My mind feels like it has a rabid squirrel in it

I have been trying to get my DNS records right and mail server (postfix) configured correctly so receiving remote mail servers (yahoo, hotmail, msn) are happy and don’t block me and I just can’t get it right.

I know previously I had asked questions about running separate postfix instances for domains with dedicated IPs but I am no longer trying to do that and my setup is default virtualmin pro setup.

The issues I am running into when doing tests at DNS Colos are:

Legend.
vps.example.net = server
74.63.2.190 = IP of the server
example.org = regular virtual host domain
example.com = Dedicated IP virtual host domain
74.63.2.190 = IP of dedicated IP virtual host domain

If it is a regular domain without a dedicated IP.

FAIL
Mailserver connection test
HELO, MAIL FROM, RCPT TO, QUIT

Connect to mailserver mail.example.org FAILED (could be greylisting)
550 5.1.1 : Recipient address rejected: User unknown in virtual alias table

Here is what a regular virtual host domain DNS record looks like:
$ttl 38400
@ IN SOA ns1.example.net. hostmaster.example.net. (
2008062811
2H
1H
1W
20M )
@ IN NS ns1.example.net.
@ IN NS ns2.example.net.
example.org. IN A 74.63.2.190
www.example.org. IN A 74.63.2.190
ftp.example.org. IN A 74.63.2.190
localhost.example.org. IN A 127.0.0.1
mail.example.org. IN A 74.63.2.190
example.org. IN MX 5 mail.example.org.
example.org. IN TXT "v=spf1 a mx a:example.org. ip4:74.63.2.190 -all"

If it is a domain with a dedicated IP it gets the fail above PLUS the fail below:

FAIL
Mailserver greeting
The server should have an A record which points to the mailserver for the hostname
which is presented in the greeting

mail.example.com
220 vps.example.net ESMTP Postfix

Here is what a dedicated IP virtual host domain DNS record looks like:

$ttl 20M
@ IN SOA ns1.example.net. hostmaster.example.net. (
2008070315
2H
1H
1W
20M )
@ IN NS ns1.example.net.
@ IN NS ns2.example.net.
example.com. IN A 74.63.2.247
www.example.com. IN A 74.63.2.247
ftp.example.com. IN A 74.63.2.247
localhost.example.com. IN A 127.0.0.1
mail.example.com. IN A 74.63.2.247
example.com. IN MX 5 mail.example.com.
example.com. IN TXT "v=spf1 a mx a:example.com ip4:74.63.2.247 ip4:74.63.2.190 -all"

Here is my postconf output:
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, vps.example.net
newaliases_path = /usr/bin/newaliases.postfix
qmgr_message_active_limit = 4000
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

Why am I getting the fails when checking my record?

What is the right way to configure the DNS record for a virtual host that has a dedicated IP as mail will not be coming from that IP but from the servers IP right? please help as my mind is almost gone!

your dns setup looks okay to me and i can telnet your postfix, however:
Connect to mailserver mail.example.org FAILED (could be greylisting)
550 5.1.1 : Recipient address rejected: User unknown in virtual alias table

I think it means there is no entry in the /etc/postfix/virtual for that domain/user.
So I would first try to solve that and then look at the next issue if it persists

as for:
example.com. IN TXT "v=spf1 a mx a:example.com ip4:74.63.2.247 ip4:74.63.2.190 -all

I am not sure if having 2 IP’s in there is correct?

and:
mail.example.com. IN A 74.63.2.247
should this not be 74.63.2.190 as postfix is running on the latter IP…?

Everything looks fine from here, though without the actual zone name, I’m not able to do much testing.

Note that pretty much all of the DNS testing sites have some slightly odd requirements for "success" in some of their tests.

Hehehe…I just tested virtualmin.com, and they give us a FAILED mark on that test, as well. I think they’re just making a mistake in their parsing. I know our HELO is sane. They probably only tested on Sendmail or qmail systems, and never tried it on a Postfix system. I dunno. I wouldn’t worry about this particular test–when I connect to your system via telnet on 25 it looks fine.

Thanks guys!

After looking in my logs I see that the first test failed because they are checking for an info@example.tld mail address. Who knows why but I added an alias for one on the domain I was testing and the error went away.

The other mail server greeting I can’t get to go away.

So just to be sure.
Is the mail. A record for a virtual host domain with a dedicated IP supposed to point to the dedicated IP or to the IP of the server?

mail.example.com. IN A 74.63.2.247 <–IP of VHost
or
mail.example.com. IN A 74.63.2.190 <–IP of server

Is the mx record for the virtual host domain supposed to point to it’s own mail third level or is it supposed to point to the server?

example.org. IN MX 5 mail.example.org.
or
example.org. IN MX 5 vps.example.net.

If the A record is pointing to the server IP then won’t that make an error regarding receiving mail servers that check RDNS as I have RDNS set by my host for my dedicated IP virtual host’s IP to point to mail.example.com but the reverse is 74.63.2.247 (dedicated IP) not 74.63.2.190 (server IP) where the mail was actually sent from. Does that make sense?

Do your results come out OK from intoDNS and pingability

Doesn’t matter.

Doesn’t matter.

Again, doesn’t matter.

What matters:

The IP (which will generally be the “primary” IP on your system) on which your outgoing mail is sent must have a PTR (reverse) record. I doesn’t matter what it is…as long as the name it returns is also resolvable.

The hostname that Postfix thinks of itself as must match the IP it is sending out with (again the primary IP…and it’s hard to avoid getting this right, unless you set my_origin or some other silly misconfiguration, because Postfix ordinarily picks it all up from the system and the hostname of the system). This will generally not be the “mail.example.com” address. And that’s OK. It’ll probably be vps.example.net. Again, that’s great. As long as it resolves.

To put this into concrete perspective:

Virtualmin.com sends out mail with a HELO of virtualmin.com

The address Postfix connects from (70.86.4.226) reverse resolves to e2.4.5646.static.theplanet.com, which resolves back to 70.86.4.226

Notice that when I send out mail from doxfer.com (also hosted on this system and going through the same Postfix) it still has HELO virtualmin.com, and the 70.86.4.226 address. The receiving server doesn’t care about that at all…it just needs to see that they all resolve to something. (I’m ignoring SPF, etc. for the sake of simplicity in this discussion, of course.)

Warning The RDNS entry 247.2.63.74.in-addr.arpa (example.com./74.63.2.247) points to mail.example.com… However mail.example.com. does not have an IP Address (A) record that matches this IP. Rather it has an IP Address of 74.63.2.190

That was when I had:
mail.example.com. IN A 74.63.2.190 <–IP of server

When I changed it to:
mail.example.com. IN A 74.63.2.247 <–IP of VHost

The error went away

Thanks for the info Joe.

Yeah my server IP has always had RDNS.

The thing that made me start to question my setup in the first place is I am getting greylisting errors from yahoo. I was worried that it was something wrong with my setup due to the error at dnscolo but now I think the checker there is messed up!

I just wanted to make sure I had all my ducks in a row before submitting all my info in yahoo’s submission application to help prevent greylisting or mail going to bulk.

So let me see if I get it yet
Receiving mail servers really never care what the dedicated IP of a virtual host is, don’t care about RDNS for that virtual host’s dedicated IP and they really don’t care about anything in DNS for that domain (not counting SPF of course). All they care about is the IP of the servers mail server and that the RDNS for the server matches the IP for the mail server.

Did I get it right?

if you are worried about yahoo’s greylisting then don’t worry too much.

for instance:
I send out a newsletter to 4600 subscribers of which appr. 1000 are yahoo accounts.
each of them end up in the postfix queue with some sort of "not allowed", "greylist", "refused" etc etc.

I also had some email conversation with yahoo cause I was worried too in the beginning, and in the end (after 2 or 3 days), they all go through. It apparently is a policy to not just accept and pass all the emails.

I do have a bounce@mydomain.com in place so all the emails that can not be delivered due to blocked, unused, mailbox full and non-existing accounts are returned to that email address and I can apply my bounce rules to have those emails blacklisted in my app. (phplist).

As a result they do not receive the newsletter anymore and that is a policy yahoo and others like to see.

Thanks Ronald!

It’s good to know I am not the only one seeing greylisting.