Re: [exim] Exim4 configuration problems

Author: Phil Pennock
Date:  
To: Face
CC: exim-users
Subject: Re: [exim] Exim4 configuration problems
On 2010-07-04 at 07:48 +0300, Face wrote:
>     SMTP error from remote mail server after end of data:
>     host gmail-smtp-in.l.google.com [209.85.227.27]:
>     550-5.7.1 [My Static IP Address ] The IP you're using to send mail is not authorized to
>     550-5.7.1 send email directly to our servers. Please use the SMTP relay at your
>     550-5.7.1 service provider instead. Learn more at
>     550 5.7.1 http://mail.google.com/support/bin/answer.py?answer=10336 l6si7123769wba.75

>
> I can receive mail from remote domain but cannot send.


It looks as though you've censored the domain information from
"update-exim4.conf.conf", which means that we can't look at what's going
on with your DNS.

Unless this is for "goq8.net", which appears to be registered to you?
I'll assume that it is, for now.

What is in /etc/mailname? It looks as though that provides the
domain-name which you'll use, by default, for outbound mail.

There are no SPF or DKIM records published for goq8.net; this means that
some big receivers will be using a set of pseudo-SPF default rules to
try to apply to you. So, is the mail coming _from_ [91.140.191.229],
the 1 address of the 1 MX host published for goq8.net? It's also the IP
address of "goq8.net", so if that really is the IP used for outbound
mail, then you should be coming from that. It also appears to be the
one IP address used for "both" of your auth nameservers, which is a
horribly fragile setup; there is free secondarying available on the
Internet; if you choose secondarying from *outside* Kuwait, then the
mail-servers outside Kuwait will have a more reliable and less
bandwidth-constrained path to your DNS, so you'll see fewer timeouts for
DNS and fewer spurious failures. See http://www.frankb.us/dns/ for a
list of some free secondary providers.

Set up DKIM; failing that, set up SPF. Your rejection comes after DATA,
so DKIM would have helped a little here.

Add yourself as an exemption in the Spamhaus PBL:
http://www.spamhaus.org/pbl/
I'm not talking about Gmail here, but many recipients use this to
restrict who can send them mail. My own server blocks on
zen.spamhaus.org, which includes the PBL. The PBL is the Policy Block
List, which includes end-hosts that should not be sending mail. Unlike
some other such lists, the PBL has the truly excellent feature that
administrators of mail-systems can punch holes in larger blocks for
their own mail-servers, so that they're not hostage to their ISPs. This
makes the PBL worth using.

http://www.spamhaus.org/query/bl?ip=91.140.191.229

So, you're on the PBL as part of 91.140.128.0/18. Punch a hole for your
one IP.

You're also in dnsbl-2.uceprotect.net because:
TXT "Net 91.140.128.0/18 is UCEPROTECT-Level2 listed because 675 abusers are hosted by GULFNET-KUWAIT Gulfnet Kuwait/AS3225 there. See: http://www.uceprotect.net/rblcheck.php?ipr=91.140.191.229"
TXT "Net 91.140.188.0/22 is UCEPROTECT-Level2 listed because 48 abusers are hosted by GULFNET-KUWAIT Gulfnet Kuwait/AS3225 there. See: http://www.uceprotect.net/rblcheck.php?ipr=91.140.191.229"
which says a little about why your network neighbourhood might have a
poor reputation. Don't worry about this RBL: they don't make an
exemption for individual hosts, so they're not letting you break free of
your neighbourhood. This is the sort of RBL which, if used, leads to
ghettoisation; it will also therefore have a high false positive rate
and few will reject outright based on it.

Similarly for dnsbl-3.uceprotect.net.

You're listed in apews.org, which I believe is more used than
uceprotect.net, but again not many will block outright on it, for the
same reasons:
http://www.apews.org/?page=test&C=913&E=280343&ip=91.140.191.229
91.140.184.0/21
"AS3225 KW, ISP permits abuse and/or ignores criminal activity"


Summary:
* Set up DKIM. If you can't for some reason, then set up SPF
* Get yourself removed from the Spamhaus PBL
* Don't redact data which is needed by other people to help you, if
I've talked about the wrong domain, here

-Phil
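
The DNSBL checks described in the message above can be scripted; the following is an added example, not part of the original post. It builds the reversed-octet query name, decodes Spamhaus zen return codes, and shows which of the listed CIDR blocks cover the address. The function names and `fake_resolver` (with its constructed 127.0.0.10 answer) are assumptions made so the example runs offline.

```python
import ipaddress
import socket

# Spamhaus "zen" A-record return codes (combined SBL/XBL/PBL zone).
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS", "127.0.0.4": "XBL",
    "127.0.0.10": "PBL (ISP-maintained)",
    "127.0.0.11": "PBL (Spamhaus-maintained)",
}

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def resolve_a(name):
    """Live A lookup; NXDOMAIN (not listed) comes back as an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check(ip, zone, resolver=resolve_a, codes=ZEN_CODES):
    """Return decoded listings for ip in zone; [] means not listed.
    Pass codes={} for zones other than zen to get the raw return code."""
    hits = []
    for code in resolver(dnsbl_name(ip, zone)):
        if code.startswith("127.255.255."):
            # Spamhaus error answers (e.g. query refused), not a listing.
            raise RuntimeError(f"{zone} returned an error code: {code}")
        hits.append(codes.get(code, f"listed ({code})"))
    return hits

def covering(ip, blocks):
    """Return the CIDR blocks from `blocks` that contain ip."""
    addr = ipaddress.ip_address(ip)
    return [b for b in blocks if addr in ipaddress.ip_network(b)]

def fake_resolver(name):
    """Constructed answers so the example runs without network access."""
    return {"229.191.140.91.zen.spamhaus.org": ["127.0.0.10"]}.get(name, [])

if __name__ == "__main__":
    ip = "91.140.191.229"
    blocks = ["91.140.128.0/18", "91.140.188.0/22", "91.140.184.0/21"]
    print(dnsbl_name(ip, "zen.spamhaus.org"))
    print(check(ip, "zen.spamhaus.org", fake_resolver))
    print(covering(ip, blocks))
```

Drop the `resolver=fake_resolver` argument to query the live zone; a `127.255.255.x` answer means the query itself was rejected and must not be read as a listing.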