Score:0

Can't Receive Email - Postfix iRedMail Server Using Spamhaus & Unbound / BIND9 DNS Servers

in flag

iRedMail server configured using the ISP's DNS servers. It has been running for several years without issue. I am moving from the current ISP to Starlink. It appears Starlink uses Cloudflare's public DNS. I currently have both ISPs running in parallel until the cutover is complete. Again, the mail server runs fine on the legacy ISP.

When I cut over to Starlink (including the appropriate public DNS changes), I receive error 12.255.255.254 from Spamhaus, which indicates they will not allow queries from public DNS servers. Fair enough. I set up a local Unbound resolver to get around the issue. Unbound is working and used for all network clients. When the Unbound server IP is used for DNS on the mail server with the legacy ISP's gateway, incoming mail flows.

When using the Starlink gateway, mail stops flowing. I don't see any errors in the Postfix log; mail just stops flowing. Even though Spamhaus seemed happy with the Unbound server when using the legacy gateway, I tested the Spamhaus responses just in case. The results were interesting:

% dig +short @[address of Unbound server] 2.0.0.127.zen.spamhaus.org
127.0.0.2
127.0.0.10
127.0.0.4
%

That is correct. However, the following returns nothing:

% dig +short @[address of Unbound server] 1.0.0.127.zen.spamhaus.org
% 

From the Spamhaus documentation, it should be returning:

Host 1.0.0.127.zen.spamhaus.org not found: 3(NXDOMAIN)

The Spamhaus documentation also says "Queries for "not_listed" objects must always return NXDOMAIN for mail filtering to work properly." and "It is critical to check for correct results for both 'listed' and 'not listed' queries."

Interestingly, when I use the legacy ISP DNS and gateway, I also get:

% dig +short @[legacy ISP DNS IP] 1.0.0.127.zen.spamhaus.org
%

By the way, outgoing mail works in all ISP configurations. Only incoming mail has the issue. I am also running a web server behind Starlink, which is working fine. The Starlink public IP has been the same for two months so far.

What exactly is going on here? Could it be the Unbound server configuration? I know Starlink is CGNAT, but that shouldn't be causing this issue. Any troubleshooting tips? I'm really stumped and would appreciate any assistance.

UPDATE:

I found in my rejected messages many entries that look like this after I cut everything over to Starlink:

451 4.3.5 <mta-d-130-24.infusionmail.com>: Helo command rejected: Server configuration error; [email protected] to=<mike@[My public mail server name]> proto=ESMTP helo=<mta-d-130-24.infusionmail.com> (total: 1) 1 infusionmail.com ([email protected])

UPDATE 2:

Set up a BIND9 server as suggested below. Again, mail flows while using the BIND9 DNS and the legacy ISP gateway, but not when using the Starlink gateway.

Used the following tool to test: https://mxtoolbox.com/diagnostic.aspx

It passes all tests when the email server runs behind the legacy DSL. When run behind Starlink, I get:

3/19/2022 5:33:54 PM Connection attempt #1 - Unable to connect after 15 seconds. [15.05 sec]

LookupServer 15051ms

It is as if the email server is not responding on port 25 from behind Starlink. I tried removing all spam rules in Postfix. It still doesn't respond.

It almost feels like a firewall issue, but I have ports 25, 587 and 993 forwarded from the Starlink router just as I do for the legacy DSL router.

From outside my network, I have determined the following ports are not being blocked:

25:

% telnet [My public mail server name] 25
220 [My public mail server name] ESMTP Postfix

587:

% telnet [My public mail server name] 587
220 [My public mail server name] ESMTP Postfix

993:

% openssl s_client -connect [My public mail server name]:993 -crlf -quiet
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.

This should prove Starlink isn't blocking any of my ports.

I think the most important bit so far is that the HELO command is being rejected. Not sure why it would be rejected when the server is running behind Starlink and not the legacy ISP. Hmmm...

Could this be a reverse DNS issue? Starlink has a PTR record on the IP address they are giving me:

% host [Starlink public IP]
[Starlink public IP].in-addr.arpa domain name pointer customer.sttlwax1.pop.starlinkisp.net.

% dig +short customer.sttlwax1.pop.starlinkisp.net
% 

% dig +short mail.[my domain].com 
[Starlink public IP]

Then I checked my legacy DSL:

% host [Legacy DSL public IP]
[Legacy DSL public IP].in-addr.arpa domain name pointer client-[Legacy DSL public IP].hostwindsdns.com.

% dig +short client-[Legacy DSL public IP].hostwindsdns.com
% 

% dig +short mail.[my domain].com 
[Legacy DSL public IP]

They seem to behave similarly and have the same issue.
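An added check for the resolver tests in the question above (this script is not part of the original post). Two things matter when reading those dig results: `dig +short` prints nothing at all for an NXDOMAIN answer (the `not found: 3(NXDOMAIN)` line quoted from the Spamhaus documentation is host(1) output), so an empty result for 1.0.0.127.zen.spamhaus.org is the correct "not listed" response from both resolvers; and Spamhaus reports problems with a query as special A records rather than DNS errors, 127.255.255.254 meaning the query arrived through a public or open resolver. The script assumes dig is installed and takes the resolver address as its first argument (the script name is a placeholder); it builds the DNSBL names for the two test addresses, classifies the answers, and reports OK only when the listed test yields listing codes and the not-listed test yields NXDOMAIN. A failed DNS lookup inside Postfix's restrictions is also one of the conditions that produces the `451 4.3.5 Server configuration error` reply seen in the update, so this is the first thing to verify from the mail server's own network path.

```shell
#!/bin/sh
# Added example (not from the question): check that a resolver returns correct
# Spamhaus ZEN answers for both the "listed" and "not listed" test addresses.
# Assumes dig is installed. Usage: sh check_dnsbl_resolver.sh <resolver-ip>
# (the script name is a placeholder).
ZONE=zen.spamhaus.org

# 127.0.0.2 -> 2.0.0.127.zen.spamhaus.org: octets reversed, zone appended.
dnsbl_name() {
    printf '%s\n' "$1" | awk -F. -v zone="$ZONE" '{ print $4 "." $3 "." $2 "." $1 "." zone }'
}

# Read the A records of one DNSBL answer (one per line on stdin) and print one
# line: not_listed | listed <codes> | error <reasons> | unexpected <addrs>.
# The return codes are the ones Spamhaus documents for ZEN.
classify() {
    awk '
        NF == 0 { next }
        $0 == "127.255.255.252"   { err = err " typing-error-in-query-name"; next }
        $0 == "127.255.255.254"   { err = err " query-from-public-or-open-resolver"; next }
        $0 == "127.255.255.255"   { err = err " excessive-query-volume"; next }
        $0 == "127.0.0.2"         { listed = listed " SBL"; next }
        $0 == "127.0.0.3"         { listed = listed " SBL-CSS"; next }
        $0 ~ /^127\.0\.0\.[4-7]$/ { listed = listed " XBL"; next }
        $0 == "127.0.0.9"         { listed = listed " SBL-DROP"; next }
        $0 ~ /^127\.0\.0\.1[01]$/ { listed = listed " PBL"; next }
        { other = other " " $0 }   # e.g. a resolver that rewrites NXDOMAIN into a web page
        END {
            if (err != "")    { print "error" err; exit }
            if (other != "")  { print "unexpected" other; exit }
            if (listed != "") { print "listed" listed; exit }
            print "not_listed"   # no records at all: what dig +short shows for NXDOMAIN
        }'
}

# NXDOMAIN gives empty output and exit status 0 from dig; that is the correct
# "not listed" answer (host(1) is the tool that prints "not found: 3(NXDOMAIN)").
query() {
    dig +short +time=5 +tries=1 "@$1" "$2"
}

# $1 = classify() output for 127.0.0.2, $2 = classify() output for 127.0.0.1.
# Returns 0 only if Postfix can rely on this resolver for reject_rbl_client.
verdict() {
    case "$1" in
        listed*) ;;
        *) printf 'FAIL: listed test returned "%s"\n' "$1"; return 1 ;;
    esac
    case "$2" in
        not_listed) printf 'OK: listed test gave [%s], not-listed test gave NXDOMAIN\n' "${1#listed }"; return 0 ;;
        *) printf 'FAIL: not-listed test returned "%s" instead of NXDOMAIN\n' "$2"; return 1 ;;
    esac
}

check_resolver() {
    listed=$(query "$1" "$(dnsbl_name 127.0.0.2)" | classify)
    unlisted=$(query "$1" "$(dnsbl_name 127.0.0.1)" | classify)
    verdict "$listed" "$unlisted"
}

if [ $# -ge 1 ]; then
    check_resolver "$1"
fi
```

Run it from the mail server itself, once per gateway, so the query leaves through the same path Postfix uses. If dig times out or is missing, the listed test classifies as `not_listed` and the check fails closed rather than reporting a healthy resolver. On the Postfix side, `reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]` (rather than the bare zone name) keeps the 127.255.255.x error codes from ever being treated as listings.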

Orphans avatar
cn flag
Does Starlink even allow for public IPs? I did not know.
in flag
Yes, the Starlink IPs are public but they do not do routing correctly. See accepted answer.
djdomi avatar
za flag
I am unfamiliar with Unbound; for me, BIND9 was easier and better documented on the web. I had a similar experience with this issue and BIND9 worked out of the box.
in flag
Thank you for taking the time to respond. I will set up a BIND9 server and see if I can get that to work.
in flag
I set up a BIND9 server. Works great when everything behind legacy DSL, doesn't work when behind Starlink. :(
djdomi avatar
za flag
However, since you asked about your home equipment, this question is and will be off topic. You may have to ask Starlink support whether it is supported to run server services on consumer-grade systems/connections.
in flag
Who said this is home equipment? This is for a business. A business couldn't possibly use Starlink? I have already contacted Starlink, thanks. I am waiting for their response as I continue to search for a solution.
Score:0
in flag

Starlink said they were blocking port 25 and the CGNAT may have been causing routing issues. I solved the problem by creating a VPS and then creating a tunnel into my mail server behind Starlink. All traffic is then forwarded from the VPS through the tunnel to the mail server. All outgoing traffic from the mail server goes out through the tunnel. Works like a charm.
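The VPS front door described in this answer, as an added example that is not the answerer's own configuration: WireGuard from the mail server out to the VPS (the CGNAT side has no reachable address, so it must initiate and keep the tunnel alive), iptables DNAT on the VPS for ports 25, 587 and 993, and a default route through the tunnel on the mail server so that replies to forwarded connections and the server's own outbound SMTP leave from the VPS address. That last part is what makes the forwarding work at all: if the mail server answered a DNATed connection through its Starlink default route, the reply would leave from the CGNAT address and the TCP session would never complete. Every address, interface name and key below is a placeholder (203.0.113.10, 10.8.0.0/24, eth0, wg0, the `<...KEY>` markers). Once this is in place the public A record, the PTR record and the SPF entry for the mail host all refer to the VPS address, and that is the address whose reputation matters.

```shell
#!/bin/sh
# Added example (not the answer's own setup): a VPS front door for a mail server
# behind CGNAT. Placeholders: VPS public IP 203.0.113.10 on eth0, WireGuard on
# wg0 with 10.8.0.1 (VPS) and 10.8.0.2 (mail server), keys marked <...>.
# Usage: sh mail_frontdoor.sh vps-wg | mail-wg | rules | apply   (apply: as root on the VPS)
set -eu

VPS_PUBLIC_IP=203.0.113.10
VPS_IFACE=eth0
WG_IFACE=wg0
WG_PORT=51820
VPS_TUN_IP=10.8.0.1
MAIL_TUN_IP=10.8.0.2
PORTS="25 587 993"

# /etc/wireguard/wg0.conf on the VPS: accept the one peer and forward for it.
vps_wg_conf() {
    cat <<EOF
[Interface]
Address = ${VPS_TUN_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = <VPS_PRIVATE_KEY>
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
PublicKey = <MAIL_SERVER_PUBLIC_KEY>
AllowedIPs = ${MAIL_TUN_IP}/32
EOF
}

# /etc/wireguard/wg0.conf on the mail server. AllowedIPs = 0.0.0.0/0 makes
# wg-quick install a default route through the tunnel, so replies to forwarded
# connections and outbound SMTP both leave via the VPS instead of the CGNAT path.
# PersistentKeepalive keeps the NAT mapping open, since the VPS cannot reach in.
mail_wg_conf() {
    cat <<EOF
[Interface]
Address = ${MAIL_TUN_IP}/24
PrivateKey = <MAIL_SERVER_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = ${VPS_PUBLIC_IP}:${WG_PORT}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# iptables rules for the VPS, printed rather than run so they can be reviewed.
# Only the three mail ports are DNATed; everything else still terminates on the VPS.
vps_rules() {
    for p in $PORTS; do
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
            "$VPS_IFACE" "$p" "$MAIL_TUN_IP" "$p"
        printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$VPS_IFACE" "$WG_IFACE" "$MAIL_TUN_IP" "$p"
    done
    # Replies to forwarded connections, plus the mail server's own outbound traffic.
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A FORWARD -i %s -o %s -s %s -j ACCEPT\n' "$WG_IFACE" "$VPS_IFACE" "$MAIL_TUN_IP"
    # Outbound SMTP (and the mail server's DNSBL lookups) leave from the VPS address,
    # which is therefore the address that needs the PTR record and the SPF entry.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$VPS_IFACE" "$MAIL_TUN_IP" "$VPS_PUBLIC_IP"
    printf 'iptables -P FORWARD DROP\n'
}

case "${1:-}" in
    vps-wg)  vps_wg_conf ;;
    mail-wg) mail_wg_conf ;;
    rules)   vps_rules ;;
    apply)   vps_rules | sh -e ;;
esac
```

Generate real keys with `wg genkey | tee private.key | wg pubkey` on each side and substitute them for the markers before bringing the interfaces up with `wg-quick up wg0`. Nothing on the VPS should itself listen on 25, 587 or 993: the PREROUTING DNAT runs before local delivery, so a local Postfix on the VPS would never see those connections anyway, but it would still be exposed on any port not in the list. Because the mail server's resolver traffic now exits from the VPS address as well, the Spamhaus check is made from a single non-public resolver address, which is what the DNSBL expects.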
