may require different tweaks.)
I use thunderbird to send to raw ips, and it works just fine. A friend uses claws-mail with no problems.

Ubuntu exim4 - Config setup and spam filters

I've recently setup my Ubuntu web server with exim4 so my PHP website applications can send email such as "thank you" and "confirmation" notices.
I've got it set up and working such that I can send email to Gmail, Yahoo! and my work address. However, my work email gets caught up in our spam filter. I'm new to setting up mail servers, so I'm not sure what I might need to look for in making this mail server more trusted, while keeping it secure.
Here are some details:
Server is NATed behind a firewall.
Firewall has port 25 open for outgoing SMTP traffic (from server to anywhere).
Server is virtual hosting a couple of our different websites.
The server is running the following exim4 config:
dc_eximconfig_configtype='internet'
dc_other_hostnames='web-serv.example1.com;example2.com'
dc_local_interfaces='127.0.0.1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
Questions:
Do I need to open port 25 to incoming SMTP mail (anywhere to server)? I wonder if other mail servers need to talk to my mail server to verify itself, in a sort of handshake attempt.
I have not created any MX records primarily because the server has different websites on it the mail server should send mail for all the websites. Do I need to pick/create a domain address and create MX records for it?
One thing of note is that the mail headers look like this:
Return-Path: <www-data@example2.com>
Received: from web-serv.example1.com ([Firewall public IP Address])
Received-SPF: neutral (google.com: [Firewall public IP Address] is neither permitted nor denied by best guess record for domain of www-data@example2.com)
"web-serv" is the host name of the server, such that you get this if you type it into the command line:
$ hostname
web-serv
and "www-data" is the account name for the Apache2 server that Ubuntu gave it as default.
Any other general advice would be appreciated. It's all new to me.
Cheers!
One item of note, since I posted this question some time ago (almost 10 months), is that I found out the biggest issue I had was with setting up the DNS for reverse DNS on our hosting provider's side of things.
In other words, our hosting provider (the people who give us our IP address and manage our hardware) had to enter a record to match my server(s) hostname to whatever IP address it used.
There's a specific name for this. I believe it's a "PTR" record but the name escapes me at the moment, but you basically tell them "my server hostname is ..." and they do a quick update to the DNS for reverse DNS purposes.
When I asked this question, we had a different hosting provider who didn't really help explain this to me, and after switching providers, I got to talk to someone who was happy to help me understand that side of the equation.
And as I understand it, this is setup by the people who assign you the IP addresses. But there's probably more to it than that.
Once I got that setup properly, email had no problem getting through the spam filters and Gmail/Yahoo showed SPF as "passed". It was showing neutral before.
Our company email was set to drop any email that would not resolve reverse DNS, which is why I could not even receive the email or find it in the spam filter. Of course, that situation would be dependent on the company and what email policy and software they're using to manage spam. Some might just drop all email that does not reverse DNS and some might dump it in to spam filters instead.
Hope that might help some people with similar issues.
Cheers!
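The HELO/A/PTR consistency checks described in the mailing-list answer above and the PTR fix described in this exim follow-up, as an added example that belongs to neither poster: the FORWARD and REVERSE tables are constructed stand-ins for DNS, web-serv.example1.com is taken from the question, and the other names and TEST-NET addresses are made up; swap in live_forward/live_reverse to run the same checks against the real resolver.

```python
import socket
from typing import Callable, Dict, List, Optional

# Constructed DNS data (not real records): forward A answers keyed by name, and
# reverse PTR answers keyed by IP. Addresses are TEST-NET values.
FORWARD: Dict[str, List[str]] = {
    "web-serv.example1.com": ["203.0.113.10"],
    "mail.example.org": ["198.51.100.25"],
    "other.example.org": ["198.51.100.99"],
}
REVERSE: Dict[str, str] = {
    "203.0.113.10": "web-serv.example1.com",  # PTR the IP's owner (hosting provider) added
    "198.51.100.25": "other.example.org",     # PTR pointing at a name that resolves elsewhere
}

def stub_forward(name: str) -> List[str]:
    return FORWARD.get(name.lower(), [])

def stub_reverse(ip: str) -> Optional[str]:
    return REVERSE.get(ip)

def live_forward(name: str) -> List[str]:
    """Real A lookup via the system resolver; empty list when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def live_reverse(ip: str) -> Optional[str]:
    """Real PTR lookup; None when the IP has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def check_mail_host(helo_name: str, ip: str, forward: Callable[[str], List[str]] = stub_forward,
                    reverse: Callable[[str], Optional[str]] = stub_reverse) -> List[str]:
    """Apply the three checks from the answers above and return the problems found:
    HELO name -> A record contains ip; ip -> PTR exists; PTR name -> A contains ip
    (forward-confirmed reverse DNS). An empty list means the host looks legitimate."""
    problems = []
    if ip not in forward(helo_name):
        problems.append(f"HELO name {helo_name} has no A record pointing at {ip}")
    ptr = reverse(ip)
    if ptr is None:
        problems.append(f"{ip} has no PTR record; ask whoever assigned the IP to add one")
    elif ip not in forward(ptr):
        problems.append(f"PTR {ptr} for {ip} does not resolve back to {ip}")
    return problems
```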