ewasolions.org mail reception problem

Thu, 2009-12-31 10:16 by Hans-Georg

Introduction

This is a temporary web page outlining a particular email problem with the domain ewasolions.org.

I have set up this page to document the ongoing search for the cause and to allow helpful or interested parties to add comments (registration required).

The general situation is that we will get an entirely new server with a different mail server (postscript instead of qmail) around April, so we would now be content with stopgap measures.

Symptoms

  • Some emails from some other mail servers do not arrive, but are returned to the sender.
  • In recent cases the returned error mail indicated that our mail server could not be reached at all. There were no indications that emails have been rejected, except perhaps that the return mails were early, indicating that the sending server did not keep retrying for 1 to 4 days, as is customary.

Affected sender domains

  • hotmail.com
  • hotgecko.com
  • gamewatchers.com
  • africaonline.co.ke
  • (Possibly a few more)

I have checked their DNS setup, and it is mostly OK.

hotgecko.com has a more severe DNS error, see the DNS check report at http://www.intodns.com/hotgecko.com. The first error, missing name servers, indicates that somebody has made a mistake in setting up the domain. But that alone cannot explain all of our problems.

africaonline.co.ke is beyond hope. Check http://atrey.karlin.mff.cuni.cz/~mj/sleuth/?domain=africaonline.co.ke for a more thorough DNS report. Anything can go wrong with them, and I recommend not using them. I would also expect any decent server to reject their mails, so that can't be helped. But that still doesn't explain all problems, so we have to keep searching.

Measures taken

  1. Used http://www.traceroute.org/ to check accessibility from some places in Africa, India, Thailand, Australia. All checked out well, with response times around 200 to 400 ms.
  2. Reduced the number of DNS blacklists from 9 to 2 on the hunch that they might make the mail server respond too slowly for some impatient sending servers. No proof for that, though, but I will leave it for a week to check whether this improves the situation.
  3. Checked the server's response and found that its reply is not RFC-conformant when the calling station is blacklisted. This does not concern us much, but it could mean that blacklisted senders receive wrong error messages like timeout instead of a blacklisting warning. I have seen blacklisting responses though, so at least some servers can handle this.
  4. Changed secondary DNS servers once again from twisted4life.com (1 name server) and everydns.net (4 name servers) to rollernet.us (2 name servers). The new servers are faster and more flexible in that they support not only the simple UDP (User Datagram Protocol), but also TCP (Transmission Control Protocol). Note that we barely need them, as our own server also doubles as a DNS server.
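
Measure 3 above concerns a reply that does not conform to the SMTP RFC. The following is an added example, not part of the original page and not the check that was actually run on this server: it validates a raw SMTP reply against the reply-line rules of RFC 5321 section 4.2. The function name `check_smtp_reply` and all sample replies are constructed for illustration, and the page does not say which rule the real reply broke.

```python
import re

# RFC 5321 section 4.2 reply line: three-digit code (first digit 2-5, second 0-5),
# then "-" if more lines follow or SP on the last line, then printable ASCII text.
LINE_RE = re.compile(rb"([2-5][0-5][0-9])(?:([ -])[\t\x20-\x7e]*)?")
MAX_LINE = 512  # octets including CRLF, RFC 5321 section 4.5.3.1.5


def check_smtp_reply(raw: bytes) -> list[str]:
    """Return the conformance problems found in one complete SMTP reply."""
    problems = []
    if not raw.endswith(b"\r\n"):
        problems.append("reply is not terminated by CRLF")
    lines = raw.split(b"\r\n")
    if lines[-1] == b"":
        lines.pop()
    if not lines:
        return problems + ["empty reply"]
    first_code = None
    for i, line in enumerate(lines, start=1):
        last = i == len(lines)
        if len(line) + 2 > MAX_LINE:
            problems.append(f"line {i}: longer than {MAX_LINE} octets")
        m = LINE_RE.fullmatch(line)
        if m is None:  # also catches bare LF/CR and non-ASCII bytes in the line
            problems.append(f"line {i}: not '<code><SP or ->text'")
            continue
        code, sep = m.group(1), m.group(2)
        first_code = first_code or code
        if code != first_code:
            problems.append(f"line {i}: reply code differs from line 1")
        if sep == b"-" and last:
            problems.append(f"line {i}: '-' on the final line, client waits for more")
        elif sep != b"-" and not last:
            problems.append(f"line {i}: final-line form before the end of the reply")
    return problems


# Constructed sample replies, not captured from the server discussed on this page.
SAMPLES = {
    "greeting": b"220 mail.example.org ESMTP\r\n",
    "multiline": b"250-mail.example.org\r\n250-PIPELINING\r\n250 8BITMIME\r\n",
    "dangling hyphen": b"554-sender listed in DNS blacklist\r\n",
    "bare LF": b"554 sender listed in DNS blacklist\n",
    "no code": b"sender listed in DNS blacklist\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {check_smtp_reply(raw) or 'conformant'}")
```

A reply that ends on a continuation line or lacks CRLF leaves a strict client waiting for more data, which the sender then reports as a timeout rather than as the rejection the server intended.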

Technical information

Our mail server is qmail, running under Plesk, with a few add-on modules:

  • One module checks the sender's IP address against some DNS blacklists. Mails that are returned by this module usually carry a clear explanation, even containing the name of the blacklist in question. I have not seen any of these in the return mails that have been forwarded to me, so I surmise for now that this is not the cause.
  • The mail server also checks DomainKeys and rejects mails that are improperly signed. Again the return mail bears a clear indication of that, but I have not seen this either.
  • The mail server can do SPF checking as well, but this has been disabled for a while because of an unrelated technical problem.