Beware how you call your box

pm74 · January 25, 2025, 9:50pm

I received this from Proofpoint.com

Hello,

Thank you for contacting Proofpoint.

For security, tracking, and audit purposes, Proofpoint support cannot work with an outside contact directly.

You can check to the status of an IP at any time by using the IP lookup page located at:

https://ipcheck.proofpoint.com/

The IP you provided is currently listed however we cannot submit it to be delisted since it has a generic PTR (reverse DNS) record.

To be considered for delisting, we require that the PTR for an IP needs to be given a fully qualified domain name which resolves back to it. In other words, the domain listed in the A record and its PTR record must match and have the same hostname. For example, if the domain in the A record is set as xx.com, the PTR should be set to something which denotes it is only used for mail (e.g., email.xx.com, mail.xx.com, smtp.xx.com, etc.) otherwise it will not be considered for delisting.

Regards,

Proofpoint Support

alento · January 26, 2025, 12:19am

This is an easy fix.

Set your reverse DNS with your VPS provider.

So box.domain.top will be fine once rDNS is set.

But still a lot of providers automatically score heavily against the top TLD, so the email domain won’t necessarily be a bad investment.

pm74 · January 26, 2025, 3:38am

I had the reverse DNS setup correctly and it resolved to the box.xxx.com

Their comment says " the PTR should be set to something which denotes it is only used for mail "

I was using box.xxxxx.top the reverse DNS was setup and they still would not un block.
I have swtiched it to mail.xxxx.email
Will see how that goes.

alento · January 26, 2025, 4:23pm

This is not a required standard, it is their own requirement or suggestion. As I mentioned elsewhere, the subdomain box is used for 1000’s of MiaB installations without issue.

pm74 · January 26, 2025, 9:54pm

I agree with you, so far there is 1000’s of MIAB. But doesn’t mean the industry doesn’t change.

I have been using box.xxxxx.top for close to 5 years. But I recently changed the IP and then I got caught up in this situation with ProofPoint. This is their requirement and they manage Iclould.com, att.net, to name a few.

I think the documentation should be updated to mention using “mail.domain.TDL”.

They are getting really picky on these things and then your emails are out of service because you are not compliant.
If my email cannot reach my customers, I’m in trouble.

I will report back I have upgraded the domain to be compliant with proofpoint, will see if it was that.

The IP was 100% clean, the domain was 100 clean I got good scoring history. But after 3 weeks of asking them, I gave up and switch the domain name.

vele · January 26, 2025, 10:57pm

Proofpoint seems to impose nonstandard rules. This is yet another monopoly.
You have had the misfortune of being listed by them and they will never explain the real problem as it is their internal list. Thus, move away from the vultr IPs. They may seem clean on public lists but they have their own stupid logic if any of the your neighbors in the range is spoofing. Can you identify what triggered your listing. Many of us do send to Proofpoint clients, without issues. Are you triggering any of the Spamhaus internal lists? Try changing a region in vultr. Canada or something.

pm74 · January 26, 2025, 11:33pm

I was with BuyVM it was not good, then digital ocean lots of blacklisted IP on the network.
The IP I got with VULTR was very cleaned I searched it a lot. Yes I can be in trouble later, but which ISP is big enough to support enterprise server and allow smtp?

I didn’t have good experience with BuyVM lots of issues over time and now it was time to move to a better platform.

I’m thinking that having multiple server on one MIAB is not great.

miabuser · January 27, 2025, 7:38am

Well, there are many non-standard or unspoken rules that aren’t part of any RFC, that certain email providers may check, like that you should have an A record for the main domain name (second level domain) that at least points to something, usually a website, which I guess is one of the reasons why MaiB provides a simple HTTP server for static websites.

Or for example, Deutsche Telekom, a large German ISP, will block your emails if you don’t publish at least a minimal contact note with your last name and a mailto link to the postmaster mailbox, for which the HTTP server can come in handy.

And of course there’s your case, where Proofpoint apparently wants you to use a descriptive subdomain that clearly states your server’s role as an email server, although I’m still not a 100% convinced that this is the actual problem that led to your IP being blocked. Either way, it certainly doesn’t mean you can’t run other services or host multiple domains on the same server.

Also, such additional and non-standard “rules”, whether they seem reasonable or not, are of course a consequence of the fact that the email system still cannot effectively prevent spam, even though a whole bunch of RFCs have been added to it over the years, making what was originally a very simple, decentralised messaging system very complicated.

This is all very unfortunate, of course, and makes it difficult for individuals or small businesses hosting their own email server to send email reliably, but I don’t see any way for a project like Mail-in-a-Box to track and account for all these non-standard things that email providers or security companies like Proofpoint may implement, which also can vary from provider to provider and change at any time.

However, Mail-in-a-Box does a very good job of implementing all the actual standards relevant to email deliverability that are defined in the various RFCs around the email system

pm74 · January 27, 2025, 2:16pm

Yes MIAB did a really good job.

The reason I don’t like having all on one MIAB (Multiple Domain) is that when you have to do something you could potentially bring down all the domains on your MIAB.

I do use multiple Slave DNS, but still you can have mistake made and then you have an issue with X domains. If you have one domain per MIAB then you can only break one of them.

Specially with such a tedious task as renaming your MIAB domain. Now I ran in all sort of issue relaying on my slave to perform the DNS resolutions, but then I ran into serial mismatch issue because the slave for some reason didn’t like to have the IP changed for their master…

For that reason I think the MIAB doc should recommend using mail.domain.tld
instead of box.domain.tld, it make sense anyway…

alento · January 28, 2025, 5:05am

Here is the thing, no low cost VPS provider can truly be good. They are in business to sell their VPS, not worry about IP reputation.

What you can do is to use a SMTP relay. Then all of the headache of rDNS, IP blacklist , etc. go away assuming that you have the right SMTP relay.

To solve this problem, several years ago I, in conjunction with a smaller email service provider who is absolutely militant about protecting his company’s IP reputation, started a service to address this very problem.

pm74 · January 29, 2025, 10:14pm

Proofpoint has now whitelisted my server.
It’s been a few weeks trying to get them to white list me, and now they did.

I had to have an domain that started with mail.xxxxxx.tld

If you want to avoid any issue with any spam blockers, you better start your server right, because renaming it is a lot of trouble. All the Slave DNS are connected with the hold domain on the same IP and it creates problems…

seindal · January 30, 2025, 11:07am

How did you get hold of them?

I’ve been trying for ages, they never answer. The place has been a black hole for me.

Do you have an email to share?

pm74 · January 30, 2025, 1:24pm

delist-request@proofpoint.com

DominicCronin · February 17, 2025, 9:33am

Yes - their business is in selling “email security” to large corporations for a lot of money. They don’t care about false positives.