Life was beautiful and everything was good in this world, until mail from my site began to be actively sent to spam by almost all major mail services. Gmail was especially zealous about it. Yandex often mistook me for a spammer, mail.ru and Rambler less often.

Taken together, these facts made it clear that something had to be done with the settings of my Exim mail server. How it was done is described below.
Having rummaged a little on the Internet on this topic, I found several interesting articles on Habr ("Postal Kitchen #1: DNS", "What is SPF", "How not to become a spammer with my cozy mailing list"), but, unfortunately, they cover only a part of the mail server settings. I will try to fill this gap.
So, there is a Debian lenny server with the default Exim 4.72 installed on it. There is no point in describing the installation of Exim (there is nothing complicated about it: sudo apt-get install exim4). I will only remind you that the initial configuration of Exim is done with the following command:
dpkg-reconfigure exim4-config
That's it! The site is ready to send mail. But there are three "buts": mail services are very fond of SPF, PTR and DKIM and do not like their absence. The following describes how to set them up in just a few minutes.
PTR
First, set up the PTR record. PTR is the so-called "reverse record": it holds, in reverse order, the IP address of the host from which, in our case, mail is sent. Mail services use this record to find the host name for an IP address. A bit of theory is here.
Suppose the IP of your mail server is 78.56.158.23. Open your NS server (or, more often, the control panel of the server or hosting provider) and add the following DNS record (the IP is written in reverse order):
23.158.56.78.in-addr.arpa IN PTR mail.mydomain.ru.
Check the change at http://centralops.net/co/DomainDossier.aspx
It remains to add that at my hoster, FastVPS, this record is set via the web reboot panel.
SPF
The SPF record states which servers are allowed to send mail from your domain. In the simplest case, the record looks like this:
mydomain.ru. IN TXT "v=spf1 a mx ~all"
and/or (if your NS lets you create SPF records)
mydomain.ru. IN SPF "v=spf1 a mx ~all"
That is, the server named in the domain's "a" record and the mail server named in its "mx" record have the right to send mail.
For more information on SPF, see "What is SPF".
The service at openspf.org will help you compose your own SPF record.
Again, check the result with centralops.net.
DKIM
For mailings to be delivered successfully, it remains to set up message signing.
Install dkim-filter:
apt-get install dkim-filter
Then generate a key pair for signing messages (a public and a private key):
dkim-genkey -d mydomain.ru -s mail -r
-r means that the key will be used only for mail.
-s sets the name of the DKIM selector (you can specify any name, for example the name of your domain).
Look at the public key that was generated:
tail mail.txt
And we see:
mail._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCS..." ; ----- DKIM mail for mydomain.ru
The key itself is cut off here, because it is quite long.
Copy the contents of this file and paste it into the DNS records of your server. That is all for the public key.
That leaves the private key, mail.private, which has to be hooked up to Exim.
Rename mail.private and copy it to the Exim directory:
mv mail.private mydomain.ru.key
cp mydomain.ru.key /etc/exim4
chmod 755 /etc/exim4/mydomain.ru.key
or, better, make the Exim user the owner of the file with chown and restrict access to it to 600, or even stricter, 400 (mode 755 leaves the private key readable by every local user; on Debian the Exim user is Debian-exim):
chown Debian-exim:Debian-exim /etc/exim4/mydomain.ru.key
chmod 600 /etc/exim4/mydomain.ru.key
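A way to confirm the result of the chown/chmod step for every key in the directory, as an added example that is not part of the original article. The function name audit_dkim_keys is hypothetical, the directory and the owner's numeric uid are passed in by the caller, and the key files in the demo are empty, constructed placeholders.

```shell
#!/bin/sh
# Added example: audit owner and mode of DKIM private keys (*.key files).
# Usage: audit_dkim_keys DIR OWNER_UID
#   e.g. audit_dkim_keys /etc/exim4 "$(id -u Debian-exim)"

# Print one verdict line per key; return 1 if any key has the wrong owner
# or grants any access to group or others.
audit_dkim_keys() {
    dir=$1 want_uid=$2 bad=0
    for key in "$dir"/*.key; do
        [ -f "$key" ] || continue
        # ls -ldn: field 1 is the mode string, field 3 the numeric owner
        info=$(ls -ldn -- "$key" | awk '{print $1, $3}')
        mode=${info% *}
        uid=${info#* }
        # characters 5-10 of the mode string are the group and other bits
        rest=$(printf '%s\n' "$mode" | cut -c5-10)
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL $key: owned by uid $uid, expected $want_uid"; bad=1
        elif [ "$rest" != "------" ]; then
            echo "FAIL $key: mode $mode lets group/others access the key"; bad=1
        else
            echo "ok   $key: $mode"
        fi
    done
    return $bad
}

# Demo on constructed placeholder files: one with 755, one with 600.
demo=$(mktemp -d)
: > "$demo/mydomain.ru.key"; chmod 755 "$demo/mydomain.ru.key"
: > "$demo/other.example.key"; chmod 600 "$demo/other.example.key"
audit_dkim_keys "$demo" "$(id -u)" || echo "at least one key needs chown/chmod"
rm -rf "$demo"
```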
Now it remains to configure Exim itself:
nano /etc/exim4/exim4.conf.template
Find the remote_smtp section and add the following before it:
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_FILE = /etc/exim4/${lc:${domain:$h_from:}}.key
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
And edit the section itself a bit:
remote_smtp:
driver = smtp
dkim_domain = DKIM_DOMAIN
dkim_selector = mail
dkim_private_key = DKIM_PRIVATE_KEY
where dkim_selector is the first word before ._domainkey in the public key record.
Then restart Exim:
/etc/init.d/exim4 restart
Now check the signatures. To do this, simply send an email to any Gmail address. Then look at the details of the message: the "Signed" field should contain your domain. Alternatively, view the message source: a DKIM-Signature field should be present in the message headers. If it is, congratulations! Signing works!
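The header check described above can be scripted against a message saved from the receiving mailbox. This is an added example, not code from the article: it only compares the d= and s= tags with the domain and selector configured in Exim and does not verify the signature cryptographically; the function names and the sample message are constructed.

```shell
#!/bin/sh
# Added example: compare d= and s= of a saved message's DKIM-Signature
# header with the domain and selector configured in remote_smtp.

# Print the first DKIM-Signature header of message file $1, unfolded and
# with all whitespace removed.
dkim_header() {
    awk '
        /^\r?$/  { exit }                            # blank line ends the headers
        /^[ \t]/ { if (in_sig) val = val $0; next }  # folded continuation line
        in_sig   { exit }                            # next header reached
        tolower($0) ~ /^dkim-signature:/ { in_sig = 1; val = substr($0, 16) }
        END      { gsub(/[ \t\r]+/, "", val); print val }
    ' "$1"
}

# Print the value of tag $2 (for example d or s) from header value $1.
dkim_tag() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Return 0 if message $1 is signed for domain $2 with selector $3.
dkim_check() {
    sig=$(dkim_header "$1")
    [ -n "$sig" ] || { echo "no DKIM-Signature header"; return 1; }
    d=$(dkim_tag "$sig" d | tr 'A-Z' 'a-z')
    s=$(dkim_tag "$sig" s)
    if [ "$d" != "$2" ] || [ "$s" != "$3" ]; then
        echo "signed as d=$d s=$s, expected d=$2 s=$3"; return 1
    fi
    echo "ok: receivers fetch the key from $s._domainkey.$d"
}

# Constructed sample message; the bh= and b= values are placeholders.
sample_message() {
    cat <<'EOF'
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=mydomain.ru; s=mail; h=From:To:Subject;
    bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE=
From: site@mydomain.ru
Subject: test

body
EOF
}

msg=$(mktemp); sample_message > "$msg"
dkim_check "$msg" mydomain.ru mail
rm -f "$msg"
```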
Results
These three simple steps are enough for your mail to no longer end up in spam (unless, of course, you are a spammer). In my case, before these changes Gmail almost always sent mail from the site to spam. Now I would have to write something inconceivable in a message for it to be marked as spam. Fortunately, all my mailings now reach their recipients.
Finally, another technique that affects mail delivery is greylisting. In this case, the mail server receiving your mail answers the first message with a temporary error and puts your server on the grey list; only when your server sends the message again is it let through. As a rule, spamming programs do not retry.
In Exim, automatic retrying is enabled by default for all hosts. You can improve the default rule by finding the RETRY CONFIGURATION section in the configuration file and editing it according to this instruction.
This article did not cover using the described technologies when receiving mail on your own mail server. That is a topic for another article.
References:
Bulk Mailing Guidelines
Post Kitchen # 1: DNS
HOWTO: Exim & DKIM