[Discuss] Need help with undelivered mail.

[dsr at randomstring.org (Dan Ritter)]

David Kramer wrote: 
> I am having trouble sending mail to GMail accounts, and I'm getting
> inconsistent explanations. I could use some help figuring out the real
> cause.
> 
> Setup: I have a mail server running on Linode running
> postfix/dovecot/clamav/etc ( I successfully moved mail off my home server
> about a year ago).? I have Verizon FIOS at home.? I use Thunderbird for
> email on my main Linux computer.
> 
> When I send email to a gmail account, I am getting:
> 
> host aspmx.l.google.com[2607:f8b0:400d:c0e::1a] said:
> ??? 550-5.7.1 [2600:3c03::f03c:91ff:fe62:5ea] Our system has detected that
> this
> ??? 550-5.7.1 message does not meet IPv6 sending guidelines regarding PTR
> ??? records 550-5.7.1 and authentication. Please review 550-5.7.1
> https://support.google.com/mail/?p=IPv6AuthError for more information 550
> 
> The link that goes to HAS ABSOLUTELY NOTHING to do with IPv6, it has to do
> with bulk emails.? What I *THINK* it means is I need to set up IPv6 records,
> but I'm not sure which ones.


dig -t mx thekramers.net
...
;; ANSWER SECTION:
thekramers.net.     3600    IN  MX  10 zenyatta.thekramers.net.
thekramers.net.     3600    IN  MX  20 bantha.org.
...
;; ADDITIONAL SECTION:
zenyatta.thekramers.NET. 3600   IN  A   104.237.150.41

dig -t mx bantha.org
...
;; ANSWER SECTION:
bantha.org.     3600    IN  MX  20 mail.azuen.net.
bantha.org.     3600    IN  MX  10 bantha.org.

dig -t a zenyatta.thekramers.net. 
...
;; ANSWER SECTION:
zenyatta.thekramers.net. 3600   IN  A   104.237.150.41

dig -t a mail.azuen.net.
...
;; ANSWER SECTION:
mail.azuen.net.     3600    IN  A   192.34.87.82

dig -t a bantha.org
...
;; ANSWER SECTION:
bantha.org.     1200    IN  A   173.66.162.52

dig -t aaaa thekramers.net, zenyatta.thekramers.net,
mail.azuen.net, dig -t aaaa bantha.org --- none of these have
IPv6 addresses.

So it's perfectly reasonable for Google to believe that mail
from an IPv6 host is not from any of these mailservers.

Anywhere you have IPv6 connectivity on a mailserver, publish
a AAAA record and an MX record for that AAAA record.

thekramers.net should also have an SPF txt record, most likely
something like 
"v=spf1 mx a:thekramers.net a:bantha.org a:mail.azuen.net ~all"

which will clue Google (and others) in to the fact that these
are mailservers which are authorized to send for you, and 
others are more suspicious but not impossible. (-all would make
others impossible).


> 
> According to https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3athekramers.net&run=toolpage
> my IP address is on the SORBS DUHL list and the Spamhaus ZEN list. Digging
> into Sorbs and https://www.spamhaus.org/pbl/query/PBL1637778 I get the
> impression my whole IP range is blocked because outgoing mail should go to
> smtp.verizon.net when I'm at home.? But if that's the case how does sent
> mail get saved to my IMAP server?? Is it sent there too?

Those are advisory lists that say that IPs in those ranges are
probably not mailservers. There's nothing you can do to get off
of them, basically, because VZ supplies the info.

It has nothing to do with whether or not someone will actually
deliver mail to smtp.verizon.net, and I'm sure smtp.verizon.net
rejects mail bound for thekramers.net. That's what MX records
are for.


> So should I be sending mail through smtp.verizon.com or through my Linode
> server?

Through your linode server, and you should add its AAAA record
to something like mail.thekramers.net and also as an MX for you,
and add mail.thekramers.net to the SPF txt record.


> If I'm sending mail through my Linode server, then why would a block on my
> home IP address range matter when my MX records point to my? Linode server?

It doesn't.

> Does this have anything to do with IPv6?

Yes, The Linode server has IPv4 and IPv6 addresses, and has been
using the IPv6 address to contact Google. When Google tries to
estimate the likelihood of it being a spammer, it sees no signs 
that this is a legitimate mailserver for thekramers.net.

-dsr-