Kerio Connect forum: Huge Flaws
  •  
angrykeriouser

Quite frankly I am a bit shocked at Kerio.

Great user interface, relatively easy to use, install, upgrade, back up, migrate and all that, BUT there are some features that really are needed.

DKIM/DomainKeys. Someone mentioned here that there is 3rd party software available for it to sign outgoing mail. Signing mail is the mail server's job. Kerio can't do it, which leads me to mark it down.

It doesn't let you bind outgoing mail to an IP address. So for example, if you have 3 domains on your server in a virtual host environment and 3 domains on Kerio, you will most probably get blocked from Yahoo. Kerio will not work natively for multiple domains and get mail to Yahoo (please someone prove me wrong because we are going mad). We have been told this by Yahoo and if they detect multiple domains from the same IP address they will block the IP.

127.0.0.1 > hostname.host.co.uk
127.0.0.2 > server.domain1.co.uk
127.0.0.3 > server.domain2.co.uk

All 3 domains will send from the first IP (main server IP). So your reverse DNS won't match, your HELO won't match the domain. I spoke with a Kerio technician and there are no plans to change this. They don't seem to think it's needed, but then why do they allow multiple domains per install? It's useless if you want to deliver to Yahoo!

We will probably migrate to a server that handles core issues better. Yahoo carries a lot of Internet mail and a lot of companies use their mail servers for corporate mail, not just the web interface. We are being blocked by many mail servers.

Massive let down.



  •  
nhoague

So you have 3 Kerio servers all behind one public IP? We are a hosting provider with hundreds of users, however our servers all have a unique IP, this is the only way to get reverse DNS to match a unique FQDN. Why would you need 3 servers behind one IP anyway? It would be hard to reliably get email?
  •  
TorW

angrykeriouser wrote on Thu, 30 September 2010 00:23
We have been told this by Yahoo and if they detect multiple domains from the same IP address they will block the IP.


This is patently false. We have an outgoing mail gateway (not Kerio) at a customer site which handles mail for about 15 domains, and while we often must wait for hours before Yahoo decides to accept the mails, we've never been outright blocked with a 5xx error.

angrykeriouser wrote on Thu, 30 September 2010 00:23
All 3 domains will send from the first IP (main server IP). So your reverse DNS won't match, your HELO won't match the domain.


If you have a million mail domains on a single IP address, reverse DNS will still check out fine if you set it up correctly. Yes, HELO should match the DNS hostname A-record for the connecting IP, but the rest of your problems probably stem from a lack of DKIM and/or SPF. This is the only way you can tell Yahoo if a mail is legitimate or not.

Too bad Yahoo haven't published anything which tells exactly what they expect from connecting mail servers. It's a guessing game which none of us really should have to be involved in. Yahoo mail handling (or rather their "spam filtering") is becoming a joke.

Have you filled out this form by the way?
http://help.yahoo.com/l/us/yahoo/mail/postmaster/defer.html
  •  
angrykeriouser

nicholashoague wrote on Thu, 30 September 2010 01:28
So you have 3 Kerio servers all behind one public IP? We are a hosting provider with hundreds of users, however our servers all have a unique IP, this is the only way to get reverse DNS to match a unique FQDN. Why would you need 3 servers behind one IP anyway? It would be hard to reliably get email?



No, we have one Kerio server. You can host multiple domains on Kerio. Problem is with Kerio all mail is routed through the main server IP.

With Exim you can bind outgoing mail to an IP that you have a virtual host on. Then you can have reverse DNS records that will translate back to your domain. Kerio doesn't work like that, and sends mail through the main IP.



  •  
nhoague

Right. We have about 35 domains hosted on one Kerio server. All the domains have their MX pointed to our servers, and our server outbound FQDN and IP all resolve and match reverse DNS. This works fine. The reverse DNS doesn't need to match the originating domain, just the domain of the server itself, since that is where the email is being sent from.
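
The checks nhoague and TorW describe, as an added example that is not part of the original thread: one sending IP passes forward-confirmed reverse DNS and the HELO check against the server's own hostname, while each hosted domain separately authorises that IP in SPF. The DNS data, host names and addresses are constructed, and the SPF evaluation is deliberately limited to `ip4` mechanisms.

```python
import ipaddress

# Constructed DNS data: documentation addresses, hypothetical host names.
PTR = {"192.0.2.10": ["mail.host.example"],
       "192.0.2.20": ["static-20.isp.example"]}
A = {"mail.host.example": ["192.0.2.10"],
     "server.domain1.example": ["192.0.2.11"]}
SPF = {"domain1.example": "v=spf1 ip4:192.0.2.10 -all",
       "domain2.example": "v=spf1 ip4:192.0.2.0/28 -all",
       "domain3.example": "v=spf1 ip4:198.51.100.5 -all"}


def fcrdns(ip):
    """Return the PTR names for ip whose A records point back at ip."""
    return [name for name in PTR.get(ip, []) if ip in A.get(name, [])]


def helo_matches(ip, helo):
    """True when the HELO name has an A record equal to the connecting IP."""
    return ip in A.get(helo.lower().rstrip("."), [])


def spf_ip4_pass(domain, ip):
    """Minimal SPF check: only unqualified ip4 mechanisms are evaluated."""
    record = SPF.get(domain, "")
    if not record.startswith("v=spf1"):
        return False
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return True
    return False


def audit(ip, helo, sender_domains):
    """Summarise what a receiving server can verify about one sending IP."""
    return {"fcrdns": bool(fcrdns(ip)),
            "helo": helo_matches(ip, helo),
            "spf": {d: spf_ip4_pass(d, ip) for d in sender_domains}}


if __name__ == "__main__":
    domains = ["domain1.example", "domain2.example", "domain3.example"]
    print(audit("192.0.2.10", "mail.host.example", domains))
```
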
  •  
angrykeriouser

I would probably say that your IP has a good built up reputation, but I don't think that your response to that is that it's definitive and applicable to all.

I use two hosting companies and both have given me the same message: that Yahoo is becoming increasingly hard to deliver to and that a dedicated IP is one step in the right direction.

Everyone has different views on this. Yes, you are right, if Yahoo and mail provider just came out and said instead of just releasing crappy pieces of info.

This came back from Yahoo:

--------------------------------------------------------
"SMTP error from remote mail server after initial connection: host in32.mxauth.yahoo.com [202.86.5.24]: 421 4.7.1 [TS03] All messages from xxx.xxx.xxx.xxx will be permanently deferred; Retrying will NOT succeed."
--------------------------------------------------------
Response from Yahoo!:
--------------------------------------------------------
"Thank you for contacting Yahoo! Mail.

We cannot systematically exempt your mailings from our SpamGuard technology since the IP address of the server appears to be a shared domain mail host and have multiple clients sending email. We will maintain the current information in our database as it is configured."
--------------------------------------------------------

Telling us that we have a shared IP issue. I'm not saying everyone is having this issue as you obviously aren't (maybe that will change), but it seems that the goal posts are shifting, and maybe those with lower IP reputations by default will be penalized even further due to multiple sending domains on one IP.

This is why it's great that Exim allows you to bind outgoing mail of your domains to a dedicated IP and then you can rDNS that IP and mail domain so it all matches. It would appear that this carries more weight.

I have no doubt that a properly configured rDNS on the main hostname is fine, and it has been on another server we have with 25 domains on with only 5 dedicated IPs. But Kerio doesn't even have a solution for this if it actually does matter and the mail provider wants to see the sending domain in the HELO and rDNS; Exim does. We had to make sure that the sending domain was in the rDNS just to get on AOL's FBL. We had to make sure that the reverse DNS matched the sending domain and IP address.

I was told that not having DKIM would at worst put the mail in spam, not outright block the mail. Again, so many people with something to add, but no hard fact. Is this true, do you think?


  •  
angrykeriouser

nicholashoague wrote on Thu, 30 September 2010 02:02
Right. We have about 35 domains hosted on one Kerio server. All the domains have their MX pointed to our servers, and our server outbound FQDN and IP all resolve and match reverse DNS. This works fine. The reverse DNS doesn't need to match the originating domain, just the domain of the server itself, since that is where the email is being sent from.


This is exactly how one of our other servers with 25 or so domains on is set up. It's Exim MTA and it hasn't had any issues apart from some mail being junked by Yahoo, and we put that down to DomainKeys. Never had issues delivering and blocked mail.

The Kerio box just won't have it.
  •  
nhoague

Hmm, I kinda understand what your problem is as I had problems sending to Comcast when we turned up a new circuit. It was a new IP and therefore didn't have a good enough reputation. After about 48 hours of traffic it was trusted.

I am really not sure what to say about your issue, as I haven't experienced it myself. Our IPs have been in use now for over 2 years, so it may be that I just have that reputation.

I think with our setup the sending domain is always our own FQDN since it's hosted.

Obviously a dumb question, but you're not using a residential circuit? I know a lot of residential Qwest and Comcast IPs are automatically blacklisted and blocked.
  •  
angrykeriouser

nicholashoague wrote on Thu, 30 September 2010 02:35
Hmm, I kinda understand what your problem is as I had problems sending to Comcast when we turned up a new circuit. It was a new IP and therefore didn't have a good enough reputation. After about 48 hours of traffic it was trusted.

I am really not sure what to say about your issue, as I haven't experienced it myself. Our IPs have been in use now for over 2 years, so it may be that I just have that reputation.

I think with our setup the sending domain is always our own FQDN since it's hosted.

Obviously a dumb question, but you're not using a residential circuit? I know a lot of residential Qwest and Comcast IPs are automatically blacklisted and blocked.


No, we are in a datacenter. Not blacklisted, but a newly set up server. I have pressured Yahoo to look into this.

Maybe the IP was previously used in multiple sending domain scenarios and it has just a neutral rating/reputation.

  •  
nhoague

That just may be. I wish I could offer a better response, but as far as I am concerned Kerio is pretty much bullet proof. Good luck to you!
  •  
angrykeriouser

Well, as much pressure as possible. I have filled the form in twice now!
  •  
angrykeriouser

nicholashoague wrote on Thu, 30 September 2010 02:40
That just may be. I wish I could offer a better response, but as far as I am concerned Kerio is pretty much bullet proof. Good luck to you!


I agree it's good, stable, easy to install, set up etc., but it made me think when speaking with tech support today when the guy said "there is no way at the moment to bind outgoing mails to an IP/Sending domain and that they are aware it MAY BE an issue with some mail delivery".

  •  
angrykeriouser

TorW wrote on Thu, 30 September 2010 01:29
angrykeriouser wrote on Thu, 30 September 2010 00:23
We have been told this by Yahoo and if they detect multiple domains from the same IP address they will block the IP.


This is patently false. We have an outgoing mail gateway (not Kerio) at a customer site which handles mail for about 15 domains, and while we often must wait for hours before Yahoo decides to accept the mails, we've never been outright blocked with a 5xx error.

angrykeriouser wrote on Thu, 30 September 2010 00:23
All 3 domains will send from the first IP (main server IP). So your reverse DNS won't match, your HELO won't match the domain.


If you have a million mail domains on a single IP address, reverse DNS will still check out fine if you set it up correctly. Yes, HELO should match the DNS hostname A-record for the connecting IP, but the rest of your problems probably stem from a lack of DKIM and/or SPF. This is the only way you can tell Yahoo if a mail is legitimate or not.

Too bad Yahoo haven't published anything which tells exactly what they expect from connecting mail servers. It's a guessing game which none of us really should have to be involved in. Yahoo mail handling (or rather their "spam filtering") is becoming a joke.

Have you filled out this form by the way?
http://help.yahoo.com/l/us/yahoo/mail/postmaster/defer.html



Hi, sorry, yes, filled this bad boy out twice now! :)
  •  
PC

As has been mentioned many times when Kerio's intractability on IP binding comes up, it becomes a deal breaker on purchasing Kerio for anyone who needs it and not simply a "nice to have" so it is not going to score high on any existing user wish list. In our case we purchased Kerio a year before we scaled back our operations and, after endless trouble with rejected mail, had to go out and buy a new firewall appliance just to keep Kerio working.
  •  
angrykeriouser

PC wrote on Thu, 30 September 2010 03:16
As has been mentioned many times when Kerio's intractability on IP binding comes up, it becomes a deal breaker on purchasing Kerio for anyone who needs it and not simply a "nice to have" so it is not going to score high on any existing user wish list. In our case we purchased Kerio a year before we scaled back our operations and, after endless trouble with rejected mail, had to go out and buy a new firewall appliance just to keep Kerio working.


Well, we are using it on a VPS, so don't have the luxury of being able to install our own firewall just to get the damn thing to work properly.

Most annoying thing is that it's for a client and not our company. They insist on using it and want multiple domains on it. I fear that we are never going to be able to send to Yahoo at this rate!

I am glad that someone else has had the dreaded IP issue. Seems like some people aren't affected by it yet, maybe never will be because of their trust reputation. It's unfortunate that Yahoo don't seem to care too much. But saying that, now British Telecom (BT) has members on the board there is no way they give a crap, because they are one of the worst companies in the world to deal with. No wonder Google soared past Yahoo, they just don't seem to get it!