Score:0

How to send mail using exim4 via gmail smtp: how to enable SPF or DKIM without a domain?

ge flag
zar

I would like to send mail from my debian box to my personal gmail account.

When I try to send emails, I receive an error from Google. This is what I can read in /var/log/exim4/mainlog:

2023-04-13 21:31:41 1pn2fV-0032Fu-IA <= [email protected] U=roberto P=local S=409
2023-04-13 21:31:41 1pn2fV-0032Fu-IA H=gmail-smtp-in.l.google.com [2a00:1450:4013:c03::1a] Network is unreachable
2023-04-13 21:31:42 1pn2fV-0032Fu-IA ** [email protected] R=dnslookup T=remote_smtp H=gmail-smtp-in.l.google.com [108.177.126.27] X=TLS1.3:ECDHE_X25519__ECDSA_SECP256R1_SHA256__AES_256_GCM:256 CV=yes DN="CN=mx.google.com": SMTP error from remote mail server after pipelined end of data: 550-5.7.26 This mail is unauthenticated, which poses a security risk to the\n550-5.7.26 sender and Gmail users, and has been blocked. The sender must\n550-5.7.26 authenticate with at least one of SPF or DKIM. For this message,\n550-5.7.26 DKIM checks did not pass and SPF check for [pioneer.zar.it] did not\n550-5.7.26 pass with ip: [79.20.203.164]. The sender should visit\n550-5.7.26  https://support.google.com/mail/answer/81126#authentication for\n550 5.7.26 instructions on setting up authentication. p5-20020aa7d305000000b005066ca2f63fsi2195148edq.197 - gsmtp
2023-04-13 21:31:42 1pn2fW-0032Fy-P6 <= <> R=1pn2fV-0032Fu-IA U=Debian-exim P=local S=2980
2023-04-13 21:31:42 1pn2fV-0032Fu-IA Completed
2023-04-13 21:31:42 1pn2fW-0032Fy-P6 => roberto <[email protected]> R=local_user T=mail_spool
2023-04-13 21:31:42 1pn2fW-0032Fy-P6 Completed

The "pioneer.zar.it" domain is a local unregistered domain. How can I set SPF or DKIM if that domain doesn't exist?

My OS is Debian 11, and my update-exim4.conf.conf is:

dc_eximconfig_configtype='internet'
dc_other_hostnames='pioneer.zar.it'
dc_local_interfaces='127.0.0.1 ; ::1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='smtp.gmail.com::587'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='false'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

[edit] Thanks to @user1686, I found a solution: my system is sending mail as a smarthost, so I changed the first line in update-exim4.conf.conf as follows:

dc_eximconfig_configtype='smarthost'

Besides, I don't own the zar.it domain (I used it because I thought that it wasn't registered), so I changed the second line as follows:

dc_other_hostnames=''

And now I am able to send emails.

Score:2
fr flag

The "pioneer.zar.it" domain is a local unregistered domain. How can I set SPF or DKIM if that domain doesn't exist?

"zar.it" is neither local, nor unregistered. In fact, it has been registered since 2000. Even the specific subdomain, "pioneer.zar.it", exists in public DNS and has one A record.

  • If you are the owner of the zar.it domain, you can add the SPF (TXT) records to it like you would any other record, even if there are no corresponding A/AAAA records.

    There is no additional registration needed for subdomains of a registered domain, such as pioneer.zar.it if you already own zar.it – owning the domain automatically grants ownership of all its subdomains; the entire hierarchy is delegated to your nameservers.

  • If you are saying that you're trying to send mail with someone else's domain in "From:", then the rejection message is entirely expected – it means SPF is correctly doing its job by preventing you from sending spoofed messages. Use a different domain.

    Like in the previous point, ownership of a domain automatically grants ownership of all of its subdomains, so if someone else already owns zar.it, then they own pioneer.zar.it and set its SPF/DMARC policies as well.


In addition to that, as you have configured your server to use Gmail as a "smarthost", sending mail through the "authenticated mail submission" port 465/587 (instead of the usual "server-to-server mail exchange" port 25), it means Gmail doesn't consider your messages to be mail from an external site – they are treated as messages from your Gmail account back to yourself.

I believe Gmail's policies may disallow such messages regardless of SPF or DKIM – as long as you're sending from a specific Gmail account, you will likely be required to use that account as the "From:" address.

zar
ge flag
Oh! I didn't check, I am not the owner of that domain. I don't own a domain, I only want to send email from my little server to my gmail account. Will it be ok if I configure my server with a non-existent domain?
user1686
fr flag
No, it probably won't. Remember that you're using Gmail as a "smarthost", therefore your server is sending mail _from your Gmail account_ back to the same account, so it needs to use your account's address as "From". It is not treated as "mail from an external domain" at all.
zar
ge flag
So how should I configure my system? Maybe a .local domain? And how could I solve the issue related to Gmail? In general, I would like to be able to send messages using Gmail smtp server, to my own address or even to other addresses.
user1686
fr flag
You would need to configure Exim to masquerade the entire sending address (not just the domain) with your smarthost account's address – probably [something like this](https://www.exim.org/exim-html-current/doc/html/spec_html/ch-address_rewriting.html). The system's "real" domain name won't matter as much if rewriting is performed, though try to avoid using someone else's domain regardless (use `.home.arpa` if you have nothing else).
zar
ge flag
Thank you. What about a `.local` domain? What are best practices for local domains?
user1686
fr flag
`.home.arpa` is the only domain that's explicitly reserved for that purpose (it's like 192.168.x). `.local` is the domain used for mDNS, so although it's also private and people use it, using it for internal DNS may cause unexpected conflicts. A made-up domain that *doesn't* exist in global DNS is questionable. Making up a TLD used to be common but now with the amount of new TLDs it's also slightly risky (e.g. people using `.dev` started having problems when it became a real TLD). Can be done with care though, e.g. I use `.sym` (even though I have a global domain as well).
user1686
fr flag
When it comes to mail specifically, you really only have *one* option: If you're setting up a standalone mail site, you **have to** use a real domain name (otherwise many systems will refuse to accept mail from you). Doesn't matter what the rest of the system uses, but the sent mail headers and envelope need to use a "From" that exists in the global DNS and *is under your control*. And when using a smarthost, it's even more specific: Exim with a smarthost is no different from e.g. Thunderbird, you have to send mail from the specific address (user@domain) that the smarthost server allows you.
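Putting the thread's conclusion into practice, as an added example that is not code from any of the posters above: the script below writes the three files Debian's `exim4-config` package reads for a "smarthost to Gmail" setup, namely `update-exim4.conf.conf` with the two lines the [edit] changed, `passwd.client` for SMTP AUTH, and `/etc/email-addresses`, which Debian's default rewrite rule uses to replace the local sender address with the Gmail address (the "masquerade the entire sending address" point). The Gmail address and app password are placeholders; the second `*.google.com` line in `passwd.client` is a precaution in case Exim records Google's canonical host name rather than `smtp.gmail.com`, not something the thread states. `EXIM_ETC` and `EMAIL_ADDRESSES_FILE` default to the real paths and can be pointed at a scratch directory to try it without touching `/etc`.

```shell
#!/bin/sh
# Added example, not from the thread: generate the Debian exim4 smarthost-to-Gmail
# configuration the question's [edit] and the comments arrive at.
# EXIM_ETC and EMAIL_ADDRESSES_FILE default to the real Debian paths; override them
# to write into a scratch directory. Gmail address and app password are placeholders.

EXIM_ETC="${EXIM_ETC:-/etc/exim4}"
EMAIL_ADDRESSES_FILE="${EMAIL_ADDRESSES_FILE:-/etc/email-addresses}"

# update-exim4.conf.conf: the question's file with the two lines from the [edit].
# 'smarthost' makes Exim hand all outgoing mail to dc_smarthost instead of doing MX
# lookups; an empty dc_other_hostnames drops pioneer.zar.it (a domain the poster
# does not own) from the local-domain list.
write_update_conf() {
    cat > "$EXIM_ETC/update-exim4.conf.conf" <<'EOF'
dc_eximconfig_configtype='smarthost'
dc_other_hostnames=''
dc_local_interfaces='127.0.0.1 ; ::1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='smtp.gmail.com::587'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='false'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
EOF
}

# passwd.client: "host:login:password" lines used by Debian's smarthost transport for
# SMTP AUTH. The lookup is a wildcard search on the host Exim connects to, so the
# configured smarthost name and Google's canonical *.google.com names are both listed
# (the second line is a precaution, not something the thread states). Credentials
# must stay readable by root and the Debian-exim group only.
write_passwd_client() {
    gmail_login="$1"
    app_password="$2"
    {
        printf 'smtp.gmail.com:%s:%s\n' "$gmail_login" "$app_password"
        printf '*.google.com:%s:%s\n' "$gmail_login" "$app_password"
    } > "$EXIM_ETC/passwd.client"
    chmod 640 "$EXIM_ETC/passwd.client"
}

# /etc/email-addresses: "localuser: address" lines. Debian's default rewrite rule
# (flags Ffrs) uses this file to rewrite the envelope sender and the From:, Reply-To:
# and Sender: headers of locally submitted mail, so Gmail sees its own account as
# the sender instead of roberto@<local hostname>.
write_email_addresses() {
    printf '%s: %s\n' "$1" "$2" > "$EMAIL_ADDRESSES_FILE"
}

# rewritten_sender LOCALUSER: prints the address /etc/email-addresses maps the local
# user to (nothing if there is no entry), mirroring the lsearch Exim performs.
rewritten_sender() {
    awk -F': *' -v user="$1" '$1 == user { print $2; exit }' "$EMAIL_ADDRESSES_FILE" 2>/dev/null
}

# Usage as root on the Debian box, then: update-exim4.conf && systemctl restart exim4
#   write_update_conf
#   write_passwd_client 'yourname@gmail.com' 'placeholder-app-password'
#   write_email_addresses roberto 'yourname@gmail.com'
#   exim4 -brw "roberto@$(cat /etc/mailname)"   # shows how Exim rewrites the sender
```

After `update-exim4.conf` and a restart, `exim4 -brw` on a local address shows the rewrite result without sending anything, and a test message sent to your own Gmail account should now arrive with the Gmail address in both the envelope sender and the From: header, which is what the 550 5.7.26 rejection in the question was complaining about.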