Gmail, why are you doing this to me?

Recently I had to set up another mail server with Postfix, Dovecot and MySQL. Everything seemed to work fine until I started testing. The emails sent out to a Gmail test account bounced back – what was going on with Gmail?

Update 07/29/2016:

After upgrading to Ubuntu 16.04 (and the resulting update of opendkim to version 2.10.3) the opendkim daemon would fail to start. The error message reads like:

Jul 29 21:02:52 systemd[1]: opendkim.service: Control process exited, code=exited status=64
Jul 29 21:02:52 systemd[1]: Failed to start DomainKeys Identified Mail (DKIM) Milter.
Jul 29 21:02:52 systemd[1]: opendkim.service: Unit entered failed state.
Jul 29 21:02:52 systemd[1]: opendkim.service: Failed with result 'exit-code'.

This error is due to the stricter configuration rules of the new opendkim version – it fails because inline comments are no longer allowed. In the configuration file /etc/default/opendkim (shown a little further down), the comment has to go on its own line, like so

#listen on loopback on port 8891
SOCKET="inet:8891@localhost"

and the daemon will start again.

First, let’s take a step back and see what I have done so far to configure the mail server. I’ve already set an SPF record (Sender Policy Framework) to match the mail server’s IP and set a reverse DNS entry. There are several ways to set these – if you are unsure how to set your SPF, please read Sender Policy Framework – Introduction. And if you need help with reverse DNS, please check out Reverse DNS.

I recommend trying this useful mail-tester tool to examine your mail server. This tool will classify your mail server by analyzing blacklists, DNS records and the email itself. Right now my score on mail-tester is 9/10 after all these DNS changes. Not too shabby, but Gmail is still rejecting my test emails – all emails I send to other test accounts on different mail services are being delivered.

Going for a better score – installing OpenDKIM

The only reason my mail server scores only 9 out of 10 points on the mail-tester tool is that I’m not using DKIM (DomainKeys Identified Mail). I remember the dkim-filter package was discontinued previously, and since this is an Ubuntu 12.04 box I’ll have to install OpenDKIM by running the following command:

$ sudo apt-get install opendkim opendkim-tools

Now I need to prepare the configuration file to use my mail domain (please use your domain instead of example.com and adjust the selector if necessary):

$ sudo nano /etc/opendkim.conf
Domain    example.com
KeyFile   /etc/mail/dkim.example.key
Selector  mail

Cool – let’s configure the DKIM daemon to listen on a specific port (I use 8891 in this example) by:

$ sudo nano /etc/default/opendkim
SOCKET="inet:8891@localhost" #listen on loopback on port 8891

That should do it. Wait! Postfix needs to know that we are going to talk to DKIM. We should add the following changes to Postfix’s main configuration:

$ sudo nano /etc/postfix/main.cf
# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

 

Generate keys for DKIM

By executing

$ opendkim-genkey -t -s mail -d example.com

we will generate two key files: mail.private which is your private key and mail.txt, the public key, which we will use for setting our DNS record. Let’s copy the private key so that DKIM can use it. We might need to create a folder first. Run

$ sudo mkdir /etc/mail
$ sudo cp mail.private /etc/mail/dkim.example.key

 

Create DNS record for DKIM

There’s one last step before we can start using DKIM with postfix. We need to create a TXT DNS record holding the public key created in the previous step. Just cat the public key file (mail.txt); you should see something like

mail._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=SpYHdE2tevfEpvL1Tk2dDYv0pF28/f 5MxU92x/0bsn4R4p7waTaz1IbOGs/5bm5QIDAQCD" ; ----- DKIM mail for example.com

If you use a DNS service just add another DNS entry. Select TXT as type, add mail._domainkey and enter all the stuff between the quotes into the value field. Depending on your TTL it might take some time until the new DNS entry is propagated and the changes are in effect.

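You can check the TXT records of your domain with the dig command. The DKIM key is published under the selector name rather than the domain itself, so query that name as well:

$ dig example.com TXT
$ dig mail._domainkey.example.com TXT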
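A check you can run on the record before (or after) publishing it, as an added example that is not part of the original post: it joins the quoted strings of the zone-file line, parses the tags and flags common problems, including the t=y testing flag that opendkim-genkey -t requests and the g= tag, which current DKIM (RFC 6376) no longer defines. The function names are hypothetical and the key material is constructed placeholder data, not a real key.

```python
import base64
import re

def parse_dkim_txt(zone_line):
    """Return the tag=value pairs of a DKIM key record given as a zone-file line."""
    # Long keys are split into several quoted strings; resolvers concatenate them.
    chunks = re.findall(r'"([^"]*)"', zone_line)
    record = "".join(chunks) if chunks else zone_line  # bare value pasted from a DNS UI
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    if "p" in tags:
        tags["p"] = re.sub(r"\s+", "", tags["p"])  # whitespace inside p= is ignored
    return tags

def audit_dkim_tags(tags):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= is not DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        findings.append("k= names an unknown key type")
    p = tags.get("p")
    if p is None:
        findings.append("p= is missing")
    elif p == "":
        findings.append("p= is empty: the key is revoked")
    else:
        try:
            base64.b64decode(p, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append("p= is not valid base64 (truncated or mangled paste?)")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: domain is in DKIM testing mode")
    if "g" in tags:
        findings.append("g= is obsolete (dropped in RFC 6376)")
    return findings

# Constructed sample: 162 placeholder bytes stand in for the key; not a real key.
SAMPLE_P = base64.b64encode(bytes(range(162))).decode()
SAMPLE_LINE = ('mail._domainkey IN TXT ( "v=DKIM1; g=*; k=rsa; t=y; "\n'
               '  "p=%s"\n  "%s" ) ; ----- DKIM mail for example.com'
               % (SAMPLE_P[:100], SAMPLE_P[100:]))

# Findings for the constructed record above.
SAMPLE_FINDINGS = audit_dkim_tags(parse_dkim_txt(SAMPLE_LINE))
```

Paste the content of mail.txt (or the value shown by dig) in place of SAMPLE_LINE to check your own record.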

Now restart the services with

$ sudo service opendkim restart
$ sudo service postfix restart

Back at the mail-tester tool and another test email later, we score 10 out of 10 now – yay, DKIM works! (You can monitor your mail log file to check if the filter ran properly.)

But sending another test email to the Gmail test account results in a nasty error message: The sender does not meet 550-5.7.1 basic ipv6 sending guidelines of authentication and rdns resolution 550-5.7.1 of sending ip.

What’s Gmail’s problem?

As I take a closer look at the error message it seems that my mail server does not comply with IPv6 sending guidelines. The mail server does not need to send out emails utilizing IPv6 – is there a way of using IPv4 instead?

Forcing IPv4 when sending to Gmail

If we want to force postfix to use IPv4 instead of IPv6 when sending to Gmail, we need to add a line to the main configuration file of postfix like so

$ sudo nano /etc/postfix/main.cf
transport_maps = hash:/etc/postfix/transport

Let’s create this new file and add a new entry in the transport table. Basically, we force mail for gmail.com to use smtp-ipv4 (which we have to define later, see below)

$ sudo nano /etc/postfix/transport
gmail.com smtp-ipv4:

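Here comes the key part. We define a new service for our new transport entry and tell it explicitly to use only the IPv4 protocol. A "-" in a column of master.cf means "use the default" for that field, and the -o line must start with whitespace so that it continues the service entry:

$ sudo nano /etc/postfix/master.cf
smtp-ipv4 unix  -  -  -  -  -  smtp
  -o inet_protocols=ipv4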

We need to run the postmap command after the change and reload postfix

$ sudo postmap /etc/postfix/transport
$ sudo postfix reload

Once again, I send a test email to the Gmail test account but this time the email does not get rejected. The header of the email reads just fine, using IPv4 (the IP address of the server) for transport. Finally, this solved the delivery issues with Gmail.
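To confirm from the mail log that the bounces happened only on IPv6 connections and that Gmail deliveries now go out over IPv4, the following added example (not part of the original post) tallies Postfix smtp delivery lines by relay address family and status. The function names are hypothetical, and the log lines are constructed samples using documentation-range addresses.

```python
import ipaddress
import re
from collections import Counter

# Fields of a Postfix smtp delivery log line.
DELIVERY_RE = re.compile(
    r"to=<(?P<rcpt>[^>]+)>.*?relay=(?P<relay>[^,]+),.*?"
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")
RELAY_ADDR_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]:\d+$")

def relay_family(relay):
    """'ipv4' or 'ipv6' for host[addr]:port, 'none' when no connection was made."""
    m = RELAY_ADDR_RE.search(relay)
    if not m:
        return "none"
    return "ipv%d" % ipaddress.ip_address(m.group(1)).version

def summarize_deliveries(log_lines, domain="gmail.com"):
    """Count (address family, status) pairs for mail addressed to `domain`."""
    counts = Counter()
    for line in log_lines:
        m = DELIVERY_RE.search(line)
        if m and m.group("rcpt").lower().endswith("@" + domain):
            counts[(relay_family(m.group("relay")), m.group("status"))] += 1
    return counts

# Constructed log lines: the host name "mail", the queue IDs and the
# documentation-range addresses are placeholders, not real values.
SAMPLE_LOG = [
    "Jul 29 21:10:01 mail postfix/smtp[2101]: 3F2A1C0A: to=<test@gmail.com>, "
    "relay=gmail-smtp-in.l.google.com[2001:db8::1a]:25, delay=0.9, "
    "delays=0.1/0/0.5/0.3, dsn=5.7.1, status=bounced (host "
    "gmail-smtp-in.l.google.com[2001:db8::1a] said: 550-5.7.1 ...)",
    "Jul 29 21:40:12 mail postfix/smtp[2188]: 7B9D2C0F: to=<test@gmail.com>, "
    "relay=gmail-smtp-in.l.google.com[192.0.2.26]:25, delay=1.1, "
    "delays=0.1/0/0.6/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)",
    "Jul 29 21:41:30 mail postfix/smtp[2190]: 9C1E4C12: to=<user@example.org>, "
    "relay=mx.example.org[2001:db8::25]:25, delay=0.7, "
    "delays=0.1/0/0.3/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)",
]

if __name__ == "__main__":
    for (family, status), n in sorted(summarize_deliveries(SAMPLE_LOG).items()):
        print(family, status, n)
```

Feed it the lines of your own mail log instead of SAMPLE_LOG; after the transport change, any remaining ("ipv6", ...) entry for gmail.com means the smtp-ipv4 transport is not being used.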

Useful links:
MX Toolbox
Combat Spam with SPF
Mail-Tester tool


About the Author: Christian Skala is an IT executive and hands-on creative technologist based in New York City familiar with branding, graphic design, web design, web development, project management, maintaining servers, and optimizing high-traffic web sites.
