FR: Proper Dedicated IP support in the mail system

[interfasys]

Here are the current problems a user is facing when hosting his domain with a dedicated IP:
- Exim always uses the server's name and IP, instead of the user's hostname and IP for both sending and receiving emails
- Exim always uses its default SSL cert even if the user has his own SSL cert and his own IP

All these can be easily fixed, but I think the standard exim.conf should support all these features since the CP supports the use of dedicated IP addresses and SSL certs.

 

[tillo]

Personally I prefer using the same IP address for the SMTP service of any user in my system, no matter what IP are they using for their other services.
The main reason is that messages from an IP address with a FQDN hostname (reverse = resolution of reverse) have much less chance of being flagged as spam on many large ISPs.

Additionally, more "clean" messages an IP address sends and less chance it has to be blacklisted as a spammer etc.

The only advantage (aside from branding) of using multiple addresses is that if one gets blacklisted, the other continue to work... but that never happened to me. Maybe because I care a lot about [both inbound and outbound] security threats, maybe I'm just lucky.

Of course I may create a reverse record, with a separate Exim config (for the HELO/EHLO reply and outgoing delivery address), for each reserved IP address... but I find that messy.

Of course others may differ and would like to be able to choose... but this is most certainly not a "problem" and I hope it will never be "fixed (without choice)".

 

[interfasys]

I didn't think the reverse DNS would be a problem since I would expect domains using a dedicated IP to have that entry.

I've looked at what Google gets and it's clean and passes the SPF test. Add DKIM support and I don't see a problem there.

Edit:
This is a good tool to test your domain name: http://www.mxtoolbox.com/

 

[nobaloney]

I agree with Martino, and for a similar reason; the more IP#s I have to watch over for possible spammers, the harder it gets. I've thought of using one smarthost for all our outgoing email; it makes threat management a lot easier.

As for the spf entry (it's a txt entry), simply move the template to the custom directory and change it to use any IP# you want.

Jeff

 

[interfasys]

When a customer wants a dedicated IP from me, I want to give him the full experience and that includes sending emails from it.
Imo, it makes it easier to track spammers. You can run anonymous stats on each IP and if that IP gets banned, the other customers aren't at risk.

Edit: The SPF record almost works as it contains A records. The only problem is the missing IPv6 for the server

 

[nobaloney]

I don't think you need a condition; I think you only need a placeholder for the customer IP#. I could be wrong. But I don't like your first sentence:

The SPF entry needs to contain the dedicated IP if the user has one, otherwise it has to be the server's default IP.

I'm afraid it may be taken out of context by some; I'd prefer The SPF entry needs to match the IP# from which the server sends the email.

Jeff

 

[MxToolBox]

I didn't think the reverse DNS would be a problem since I would expect domains using a dedicated IP to have that entry.

I've looked at what Google gets and it's clean and passes the SPF test. Add DKIM support and I don't see a problem there.

Edit:
This is a good tool to test your domain name: http://www.mxtoolbox.com/

Thanks so much for recommending our tools! We are working hard on our Supertool so that is includes all DNS lookups and tips you could ever need! If you have any other tools additions, please let us know!

Thanks,
@mxtoolbox

 

[sdrawkcab]

Here are the current problems a user is facing when hosting his domain with a dedicated IP:
- SPF settings are not set correctly when the user has a dedicated IP
- Exim always uses the server's name and IP, instead of the user's hostname and IP for both sending and receiving emails
- Exim always uses its default SSL cert instead of using the user's cert

All these can be easily fixed, but I think the standard exim.conf should support all these features since the CP supports the use of dedicated IP addresses.

@interfasys, do you have any good starting points, links, guides, posts, etc, to how to customize exim so that it will use a user's dedicated IP, domain name, etc, as available?

 

[floyd]

Most answers are already in the forum.

http://www.directadmin.com/forum/showthread.php?t=16479&page=3

Post #58

 

[sdrawkcab]

Thanks

Thanks for the pointer floyd.

 

[Wunk]

I agree with Martino, and for a similar reason; the more IP#s I have to watch over for possible spammers, the harder it gets. I've thought of using one smarthost for all our outgoing email; it makes threat management a lot easier.

Jeff

Take note though that IF a spamrun gets through for any reason (php remote file include hack, compromised ftp account, compromised pop3/smtp password), you will have ALL your mail blocked at various blacklists..

When it happens now, we 'only' have one server with customers to worry about.

 

[floyd]

I agree with Martino, and for a similar reason; the more IP#s I have to watch over for possible spammers, the harder it gets. I've thought of using one smarthost for all our outgoing email; it makes threat management a lot easier.

I intend to implement separate email ip"s for the different customers. I don't have to watch over their ip. They will let me know if there is a problem and when they do they cannot complain too much because the reason the ip was blacklisted is because of something they did themselves.

I can still grep the log for ip's that are blocked and find them before the customer notices. Its just as easy to do it for 100 ip's as it is for 1.

 

[nobaloney]

Lots of discussions in the last few days. Just as I'm about to bring out new SpamBlocker Technology exim.conf file.

Problems, though. See other threads. See link in previous post on this thread, above.

I can't do this on my own. I need the files to exist, and I need them to be maintained by DirectAdmin, and I need someone to tell me how to handle the default, if the sender address doesn't match anything in the list.

Use that thread to respond, since I won't look at this thread when developing SpamBlocker; it doesn't have the word SpamBlocker in the thread title.

Jeff

 

[nobaloney]

I need someone to tell me how to handle the default, if the sender address doesn't match anything in the list.

Nevermind; i've figured this part out. However, the rest still stands:

Use that above-posted thread to respond, since I won't look at this thread when developing SpamBlocker; it doesn't have the word SpamBlocker in the thread title.

Jeff