Hi Ted, Thanks for the advice. I'm doing pretty much all of that except reserving an alternate IP as a backup relay/smarthost. That's a good idea.
I use one IP for almost all web traffic (going through a reverse proxy to a VM farm), one for DNS/Kerberos, one for a legacy install of my MUA, and one as both my MX and MTA. All my internal services relay to the MTA which is listed in SPF and handles DKIM signing; on the inbound side it handles SA and relay to appropriate internal host based on domain. Having everything relay through one system gives me the opportunity to monitor for unusual mail volume across all services/clients. Having an "emergency MTA" in my SPF records that I can relay to (or just bring up as another address on the existing server) would definitely help as long as the netblock isn't listed... getting a spare address on a different network would be useful, but I'm not sure how hard that will be to pry from Internap. The form does seem to have worked, and I'm not currently on the BRBL, although this morning I got bounces from a Barracuda customer for a very benign message with "rejected due to spam content," so who knows. I wish there was better visibility into the process. Best, --Jered ----- On Jun 23, 2015, at 12:00 AM, Ted Mittelstaedt t...@ipinc.net wrote: > Hi Jered, > > I'm not a Barracuda customer myself I can only report my own interaction > with them. I run several public mailservers. > > 1) I don't run public mailing lists and if I ever was going to do that I > would run them on a separate server with a separate IP address > > 2) I don't run my webserver on the same server as my mailservers. > > 3) I have gotten BLed by Barracuda a couple of times. It usually takes > about 3-4 days to get delisted so while I'm waiting I route outgoing > mail through an alternate server. I get BLed when a customer falls for > a phish mail and gives out their password. > > My recommendation is you have at least 4 public IP address with servers, > one for your webserver, one for your mailserver and one for an alternate > mailserver and one for a mailing list server. > > As for the "class C block" I think that is likely that you are trying to > do everything with a single static IP. If you had a subnet of public > IPs then the ISP that issued it to you would SWIP them to you and > you would have no problems proving to Barracuda that your not part of > the rabble. > > I realize you said your in a data center. Contact the data center > provider and tell them you want a block they will SWIP to you. I > realize this may cost you some more money. But email is not one of > those things you can do well on the cheap. > > Ted > > > On 6/20/2015 8:38 AM, Jered Floyd wrote: >> >> Hello SA-users, >> >> I have a question on the other side of things: outgoing mail. I know >> this is off-topic but this seems to the only venue where there might be >> knowledge of the problem, and the offender is a spamassassin "customer". >> >> (I operate an MTA host on which I run SpamAssassin -- it works >> flawlessly. (I am running Debian Postfix 2.7.1-1+squeeze1 with >> spamassassin 3.3.1-1.1) This system is in an Internap data center, and >> provides mail services for about a half-dozen organizations that I >> support. SPF and DKIM are correctly configured for hosted domains, as is >> user authentication for submitted mail.) >> >> I appear to be getting a shakedown scam from Barracuda Networks. They >> seem to be getting out of the "anti-spam" and into the "protection >> racket" business. >> >> A small number of recipients have been getting bounce-unsubscribed a >> community mailing list that I administer. The most recent bounces say >> that this "blocked using Barracuda Reputation; >> http://www.barracudanetworks.com/reputation/"; Visiting that page >> provides no information on the specific reason my MTA has been blocked >> so I can't determine if there is a configuration issue, but there is a >> link for one-time removal. >> >> Below that the page says "One way to get your email through spam filters >> even if you are listed on the BRBL is to register your domain and IPs at >> EmailReg.org." OK, sounds good, I can prove that my IP address is >> allowed to send for my domains -- I thought that was what SPF and DKIM >> are for (which are configured) but whatever. >> >> However, I click through to emailreg.org <http://emailreg.org> and AFTER >> signing up for an account and configuring it they then reveal that there >> is a $20 "administrative fee" per domain. >> >> This sounds like a scam to me. They're blacklisting mail servers, not >> telling why, and then offering to take you off the list (without even >> correcting any problems) for "just" a $20 fee. I don't see how any >> legitimate RBL can operate with that model. >> >> Has anyone else here run into this? Is there a way out other than >> bribing Barracuda to not block my mail? >> >> Thanks, >> --Jered
