Re: [exim] Gradually phasing in a new Exim server for outg…

Author: Andy Bennett
Date:  
To: exim-users
Subject: Re: [exim] Gradually phasing in a new Exim server for outgoing delivery
Hi,

> I'm looking for advice on ways to gradually phase in a new Exim
> server so that providers that throttle incoming emails from
> unseen IPs don't completely block all emails from our servers.

<snip>

I'm assuming that you already know that the new IP address is not on any
blacklists.

Therefore, it's "simply" a matter of getting a good reputation for that IP
address. (i.e. turning a "neutral" reputation into a "good" one).

Make sure the new machine has good HELO banners and reverse DNS. If you're
using IPv6 then many providers set the bar higher and don't accept things
that have been "common practice" for years but aren't strictly best
practice.


In modern eMail systems, reputation doesn't only come from IP address. It
can come from an (authenticated) sending domain as well. There are two ways
to authenticate: SPF and DKIM.

If you're signing messages with DKIM then the SDID reputation should
automatically transfer to the new machine provided you sign with the same
identity (of course, you can use another key/selector if you want).

You'll also have to add the new IP address to any SPF records that your
outgoing domains use.

These two things will help you with the "large" providers such as Gmail,
etc.

Smaller providers may still be using IP address reputation but not being on
blacklists will hopefully give you enough of a "not bad" reputation
that you will be in a good place.



Once all that is taken care of I'd try some deliveries from each of your
sending domains to popular places or places you think you'll have trouble
delivering to.

Inspect the headers of delivered messages to check the recipient is
authenticating the mail properly.

If you have problems, resolve them first. i.e. don't try setting up a
complex arrangement of forwarding between machines until you're reasonably
sure that the new machine has a "good enough" reputation already.

Once simple tests are working, pick off small streams of mail one-by-one
and send them through the new machine. If recipients are using domain-based
reputation then you're more likely to encounter trouble based on the
sending domain than the sending IP address so by picking individual
authenticated mail streams one-by-one it'll be easier to diagnose problems.



If you're not starting with a blacklist-free IP address or you're not
currently building domain-based reputation with recipients using DKIM
and/or SPF then I'd start with fixing those two things before you start
sending mail through the new machine.






Best wishes,
@ndy

--
andyjpb@???
http://www.ashurst.eu.org/
0x7EBA75FF
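
Added example (not part of Andy's message): a Python sketch of the "inspect the headers of delivered messages" step, reading the Authentication-Results header of a delivered test message and reporting whether DKIM passed for the expected SDID and SPF passed for the envelope domain. The sample message, its domains, selector and IP, and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample: headers as a receiving provider might add them.
# Domains, selector and IP (documentation range) are made up.
SAMPLE = """\
Authentication-Results: mx.recipient.example;
 dkim=pass header.i=@news.example.org header.s=sel1 header.b=abc123;
 spf=pass (mx.recipient.example: domain of bounce@news.example.org
 designates 192.0.2.25 as permitted sender) smtp.mailfrom=bounce@news.example.org
From: Newsletter <list@news.example.org>
Subject: delivery test

body
"""

def auth_results(raw):
    """Return [(method, result, {property: value})] from Authentication-Results."""
    msg = message_from_string(raw, policy=default)
    out = []
    for hdr in msg.get_all("Authentication-Results", []):
        # Unfold whitespace and drop parenthesised comments before splitting.
        text = re.sub(r"\([^)]*\)", " ", " ".join(str(hdr).split()))
        for part in text.split(";")[1:]:  # first field is the authserv-id
            found = re.match(r"\s*([\w-]+)=(\w+)", part)
            if found:
                props = dict(re.findall(r"([a-z]+\.[\w-]+)=(\S+)", part))
                out.append((found.group(1).lower(), found.group(2).lower(), props))
    return out

def check_stream(raw, sdid, mailfrom_domain):
    """List problems for one mail stream; an empty list means it authenticated."""
    res = auth_results(raw)
    if not res:
        return ["no Authentication-Results header"]
    problems = []
    # The signing domain may be reported as header.d or as the domain of header.i.
    if not any(meth == "dkim" and result == "pass" and sdid in
               (p.get("header.d"), p.get("header.i", "").rpartition("@")[2])
               for meth, result, p in res):
        problems.append(f"no DKIM pass for SDID {sdid}")
    if not any(meth == "spf" and result == "pass" and
               p.get("smtp.mailfrom", "").rpartition("@")[2] == mailfrom_domain
               for meth, result, p in res):
        problems.append(f"no SPF pass for {mailfrom_domain}")
    return problems

if __name__ == "__main__":
    print(check_stream(SAMPLE, "news.example.org", "news.example.org") or "authenticated")
```

Run it once per sending domain against a test message delivered from the new machine. An SPF result other than pass alongside a DKIM pass is what you would expect to see if the new IP address has not yet been added to that domain's SPF record.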