iRedMail server configured using ISP's DNS servers. Running several years without issue. Moving from current ISP to Starlink. It appears Starlink uses Cloudflare's public DNS. Currently have both ISPs running in parallel until cutover complete. Again, mail server runs fine on legacy ISP.
When I cut over to Starlink (including appropriate public DNS changes), receive error 12.255.255.254 from Spamhaus which indicates they will not allow queries from public DNS servers. Fair enough. Set up local Unbound resolver to get around issue. Unbound working and used for all network clients. When Unbound server IP used for DNS in mail server with gateway of legacy ISP, incoming mail flows.
When using Starlink gateway, mail stops flowing. Don't see any errors in the Postfix log. Mail just stops flowing. Even though Spamhaus seemed happy to use Unbound server when using legacy gateway, tested Spamhaus responses just in case. Results were interesting:
% dig +short @[address of Unbound server] 2.0.0.127.zen.spamhaus.org
127.0.0.2
127.0.0.10
127.0.0.4
%
That is correct. However, the following returns nothing back:
% dig +short @[address of Unbound server] 1.0.0.127.zen.spamhaus.org
%
From the Spamhaus documentation, it should be returning:
Host 1.0.0.127.zen.spamhaus.org not found: 3(NXDOMAIN)
The Spamhaus documentation also says "Queries for "not_listed" objects must always return NXDOMAIN for mail filtering to work properly." and "It is critical to check for correct results for both 'listed' and 'not listed' queries."
Interestingly, when I use legacy ISP DNS and gateway, I also get:
% dig +short @[legacy ISP DNS IP] 1.0.0.127.zen.spamhaus.org
%
By the way, outgoing mail works in all ISP configurations. Only incoming mail has an issue. Also running a web server behind Starlink which is working fine. Starlink public IP has been the same for two months so far.
What exactly is going on here? Could it be the Unbound server configuration? I know Starlink is CGNAT but that shouldn't be causing this issue. Any troubleshooting tips? Really stumped. Would appreciate any assistance.
UPDATE:
I found in my rejected messages many entries that look like this after I cut everything over to Starlink:
451 4.3.5 <mta-d-130-24.infusionmail.com>: Helo command rejected: Server configuration error; [email protected] to=<mike@[My public mail server name]> proto=ESMTP helo=<mta-d-130-24.infusionmail.com> (total: 1)
1 infusionmail.com ([email protected])
UPDATE 2:
Set up BIND9 server as suggested below. Again, mail flows while using BIND9 DNS and legacy ISP gateway but not when using Starlink gateway.
Used the following tool to test https://mxtoolbox.com/diagnostic.aspx
Passes all tests when the email server runs behind legacy DSL. When run behind Starlink, get:
3/19/2022 5:33:54 PM Connection attempt #1 - Unable to connect after 15 seconds. [15.05 sec]
LookupServer 15051ms
It is like the email server is not responding on port 25 from behind Starlink. I tried removing all spam rules in Postfix. Still doesn't respond.
Almost feels like a firewall issue but I have ports 25, 587 and 993 port forwarded from the Starlink router just like I do for the legacy DSL router.
From outside my network, I have determined the following ports are not being blocked:
25:
% telnet [My public mail server name] 25
220 [My public mail server name] ESMTP Postfix
587:
% telnet [My public mail server name] 587
220 [My public mail server name] ESMTP Postfix
993:
% openssl s_client -connect [My public mail server name]:993 -crlf -quiet
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.
This should prove Starlink isn't blocking any of my ports.
I think the most important bit so far is the HELO command is being rejected. Not sure why it would be rejected when the server is running behind Starlink and not the legacy ISP. Hmmm...
Could this be a reverse DNS issue? Starlink has a PTR record on the IP address they are giving me:
% host [Starlink public IP]
[Starlink public IP].in-addr.arpa domain name pointer customer.sttlwax1.pop.starlinkisp.net.
% dig +short customer.sttlwax1.pop.starlinkisp.net
%
% dig +short mail.[my domain].com
[Starlink public IP]
Then I checked my legacy DSL:
% host [Legacy DSL public IP]
[Legacy DSL public IP].in-addr.arpa domain name pointer client-[Legacy DSL public IP].hostwindsdns.com.
% dig +short client-[Legacy DSL public IP].hostwindsdns.com
%
% dig +short mail.[my domain].com
[Legacy DSL public IP]
They seem to behave similarly and have the same issue.
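An added example (not from the original post, and not iRedMail's, Postfix's or Spamhaus's own tooling) for probing a resolver the way the post does, but reading the DNS response code: `dig +short` prints nothing for NXDOMAIN, NODATA and SERVFAIL alike, so an empty result for the 1.0.0.127 test point does not by itself say whether the resolver returned the NXDOMAIN that Spamhaus requires. The block builds the query and parses the reply with only the standard library; `build_response` is a constructed reply used for offline testing, and answers in the 127.255.255.x range are treated as Spamhaus error codes rather than listings, following Spamhaus's published return-code convention. The resolver address and test-point names are the only inputs.

```python
"""Probe a DNS resolver with Spamhaus's documented ZEN test points and report
whether it returns the answers a Postfix RBL check needs.

Standard library only: a minimal DNS-over-UDP client is built inline so the
response code (NOERROR / NXDOMAIN / SERVFAIL) is visible, which `dig +short` hides.
"""
import socket
import struct

LISTED_TEST = "2.0.0.127.zen.spamhaus.org"      # documented test point: always listed
NOT_LISTED_TEST = "1.0.0.127.zen.spamhaus.org"  # documented test point: must be NXDOMAIN

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Encode a standard recursive A/IN query for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query, rcode, addrs=()):
    """Constructed reply for offline testing only: echoes the question, sets the
    rcode and appends one A record per address (name field is a pointer to offset 12)."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    flags = 0x8180 | rcode  # QR, RD, RA bits plus the rcode
    header = struct.pack(">HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)
                   + bytes(int(octet) for octet in a.split("."))
                   for a in addrs)
    return header + question + rrs


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (rcode, [A-record addresses]) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, addrs


def classify(rcode, addrs, expect_listed):
    """Map a test-point answer to a verdict a mail admin can act on."""
    if expect_listed:
        if rcode == NOERROR and addrs and all(a.startswith("127.255.255.") for a in addrs):
            return "error-code"  # Spamhaus signalling a problem with the query, not a listing
        if rcode == NOERROR and addrs and all(a.startswith("127.0.0.") for a in addrs):
            return "ok"
        return "bad"
    # not-listed test point: the only correct answer is NXDOMAIN
    if rcode == NXDOMAIN:
        return "ok"
    if rcode == NOERROR:
        return "nodata" if not addrs else "false-positive"
    return RCODE_NAMES.get(rcode, f"rcode-{rcode}").lower()


def query(resolver_ip, name, timeout=5.0):
    """Send one UDP query to `resolver_ip`; returns (rcode, addrs) or None on timeout."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)


def check_resolver(resolver_ip):
    """Run both test points against one resolver and return {name: verdict}."""
    results = {}
    for name, listed in ((LISTED_TEST, True), (NOT_LISTED_TEST, False)):
        r = query(resolver_ip, name)
        results[name] = "timeout" if r is None else classify(r[0], r[1], listed)
    return results


if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for name, verdict in check_resolver(resolver).items():
        print(f"{name}: {verdict}")
```

Run it once against the Unbound address and once against the legacy ISP resolver, from the mail server host, with each gateway active. A verdict of "ok" for both test points means the resolver is usable for RBL lookups; "nodata", "servfail" or "timeout" on the not-listed point is a resolver or path problem rather than a Spamhaus listing, and "error-code" on the listed point means Spamhaus answered but refused the query source.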
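A second added example (again not from the original post) for the reverse-DNS observation at the end: both PTR names above exist but do not resolve forward, which is the condition a receiving MTA's forward-confirmed reverse DNS check (Postfix's `reject_unknown_client_hostname` is one such check) detects. The lookups are passed in as functions so the logic runs offline against constructed data; the default lookups use the standard library. The IP addresses and hostnames in the usage are constructed placeholders.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a mail server's public IP.

The chain a strict receiving MTA wants is IP -> PTR name -> A record -> same IP.
Lookups are injectable so the decision logic can be tested without the network.
"""
import socket


def default_ptr(ip):
    """PTR lookup via the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


def default_forward(name):
    """A-record lookup via the system resolver; empty list when unresolvable."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def fcrdns(ip, ptr_lookup=default_ptr, forward_lookup=default_forward):
    """Return (verdict, detail); verdict is one of
    'no-ptr', 'ptr-unresolvable', 'mismatch', 'ok'."""
    name = ptr_lookup(ip)
    if name is None:
        return "no-ptr", "no PTR record for the address"
    addrs = forward_lookup(name)
    if not addrs:
        # the situation in the post: a PTR name that has no A record
        return "ptr-unresolvable", f"PTR name {name} has no A record"
    if ip not in addrs:
        return "mismatch", f"{name} resolves to {addrs}, not {ip}"
    return "ok", name


if __name__ == "__main__":
    import sys
    # constructed placeholder address; pass the real public IP as argv[1]
    print(fcrdns(sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"))
```

A "ptr-unresolvable" or "mismatch" verdict on the address that mail.[my domain].com points to is worth fixing with the ISP or by having them delegate the PTR, since some remote MTAs defer or reject connections whose reverse name does not confirm forward.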