I have Postfix 2.3.8 installed on my email server. I am just using postfix right now. Nothing but the MTA has been minimally configured at this point. I am able to get local email back and fourth no problem (Maildir style) but when I tried to send email from my local user account to my gmail account, I received the following delivery failure...

When I do a dig on my domain name / mx record, it comes back to my ISP provided IP no problem. What can I do to resolve this?



From: Mail Delivery System <MAILER-DAEMON@carlwill.com>
Subject: Undelivered Mail Returned to Sender
To: carlos@carlwill.com
Auto-Submitted: auto-replied

[-- Attachment #1: Notification --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.7K --]

This is the mail system at host swordfish.carlwill.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<carloswill@gmail.com>: host gmail-smtp-in.l.google.com[209.85.133.27] said:
550-5.7.1 [67.8.168.254] The IP you're using to send email is not
authorized 550-5.7.1 to send email directly to our servers. Please use
550 5.7.1 the SMTP relay at your service provider instead.
c27si9474770ana.27 (in reply to end of DATA command)

[-- Attachment #2: Delivery report --]
[-- Type: message/delivery-status, Encoding: 7bit, Size: 0.5K --]

Reporting-MTA: dns; swordfish.carlwill.com
X-Postfix-Queue-ID: 77E6116B022D
X-Postfix-Sender: rfc822; carlos@carlwill.com
Arrival-Date: Sat, 19 Jan 2008 22:16:42 -0500 (EST)

Final-Recipient: rfc822; carloswill@gmail.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.7.1 [67.8.168.254] The IP you're using to send
email is not authorized 550-5.7.1 to send email directly to our servers.
Please use 550 5.7.1 the SMTP relay at your service provider instead.
c27si9474770ana.27

[-- Attachment #3: Undelivered Message --]
[-- Type: message/rfc822, Encoding: 7bit, Size: 0.4K --]

To: carloswill@gmail.com
Subject: Email Server Is Online!
From: Carlos Williams <carlos@carlwill.com>

Hello!!!

Do you have your mail system reverse dns'ed? A lot of mail systems do a reverse dns check before accepting email. If the host name it finds for the ip address doesn't match what your system claims to be, it will generally bounce you.

Good luck

Hope this helps.

Unless I'm reading this wrong, your IP address 67.8.168.254 is a number assigned to rr.com (Road Runner) domain and according to a nslookup resolves to 254.168.8.67.cfl.res.rr.com. The MX mail records for rr.com are lamx02.mgw.rr.com and vamx02.mgw.rr.com. It looks like Google email server will only receive mail on port 25 from the rr.com smarthost email server.

But I did find this from Google:

Configuring other mail clients
http://mail.google.com/support/bin/a...87&topic=12810

Please note that if your client does not support SMTP authentication, you won't be able to send mail through your client using your Gmail address.

OK - that makes sense. My ISP is rr.com (Road Runner / Brighthouse Networks) and I have a basic broadband dynamic IP with them but it never changes.

I am not sure I understand why you added a link on how to configure a mail client to pop mail from a gmail server.

Thanks for your info!

That dosen't matter. The reciving SMTP server is doing a reverse DNS lookup of your IP.

PTR/Reverse DNS checks
To check the domain names in the rDNS to see if they are likely from dial-up users, dynamically assigned addresses, or home-based broadband customers. Since the vast majority, but by no means all, of e-mail that originates from these computers is spam, many mail servers also refuse e-mail with missing or "generic" rDNS names.

http://en.wikipedia.org/wiki/Anti-sp...rse_DNS_checks

Unless your MTA supports authentication when sending mail, you'll have to use a mail client that supports authentication to send mail directly to the smtp.gmail.com server. No authentication, you'll keep getting the 550-5.7.1 error.

If that dosen't make sense, then maybe someone else will chime in and explain it better than me.

The way a lot of ISPs work is to block outgoing traffic on port 25 from all of their clients, in a (largely unsuccessful) attempt to cut down on spam. It should work in theory, but the devious folks writing trojans/viruses have found ways around it. The problem with an ISP that blocks access to port 25 is that they also set up quasi-open relays. What they do is put up a large mail server that takes any traffic from their clients and relays it. I call it quasi-open because it isn't open to the world at large, but it is to any client of the ISP. The problem is, they consequently relay any and all mail sent by any customer out to the net, and they do it without password authentication. While this means that my boss who lives in Jersey has to use his ISPs outgoing relay to send mail because he can't have SMTP communications with my mail server, it also means anybody on his ISP with a trojan/virus that sends out mail will get it relayed to the public at large.

The message from gmail seems to indicate that they want you to use your ISPs relay, which should be fine, as long as it is quasi-open, and will relay the message without changing the user/domain name on the message.

I also don't see what help the link bsdunix provided is. That is how to configure a client to pop/smtp mail for a gmail account. You aren't trying to send out mail as you@gmail.com, you are trying to use your personal domain, so the client setup doesn't apply, it would have to be a server setup page.

Peace,
JimBass

Oh, I see now you registered carwill.com domain with 1and1.com domain registration using your dymamic assigned IP from Road Runner. I didn't think you could that. No wonder the reverse DNS lookup is resolving to rr.com. Road Runner lets you do that? If they do, more power to you.

Yup - thats exactly what I did. I hope they let me do that. If not I could be in some kind of trouble

I have A records pointed to my own rr.com IP address at home, anyone can do such things with their DNS server and if they have their own domain name.. Setting up a reverse that works for residential service is impossible though.

So I am basically out of luck unless I have a static IP, right?

At first I was thinking revers-dns as well, but I've run mail-servers on plenty of stuff that has a mis-matching PTR or no PTR, so I was thinking possibly SBL, but if there's no SBL, gmail usually just dumps it into the spam folder, but lets it get through.

Bit of a mystery,

Can you provide more mail header from the bounce?

Cheers,

Finegan

This is the entire message:

This is the mail system at host swordfish.carlwill.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<carloswill@gmail.com>: host gmail-smtp-in.l.google.com[209.85.133.27] said:
550-5.7.1 [67.8.168.254] The IP you're using to send email is not
authorized 550-5.7.1 to send email directly to our servers. Please use
550 5.7.1 the SMTP relay at your service provider instead.
c27si9474770ana.27 (in reply to end of DATA command)



Reporting-MTA: dns; swordfish.carlwill.com
X-Postfix-Queue-ID: 77E6116B022D
X-Postfix-Sender: rfc822; carlos@carlwill.com
Arrival-Date: Sat, 19 Jan 2008 22:16:42 -0500 (EST)

Final-Recipient: rfc822; carloswill@gmail.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.7.1 [67.8.168.254] The IP you're using to send
email is not authorized 550-5.7.1 to send email directly to our servers.
Please use 550 5.7.1 the SMTP relay at your service provider instead.
c27si9474770ana.27



Subject:
Email Server Is Online!
From:
carlos@carlwill.com (Carlos Williams)
Date:
Sat, 19 Jan 2008 22:16:42 -0500 (EST)
To:
carloswill@gmail.com

Carlwill.com is online!

swordfish.carlwill.com doesn't actually have a DNS record, although that isn't the problem at all.

This one seems specific to gmail. It bugs me that the error code is 550-5.7.1 which is generic relaying denied. I don't know if there's a way around it, it doesn't seem to be roadrunner's fault at all. The ways around it would be ugly:

1. set up postfix transport to actually go through rr's mailserver, although that's almost invariably going to require authentication and I've never had to set up postfix to do an authenticated relay.

2. get someone who's on an ip-block that isn't getting the stinky finger from gmail to relay just for your IP. I had to do this once before when my old mailserver was on a block that was on SPEWS.

3. setting up SBL might actually take care of it. Since Gmail's checks are a total mystery it might give the okay once it sees a valid SBL reverse? That's if the SBL check fires off before whatever nameless relay check its running that's causing the 550.

Word,

Finegan

Thanks all! I am going to relay all outbound email through rr.com's email server which I discovered does not require authentication...

I'll note that you shouldn't probably be using dynamic IP with any server if you like it to work tomorrow too, because the fact that your ISP usually assigns you the same IP doesn't mean they do it always. If it happens that they assign it to somebody else, you're out of luck - you will get on the net with another IP too, but any services that would point to the old IP address didn't function all right. In a bad case it could be a security risk.

Another thing is running a server on a normal broadband connection, if it's meant for "clients" only (not "servers"). It depends on the ISP and country, but I'll mention that here if you get caught running a (public, which they can find) server of your own, you can get into trouble - trouble that costs you money, your broadband connection and in a bad case your server equipment. Sounds unfair maybe, but that's the way. They even mention it in the deal, so if you haven't read it thoroughly yet, you should do it. Some ISPs are rather nasty about these things.

I agree that ISPs can generally make your life difficult, even though you wouldn't be doing anything illegal. Mostly they have a reason for every act that says "we're just trying to decrease spam/misuse/security risks/crackers/etc., you must understand it". And in many cases it's mostly their own good they're after, or so it seems because their actions aren't as effective as one could imagine they were in a "really interesting" case. In some cases, though, they're absolutely right and you should know that