How to test if a mail server is correctly configured?

Forum Moderators: phranque

Message Too Old, No Replies

How to test if a mail server is correctly configured?

JorgeV

9:58 am on Jul 4, 2020 (gmt 0)

Hello,

I run dedicated servers, and once in a while, I am worried that my mail server is incorrectly configured and that some emails might not come in.

I was wondering if there are tools out there, which can be used to test if the mail server is correctly configured to "receive" emails ? When I write to myself from another mail provider, it works, but this is not enough to make me relieve :)

I came up to this : [tools.dnsstuff.com...]

Everything is green, does it mean my server / dns are configured correctly to receive all emails?

With the above tool, I get 3 RBL reports, from
EMAILBASURA
IIP BLACKLIST
SPAMCANNIBAL

However, when I check for more details, it looks like these services are no longer existing. So is it safe to ignore these "listing" ?

Thank you,

martinibuster

8:44 am on Jul 6, 2020 (gmt 0)

MXToolbox has a lot of tools for testing mail servers.

engine

9:08 am on Jul 6, 2020 (gmt 0)

I'll second mxtoolbox. I've used it for many years.

dstiles

9:43 am on Jul 6, 2020 (gmt 0)

Make sure dmarc/dkim/spf are all valid. There are several tools online for this, such as dmarcian and opendkim.

JorgeV

4:50 pm on Jul 6, 2020 (gmt 0)

Hello,

Thank you for your answers.

So far, I avoided going through the DKIM, because it looked complex (to me). My SPF lists an exact IP address as the unique origin of the mails, isn't it enough to have a strong authentication?

Also, in the firewall of my mail server, I opened ports 25 and 587. I was wondering if it's safe to only open the port 25? I use the port 587 to send mail from my computer, through my remote mail server, and my IP is whitelisted in the firewall (all ports opened). So, is there a point to leave the 587 port opened to everybody? Does the port 587 is also involved when receiving mails?

Thank you.

dstiles

9:23 am on Jul 7, 2020 (gmt 0)

The reason to use DMARC is to protect others from forged From addresses. If set up correctly, services that receive forged emails will reject them rather than pass them on to someone who may not have the knowledge to avoid acting on the contents. Or in some cases have the email automatically perform some unwanted and probably virus-type action (most people, unfortunately, read their mail in html format instead of Plain Text, which is far safer. DKIM and SPF are part of this safety.

You should not open ALL ports in the firewall. The smtp TCP ports 25 (public), 587 (secure from you/your clients) and possibly 465 (there are debates about the use of this port). If you have people connecting to their mailboxes you also need either or both of TCP 993 (imap secure) and 995 (pop3 secure). Presumably you also want the DNS port (53 TPC and UDP).

On my public mail server I also have 443 (https) as I have webmail access to the mail boxes. That also simplifies using LetsEncrypt as a certificate provider, although it's possible to do that without https.

Lastly, perhaps a vnc port if you run the server remotely.

JorgeV

11:25 am on Jul 9, 2020 (gmt 0)

Hello,

Just to say, that finally, I set up DKIM, this was not as complex as I thought :)

In case it can help others, I started by reading this tutorial : [digitalocean.com...]

After figuring things out, I adapted it to my own use.