Hi all,
I guess this is a standard scenario for many people using Virtualmin: we have a Virtualmin machine, a couple of domains hosted on that machine with their own emails. By default Virtualmin does a good job of wiring most things so it basically works, but nowadays it seems to be really hard to make this shared environment secure and make sure the emails that we send are reaching INBOXes, not Junk folders.
Is there a guide or good tutorial that tackles everything that is involved to basically make sure as a sysadmin that emails really work?
Background:
I’ve used Virtualmin for more than 10 years and sent emails through this setup ever since. I currently have an old Debian 8 setup (upgraded OS in the meantime), but I imported into that an older Virtualmin configuration file (as I didn’t want to redo everything, too much work). I host maybe tens of domains for some friends/clients. They usually have WordPress sites. Most domains use email. I’ve had many incidents over the years with hacked websites (unfortunately my friends/clients don’t really know or understand the importance of maintaining a website), but also hacked email passwords, so my server sent SPAM and I had to clean/fix/unlist from blacklists lots of times. I also have a second IP and at some point, for really important domains, I tried to do some Postfix sender transport mapping to use this one and avoid really important domains (like personal ones) being affected by the negligence of other domain owners. However, this is really, really painful and I still don’t have a really robust system. Most of the time people complain that emails sent from my server reach Junk folders. And no, I wasn’t on blacklists or having obvious configuration issues. I know SPF, DKIM, DMARC, how this works, and I configured this in Virtualmin. I lost clients because of these recurring issues. Recently I again sent a personal email to someone from a bank and they told me they found my email in Spam… I’m really tired and frustrated. Checking with mail-test, the only important thing that it complains about is rDNS, but that’s set up for my second IP. Unfortunately though, being a single Postfix instance using the same HELO for both IPs with both having the same rDNS, the name can only be resolved back to one of the IPs, so maybe this is again a flag for some providers? Etc. etc. etc.
I also set up at some point, for a project of mine, a SendGrid account so that I make sure that the emails sent by my project really get to people’s Inboxes. Guess what. They go to promotions. And no, they are not promotions, they are emails like account management. Facepalm.
I really need to do a reliable setup with today’s standards. Where can I really find useful information? For me, by looking around the internet it feels like there are only small parts of the solution here and there. And it really feels that Virtualmin’s default setup is just to wire things up to get email delivery going but it’s by far of no use if you want a reliable shared hosting environment. Or should I try reinstalling and reconfiguring the latest Virtualmin from scratch? Is it better at providing a good default than my really old Virtualmin installation that has its roots like 10 years ago? But that would be a ton of work.
I’m thinking of all kinds of ideas also:
- Revise the standards: SPF, DKIM, DMARC - is there a way to simply regenerate all configuration here?
- Cut internet access to websites, so that hacked websites can’t send spam anymore by standard php mail() - how could this be set up? On the other hand, this is not good at all for WordPress auto-update functions
- Have the best scanning in place not only for incoming email but also outgoing, and some good throttling so that I avoid hacked email accounts being used for sending spam
- Considering also to use some external providers that I can hook globally somehow into the entire system (not per domain)
Do you guys have any ideas? What is your experience with this? How do you make sure that most emails really get where they should? This entire email delivery thing is such a bad frustrating chaos and it seems to me sometimes that the big guys almost purposely leave you out of their Inboxes with different excuses.
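
The rDNS situation described in the post (two sending IPs, one HELO name, both PTR records pointing at the same name), as an added example that is not part of the original post: a forward-confirmed reverse DNS check run per outbound IP. The addresses, host names and the in-memory DNS tables are constructed, and the "split" layout with a second name is an assumed layout used only for comparison.

```python
import socket

def live_ptr(ip):
    """PTR lookup through the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except OSError:
        return None

def live_forward(name):
    """All addresses the name resolves to (A and AAAA)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def check_sending_ip(ip, helo, ptr=live_ptr, forward=live_forward):
    """Findings for one outbound IP; an empty list means rDNS and HELO are consistent."""
    ptr_name = ptr(ip)
    if ptr_name is None:
        return [f"{ip}: no PTR record"]
    findings = []
    if ip not in forward(ptr_name):
        findings.append(f"{ip}: PTR {ptr_name} does not resolve back to this IP")
    if ip not in forward(helo.lower()):
        findings.append(f"{ip}: HELO {helo} does not resolve to this IP")
    return findings

# Constructed zone data (documentation addresses), mirroring the post:
# both PTRs name the same host, but its A record lists only the first IP.
SHARED_PTR = {"192.0.2.10": "mail.example.com", "192.0.2.20": "mail.example.com"}
SHARED_A = {"mail.example.com": {"192.0.2.10"}}
# Assumed comparison layout: the second IP gets its own name, PTR and HELO.
SPLIT_PTR = {"192.0.2.10": "mail.example.com", "192.0.2.20": "mail2.example.com"}
SPLIT_A = {"mail.example.com": {"192.0.2.10"}, "mail2.example.com": {"192.0.2.20"}}

def check_offline(ip, helo, ptr_table, a_table):
    """Run the same check against in-memory tables instead of live DNS."""
    return check_sending_ip(ip, helo, ptr_table.get,
                            lambda name: a_table.get(name, set()))

if __name__ == "__main__":
    for ip in SHARED_PTR:
        print(ip, check_offline(ip, "mail.example.com", SHARED_PTR, SHARED_A) or "consistent")
    print(check_offline("192.0.2.20", "mail2.example.com", SPLIT_PTR, SPLIT_A) or "consistent")
```

Calling `check_sending_ip(ip, helo)` without the table arguments runs the same check against live DNS for a real sending address.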