I’m pretty sure that many of us are tired of the word ‘Spam’. How about your mails being rejected from your domain when sending to Top level E-mail providers like GMail, Yahoo and MSN Hotmail ? It may be a familiar weird issue to many of you. This post is about how to tackle those situations. But if you are an End-user, please contact your System Admin. But if you are the one by that name, read on !

Case

The E-mails being rejected to the Top level providers since your server IP is blacklisted. You can check whether your server IP is blacklisted at : http://www.mxtoolbox.com/blacklists.aspx (Read xxx.xxx.xxx.xx as your server IP)

When the IP is entered and you click ‘Blacklist Check’, the resultant screen should be expected as (Assuming your server IP is on a blacklist)

There you go, your server IP is blacklisted, only thing that varies is the number of blacklists. So, what is the solution ? Most will be preferring to provide a dedicated IP to the domain which is having the issue. But when a whole Server IP is blacklisted, this will not work. But as usual, there is nothing new under the Sun !!

Solution

Switch the Mail server IP of the Server.

Work

Find a free IP, make sure its allocated to  the server, or else add it to the server. That is upto you. After this, there are a few steps, which is just a Walk in the Park

1) Access the WHM of the Server, as root. Go to Exim Configuration Editor. Find out the Category Domains and IPs, and enable this option :

Send outgoing mail from the ip that matches the domain name in /etc/mailips (*: IP can be added to the file to change the main outgoing interface)

Save the Changes.

2) Login to server through SSH, Switch to root

root@server[~]# vi /etc/mailips

Add this line
* : xxx.xxx.xxx.xx (Your Mail server IP)

So the following should be seen when reading the content in /etc/mailips

root@server[~]# cat /etc/mailips
*: xxx.xxx.xxx.xx

3) Add a Reverse DNS entry for the IP, you may need to contact DC for this. When you are finished this do the steps :

root@server[~]# vi /etc/mail_reverse_dns

Add this line
xxx.xxx.xxx.xx: hostname

4) Change File attributes of /etc/mailips

root@server[~]# chattr +i /etc/mailips
root@server[~]# lsattr /etc/mailips
----i-------- /etc/mailips

5) Final Steps : Build Exim Config file to reflect changes, Restart Exim Service

root@server[~]# /scripts/buildeximconf
root@server[~]# service exim restart

Case is Resolved ! Now you must be able to send E-mails everywhere. Try it.

“This request cannot be completed because the link you followed or the form you submitted was only valid for minutes. Please try again now.”

Solution

Edit C:\inetpub\vhosts\webmail\horde\lib\horde.php (Drive Letter will depend on where you installed Webmail/Plesk and configured IIS to load virtual hosts from)

And search for section ” SESSION['horde_form_secrets' " in the Horde.php  and instead of

if ($_SESSION['horde_form_secrets'][$token] +  $GLOBALS['conf']['urls']['token_lifetime'] * 60 < time()) {
return PEAR::raiseError(sprintf(_(“This request cannot be completed because the link you followed or the form you submitted was only valid for %s minutes”),  $GLOBALS['conf']['urls']['token_lifetime']));
}

it should be

if (($_SESSION['horde_form_secrets'][$token] + $GLOBALS['conf']['urls']['token_lifetime']) * 60 < time()) {
return PEAR::raiseError(sprintf(_(“This request cannot be completed because the link you followed or the form you submitted was only valid for %s minutes”), $GLOBALS['conf']['urls']['token_lifetime']));
}

Note the extra braces in red + bold

The next step is to set up the URL you want to use to access Webmail. In most cases, this is either webmail.example.com or simply mail.example.com. To make this change, click on the ‘Service Settings‘ tab in the top menu of the dashboard. Then, click ‘Email‘. From there, specify that you want to use a custom URL, and enter the appropriate subdomain for your domain.

Submit that form, and Google will then provide you with information about adding a CNAME entry for your new subdomain. You should make corresponding entries in the DNS zone to implement this. For example if the URL with which you wish to access your mail is webmail.example.com then you must give a CNAME record ‘ ghs.google.com. ‘ in the DNS zone for webmail. This is shown below :

Step VI : MX Record Changes

Once you have finished creating all of the users, you can return to the dashboard and click ‘Activate email‘  and follow the MX change instructions provided by Google. If you are lucky enough to use one of the hosts included in the dropdown menu there, you should be able to get clear, specific instructions explaining how to make the changes in your domains control panel.

Google will have you add seven new MX records to your DNS zone file. Those entries will probably look like:

MX Server address                                  Priority

ASPMX.L.GOOGLE.COM.                 10
ALT1.ASPMX.L.GOOGLE.COM.       20
ALT2.ASPMX.L.GOOGLE.COM.       20
ASPMX2.GOOGLEMAIL.COM.         30
ASPMX3.GOOGLEMAIL.COM.         30
ASPMX4.GOOGLEMAIL.COM.         30
ASPMX5.GOOGLEMAIL.COM.         30

It’s important that you copy and paste those addresses exactly as they appear in the Google instructions. They all include dots at the end of the addresses, and that dots need to be included. I am attaching a screenshot below which will hopefully give you an idea on how it should be entered.

Your new entries will need to look similar to:

your-domain.com    14400    IN    MX    10    ASPMX.L.GOOGLE.COM.

Where your-domain.com is your domain name, the second spot is the TTL or Time To Live (which can be left blank if required), the word ‘IN‘ is in the third spot, the fourth spot is filled with ‘MX‘ , the fifth spot is the ‘Priority‘ and the last spot includes the address provided by Google.

Also, in most of the cases you can only add four or five entries to the zone file at a time, so you’ll have to add this first, save the file, and then add the rest.
Once you’ve made those changes, click the  ‘I’ve made these changes‘ button in the Google Apps window.
Finally you can return to dashboard and click on the ‘Activate email‘ tab which you will find right below the ‘Email‘ option. See below :

The last and most difficult Step : Waiting.

At this point, you’re pretty much done. You now simply have to wait because It can take anywhere from one hour to 48 hours before the changes are complete.

Once the changes have completed, though, you can set up your e-mail client (Outlook, Thunderbird etc.) to check your e-mail. The Gmail IMAP settings are fairly simple. They are as follows:

IMAP (incoming) mail:
Server: imap.gmail.com
Port: 993
Encryption: SSL

SMTP (outgoing) mail:
Server: smtp.gmail.com
Port: 465 or 587
Encryption: TLS

***********************************************************************************************************

The praises can be sung without a pause but its better I stop the boasts here and get down to the original topic.  I’m going to explain, step-by-step, on how to accomplish this task. It’s actually very simple, but it might take quite some time depending on how good a techy you are. To begin with, head on over to Google and sign up for an account. I am siting the link below where you can do this :

http://www.google.com/apps/intl/en/business/index.html

In the above page click on the ‘ Apps Editions ‘ tab and you will be able to view different schemes they offer, from which you will be able to select the one which suits you the most. For most of us, the standard edition offered by Google is more than enough. However, they do offer a “Premier edition” if your needs exceed the services of the free accounts. In addition to the Standard edition and Premier edition there are  Educational schemes, Govermental schemes etc etc. Once you choose the package required you will be directed to a page with a blue colored ‘ Get started ‘ tab on the right most top corner of the page. This is your key, click on it and you are on your way to setting Google apps for your domain. I am going to list  everything step by step from here on in a detailed manner.

Step I : Tell them your registered Domain name.

In the very first step you need to provide your domain name as prompted. Obviously enough you should possess a registered domain or you can buy a new domain name through Google which automatically sets everything up for you. You also need to verify that you own the domain or if you are a member of the domain.

Step II : Tell them who you are.

Fill in all of your contact information. At least make sure that you fill in all the boxes which have an aestrics symbol (*) to the right of the label with proper and valid information. If you don’t provide the required information, you will receive an error when you submit the form.
An important thing that you should be absolutely sure of before filling up the form is that you are able to edit your server’s DNS zone files. If you cannot edit your DNS zone files, do not proceed. You will have to enter MX records pointing to the Google mail servers in your DNS configuration. Signing up for the Google Apps account is useless if you’re not going to be able to modify your server appropriately to have the e-mail go where it’s intended.

The screenshot above was limited by my monitor boundaries, but you will be able to see the ‘ Continue ‘ tab at the bottom of your screen. Click this and you are on step III.

Step III : Create your first administrator account.

Create your first e-mail account. This e-mail account will be used as the administrative account for the Google Apps services.

Below this you will be able to see the terms and conditions, which mostly contains the usual stuff but still worth a read, where you should click on the ‘ I accept. Continue with setup ‘ tab to proceed to the next step.

Step IV : Verify Domain Ownership.

The next step in the process is to prove to Google that you own and have administrative rights to the domain you chose.

Here you will have an option to do it later, but sooner the better. Once you choose the option to continue you will be prompted for the password you chose in the previous step.
You have three options to prove that you own the domain. The first option is to modify your DNS entries to add a unique CNAME record. Next option is to add a meta tag to your site’s home page.  The last option is to simply create and upload an HTML file to your Web server. Okay now there is no reason for you to panic from hearing all the complex terms, all you need to do is click on these options and viola, all the information you need on ‘How to’ gets detailed (or rather spoon fed) right on the screen.

As you can see the screenshot above you will have a drop down menu for a list of domain registrars among which you can choose yours and do as instructed. Otherwise you can simply choose the ‘ Others ‘ option from the drop down menu and follow the simple set of instructions which gets listed.
This will look somewhat like the following :

<<

A TXT record is an entry within the Domain Name System (DNS) that provides supplemental information about your domain. You can create a TXT record that proves to Google that you own the domain.

1. Add the TXT record below to the DNS configuration for your-domain.com.
google-site-verification=Zy5aERjpb4-T1S0Ig36pGuHDOE5MycRBGsVmCtVeTLY
2. Click verify below.
When Google finds this DNS TXT record, we’ll make you a verified owner of the domain. (Note: DNS changes may take some time. If we don’t find the record immediately, we’ll check for it periodically.)
Leave the TXT record in place even after verification succeeds.

>>

For adding the TXT record in the DNS zone log into your domain control panel and choose the edit DNS zone option. The name of the option might vary between control panels, but they provide the same functionalities. I am pasting yet another screenshot which might help you through this simple process.

NOTE : For the rest of the article I will be siting examples and providing screenshots only from, and in reference to, the cPanel. But it will not be difficult to figure out how it is done in other control panels once you get an idea on what we are doing here.

You can see that I simply pasted the text mentioned in the instructions. After doing this you can click on ‘Verify‘ which will, quite obviously, verify if the entry is made and thereby confirming your authority over the domain.

Emails plays a major role in today’s business, one must be keen to preserve the authenticity of mails they sent to the users and fail to do so may result in getting your mail server IP blacklisted and mails ends-up in users junk folder and they die!

This post is not a perfect guide to prevent you from getting blacklisted by the spamcops, but a few tips that could save your “Time” and “Reputation”.

1) All email is filtered against published blacklists of spam servers. Check whether your mailserver IP is already blacklisted : http://www.mxtoolbox.com/. If listed, take necessary actions to remove it. You can temporarily switch the mail server IP to get the mails moving until your regular IP is released.

2) All mails will be filtered based on certain rules. It looks for senders email address, mail subject line and words on the message content. Avoid using blank subject line and using common spammers words like “offer, discount, sale, free etc… There are a lot more..

3) Maintain a regular time intervals while sending mails to a particular sender. This could be setup on exim configuration file. (Needs admin privileges)

4) Enable SPF:
Sender Policy Framework (SPF), is an e-mail validation system designed to prevent e-mail spam by addressing a common vulnerability, source address spoofing. SPF allows administrators to specify which hosts are allowed to send e-mail from a given domain by creating a specific DNS SPF record in the public DNS for that domain. Mail exchangers then use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain’s administrators.

If SPF record is enabled for a domain, spammers and phishers are less likely to forge e-mails pretending to be from that domain. Spam filters now check for SPF records and hence eliminate the chance of forged mails, spams. Hence an SPF protected domain is less attractive to spammers and phishers and is less likely to be blacklisted by spam filters and ligitimate mails will go through.

SPF keeps the detail of the machine which is only authorized to send mails for that particular domain. This is done by adding additional a TXT record to their existing DNS records. Mail receivers that checks for SPF records check the domain DNS and finds whether the server is allowed to send mails for that domain.

The key issue in SPF is the specification for the new DNS information that domains set and receivers use. Eg is :

example.com. IN SPF “v=spf1 a mx -all”

“v=” defines the version of SPF used. “v=” defines the version of SPF used. The following words provide mechanisms to use to determine if a domain is eligible to send mail. The “a” and “mx” specify the systems permitted to send messages for the given domain. The “-all” at the end specifies that, if the previous mechanisms did not match, the message should be rejected.

On a cPanel server, one can easily enable SPF records.

Login to cPanel account for that particular domain ==> Email Authentication ==> Scroll down to SPF section ==> and Click on Enable.

Enable SPF :

SPF record on Domain DNS.

5) Enable SenderID:

SenderID is also an anti-spoofing method to save emails from Junk. SenderID is heavily based on SPF with a few additions. Like in SPF, DNS entries are used on the domain DNS to ensure the authenticity of emal. But they differ on what rules they apply to what fields contained in the message header.

How SenderID works:

• Sender sends an e-mail to Receiver.
• Receiver’s inbound e-mail server receives e-mail and calls its Sender ID Framework.
• The Sender ID Framework looks up the SPF record of the domain that Sender is using for sending the mail.
• The receiving Mail Transfer Agent (MTA) determines if the outbound Mail Server IP address matches IP addresses that are authorized to send mail for the user

DNS entry for SenderID enabled domain looks like,

You can Generate SenderID from here : http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

6) Enable Domain Keys:

DomainKeys is the branded name created by Yahoo. It has been introduced by Yahoo to fight against spams. DomainKeys is a PGP-like (Pretty Good Privacy) protocol for validating and authenticating an email. This system includes the creation of a public and private key. You keep your private key private and give your public key to your trusties. We encrypt data with our private key and users can decrypt messages with our public key.  This prevents others from seeing our data. Domain Keys takes this idea one step further. Instead of encrypting the email, it encrypts the email headers and creates a hash value from that encryption. The hash value is send/placed in the email header. When a site receives an email, it locates the public key which is located in the DNS server for the user listed in the From: line of the email and encrypts the email once again to compare the hash value.  If the hash values match after the second encryption test, the email passes validation.

DomainKeys is an system that allows for incoming mail to be checked against the server it was sent from to verify that the mail has not been modified and thereby ensures that messages are actually coming from the listed sender and allows abusive messages to be tracked with more ease.

Yahoo check for domankeys  on a domain if they are requested to whitelist the IP. Below are the steps to enable DomanKeys on a cPanel server.

DNS entries for DomainKeys and SPF

Once DomainKeys are enabled you can check whether it is setup correctly by sending a test mail addresses set up to  dk@dk.crynwr.com

7) Enable DKIM :

DKIM is the result of combining Yahoo’s DomainKeys technology with Identified Internet Mail which was developed at Cisco which is another methodology of PGP-like technique.
DomainKeys and DKIM sounds similar but there are different. DKIM was created to provide a more robust solution that would survive more types of modification to which messages are frequently subjected. DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message while it is in transit.  The organization is a handler of the message, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for delivery. Technically DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.

DKIM is not available as a ready-made option in cPanel server till now. If you are running an VPS and know basic administration, you can get it enabled. Login to the server via SSH and check if if exim is compiled with DKIM support enabled.

root@server # /usr/sbin/exim -dd 2>&1 | grep Experimental_DKIM

Support for: crypteq iconv() IPv6 PAM Perl OpenSSL Content_Scanning Old_Demime Experimental_SPF Experimental_SRS
Experimental_DomainKeys Experimental_DKIM

Generate the SSL keys

cd /usr/local/cpanel/etc/exim

openssl genrsa -out dkim.key 1024

openssl rsa -in dkim.key -out dkim.public -pubout -outform PEM

You will find two keys, dkim.key & dkim.public

Open dkim.public and copy the contents excluding the –Begin– and –End– section. This is your DKIM key.  Now open exim configuration file and append the below entries under the section ‘remote_smtp’

Sample file:
vi /etc/exim.conf

remote_smtp
driver = smtp
dkim_domain=your_domain_name.com
dkim_selector=mail
dkim_private_key=/usr/local/cpanel/etc/exim/dkim.key #path to the dkim.key key.
interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}
{$primary_hostname}}

Now on WHM, open DNS editor for the particular domain and add the TXT entry with DKIM key like below.

mail._domainkey.example.com. IN TXT "v=DKIM1;g=*;k=rsa; p=GIGmGA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDv4PSEG9PcxlI2tRojAUQ9hpRQ0Zj/XG4SK08/DrhG/CaspJAKZm9rZDAw18TrmuXeRgsGWAdS2vJ4Oa/kXqX0NG2eBJcGasu4GeNXANGXvC1uGz+8GC6rEPlE/Ucau4tGAHOZL0HJ9IDd/PIxoTkeTG3GjGeqvKBLbdvVIDXbcQIDAQAB"

Here p=the_key_you_have_copied_from_dkim.public

Restart exim and named services.

/scripts/restartsrv exim

/scripts/restartsrv named

To check whether DKIM is setup properly, send a mail to dkimtest@atmail.org , if setup properly, you will get a reply like below ,else a failure message.
———————
Subject:    AutoReply from dkimtest@atmail.org
From:    spftest@example.com
Date:    Fri, Jul 9, 2010 10:27 pm
To:    spftest@example.com
*** DKIM TEST SUCCESSFUL ***
———————-

8 ) Join JMRP :

JMRP/Junk Mail Report Program is a free service to provide reports on junk e-mail issues reported by Windows Live Hotmail users. You can use this free service to which is developed commercial mailers and e-mail administrators to identify/fix issues in sending mails to hotmails ID’s. JMRP returns the full message with headers of any e-mail marked as “junk” or “phishing” by a recipient.  Provides senders an opportunity to clean their e-mail lists and improve the quality of their content and helps identify potential problems with your marketing practices and content and also improves sender reputation by removing unwanted subscribers from lists.

You can join LMRP from here : http://bit.ly/JMRP

N:B :- Mail server mentioned here is cPanel Exim, you may replace this with any other mail server.

SERVICE CURRENTLY NOT AVAILABLE!

Error No. [0x01F4]

That is what you will see on logging to the Roundcube. How to fix it ?

on cPanel, just update roundcube

/usr/local/cpanel/bin/update-roundcube --force

On Lxadmin, just re-install

rm /var/cache/lxadmin/lxwebmail*
lphp.exe ../bin/misc/installRoundCube.php
/script/upcp

Fatal error: Cannot use string offset as an array in /usr/local/cpanel/base/horde/lib/Horde/Block/Layout/Manager.php on line 389

Not sure what caused the issue and it is not happening with IE, and only in FF. However a simple layout reset fixed the issue. Good Luck. Still, we need to find the real cause.

No one was able to login to Plesk’s default webmail, horde. Enabled error reporting in php.ini and got the error message as below in the “/etc/httpd/logs/error_log” and/or “/var/log/psa-horde/psa-horde.log”

PHP Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/usr/local/psa/admin/sessions) in Unknown on line 0, referer: http://webmail.supportsages.com/test.php?mode=unregister

Here the solution was to edit the php.ini to use /tmp as the session.save_path or even “/var/lib/php/session”

Other solution, for similar issue (not this exact error though) is to set,

session.auto_start = 0 in php.ini
Making sure that localhost entry is in /etc/hosts and resolves. For that do a telnet localhost 143 and if you get “Connected to” message, its not that issue check /etc/hosts file. It must have permissions -rw-r–r– (644) on a ls -l
Whatever be the session.save_path setting in the php.ini, it should have the permission of 1777
Run IMP test to check the problem at: http://webmail.DOMAIN.COM/horde/imp/test.php and make sure that you get the green words for all the tests.
This problem may occur if the domain’s web content is hosted on another server and the MX DNS record doesn’t exist or points not to the Plesk server. IMP tries to check mail on whatever server the domain name resolves to. In order to prevent this from happening the domain name or MX record (if it exists) must be resolved locally to the server.

References : http://kb.parallels.com/article_41_260_en.html