------------ Original Message ------------
> Date: Thursday, December 04, 2014 23:19:52 -0500
> From: Robert Moskowitz <r...@htt-consult.com>
> On 12/04/2014 07:46 PM, Wietse Venema wrote:
>> Robert Moskowitz:
>>> On 12/04/2014 07:02 PM, Wietse Venema wrote:
>>>> Robert Moskowitz:
>>>>> My new server does not seem to be allowing yahoo or ymail to
>>>>> deliver mail.
>>>>> 
>>>>> I do not see anything in maillog, not surprisingly.  My son
>>>>> reports he
>>>> Postfix logs all connection attempts, so they are not coming
>>>> through some firewall, or they aren't getting your DNS
>>>> information.
>>> It worked before the new server, so not a firewall item, as
>>> nothing changed there.  As far as DNS, I changed server name in
>>> MX record. I would hope they are getting z9m9z.htt-consult.com
>>> now rather than klovia.htt-consult.com.  But there is also the
>>> spf record I added for gmail:
>>> 
>>> htt-consult.com.    IN    TXT    "v=spf1 mx ~all"
>>> 
>>> And I do get emails from gmail, and can send them to gmail.
>> Speaking from experience, a bad netmask on a server can have
>> surprising effects. So can a bad netmask on a router. It totally
>> screws up routing, and one has no idea what is going on until one
>> runs a sniffer.
> 
> You said something here that triggered a thought....
> 
> The new server is on a different internal net than the old, thus
> different firewall rules.  I checked over all the addressing and
> everything there is right, but...
> 
> DCC (udp port 6277) was enabled for the old mailserver, but not
> the new!  Could that be the problem?  Well I enabled DCC and we
> will see as I just sent a new message from yahoo.
> 
> If this does not work, I will move the new server to the old
> address.  Really intended to do that after I turned down the old
> server...
> 

I'm seeing a couple of things when I look at your DNS records:

 dig htt-consult.com mx


  ;; ANSWER SECTION:
  htt-consult.com.      43200   IN      MX      30 z9m9z.htt-consult.com.
  htt-consult.com.      43200   IN      MX      40 rigel.htt-consult.com.

  ;; ADDITIONAL SECTION:
  z9m9z.htt-consult.com.        172799  IN      A       208.83.67.147


Your first MX host sometimes resolves to 208.83.67.147, which
doesn't appear to be reachable on port 25. When this resolves to
.180 it is.

Your second MX host rigel.htt-consult.com resolves to 208.83.67.188,
which doesn't appear to be reachable on port 25.

Additionally, given the TTL shown on the z9m9z.htt-consult.com.
A-record, did you bring your TTLs down before you made what I assume
was an MX host IPnumber switch? If not, and that 2-day TTL is
indicative of what you generally use, it could be a bit before the
nameservers that various mail servers use will need to requery (and
if they get the .147 address it likely won't do them any good
anyway).

To debug this type of thing you need to look at what the outside
world is seeing. Query the DNS so that you see results as seen from
the outside, and then try to telnet (from the outside) to the
resulting ipnumbers.


    - Richard
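
Added example, not part of the original message: one way to script the outside-view check described above, listing every address behind each MX host with its A-record TTL and whether port 25 answers. The resolver 8.8.8.8 and the function names are assumptions; run it from a host outside your own network so the probe takes the same path a remote sender would.

```python
import socket
import subprocess
import sys

PUBLIC_RESOLVER = "8.8.8.8"  # assumption: any resolver outside your own network


def run_dig(name, rtype, resolver=PUBLIC_RESOLVER):
    """Ask an outside resolver and return dig's answer section as text."""
    cmd = ["dig", "@" + resolver, "+noall", "+answer", name, rtype]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout


def parse_answer(text, rtype):
    """Yield (ttl, rdata) for each answer record of the requested type."""
    for line in text.splitlines():
        fields = line.split()
        # Answer line layout: name ttl class type rdata...
        if len(fields) >= 5 and not line.startswith(";") and fields[3] == rtype:
            yield int(fields[1]), " ".join(fields[4:])


def probe(ip, port=25, timeout=10):
    """True if a TCP connection to the SMTP port succeeds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(domain, dig=run_dig, probe=probe):
    """Return (preference, mx_host, ip, a_ttl, reachable) for every MX address."""
    rows = []
    for _, rdata in parse_answer(dig(domain, "MX"), "MX"):
        pref, host = rdata.split()
        # An MX host may publish several A records; senders can pick any of them.
        for ttl, ip in parse_answer(dig(host, "A"), "A"):
            rows.append((int(pref), host, ip, ttl, probe(ip)))
    return sorted(rows)


if __name__ == "__main__":
    for pref, host, ip, ttl, ok in audit(sys.argv[1]):
        state = "open" if ok else "NO ANSWER"
        print(f"{pref:3} {host:30} {ip:15} ttl={ttl:<7} port25={state}")
```

Any row reporting NO ANSWER is an address a sending server may try and fail on, and the TTL column shows how long remote caches can keep handing it out.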

