Getting Gmail (and others) to Trust Postfix


#1

I’ve had Let’s Encrypt going for a while now and it’s going very well (securing my sites, ownCloud, and mail server). However the mail I send often ends up in spam. While I accept I can’t stop that happening completely (I’m using a .tk domain), gmail gives me the following error:

I thought I must have mis-configured postfix, but when I checked the header from gmail, it suggests it’s because my certificate clashes with my server’s name.

I have a SAN certificate for darksteve.tk, mail.darksteve.tk, and cloud.darksteve.tk, but the message arrives with the source being my server, ravage.darksteve.tk. Do I need to add “ravage” to my certificate? Will that verify my domain in the eyes of google and others? Or am I misunderstanding what’s happening here?

(The “sylvester” in the header is the Win10 desktop machine I sent the mail from, using Thunderbird.)

The domain ravage.darksteve.tk is not currently accessible from the net, that’s just the name I use internally, but I can add the domain to my cert if necessary as well as add it to the freenom DNS.

The encryption seems to be just fine (the header indicates TLS 1.2 is working). This is the TLS section of my postfix config:

# Sending mail (smtp_* = Postfix SMTP client, outbound connections)
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_scache
smtp_tls_security_level = may
smtp_tls_loglevel = 1

tls_random_source = dev:/dev/urandom

# Receiving mail (smtpd_* = Postfix SMTP server, inbound connections)
smtpd_tls_loglevel = 1
smtpd_tls_cert_file = /usr/local/etc/letsencrypt/live/darksteve.tk/fullchain.pem
smtpd_tls_key_file = /usr/local/etc/letsencrypt/live/darksteve.tk/privkey.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may

smtpd_tls_auth_only = yes

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

I’m getting 100 percent confidence when I use checktls.com. Any thoughts or ideas on how to get gmail/yahoo/etc to “verify” or trust me would be much appreciated!


#2

hi @DarkSteve

check your IPs are not on spam lists

I thought I must have mis-configured postfix, but when I checked the header from gmail, it suggests it’s because my certificate clashes with my server’s name.

Doesn’t sound right.

https://productforums.google.com/forum/#!topic/gmail/QKoenloYdDY

Andrei


#3

It’s a DNS issue, not a TLS one. For gmail to consider an email authenticated it must be DKIM signed or sent from a server that is an SPF pass. As darksteve.tk does not have an SPF record and you have not configured postfix to use a DKIM milter, all your mail will be considered forged/spam.


#4

Hello @DarkSteve,

I don’t think it is related to SSL. There are a few things to make Google trust your domain a bit more ;).

1.- Your domain darksteve.tk doesn’t have an MX record and it should. In this case, your mail server HELO is ravage.darksteve.tk, so your MX record should point to it.

2.- Ideally, your reverse IP DNS should point to ravage.darksteve.tk, but it reverses to 110-175-224-69.static.tpgi.com.au (if this is a home internet connection it could be impossible to change this record).

3.- You should implement SPF on your darksteve.tk domain. A simple TXT record with v=spf1 a mx -all should do the trick.

4.- You should implement DKIM for your domain.

For sure you should implement points 1 and 3 and test what Google thinks about those changes. DKIM could be a bit more complex, but it is worth checking how to implement it on your postfix.

Hope this helps.

Cheers,
sahsanu
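To make the checks in replies #3 and #4 concrete, here is an added example (not code from the thread or from any poster) that evaluates the recommended `v=spf1 a mx -all` record, the MX-points-at-HELO requirement, and forward-confirmed reverse DNS against a small, constructed set of DNS records. The zone data, the IP addresses (203.0.113.x is documentation space) and the `lookup` helper are assumptions standing in for real DNS queries; only the `a`, `mx`, `ip4` and `all` mechanisms of RFC 7208 are modelled, so it goes slightly beyond the single record quoted above but does not handle `include` or `redirect`.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (assumption, not the real
# darksteve.tk zone). The web host and the mail host deliberately have
# different addresses so that the "a" and "mx" mechanisms are both exercised.
ZONE_FIXED = {
    "A":   {"darksteve.tk": ["203.0.113.20"],          # web host
            "ravage.darksteve.tk": ["203.0.113.10"]},  # mail host / HELO name
    "MX":  {"darksteve.tk": ["ravage.darksteve.tk"]},  # point 1 of reply #4
    "TXT": {"darksteve.tk": ["v=spf1 a mx -all"]},     # point 3 of reply #4
    "PTR": {"203.0.113.10": ["ravage.darksteve.tk"]},  # point 2 of reply #4
}

# Same zone, but with the reverse record a home ISP would publish
# (constructed to mirror the situation described in reply #4).
ZONE_HOME = dict(ZONE_FIXED)
ZONE_HOME["PTR"] = {"203.0.113.10": ["110-175-224-69.static.tpgi.com.au"]}


def lookup(rtype, name, zone):
    """Stand-in for a DNS query; returns [] when nothing is published."""
    return zone.get(rtype, {}).get(name.lower().rstrip("."), [])


def spf_record(domain, zone):
    """Exactly one v=spf1 TXT record is valid; zero or several yields None."""
    recs = [t for t in lookup("TXT", domain, zone) if t.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_spf(domain, sender_ip, zone):
    """Evaluate a/mx/ip4/all mechanisms for sender_ip.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record).
    """
    record = spf_record(domain, zone)
    if record is None:
        return "none"  # what reply #3 reports for darksteve.tk
    ip = ipaddress.ip_address(sender_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = "+"  # mechanisms default to "+" when unqualified
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = sender_ip in lookup("A", arg or domain, zone)
        elif mech == "mx":
            matched = any(sender_ip in lookup("A", host, zone)
                          for host in lookup("MX", arg or domain, zone))
        # include/exists/redirect/ptr are not modelled in this example
        if matched:
            return qualifiers[qual]
    return "neutral"  # RFC 7208 default result when nothing matches


def check_mx(domain, helo, zone):
    """Point 1: the domain publishes an MX and it names the HELO host."""
    return helo.lower() in [h.lower() for h in lookup("MX", domain, zone)]


def check_ptr(sender_ip, helo, zone):
    """Point 2: forward-confirmed reverse DNS.

    The PTR must name the HELO host and that name must resolve back to the IP.
    """
    return any(name.lower() == helo.lower() and sender_ip in lookup("A", name, zone)
               for name in lookup("PTR", sender_ip, zone))


if __name__ == "__main__":
    for label, zone in (("fixed", ZONE_FIXED), ("home ISP", ZONE_HOME)):
        print(label,
              "spf:", check_spf("darksteve.tk", "203.0.113.10", zone),
              "mx:", check_mx("darksteve.tk", "ravage.darksteve.tk", zone),
              "fcrdns:", check_ptr("203.0.113.10", "ravage.darksteve.tk", zone))
```

Against the constructed data the mail host passes SPF through the `mx` mechanism (its address is not the domain's `a` address), an unrelated address gets `fail` from `-all`, and the home-ISP variant shows why point 2 stays unresolved: the PTR names the ISP host, so forward-confirmed reverse DNS does not line up with the HELO name even though SPF and MX are fine.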


#5

Thanks for replying :slight_smile:

I’d actually checked a couple of sites (http://mxtoolbox.com/blacklists.aspx and http://whatismyipaddress.com/blacklist-check) and I’m clean, no blocking. That was actually something I’d already checked before posting, but didn’t mention it because my post was ridiculously big already. Also, the header mentioned that my reputation was “neutral” so I figured that wasn’t the problem.

Sorry, I should have mentioned it in my post. (Unless you have another site to check?)


#6

Ah, I’m gonna need to do a bit more reading. I’d convinced myself I was missing a domain in my SAN. Thanks for the pointer! Sahsanu said something very similar to you, so I’m gonna read lots and make sure I understand what I’m missing before I ask any more stupid questions :blush:


#7

There’s no such thing as a stupid question

I’m gonna quote Wikipedia :wink:

There’s no such thing as a stupid question. It suggests that the quest for knowledge includes failure, and that just because one person may know less than others they should not be afraid to ask rather than pretend they already know. In many cases multiple people may not know but are too afraid to ask the “stupid question”; the one who asks the question may in fact be doing a service to those around them.

Cheers,
sahsanu


#8

Hi @sahsanu

Thanks for the links, I’m gonna do a lot of reading and set up the MX records like I should have.

Your second point is a bit of an issue. You’re right, it’s a home internet connection, and I don’t think I can change the reverse. I verified that I could use a personal server and that port 25 isn’t blocked, but not much more than that (I’m learning as I go).

Thanks, I appreciate the help!


#9

That sounds like a challenge :wink:

