Gmail, why are you doing this to me?
Recently I had to set up another mail server with Postfix, Dovecot and MySQL. Everything seemed to work fine until I started testing. The emails sent out to a Gmail test account bounced back – what was going on with Gmail?
After upgrading to Ubuntu 16.04 (and the resulting update of opendkim to version 2.10.3) the opendkim daemon would fail to start. The error message reads like:
Jul 29 21:02:52 systemd[1]: opendkim.service: Control process exited, code=exited status=64
Jul 29 21:02:52 systemd[1]: Failed to start DomainKeys Identified Mail (DKIM) Milter.
Jul 29 21:02:52 systemd[1]: opendkim.service: Unit entered failed state.
Jul 29 21:02:52 systemd[1]: opendkim.service: Failed with result 'exit-code'.
This error is due to the stricter configuration rules of the new opendkim version: it fails because inline comments are no longer allowed. The configuration file /etc/default/opendkim shown a little further down should look like so
#listen on loopback on port 8891
SOCKET="inet:8891@localhost"
and the daemon will start again.
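A quick way to find such lines before restarting the daemon, as an added example that is not part of the original post. The function name lint_inline_comments and the sample files are constructed for illustration, and the check relies on the behaviour described above (a trailing "# comment" after a value is rejected):

```shell
#!/bin/sh
# Added example (not from the original post): report KEY=VALUE lines that end
# in a "# comment". Prints "<line number>: <line>" per offender, exits 1 if any.
lint_inline_comments() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # whole-line comments and blanks are fine
        {
            in_s = 0; in_d = 0
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c == "\"" && !in_s)        in_d = !in_d   # toggle double-quote state
                else if (c == "\047" && !in_d) in_s = !in_s   # toggle single-quote state
                else if (c == "#" && !in_s && !in_d && substr($0, i - 1, 1) ~ /[ \t]/) {
                    printf "%d: %s\n", NR, $0
                    bad = 1
                    break
                }
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: the two forms of /etc/default/opendkim shown in this post.
sample_dir=$(mktemp -d)
printf '%s\n' 'SOCKET="inet:8891@localhost" #listen on loopback on port 8891' \
    > "$sample_dir/inline"
printf '%s\n' '#listen on loopback on port 8891' 'SOCKET="inet:8891@localhost"' \
    > "$sample_dir/separate"

for f in inline separate; do
    if lint_inline_comments "$sample_dir/$f"; then
        echo "$f: ok"
    else
        echo "$f: inline comment found"
    fi
done
```

A "#" inside quotes or in the middle of a word is not reported, only one that follows whitespace outside quotes.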
First, let’s take a step back and see what I have done so far to configure the mail server. I’ve already set an SPF record (Sender Policy Framework) to match the mail server’s IP as well as set a reverse DNS entry. There are several ways to set these – if you are unsure how to set your SPF, please read Sender Policy Framework – Introduction. And if you need help with reverse DNS, please check out Reverse DNS.
I recommend trying this useful mail-tester tool to examine your mail server. This tool will classify your mail server by analyzing blacklists, DNS records and the email itself. Right now my score on mail-tester is 9/10 after all these DNS changes. Not too shabby, but Gmail is still rejecting my test emails – all emails I send to other test accounts on different mail services are being delivered.
Going for a better score – installing OpenDKIM
The only reason why my mail server scores only 9 out of 10 points on the mail-tester tool is that I’m not using DKIM (DomainKeys Identified Mail). I remember the dkim-filter package was discontinued previously, and since this is an Ubuntu 12.04 box I’ll have to install OpenDKIM by running the following command:
$ sudo apt-get install opendkim opendkim-tools
Now I need to prepare the configuration file to use my mail domain (please use your domain instead of example.com and adjust the selector if necessary)
$ sudo nano /etc/opendkim.conf
Domain example.com
KeyFile /etc/mail/dkim.example.key
Selector mail
Cool – let’s configure the DKIM daemon to listen on a specific port (I use 8891 in this example) by:
$ sudo nano /etc/default/opendkim
#listen on loopback on port 8891
SOCKET="inet:8891@localhost"
That should do it. Wait! Postfix needs to know that we are going to talk to DKIM. We should add the following changes to Postfix’s main configuration:
$ sudo nano /etc/postfix/main.cf
# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
Generate keys for DKIM
By executing
$ opendkim-genkey -t -s mail -d example.com
we will generate two key files: mail.private which is your private key and mail.txt, the public key, which we will use for setting our DNS record. Let’s copy the private key so that DKIM can use it. We might need to create a folder first. Run
$ sudo mkdir /etc/mail
$ sudo cp mail.private /etc/mail/dkim.example.key
Create DNS record for DKIM
There’s one last step before we can start using DKIM with postfix. We need to create a TXT DNS record holding the public key created in the previous step. Just cat the public key, you should see something like
mail._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=SpYHdE2tevfEpvL1Tk2dDYv0pF28/f 5MxU92x/0bsn4R4p7waTaz1IbOGs/5bm5QIDAQCD" ; ----- DKIM mail for example.com
If you use a DNS service just add another DNS entry. Select TXT as type, add mail._domainkey and enter all the stuff between the quotes into the value field. Depending on your TTL it might take some time until the new DNS entry is propagated and the changes are in effect.
You can check the TXT records of your domain with the dig command by requesting
$ dig example.com TXT
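The DKIM key itself is published under the selector name (mail._domainkey.example.com), and a long key may come back split into several quoted strings. The following added example, not part of the original post, extracts the p= value from both the generated record and the resolver's answer and compares them; the function names and the two sample answers are constructed for illustration:

```shell
#!/bin/sh
# Added example (not from the original post): compare the key in mail.txt with
# the TXT answer the resolver returns for the selector.

# Read a TXT record (zone-file line or dig +short answer) on stdin, join its
# quoted strings, strip whitespace and print the value of the p= tag.
dkim_pubkey() {
    awk '
        {
            n = split($0, part, "\"")
            for (i = 2; i <= n; i += 2) txt = txt part[i]   # even fields are inside quotes
        }
        END {
            gsub(/[ \t]/, "", txt)
            n = split(txt, tag, ";")
            for (i = 1; i <= n; i++)
                if (substr(tag[i], 1, 2) == "p=") { print substr(tag[i], 3); exit 0 }
            exit 1                                           # no p= tag present
        }
    '
}

# $1 = contents of mail.txt, $2 = published TXT answer.
# Returns 0 = same key, 1 = key differs, 2 = one side has no p= tag.
dkim_matches() {
    want=$(printf '%s\n' "$1" | dkim_pubkey) || return 2
    got=$(printf '%s\n' "$2" | dkim_pubkey) || return 2
    [ "$want" = "$got" ]
}

# The record as printed in this post.
GENERATED='mail._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=SpYHdE2tevfEpvL1Tk2dDYv0pF28/f 5MxU92x/0bsn4R4p7waTaz1IbOGs/5bm5QIDAQCD" ; ----- DKIM mail for example.com'
# Constructed resolver answers: one split into two strings, one cut off mid-key.
PUBLISHED_SPLIT='"v=DKIM1; g=*; k=rsa; " "p=SpYHdE2tevfEpvL1Tk2dDYv0pF28/f5MxU92x/0bsn4R4p7waTaz1IbOGs/5bm5QIDAQCD"'
PUBLISHED_CUT='"v=DKIM1; g=*; k=rsa; p=SpYHdE2tevfEpvL1Tk2dDYv0pF28/f"'

# On a live system the second argument would come from:
#   dig +short mail._domainkey.example.com TXT
for answer in "$PUBLISHED_SPLIT" "$PUBLISHED_CUT"; do
    if dkim_matches "$GENERATED" "$answer"; then echo "match"; else echo "MISMATCH"; fi
done
```

A mismatch here usually means the value pasted into the DNS provider's form was truncated or altered, which a receiving server would report as a failed DKIM check.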
Now restart the services with
$ sudo service opendkim restart
$ sudo service postfix restart
Back at the mail-tester tool and another test email later, we score 10 out of 10 now – yay, DKIM works! (you can monitor your mail log file to check if the filter ran properly).
But sending another test email to the Gmail test account results in a nasty error message: The sender does not meet 550-5.7.1 basic ipv6 sending guidelines of authentication and rdns resolution 550-5.7.1 of sending ip.
What’s Gmail’s problem?
As I take a closer look at the error message it seems that my mail server does not comply with IPv6 sending guidelines. The mail server does not need to send out emails utilizing IPv6 – is there a way of using IPv4 instead?
Forcing IPv4 when sending to Gmail
If we want to force postfix to use IPv4 instead of IPv6 when sending to Gmail, we need to add a line in the main configuration file of postfix like so
$ sudo nano /etc/postfix/main.cf
transport_maps = hash:/etc/postfix/transport
Let’s create this new file and add a new entry in the transport table. Basically, we force mail for gmail.com to use smtp-ipv4 (which we have to define later, see below)
$ sudo nano /etc/postfix/transport
gmail.com smtp-ipv4:
Here comes the key part. We create a new rule for our new entry and tell it to use the IPv4 protocol explicitly when this rule applies:
$ sudo nano /etc/postfix/master.cf
smtp-ipv4 unix .. .. .. .. smtp -o inet_protocols=ipv4
We need to run the postmap command after the change and reload postfix
$ sudo postmap /etc/postfix/transport
$ sudo postfix reload
Once again, I send a test email to the Gmail test account but this time the email does not get rejected. The header of the email reads just fine, using IPv4 (the IP address of the server) for transport. Finally, this solved the delivery issues with Gmail.
Useful links:
– MX Toolbox
– Combat Spam with SPF
– Mail-Tester tool
published by Christian Skala,
About the Author: Christian Skala is an IT executive and hands-on creative technologist based in New York City familiar with branding, graphic design, web design, web development, project management, maintaining servers, and optimizing high-traffic web sites.