How to allow all email unless blocked
Brought to you by:
christian_boltz,
gingerdog
Menu
▾
▴
i keep having issues on my server where postfix is blocking emails to known domains like icloud gmail etc. How can I permit all these without blocking them unless I specifically block something?
Hi - you're confusing this project (postfixadmin, a web ui for managing mailboxes etc) with a help forum for general postfix issues....
Having said that ...
Postfix isn't likely to be blocking emails to domains like icloud/gmail - it's more likely to be the other way around - in that they're blocking you because e..g you don't have reverse dns setup, or they think you don't have enough "reputation" to email at the rate you are.
But I may be wrong - seeing a bounce message / server log would probably help.
I think you're right because I have verified I have reverse DNS setup...
Feb 4 16:37:21 host1 postfix/smtp[3236063]: 2FD33182330: to=della_martin@live.com, relay=live-com.olc.protection.outlook.com[104.47.17.97]:25, delay=0.51, delays=0.17/0/0.26/0.08, dsn=5.7.1, status=bounced (host live-com.olc.protection.outlook.com[104.47.17.97] said: 550 5.7.1 Unfortunately, messages from [x.x.x.x] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [DB8EUR05FT016.eop-eur05.prod.protection.outlook.com] (in reply to MAIL FROM command))Feb 4 16:37:21 host1 postfix/smtp[3236063]: 2FD33182330: to=della_martin@live.com, relay=live-com.olc.protection.outlook.com[104.47.17.97]:25, delay=0.51, delays=0.17/0/0.26/0.08, dsn=5.7.1, status=bounced (host live-com.olc.protection.outlook.com[104.47.17.97] said: 550 5.7.1 Unfortunately, messages from [x.x.x.x] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [DB8EUR05FT016.eop-eur05.prod.protection.outlook.com] (in reply to MAIL FROM command))
Above of course shows I'm on their block list... But an email to icloud!
See attached image of icloud message that shows mail delayed, which ends up blocked....
Here is a log from postfix:
Feb 8 07:26:48 host1 postfix/qmgr[932146]: 7292018235C: from=info@krfoh.org, size=2766, nrcpt=1 (queue active)
Feb 8 07:26:48 host1 postfix/smtp[932238]: 7292018235C: host mx01.mail.icloud.com[17.56.9.17] refused to talk to me: 554 5.7.0 Blocked - see https://support.proofpoint.com/dnsbl-lookup.cgi?ip=155.138.174.82
Feb 8 07:26:50 host1 postfix/smtp[932238]: 7292018235C: host mx02.mail.icloud.com[17.57.156.25] refused to talk to me: 554 5.7.0 Blocked - see https://support.proofpoint.com/dnsbl-lookup.cgi?ip=155.138.174.82
Feb 8 07:26:51 host1 postfix/smtp[932238]: 7292018235C: host mx01.mail.icloud.com[17.42.251.10] refused to talk to me: 554 5.7.0 Blocked - see https://support.proofpoint.com/dnsbl-lookup.cgi?ip=155.138.174.82
Feb 8 07:26:51 host1 postfix/smtpd[932232]: disconnect from c-73-135-75-170.hsd1.de.comcast.net[73.135.75.170] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Feb 8 07:26:51 host1 postfix/smtp[932238]: 7292018235C: host mx02.mail.icloud.com[17.56.9.19] refused to talk to me: 554 5.7.0 Blocked - see https://support.proofpoint.com/dnsbl-lookup.cgi?ip=155.138.174.82
Feb 8 07:26:56 host1 postfix/smtp[932238]: 7292018235C: to=stephanie.wilson0714@icloud.com, relay=mx01.mail.icloud.com[17.57.152.9]:25, delay=8.4, delays=0.19/0.01/8.2/0, dsn=4.7.0, status=deferred (host mx01.mail.icloud.com[17.57.152.9] refused to talk to me: 554 5.7.0 Blocked - see https://support.proofpoint.com/dnsbl-lookup.cgi?ip=155.138.174.82)
"Please contact your Internet service provider since part of their network is on our block list (S3140). "
So your ISP has been blacklisted. I believe this is fairly common for consumer facing broadband addresses. There is no real solution - either change provider (and hope they're not blacklisted) or get a virtual machine somewhere and relay out through that (or the ISPs own outbound SMTP server).
You can face a similar problem with using a virtual machine - some providers have a poor reputation as well (E.g. OVH, Linode was really blacklisted by outlook - e.g. https://www.youtube.com/watch?v=fAXXmqylZ-o ).
My server is actually a VPS from Vultr.com.... So I'm already running a virtual machine on a provider network.... Also, the icloud email isn't showing blocked that I attached, that one I think is more of a server issue. I already know the outlook one is due to reputation score as I'm a networking dude and we see this for the place I work for all the time.
Often you can get your IP (assuming it's static) unblocked. How you do this varies - and it can take some digging to find the right page.
In the case of the one to Microsoft, that's their own internal block list so you need to find somewhere on there where you can effectively say "please, pretty please, I'm not a spammer and I legitimately run my own mail server in spite of this being a residential/dynamic address range". I had a similar problem with AOL some years ago and it took me ages before I accidentally found their page for this.
For the icloud one, that's different. They are using a 3rd party "reputation service" and it's the 3rd party you need to convince. At the moment, it looks like your IP isn't blocked so it was probably a transient thing. Unfortunately these things tend to work on address blocks, so you get tarred with the same brush according to your (internet) neighbours' behaviour - much the same thing as living in a "bad" part of town and people being unwilling to visit you because of the neighbourhood's reputation. I don't see anywhere on the Proofpoint site to ask nicely, so it may be worth keeping an eye out and if you get blocked again, see if there's anything shows up - e.g. of the form "you've been blocked because ..., click here for options".
Unfortunately the large operators know that they can do whatever they like and the little guys like us have no leverage. As far as their users are concerned, it's "our fault" for daring to not use their service and the users will generally believe whatever the service provider tells them even if we can points to something and say "look, it's not even RFC compliant".