legolasthehansy
asked on
AWS EC2 mail server
Experts,
We are trying to bring up a postfix mail server on an AWS EC2 instance. We have gone through SES but we need to manage our mail server rather than AWS managing it for us.
We already have a domain linux.com. The next step would be to bring up an EC2 instance and install Postfix on it. I would assume we need an Elastic IP assigned and then map a DNS mail.linux.com to it so that it is resolvable. I'm next assuming we need to assign an MX record for mail.linux.com. Would this generally work if you send email to someone@linux.com, or are there additional steps like assigning SPF records and DMARC?
ASKER
So this is what I did so far -
Added an Elastic IP to our Postfix instance.
Got AWS support to add an rDNS for our Elastic IP after I added an A record on our Route53. Requested them to lift sending restrictions on the EIP (default is 20 mails/hour)
Set up DKIM and set up SPF records
The good news is e-mails are delivered to Gmail with 'PASS' scores but go to their SPAM folder rather than the mailbox.
I'm wondering what we need to do right to make it NOT GO to the SPAM folder on Gmail.
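The question and the follow-up above list the DNS pieces a self-hosted Postfix box needs before anyone will accept its mail: an MX record, an A record for the mail host, reverse DNS that maps back to that host, an SPF record that authorizes the sending IP, and a DMARC record. The checker below is an added example, not code from the thread, that walks through exactly those checks. To run offline it resolves against constructed records for the placeholder domain example.com and IP 192.0.2.10; in practice you would replace fake_resolve with a real lookup (dnspython or similar, an assumption of the caller). The SPF evaluator is a deliberately minimal one (ip4/ip6, a, mx, include, all; no macros or redirect) that returns True only for an explicit pass.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]

# Constructed zone data standing in for live DNS answers. example.com and
# 192.0.2.10 are documentation placeholders, not the poster's real records.
FAKE_DNS = {
    ("example.com", "MX"): ["10 mail.example.com."],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.com."],
    ("example.com", "TXT"): ["v=spf1 mx ip4:192.0.2.10 -all"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
}


def fake_resolve(name: str, rtype: str) -> List[str]:
    """Stand-in for a real resolver; returns [] for NXDOMAIN or no data of that type."""
    return FAKE_DNS.get((name.rstrip(".").lower(), rtype), [])


def reverse_name(ip: str) -> str:
    """Owner name for the PTR lookup, e.g. 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def spf_permits(domain: str, ip: str, resolve: Resolver, depth: int = 0) -> bool:
    """Minimal SPF check: True only when a '+' mechanism matches the sending IP."""
    if depth > 10:  # RFC 7208 limits DNS-querying terms; treat runaway includes as fail
        return False
    records = [r for r in resolve(domain, "TXT") if r.lower().startswith("v=spf1")]
    if len(records) != 1:  # zero or several SPF records are both a permerror
        return False
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech in ("ip4", "ip6"):
            # an IPv4 address is never "in" an IPv6 network, so mismatched families just fail
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in resolve(arg or domain, "A")
        elif mech == "mx":
            hosts = [r.split()[1] for r in resolve(arg or domain, "MX")]
            matched = any(ip in resolve(h, "A") for h in hosts)
        elif mech == "include":
            matched = spf_permits(arg, ip, resolve, depth + 1)
        elif mech == "all":
            matched = True
        if matched:
            return qualifier == "+"
    return False  # nothing matched: neutral, which receivers do not treat as a pass


def preflight(domain: str, sending_ip: str, resolve: Resolver = fake_resolve) -> Dict[str, Tuple[bool, str]]:
    """Run the DNS checks the thread discusses; each entry is (ok, human-readable detail)."""
    report: Dict[str, Tuple[bool, str]] = {}
    mx_hosts = [r.split()[1].rstrip(".") for r in resolve(domain, "MX")]
    report["mx"] = (bool(mx_hosts), f"MX hosts: {mx_hosts}" if mx_hosts else "no MX record")
    hosts_with_a = [h for h in mx_hosts if resolve(h, "A")]
    report["mx_a"] = (bool(mx_hosts) and hosts_with_a == mx_hosts,
                      f"MX hosts with A records: {hosts_with_a}")
    # Forward-confirmed rDNS: the PTR must name a host whose A record contains the sending IP.
    ptrs = [p.rstrip(".") for p in resolve(reverse_name(sending_ip), "PTR")]
    fcrdns = any(sending_ip in resolve(p, "A") for p in ptrs)
    report["rdns"] = (fcrdns, f"PTR -> {ptrs}, forward-confirmed: {fcrdns}")
    spf_ok = spf_permits(domain, sending_ip, resolve)
    report["spf"] = (spf_ok, f"SPF {'authorizes' if spf_ok else 'does not authorize'} {sending_ip}")
    dmarc = [r for r in resolve(f"_dmarc.{domain}", "TXT") if r.upper().startswith("V=DMARC1")]
    tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t) if dmarc else {}
    report["dmarc"] = ("p" in tags, f"DMARC policy: {tags.get('p', 'none published')}")
    return report


def all_ok(report: Dict[str, Tuple[bool, str]]) -> bool:
    return all(ok for ok, _ in report.values())


if __name__ == "__main__":
    for name, (ok, detail) in preflight("example.com", "192.0.2.10").items():
        print(f"{'OK  ' if ok else 'FAIL'} {name:6} {detail}")
```

Running it against a second IP that the zone does not mention (192.0.2.99) makes the rdns and spf rows fail while mx and dmarc still pass, which is the shape of the problem when a box sends from an address its DNS never authorized.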
When you look at the headers after the email has arrived, has Google added anything that gives you an indication as to why it was marked the way it was?
ASKER
I haven't seen it yet. Just this,
Why is this message in Spam? It's similar to messages that were detected by our spam filters
The DKIM field is a PASS
The SPF field is a PASS as well
Very strange indeed.
How do you not see it if you know that it lands in the spam folder?
ASKER
My apologies. I meant to say I haven't seen errors on the headers yet. Here are the full headers of the mail minus the email addresses and IPs. I appreciate you looking into this. Thank you very much!
Delivered-To: somebody@gmail.com
Received: by 10.79.64.5 with SMTP id n5csp1016248iva;
Mon, 19 Jun 2017 06:16:50 -0700 (PDT)
X-Received: by 10.237.39.68 with SMTP id n62mr27284873qtd.136.1497878210070;
Mon, 19 Jun 2017 06:16:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1497878210; cv=none;
d=google.com; s=arc-20160816;
b=xPuplJ/qVzz75yMtOyqKtOYNTI5EzWE7TTJ139iGq5yR/HXWj+Q0iUmoOUREICrZB3
OGEjuo8q7VSP8Swtv+RIRwVVO/b7Elo6Po88ee1Gu4B1135mNsNPONvIZ4041rOzZR2H
UIXfckWLdOb4DgG2HyannubPjxD2UpdiQ1wrUnBIF4IWoPq988LDmGOhRyVxt5pV35jh
TejxGxI1oSnekHsIlPFAcPBGJczVpCCk4rFL5dSMeQXTy56DcshuoQ3U0oyt/bTY5ztx
+XmgcOTjwEJCSfCE0KEAJelGeUceu1RKuWf4mLCXawv0Xgb1xz3Vkyb5Bufq594O3W/d
CHpw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=content-transfer-encoding:mime-version:user-agent:message-id
:subject:to:from:date:dkim-signature:arc-authentication-results;
bh=XUPER42WeQ2Trc1B+zPmLLWzeeD29k7HQr0fDBucX+k=;
b=le1mHRy0+jL2yG++rfDSu0/iMLDCb+VhXvY1GxchX9/yYat9BlpBJOhBxuHzvTP5m+
yEdyfsN/nZv6kzRcKPbzoA04e784p71H6qrvgqTUMNFUUgkQY88lnTJg9X1UGI1Xv+ce
Qcl8R46/9qCXS8MpMlln1D9hqGSr96VTqV7nOmP1/fQSY0gpfo+KSQmUtBVg+o88YveO
Rd4sHilH1OqqnyLUhNzT1LjtvTRPFDJ3MtzyokplYIm3ELEVNfdAhn9DQN4v+O86drim
ATShZlh4TrR37qKzxTbEQAbQEI8R4GCwZwK6w4iAkWl2M9+wevKpqx0Cj5Wvt39z2XMP
/fMw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@xxxxx.com header.b=ja3thNip;
spf=pass (google.com: domain of william@xxxxx.com designates 34.22.187.xx as permitted sender) smtp.mailfrom=william@xxxx.com
Return-Path: <william@xxxxx.com>
Received: from mail.xxxxx.com (mail.xxxxx.com. [34.22.187.xx])
by mx.google.com with ESMTP id t87si9108989qkt.217.2017.06.19.06.16.49
for <somebody@gmail.com>;
Mon, 19 Jun 2017 06:16:49 -0700 (PDT)
Received-SPF: pass (google.com: domain of william@xxxxx.com designates 34.22.187.xx as permitted sender) client-ip=34.22.187.xx;
Authentication-Results: mx.google.com;
dkim=pass header.i=@xxxx.com header.b=ja3thNip;
spf=pass (google.com: domain of william@xxxx.com designates 34.226.166.138 as permitted sender) smtp.mailfrom=william@xxxxx.com
Received: from LOM-01 (unknown [51.83.99.xx]) by mail.xxxx.com (Postfix) with SMTP id 9060F608B1 for <somebody@gmail.com>; Mon, 19 Jun 2017 13:16:49 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=xxxx.com; s=mail; t=1497878209; bh=6FJp7zDttk+sil6pBZSFvvDSah9UzP2cajqPdvjOSsM=; h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type:
Content-Transfer-Encoding; b=ja3thNippkOSSOzjslXobBWkRreytGOvMdkyFbik0rYXccc8Jh9N6SWcsTNYvPyYu
9vHfwImIx2yrZSN2OO4WCIAIzo+bpwkzkIHnBeNs75B+fHlU7dyUJuSR4sP9vW1dL/
RqNW/L0RMYL6vPjJNRJuKSWYiQEk5q+qVt1oCcto=
Date: Mon, 19 Jun 2017 13:16:49 +0000
From: william@xxxxx.com
To: somebody@gmail.com
Subject: New office space
Message-ID: <5947cec1.smZIVTVrRHzNhKhm%william@xxxxx.com>
User-Agent: Heirloom mailx 12.4 7/29/08
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Test mail. New day.
Just adding my 2 cents..
Why oh why??
AWS was heavily abused by spammers, and today the AWS EC2 address space is mostly blocked by all reputation checks.
So it is an interesting intellectual exercise, but it is futile.
It will be much more effective for you to get a 3rd party service.
I disagree. I am comfortable enough with AWS that I'll be moving my own mail there.
ASKER
Thanks very much for your help. We are trying to get a clean EIP and trying this process again to see if it makes a difference. Will update the thread when I have more information.
I'd agree with shalomc 100%.
Using AWS means you'll get an IP assigned from a pool.
This IP might have been used by a spammer, just prior to returning to the pool, because the IP is blacklisted everywhere, as a spam IP.
Also, if you use IPs which Amazon assigns randomly, in an on-demand type of setup, you'll likely never have much deliverability.
The first step to having email deliverability is either use a relay system like MailGun or run on a dedicated server, far away from Amazon or any other Amazon-like systems, where you can get an IP with a bad reputation.
Then get an IP assigned to you + use it forever + once it builds up enough reputation for some level of deliverability (likely several months), guard access to this machine with your life. Ensure you always install all latest Kernel updates + anytime a zero day shows up in your Kernel (you'll find this data by tracking your Kernel exploit logs, which you must follow every day), then shut down your machine instantly.
Where shutdown, means power off.
Then when a patch is released to fix the zero day, reinstall your machine from scratch.
If you do use AWS (shudder), then you must use a fixed IP, never elastic IP + go through all the steps above to warm up your IP.
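Both of the last two replies come down to the reputation of the address you inherit from the EC2 pool, and that is something you can test before you commit to an Elastic IP rather than after Gmail starts filing mail as spam. The snippet below is an added example, not code from the thread: it builds the reversed-octet query name a DNSBL expects, asks each zone, and treats any answer inside 127.0.0.0/8 as a listing. The zone names are real, but the lookups go through a stub with constructed answers (192.0.2.20 "listed", 192.0.2.10 clean) so the example runs offline; a real resolver is the caller's job, and each DNSBL operator sets its own usage terms and documents what its return codes mean.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]

# Real DNSBL zone names; which ones matter for your mail depends on who you send to.
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]

# Constructed answers for the offline stub: 192.0.2.20 is "listed" in one zone,
# 192.0.2.10 is clean. Real lookups would use a resolver library instead.
FAKE_A_RECORDS = {
    "20.2.0.192.zen.spamhaus.org": ["127.0.0.4"],
}


def fake_resolve_a(name: str) -> List[str]:
    return FAKE_A_RECORDS.get(name, [])


def dnsbl_query_name(ip: str, zone: str) -> str:
    """A DNSBL is queried as <reversed-ip>.<zone>, e.g. 20.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    # reverse_pointer already has the octets (or IPv6 nibbles) reversed; swap the
    # in-addr.arpa / ip6.arpa suffix for the DNSBL zone.
    suffix = ".in-addr.arpa" if addr.version == 4 else ".ip6.arpa"
    return addr.reverse_pointer[: -len(suffix)] + "." + zone


def check_listing(ip: str, zones=DNSBL_ZONES, resolve: Resolver = fake_resolve_a) -> Dict[str, Optional[str]]:
    """Return {zone: return-code or None}; an A answer inside 127.0.0.0/8 means listed."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    result: Dict[str, Optional[str]] = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        codes = [a for a in answers if ipaddress.ip_address(a) in loopback]
        result[zone] = codes[0] if codes else None
    return result


def is_clean(ip: str, zones=DNSBL_ZONES, resolve: Resolver = fake_resolve_a) -> bool:
    """True when no zone returned a listing code for the IP."""
    return all(code is None for code in check_listing(ip, zones, resolve).values())


if __name__ == "__main__":
    for candidate in ("192.0.2.10", "192.0.2.20"):
        print(candidate, "clean" if is_clean(candidate) else check_listing(candidate))
```

The same lookup is what Postfix performs on inbound connections when main.cf carries reject_rbl_client zen.spamhaus.org in smtpd_client_restrictions; running it against your own outbound address, before and periodically after allocation, tells you whether the address you were handed is one the comments above are warning about.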