On 2014-08-08 at 18:10 +0300, Odhiambo Washington wrote:
> I run a server (cloud-based) with Exim+Mailman. The problem I am facing is
> as described in the $subject. Why this is happening beats me.
Cloud or Colo (or small-scale VPS)? Colo and manually-assigned VPS
machines tend to have long term stable IP addresses, but "cloud" setups,
with the automation that implies, means that any one customer can be
using multiple externally-facing source IP addresses and cycling through
them by tearing down and bringing up instances as fast as they can get
away with.
My own mail-server rejects messages coming from known cloud ranges
unless its DKIM signed. I want something I can use as a stable
reputation identifier, and if the IP address is not going to be stable
then I need to be able to track reputation for the domain, instead. My
server, my rules.
You should *definitely* read Bradley Taylor's paper on how Google were
tracking reputation back in 2006:
http://research.google.com/pubs/author70.html
> The domain name is my.co.ke and I use mailman-prod.my.co.ke as the FQDN.
There may be problems caused by the nameservers; on my own colocation
box in NL, attempts to resolve mailman-prod.my.co.ke were timing out as
none of the nameservers could be reached. I see that both NS servers
have an IP in the same /24 netblock (but I don't know if anycast is in
use). I can now resolve it, so there may just be routing glitches (or
both NS went unavailable at the same time?)
If you don't have public facing authoritative DNS which is reliably
reachable from the systems accepting email from you, then you look like
a spammer, sending from a fake domain.
So I'd tackle three things:
(1) Get an NS secondary setup with someone in a completely different
network, preferably even a different continent, so that network
links into constrained areas aren't a bottleneck. I stick to just
two continents for my own zones (three countries), but those are EU
and NA, with the EU ones being near LINX and AMS-IX, so there's
good connectivity. These things matter.
(2) See about getting onto some whitelists, as a known sender of opt-in
email; <http://www.dnswl.org/> is easier to get onto than
Spamhaus's list, while still being good at tackling abusive
registration attempts.
(3) DKIM signing for your domain
-Phil