On Fri, Sep 25, 2009 at 11:35:56AM +0200, [email protected] wrote:
> > On Mon, Jun 29, 2009 at 03:21:16PM +0200, 'the other machine' wrote:
> >> Running OpenBSD 4.5 on a vm I receive the error 'administrative
> >> prohibition' when passing smtp traffic from another machine through
> >> pf.
> >>
> >> This only occurs with one provider but it does not occur with that
> >> same provider if emails are not passed through pf but instead sent
> >> directly.
> >>
> >> So, obviously pf changes something somewhere which keeps the emails
> >> from getting accepted by the server. The rule specified for my
> >> outgoing smtp traffic is as follows:
> >>
> >> pass out on $ext_if proto tcp from any to any port smtp
> >>
> >> Does anyone know what I have to do in order to get my email traffic to
> >> this service provider unhindered?
>
> > A random guess: the receiving machine doesn't like your (lack of)
> > reverse DNS when the request is passed through the firewall.
>
> Hello Joachim,
>
> thank you for your reply. How do I provide my virtual machine with a
> proper reverse DNS? I've tried everything I could think of but to no
> avail. I'm a newbie btw. So, maybe, I'm missing something here. :-)
Wow, that's an old message. Did you really mean to reply to the list?
(Feel free to take this off-list.)

Anyway, this only applies if the service provider in question sees
different IP addresses when you send the message via a firewall (pf);
otherwise, my earlier reply is just an incorrect random guess, which is
not that surprising given the lack of data. The service provider that
rejects your mail should know why, and I'm just guessing.

I had typed a whole explanation of what reverse DNS is and why filtering
by reverse DNS is useful (it keeps zombified home machines and
improperly configured mailservers from flooding one's mailserver with
spam), but that's not really what you asked for, now is it?

If you have a VM, it's likely that whoever you pay for the VM has also
given you a public IP address to go with it. This organization is almost
assuredly also in charge of the reverse DNS entries; there is, usually,
no way to set it on your end. (You *might* be able to get them to delegate
rDNS to you, if you so desire, but this mostly adds complexity - and
they may not allow this, since it's rather useful for spammers and
rather useless for most other people.)

In other words, contact your service provider.

Joachim
P.S. This is how you should configure DNS for a mailserver:

$ dig +short mx joachimschipper.nl
10 mail.joachimschipper.nl.
$ dig +short mail.joachimschipper.nl
65.111.181.22
$ dig +short -x 65.111.181.22
mail.joachimschipper.nl.

That is:
- You should have an MX record pointing to the hostname for your
  mailhost
- You should have an A (not CNAME) record for this hostname
- You should have a PTR record for this IP address

It is traditional to name mailhosts mail.<domain>; some spam filters are
more likely to block mail from hosts named differently, so it is a good
idea to abide by this convention.
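The three dig lookups in the P.S. (MX, then A, then PTR) can be turned into an automated consistency check. The script below is an added example, not part of Joachim's message or of any OpenBSD tool: it walks MX -> A (rejecting a CNAME target) -> PTR and reports what is missing, plus a warning when the mailhost does not follow the mail.<domain> convention. It uses a stub resolver so it runs offline; RECORDS is constructed sample data that mirrors the dig output above for joachimschipper.nl and adds an invented misconfigured domain, example-bad.test, whose MX target is a CNAME and whose address has no PTR. To use it against live DNS, replace stub_lookup with a function that issues real queries and returns the record data strings.

```python
"""Check that a domain's mail DNS follows the MX -> A -> PTR pattern.

Added example (not from the original message): an offline checker for the
three rules in the P.S. A stub resolver stands in for real DNS; the
RECORDS table is constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed stub zone data. joachimschipper.nl mirrors the dig output in
# the message; example-bad.test is an invented misconfigured domain whose
# MX target is a CNAME and whose address (192.0.2.10, documentation range)
# has no PTR record.
RECORDS = {
    ("joachimschipper.nl.", "MX"): ["10 mail.joachimschipper.nl."],
    ("mail.joachimschipper.nl.", "A"): ["65.111.181.22"],
    ("22.181.111.65.in-addr.arpa.", "PTR"): ["mail.joachimschipper.nl."],
    ("example-bad.test.", "MX"): ["10 mx.example-bad.test."],
    ("mx.example-bad.test.", "CNAME"): ["host.example-bad.test."],
    # what a resolver hands back for the A query after chasing the CNAME
    ("mx.example-bad.test.", "A"): ["192.0.2.10"],
}


def fqdn(name: str) -> str:
    """Normalise a DNS name: lowercase with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def stub_lookup(name: str, rtype: str) -> list[str]:
    """Stand-in for a DNS query; returns record data strings or []."""
    return RECORDS.get((fqdn(name), rtype.upper()), [])


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


@dataclass
class Report:
    domain: str
    problems: list[str] = field(default_factory=list)   # violate a rule
    warnings: list[str] = field(default_factory=list)   # convention only

    @property
    def ok(self) -> bool:
        return not self.problems


def check_mail_dns(domain: str, lookup=stub_lookup) -> Report:
    """Apply the rules from the message: MX -> A (not CNAME) -> PTR."""
    report = Report(fqdn(domain))

    # Rule 1: the domain needs an MX record naming the mailhost.
    mx_records = lookup(domain, "MX")
    if not mx_records:
        report.problems.append("no MX record")
        return report

    for mx in mx_records:
        _preference, host = mx.split(None, 1)
        host = fqdn(host)

        # Rule 2: the MX target must be an A (or AAAA) record, not a CNAME.
        if lookup(host, "CNAME"):
            report.problems.append(f"MX target {host} is a CNAME")
        addrs = lookup(host, "A") + lookup(host, "AAAA")
        if not addrs:
            report.problems.append(f"MX target {host} has no A/AAAA record")
            continue

        # Rule 3: each address needs a PTR, and it should point back at the
        # MX hostname (forward-confirmed reverse DNS).
        for addr in addrs:
            ptrs = [fqdn(p) for p in lookup(reverse_name(addr), "PTR")]
            if not ptrs:
                report.problems.append(f"{addr} has no PTR record")
            elif host not in ptrs:
                report.problems.append(
                    f"PTR for {addr} is {', '.join(ptrs)}, not {host}")

        # Convention from the message: mailhosts are named mail.<domain>.
        if host != "mail." + fqdn(domain):
            report.warnings.append(
                f"{host} does not follow the mail.<domain> convention")
    return report


if __name__ == "__main__":
    for name in ("joachimschipper.nl", "example-bad.test"):
        r = check_mail_dns(name)
        print(name, "OK" if r.ok else "PROBLEMS", r.problems, r.warnings)
```

The check deliberately separates hard problems (missing or inconsistent records, which is what a receiving server's reverse-DNS filter trips on) from the naming convention, which only goes into warnings: a host named mx.<domain> is still correctly configured, it just may score worse with some spam filters, exactly as the message says.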