Blocked by Proofpoint?

I use Mail in a Box with a completely standard implementation.

There are no signs that I am or can be used by spammers. Anyone else get this? Last time it was another Spam Check/Shakedown operation but they had blocked a range of Linode IPs.

Transcript follows:

This is the mail system at host box.mail-ross-optimal.com.

#

THIS IS A WARNING ONLY. YOU DO NOT NEED TO RESEND YOUR MESSAGE.

#

Your message could not be delivered for more than 3 hour(s).
It will be retried until it is 2 day(s) old.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<[REDACTED]@me.com>: host mx02.mail.icloud.com[17.57.154.7] refused to
talk to me: 550 5.7.0 Blocked - see
https://support.proofpoint.com/dnsbl-lookup.cgi?ip=45.79.69.21

Reporting-MTA: dns; box.mail-ross-optimal.com
X-Postfix-Queue-ID: 273263E863
X-Postfix-Sender: rfc822; [REDACTED]@lefts.org
Arrival-Date: Wed, 8 Apr 2020 23:01:31 -0700 (PDT)

Final-Recipient: rfc822; [REDACTED]@me.com
Original-Recipient: rfc822;[REDACTED]@me.com
Action: delayed
Status: 4.7.0
Remote-MTA: dns; mx02.mail.icloud.com
Diagnostic-Code: smtp; 550 5.7.0 Blocked - see
https://support.proofpoint.com/dnsbl-lookup.cgi?ip=45.79.69.21
Will-Retry-Until: Fri, 10 Apr 2020 23:01:31 -0700 (PDT)

Return-Path: <[REDACTED]@lefts.org>
Received: from authenticated-user (box.mail-ross-optimal.com [45.79.69.21])
(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
(No client certificate requested)
by box.mail-ross-optimal.com (Postfix) with ESMTPSA id 273263E863;
Wed, 8 Apr 2020 23:01:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lefts.org; s=mail;
t=1586412091; bh=rvXeUffz4do/sVZqU/xk7FlvlSSn21e3zXxPL3j0FsI=;
h=From:Subject:To:Date:From;
b=tltj7sTeX+WbCCb74Ze+25+r7QOIH/Q79GwKm5maYoL/+G0ICmB+oae62hSO2+03S
cr6wGuy6AI0pOLIxLzVE7HC1CokxufE8sHAwrMdMF5GAk8eYC9V/O+SDtKW1rEL/vx
W3zehZYz0uL+DyPU+/HdjXU5kPUxkGoJ4D1g5Auder5YeevAiWZLA4IX7l2KQ/Kifa
II7vQjw60xouiqI9oZCHzhgHSyAgLUgbG2iQ9uLYIvY+wBnQDs4MUM60XH/hI04Jzr
OGbuMrwhdWzxTHR9TIsLksNRL9qwcVKpU/Lo+7hnezfJasX9zER4ehxyu9aql4qFPI
9f568givw4apw==
From: [REDACTED] <[REDACTED][email protected]>
Subject: Hey man.
To: [REDACTED] <[REDACTED]@me.com>
Message-ID: 9d0d6825-c76b-d89e-721b-9d9d8151498c@lefts.org
Date: Wed, 8 Apr 2020 23:01:27 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------CFB4F811BCBA89CFA9B6441C"
Content-Language: en-US

11 Replies

Did you look at the URL that was part of the headers. Proofpoint says your IP is not blocked.

That being said, I didn't see any references to an SPF or a DMARC record in the message headers. iCloud will definitely block messages from transfer agents without SPF & DMARC records. iCloud uses these to authenticate your transfer agent.

Without SPF & DMARC, your transfer agent is not "standard".

See:

https://support.apple.com/en-us/HT204137

-- sw

Hi @dilapidus! Just to add on to what @stevewi said, generally these blocks are automatic and will be removed after both SPF and rDNS records are added.

We have a guide on rDNS here:

Configure Your Linode for rDNS

An intro to SPF records here:

DNS Records: An Introduction: SPF

And an intro to DKIM records here:

DNS Records: An Introduction: DKIM

If you're using Postfix, we have a guide on setting up both SPF and DKIM records with it here:

Configure SPF and DKIM With Postfix on Debian 9

Hi all .. I appreciate the comments. I had gone immediately to the url provided and complained. This has happened before. Apparently they got the message because the original recipient now reports receipt (some 8 hours after I sent)

I do think that SPF, rDNS and DKIM are setup properly. Did you see something that concerned you or was that just general thoughts?

Again, thanks!

R

My transfer agent adds the following as a result of SPF and DMARC checks:

Received-Spf: Softfail (mailfrom) identity=mailfrom; client-ip=<redacted>; helo=<redacted>; envelope-from=<redacted>; receiver=<UNKNOWN>
Authentication-Results: <redacted>; dmarc=fail (p=none dis=none) header.from=<redacted>

rDNS results in no headers…rDNS is a check to make sure the IP address a DNS name resolves to and the rDNS are the same. Your DKIM headers look ok (IMHO…not knowing much about your system or postfix(1) configuration).

You might check out your domain here:

https://easydmarc.com/tools/domain-scanner

https://mxtoolbox.com offers a number of email diagnostic tools as well.

-- sw

@mjones rDNS was new to me, so this might partially solve this issue of Proofpoint. But I have a small mailserver, serving multiple domains (on one IP address). How do I solve this? Can add multiple domains to this rDNS record?

Thanks

You need to have an rDNS for each mail domain. These are easy to set up in the Cloud Manager. As with most things DNS, your changes will take awhile to propagate around the world.

-- sw

You need to have an rDNS for each mail domain

The reverse DNS record is needed for the Linode IP address, not the mail domain.

When a mail server (your Linode) connects to another (iCloud) it announces who it is - typically the system's hostname.

This tells iCloud "I am this.server.com".

iCloud then looks up the A record for this.server.com to find its IP address, and the reverse DNS record for the IP address the connection has come from, and checks that they match.

If they don't match, it is suspicious - i.e. your Linode telling iCloud "I am gmail.com", when in fact you aren't because the IP address resolves back (via reverse DNS) to li1234-56.members.linode.com, not gmail.com - and gmail.com's IP address is not your Linode's IP address.

Note that if you have IPv6 enabled, you will need a reverse and forward DNS record for both your IPv4 and IPv6 addresses.

I typically have:

  • my.linode.mydomain.com A -> my Linode's IPv4 address
  • my.linode.mydomain.com AAAA -> my Linode's IPv6 address
  • my Linode's IPv4 address PTR (rDNS) -> my.linode.mydomain.com
  • my Linode's IPv6 address PTR (rDNS) -> my.linode.mydomain.com

And then set my Linode's hostname to my.linode.mydomain.com (hostnamectl set-hostname my.linode.mydomain.com).

Note that some MTAs, like Postfix, allow you to explicitly set the hostname that it reports in the EHLO/HELO command:

smtp_helo_name (default: $myhostname)
The hostname to send in the SMTP HELO or EHLO command.

The default value is the machine hostname. Specify a hostname or [ip.add.re.ss].

This information can be specified in the main.cf file for all SMTP clients, or it can be specified in the master.cf file for a specific client, for example:

/etc/postfix/master.cf:
mysmtp … smtp -o smtp_helo_name=foo.bar.com
This feature is available in Postfix 2.0 and later.

@andysh --

You write:

You need to have an rDNS for each mail domain
 
The reverse DNS record is needed for the Linode IP address, not the mail domain.

Geez… what a senior moment! Thanks for the setting the poster straight, Andy!

-- sw

@andysh Thanks for this extensive reply. But that would mean that one can only have one mail domain served by one ip address without being "suspicious", as you call it. Correct? I have multiple domains on one Linode served by one Postfix MTA.

My Postfix mailserver has an explicitly set host name (as you mentioned). This all worked perfectly fine and still does for most of the time. Now I have issues with iCloud.com and me.com addresses because proofpoint is blocking them and not responding to any questions.

But that would mean that one can only have one mail domain served by one ip address without being "suspicious", as you call it. Correct? I have multiple domains on one Linode served by one Postfix MTA.

Not at all - the rDNS is based on the hostname of the machine (that is announced in the HELO/EHLO command when it connects), not the mail domains it sends (which is specified in the MAIL FROM command.)

The server "my.linode.mydomain.com" can send mail for myotherdomain.com, anotherdomain.com, anotherofmydomains.com … as many as it wants.

The key thing is that "my.linode.mydomain.com" has a forward DNS (A record) that resolves to the outbound IPv4/6 addresses - and the reverse DNS for those IP addresses resolves back to (PTR/rDNS record) "my.linode.mydomain.com".

The mail domains are totally unrelated - although they should specify the IPs in their SPF record to designate that those IPs are allowed to send mail - but that's separate to the rDNS record.

Thanks! I think I understand and set it up according to your explanation. I never understood the need for adding the host name to the domain name. So I set the rDNS record to example.com instead of mail.example.com. I only had one host so why adding it. Now all is synchronised.

Wonderful. Let's see if this is helping me with the Proofpoint / iCloud.com/me.com issues I have. That was the purpose.

Thanks.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct