DKIM fails on (some) autoforwards...

Post by klkitchens » 2019-07-08 17:08

Finally was able to get DKIM set up and now GMAIL will accept messages from my server. I thought I was out of the woods, but it was reported to me by a friend that a message they sent to me came back to them as rejected by GMAIL.

I have my mailbox set to autoforward to my own gmail account so I can check messages on the road via iPad and iPhone.

Until recently (assume GMAIL tightening) all worked just fine.

If I send directly to my gmail account, the message gets through. DKIM works fine.

But if someone sends mail to me, I get the message locally. But the autoforward sometimes fails. Sometimes works.

I mailed from my separate yahoo.com account and it autoforwarded ok.

But some other users send to me... and then the autoforward goes to gmail, fails, and then they get a rejection message from my hMailServer saying it failed authentication.

Shouldn't the autoforward be coming from me, my server, and validate against my DKIM? It's like gmail is checking my credentials, but using the original email address and failing it or something.

Is there any setting I can use to force this to work or do I just need to get rid of the autoforward option? Can live with the messages not getting through to gmail, but the error message is confusing senders I'm sure.

I have turned off the ability to send external to external to block spammers who've been using my mailserver... but again some messages do forward, so would not seem to be that setting at all.

Post by RvdH » 2019-07-08 17:31

Forwarding by an account rule or just in your account?

For the 2nd method you could add the line below to hMailServer.INI (/bin)

[Settings]
RewriteEnvelopeFromWhenForwarding=1

For the 1st you need my experimental build (fix nr. 20) with above INI setting
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
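
Why rewriting the envelope sender changes what a receiver sees, as an added example that is not part of the original post and is not hMailServer code: a simplified model of the SPF (RFC 7208) and DMARC (RFC 7489) checks applied to a forwarded message. All domains, IP addresses and policies are constructed sample values, and alignment is reduced to exact domain equality.

```python
"""Simplified receiver-side SPF/DMARC evaluation of a forwarded message.
Added illustration; every domain, IP and policy below is a constructed sample."""
from dataclasses import dataclass

# Constructed SPF data: the IPs each domain authorises to send for it.
SPF = {
    "sender.example": {"198.51.100.10"},
    "forwarder.example": {"203.0.113.5"},
}
# Constructed DMARC policies, keyed by the From: header domain.
DMARC = {"sender.example": "reject"}
FORWARDER_IP = "203.0.113.5"


@dataclass
class Message:
    envelope_from: str   # domain used in SMTP MAIL FROM
    header_from: str     # domain in the From: header
    dkim_domains: tuple  # d= domains whose signatures still verify


def evaluate(msg: Message, client_ip: str) -> dict:
    # SPF authorises the connecting IP for the envelope-from domain only.
    spf_pass = client_ip in SPF.get(msg.envelope_from, set())
    # DMARC needs SPF or DKIM to pass for the From: header domain
    # (exact match here; real DMARC also allows relaxed alignment).
    spf_aligned = spf_pass and msg.envelope_from == msg.header_from
    dkim_aligned = msg.header_from in msg.dkim_domains
    dmarc_pass = spf_aligned or dkim_aligned
    policy = DMARC.get(msg.header_from, "none")
    return {"spf": spf_pass, "dmarc": dmarc_pass,
            "rejected_by_dmarc": policy == "reject" and not dmarc_pass}


def forward(original: Message, rewrite_envelope: bool) -> Message:
    # Model assumption: forwarding keeps From: and body unchanged and
    # optionally replaces MAIL FROM with the forwarder's own domain.
    env = "forwarder.example" if rewrite_envelope else original.envelope_from
    return Message(env, original.header_from, original.dkim_domains)
```

In this model the rewrite turns an SPF fail into an SPF pass for the forwarding domain, while a sender that publishes a DMARC reject policy and does not DKIM-sign still fails after forwarding.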

Post by klkitchens » 2019-07-08 17:37

RvdH wrote:
2019-07-08 17:31
Forwarding by an account rule or just in your account?

For the 2nd method you could add the line below to hMailServer.INI (/bin)

[Settings]
RewriteEnvelopeFromWhenForwarding=1

For the 1st you need my experimental build (fix nr. 20) with above INI setting

Setup on server in account settings, the AutoForward tab...

Post by klkitchens » 2019-07-08 17:50

OK... that setting worked... but now due to previous abuse on my server by ne'er-do-wells, it was marked as spam. Is there a setting to autoforward only non-spam detected emails to gmail?

Post by RvdH » 2019-07-08 18:00

Mark it as non-spam in gmail maybe? :)

Make sure SPF and DKIM are set up correctly for that (forwarding) domain, eventually it should come through smoothly... Except DMARC signed/checked mails with reject policy set

Post by klkitchens » 2019-07-08 18:27

RvdH wrote:
2019-07-08 18:00
Mark it as non-spam in gmail maybe? :)

Make sure SPF and DKIM are set up correctly for that (forwarding) domain, eventually it should come through smoothly... Except DMARC signed/checked mails with reject policy set

Remote server replied: 550-5.7.1 [IPADDRESS 12] Our system has detected that this message is
550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail,
550-5.7.1 this message has been blocked. Please visit
550-5.7.1 https://support.google.com/mail/?p=Unso ... ssageError
550 5.7.1 for more information. s125si11224064oib.205 - gsmtp

Post by RvdH » 2019-07-08 18:58

You are blocked by your IP, that can't be because of (a few) forwarded e-mails to a gmail account
https://mxtoolbox.com/blacklists.aspx

Post by palinka » 2019-07-08 21:27

RvdH wrote:
2019-07-08 18:58
You are blocked by your IP, that can't be because of (a few) forwarded e-mails to a gmail account
https://mxtoolbox.com/blacklists.aspx

I don't think so. Gmail has a specific error message for that. Besides, he said non forwarded messages get through. Gmail error codes below.

https://support.google.com/a/answer/3726730

Best to a) implement dmarc and b) register the sending domain with gmail postmaster.

Post by mattg » 2019-07-09 01:14

Also this is #19 on RvdH's list of fixes :D in the private build
viewtopic.php?f=10&t=30193&start=180#p213193
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post by klkitchens » 2019-07-09 17:39

RvdH wrote:
2019-07-08 18:58
You are blocked by your IP, that can't be because of (a few) forwarded e-mails to a gmail account
https://mxtoolbox.com/blacklists.aspx

Yeah, never said it was a few, lol. Wasn't aware I kept having holes in my security and that my server was being abused.

As it stands now, you have to authenticate to send local to external, local to local. No auth to send external to local. Now allowed to send external to external, which I think the issue was before. I closed that down last week. Then added SPF and DKIM and managed to send my own mail to GMAIL. Will check into DMARC and registering my mail server. Sheesh... the things we have to do!!! :)

Post by klkitchens » 2019-07-09 18:18

palinka wrote:
2019-07-08 21:27
RvdH wrote:
2019-07-08 18:58
You are blocked by your IP, that can't be because of (a few) forwarded e-mails to a gmail account
https://mxtoolbox.com/blacklists.aspx
I don't think so. Gmail has a specific error message for that. Besides, he said non forwarded messages get through. Gmail error codes below.

https://support.google.com/a/answer/3726730

Best to a) implement dmarc and b) register the sending domain with gmail postmaster.

Did these two steps... thanks..

Now I checked with MXToolbox and saw I was on backscatterer... Check my logs and found this record (on SMTPC vs SMTPD)

"SMTPC"	2528	226	"2019-07-03 03:50:16.649"	"37.221.193.144"	"RECEIVED: 220 mailserver-online.de ESMTP ready"
"SMTPC"	2528	226	"2019-07-03 03:50:16.649"	"37.221.193.144"	"SENT: EHLO peidev.com"
"SMTPC"	2688	226	"2019-07-03 03:50:16.782"	"37.221.193.144"	"RECEIVED: 250-mailserver-online.de[nl]250-SIZE 104857600[nl]250 STARTTLS"
"SMTPC"	2688	226	"2019-07-03 03:50:16.782"	"37.221.193.144"	"SENT: STARTTLS"
"SMTPC"	680	226	"2019-07-03 03:50:16.915"	"37.221.193.144"	"RECEIVED: 220 2.0.0 Start TLS"
"SMTPC"	680	226	"2019-07-03 03:50:18.175"	"37.221.193.144"	"SENT: EHLO peidev.com"
"SMTPC"	2688	226	"2019-07-03 03:50:18.307"	"37.221.193.144"	"RECEIVED: 250-mailserver-online.de[nl]250 SIZE 104857600"
"SMTPC"	2688	226	"2019-07-03 03:50:18.307"	"37.221.193.144"	"SENT: MAIL FROM:<>"
"SMTPC"	2528	226	"2019-07-03 03:50:18.440"	"37.221.193.144"	"RECEIVED: 250 2.0.0 OK"
"SMTPC"	2528	226	"2019-07-03 03:50:18.441"	"37.221.193.144"	"SENT: RCPT TO:<CharlesRossrfuzy@losaass.it>"
"SMTPC"	2528	226	"2019-07-03 03:50:19.466"	"37.221.193.144"	"RECEIVED: 250 recipient <CharlesRossrfuzy@losaass.it>, OK"
"SMTPC"	2528	226	"2019-07-03 03:50:19.467"	"37.221.193.144"	"SENT: DATA"
"SMTPC"	2688	226	"2019-07-03 03:50:19.600"	"37.221.193.144"	"RECEIVED: 554 We don't take bounces from systems listed at IPS.BACKSCATTERER.ORG"
"SMTPC"	2688	226	"2019-07-03 03:50:19.601"	"37.221.193.144"	"SENT: QUIT"

This is the event which last added me to their list. ARGH! And I have to wait 28 days to get off them too (unless I pay)...

So, if I had external->external turned off then (which I thought I did, maybe I didn't then) would this prevent this issue?

Backscatterer says about it "So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM."

I turned off null sender, which hMailServer told me was an error, so I put it back on....

It also says about bounces "Email servers should be configured to provide Non-Delivery Reports (bounces) to local users only. Unacceptable email from anywhere else should be rejected." but I don't see an option in hMailServer to require that -- or is it covered in no external to external?
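
One way to find the deliveries Backscatterer describes, as an added example that is not part of the original post: group SMTPC log lines by session and report sessions that sent `MAIL FROM:<>` to a recipient outside the server's own domains. The sample lines are constructed in the layout of the log above; treating the third column as the session id and `mail.example` as the local domain are assumptions.

```python
"""Flag outbound null-sender (bounce) sessions to non-local domains in an
hMailServer-style log. Added illustration; the sample lines are constructed."""
import csv
import io
import re

LOCAL_DOMAINS = {"mail.example"}  # assumption: domains hosted on this server


def _line(kind, thread, session, stamp, ip, text):
    return f'"{kind}"\t{thread}\t{session}\t"{stamp}"\t"{ip}"\t"{text}"'


# Constructed sample in the tab-separated layout of the log quoted above.
SAMPLE_LOG = "\n".join([
    _line("SMTPC", 2688, 226, "2019-07-03 03:50:18.307", "192.0.2.44", "SENT: MAIL FROM:<>"),
    _line("SMTPC", 2528, 226, "2019-07-03 03:50:18.441", "192.0.2.44", "SENT: RCPT TO:<someone@recipient.example>"),
    _line("SMTPC", 2688, 226, "2019-07-03 03:50:19.600", "192.0.2.44", "RECEIVED: 554 We don't take bounces"),
    _line("SMTPC", 700, 227, "2019-07-03 04:01:00.000", "192.0.2.80", "SENT: MAIL FROM:<user@mail.example>"),
    _line("SMTPC", 700, 227, "2019-07-03 04:01:00.200", "192.0.2.80", "SENT: RCPT TO:<friend@other.example>"),
    _line("SMTPD", 444, 537, "2019-07-03 04:02:00.000", "192.0.2.90", "SENT: 550 Unknown user"),
    _line("SMTPC", 812, 228, "2019-07-03 04:05:00.000", "192.0.2.91", "SENT: MAIL FROM:<>"),
    _line("SMTPC", 812, 228, "2019-07-03 04:05:00.300", "192.0.2.91", "SENT: RCPT TO:<x@third.example>"),
])

RCPT_RE = re.compile(r"SENT: RCPT TO:<[^@>]*@([^>]+)>", re.I)


def find_backscatter(log_text, local_domains=LOCAL_DOMAINS):
    """Return SMTPC sessions that sent MAIL FROM:<> to a non-local recipient."""
    sessions = {}
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) != 6 or row[0] != "SMTPC":
            continue  # inbound (SMTPD) and DEBUG lines are not deliveries
        session, remote_ip, text = row[2], row[4], row[5]
        s = sessions.setdefault(session, {
            "session": session, "remote_ip": remote_ip,
            "null_sender": False, "external_rcpts": [], "rejections": []})
        rcpt = RCPT_RE.match(text)
        if text.upper().startswith("SENT: MAIL FROM:<>"):
            s["null_sender"] = True
        elif rcpt and rcpt.group(1).lower() not in local_domains:
            s["external_rcpts"].append(rcpt.group(1).lower())
        elif re.match(r"RECEIVED: 5\d\d", text):
            s["rejections"].append(text[len("RECEIVED: "):])
    return [s for s in sessions.values()
            if s["null_sender"] and s["external_rcpts"]]
```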

Post by palinka » 2019-07-09 20:41

"Email servers should be configured to provide Non-Delivery Reports (bounces) to local users only. Unacceptable email from anywhere else should be rejected."

This is very good advice. Unfortunately I don't know how to implement it. :lol:

I looked in the documentation and didn't find anything specifically to disable NDRs to outside domains. Maybe someone else can chime in on that if it's possible.

Post by mattg » 2019-07-10 00:29

Catch them with a general rule, and delete them

FROM contains mailer-daemon

OR

FROM contains [your MX A record FQDN, ie mail.example.com]

ALSO Backscatter is normal email traffic not SPAM, anyone who rejects you ONLY because you are sending backscatter isn't thinking very hard.

Check more places, you are probably on some other blacklists

Post by SorenR » 2019-07-10 00:44

mattg wrote:
2019-07-10 00:29
Check more places, you are probably on some other blacklists

http://multirbl.valli.org/lookup/
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

Post by klkitchens » 2019-07-10 06:00

mattg wrote:
2019-07-10 00:29
Catch them with a general rule, and delete them

FROM contains mailer-daemon

OR

FROM contains [your MX A record FQDN, ie mail.example.com]

ALSO Backscatter is normal email traffic not SPAM, anyone who rejects you ONLY because you are sending backscatter isn't thinking very hard.

Check more places, you are probably on some other blacklists

So the second option would be if FROM does NOT contain my FQDN, delete?

Post by palinka » 2019-07-10 13:00

klkitchens wrote:
2019-07-10 06:00
mattg wrote:
2019-07-10 00:29
Catch them with a general rule, and delete them

FROM contains mailer-daemon

OR

FROM contains [your MX A record FQDN, ie mail.example.com]

ALSO Backscatter is normal email traffic not SPAM, anyone who rejects you ONLY because you are sending backscatter isn't thinking very hard.

Check more places, you are probably on some other blacklists

So the second option would be if FROM does NOT contain my FQDN, delete?

I just set mine up this way. Tests well with the built in match/no match checker.

IF (Use AND)
FROM > CONTAINS: mailer-daemon@yourhostname.tld
TO > REGULAR EXPRESSION: ^((?!domain1\.com|domain2\.net|abc\.domain3\.com).)*$

THEN: Delete e-mail

This should delete any mailer-daemon message EXCEPT to your own hmailserver domains (or any other you choose).
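
The rule above evaluated against sample addresses, as an added example that is not part of the original post: it applies both conditions with AND and shows one edge case of the posted pattern, which treats any recipient containing a listed domain as a substring as local. The addresses are constructed, Python's `re` stands in for the server's regex engine, case-insensitive "contains" is an assumption, and `is_local_recipient` is a hypothetical stricter check that goes beyond the thread.

```python
"""Evaluate the two-condition delete rule from the post against sample
messages. Added illustration; all addresses are constructed."""
import re

DAEMON = "mailer-daemon@yourhostname.tld"  # placeholder used in the post
# TO pattern exactly as posted: matches only strings that contain none of
# the listed domains at any position.
TO_NOT_LOCAL = re.compile(
    r"^((?!domain1\.com|domain2\.net|abc\.domain3\.com).)*$")


def rule_deletes(from_addr: str, to_addr: str) -> bool:
    """True when both conditions hold (Use AND), so the e-mail is deleted."""
    # "CONTAINS" condition; case-insensitive matching is an assumption.
    from_hit = DAEMON in from_addr.lower()
    to_hit = TO_NOT_LOCAL.match(to_addr) is not None
    return from_hit and to_hit


# Hypothetical stricter check (not from the thread): compare the whole
# domain part, so look-alike domains are not treated as local.
LOCAL = ("domain1.com", "domain2.net", "abc.domain3.com")


def is_local_recipient(to_addr: str) -> bool:
    domain = to_addr.rsplit("@", 1)[-1].strip("<> ").lower()
    return domain in LOCAL


def demo() -> dict:
    bounce = "MAILER-DAEMON@yourhostname.tld"
    return {
        "external": rule_deletes(bounce, "victim@elsewhere.example"),
        "local": rule_deletes(bounce, "user@domain1.com"),
        "not_a_bounce": rule_deletes("alice@domain1.com", "v@elsewhere.example"),
        # Substring edge case: the bounce is kept although the recipient
        # domain is not one of the local domains.
        "lookalike": rule_deletes(bounce, "user@notdomain1.com"),
    }
```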

Post by palinka » 2019-07-10 13:24

Just tested it by sending a message from gmail to non existing user@mydomain.tld.

"SMTPD"	444	537	"2019-07-10 07:11:54.905"	"209.85.160.179"	"RECEIVED: RCPT TO:<dingle@mydomain.tld>"
"DEBUG"	444	"2019-07-10 07:11:54.952"	"AWStats::LogDeliveryFailure"
"SMTPD"	444	537	"2019-07-10 07:11:54.968"	"209.85.160.179"	"SENT: 550 Unknown user"
"SMTPD"	2240	537	"2019-07-10 07:11:54.983"	"209.85.160.179"	"RECEIVED: QUIT"
"DEBUG"	2240	"2019-07-10 07:11:54.983"	"Deleting message file."
"SMTPD"	2240	537	"2019-07-10 07:11:54.983"	"209.85.160.179"	"SENT: 221 goodbye"

Didn't send NDR. Only a rejection message. NDR came from Google. Then I tried from my domain to a very long, obviously fake username@gmail.com but I use a relay so the relay sent me back the NDR (not my own hMailServer).

I think really all you need to do is disable external to external and the rule becomes superfluous. But the rule should work. I'm leaving it in place for now. :D

Post by klkitchens » 2019-07-10 16:02

palinka wrote:
2019-07-10 13:24
Just tested it by sending a message from gmail to non existing user@mydomain.tld.

"SMTPD"	444	537	"2019-07-10 07:11:54.905"	"209.85.160.179"	"RECEIVED: RCPT TO:<dingle@mydomain.tld>"
"DEBUG"	444	"2019-07-10 07:11:54.952"	"AWStats::LogDeliveryFailure"
"SMTPD"	444	537	"2019-07-10 07:11:54.968"	"209.85.160.179"	"SENT: 550 Unknown user"
"SMTPD"	2240	537	"2019-07-10 07:11:54.983"	"209.85.160.179"	"RECEIVED: QUIT"
"DEBUG"	2240	"2019-07-10 07:11:54.983"	"Deleting message file."
"SMTPD"	2240	537	"2019-07-10 07:11:54.983"	"209.85.160.179"	"SENT: 221 goodbye"

Didn't send NDR. Only a rejection message. NDR came from Google. Then I tried from my domain to a very long, obviously fake username@gmail.com but I use a relay so the relay sent me back the NDR (not my own hMailServer).

I think really all you need to do is disable external to external and the rule becomes superfluous. But the rule should work. I'm leaving it in place for now. :D

Wow... thanks for the rule so clearly defined... clear except "mailer-daemon@yourhostname.tld"

What is ".tld" extension for? Is that a special address the daemon uses?

Post by palinka » 2019-07-10 16:18

klkitchens wrote:
2019-07-10 16:02
Wow... thanks for the rule so clearly defined... clear except "mailer-daemon@yourhostname.tld"

What is ".tld" extension for? Is that a special address the daemon uses?

TLD = top level domain = .com .net .org .de .etc...

The actual email address should be your hostname. So if your hostname is mailserver-online.de as it is in your log example, then the address should be mailer-daemon@mailserver-online.de

PS: Looking at your username, are you a millworker? I do a lot of interior renovations. Not in Germany. :lol:

Post by klkitchens » 2019-07-10 16:25

palinka wrote:
2019-07-10 16:18
klkitchens wrote:
2019-07-10 16:02
Wow... thanks for the rule so clearly defined... clear except "mailer-daemon@yourhostname.tld"

What is ".tld" extension for? Is that a special address the daemon uses?
TLD = top level domain = .com .net .org .de .etc...

The actual email address should be your hostname. So if your hostname is mailserver-online.de as it is in your log example, then the address should be mailer-daemon@mailserver-online.de

PS: Looking at your username, are you a millworker? I do a lot of interior renovations. Not in Germany. :lol:

Took a guess after some googling on .tlb ( thought it was some special name the daemon used ) and just took a chance and changed it to my .com... you're right the external to external should get it too, but we'll see.

Now if I can just get SpamAssassin installed (directions and links no longer valid in the tutorial here).

No, not a millworker... "Kevin L. Kitchens" is my name :)
