After migration from Contabo to OVHCloud VPS receiving email fails

My YunoHost server

Hardware: VPS bought online - OVHCloud Baremetal
YunoHost version: 11.2.9.1
I have access to my server : Through SSH & through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : yes
If yes, please explain:
I used the instructions communicated by the OVH support team; however, they did not resolve the issue. I also reverted back to the default settings using yunohost tools regen-conf -n and then -f

Description of my issue

We used a YunoHost setup on a Contabo VPS server with Gandi DNS for >1 year without any issues. We needed to migrate to OVH due to some business requirements, and we followed the full backup and restore process from Contabo to OVHCloud.
We restored all the settings, apps and subdomains, and everything works fine except that receiving email fails.

Some technical hiccups were the reverse DNS and MX records, and moving from Gandi Live to the OVH registrar.

We have been troubleshooting this issue together with OVH support, but there is no resolution yet. As a short-term solution to be able to receive emails, we enabled the OVH MX redirect to our private email accounts so that communication can continue.

$ yunohost diagnosis show
reports:
  0:
    description: Base system
    id: basesystem
    items:
      0:
        details: Server model is To Be Filled By O.E.M. E3C246D4U2-2T
        status: INFO
        summary: Server hardware architecture is bare-metal amd64
      1:
        status: INFO
        summary: Server is running Linux kernel 5.10.0-26-amd64
      2:
        status: INFO
        summary: Server is running Debian 11.8
      3:
        details:
          - yunohost version: 11.2.9.1 (stable)
          - yunohost-admin version: 11.2.4 (stable)
          - moulinette version: 11.2 (stable)
          - ssowat version: 11.2 (stable)
        status: INFO
        summary: Server is running YunoHost 11.2.9.1 (stable)
  1:
    description: Internet connectivity
    id: ip
    items:
      0:
        details: The file /etc/resolv.conf should be a symlink to /etc/resolvconf/run/resolv.conf itself pointing to 127.0.0.1 (dnsmasq). If you want to manually configure DNS resolvers, please edit /etc/resolv.dnsmasq.conf.
        status: WARNING
        summary: DNS resolution seems to be working, but it looks like you're using a custom /etc/resolv.conf.
      1:
        details:
          - Global IP: 51.195.x.x
          - Local IP: 51.195.x.x
        status: SUCCESS
        summary: The server is connected to the Internet through IPv4!
      2:
        details:
          - Global IP: 2001:41d0:x:x::
          - Local IP: 2001:41d0:x:x::
        status: SUCCESS
        summary: The server is connected to the Internet through IPv6!
  2:
    description: DNS records
    id: dnsrecords
    items:
      0:
        status: SUCCESS
        summary: DNS records are correctly configured for domain domain.tlb (category basic)
      1:
        details:
          - Please check the documentation at https://yunohost.org/dns_config if you need help configuring DNS records.
          - The following DNS record does not seem to follow the recommended configuration:
Type: MX
Name: @
Current value: ['1 mx0.mail.ovh.net.', '5 mx1.mail.ovh.net.', '10 domain.tlb.', '50 mx2.mail.ovh.net.']
Expected value: 10 domain.tlb.
        status: ERROR
        summary: Some DNS records are missing or incorrect for domain domain.tlb (category mail)
      2:
        status: SUCCESS
        summary: DNS records are correctly configured for domain domain.tlb (category extra)
      3:
        details: unicis.tech expires in 58 days.
        status: SUCCESS
        summary: Your domains are registered and not going to expire anytime soon.
  3:
    description: Ports exposure
    id: ports
    items:
      0:
        details: Exposing this port is needed for admin features (service ssh)
        status: SUCCESS
        summary: Port 22 is reachable from the outside.
      1:
        details: Exposing this port is needed for email features (service postfix)
        status: SUCCESS
        summary: Port 25 is reachable from the outside.
      2:
        details: Exposing this port is needed for web features (service nginx)
        status: SUCCESS
        summary: Port 80 is reachable from the outside.
      3:
        details: Exposing this port is needed for web features (service nginx)
        status: SUCCESS
        summary: Port 443 is reachable from the outside.
      4:
        details: Exposing this port is needed for email features (service postfix)
        status: SUCCESS
        summary: Port 587 is reachable from the outside.
      5:
        details: Exposing this port is needed for email features (service dovecot)
        status: SUCCESS
        summary: Port 993 is reachable from the outside.
      6:
        details: Exposing this port is needed for [?] features (service jitsi-videobridge)
        status: SUCCESS
        summary: Port 4443 is reachable from the outside.
  4:
    description: Web
    id: web
    items:
      0:
        status: SUCCESS
        summary: Domain unicis.tech is reachable through HTTP from outside the local network.
      1:
        status: SUCCESS
        summary: Domain chat.unicis.tech is reachable through HTTP from outside the local network.
      2:
        status: SUCCESS
        summary: Domain code.unicis.tech is reachable through HTTP from outside the local network.
      3:
        status: SUCCESS
        summary: Domain dashboard.unicis.tech is reachable through HTTP from outside the local network.
      4:
        status: SUCCESS
        summary: Domain db.unicis.tech is reachable through HTTP from outside the local network.
      5:
        status: SUCCESS
        summary: Domain docs.unicis.tech is reachable through HTTP from outside the local network.
      6:
        status: SUCCESS
        summary: Domain feedback.unicis.tech is reachable through HTTP from outside the local network.
      7:
        status: SUCCESS
        summary: Domain jitsi.unicis.tech is reachable through HTTP from outside the local network.
      8:
        status: SUCCESS
        summary: Domain link.unicis.tech is reachable through HTTP from outside the local network.
      9:
        status: SUCCESS
        summary: Domain list.unicis.tech is reachable through HTTP from outside the local network.
      10:
        status: SUCCESS
        summary: Domain meet.unicis.tech is reachable through HTTP from outside the local network.
      11:
        status: SUCCESS
        summary: Domain office.unicis.tech is reachable through HTTP from outside the local network.
      12:
        status: SUCCESS
        summary: Domain onlyoffice.unicis.tech is reachable through HTTP from outside the local network.
      13:
        status: SUCCESS
        summary: Domain sign.unicis.tech is reachable through HTTP from outside the local network.
      14:
        status: SUCCESS
        summary: Domain sso.unicis.tech is reachable through HTTP from outside the local network.
      15:
        status: SUCCESS
        summary: Domain stats.unicis.tech is reachable through HTTP from outside the local network.
      16:
        status: SUCCESS
        summary: Domain status.unicis.tech is reachable through HTTP from outside the local network.
      17:
        status: SUCCESS
        summary: Domain support.unicis.tech is reachable through HTTP from outside the local network.
      18:
        status: SUCCESS
        summary: Domain vault.unicis.tech is reachable through HTTP from outside the local network.
  5:
    description: Email
    id: mail
    items:
      0:
        status: SUCCESS
        summary: The SMTP mail server is able to send emails (outgoing port 25 is not blocked).
      1:
        status: SUCCESS
        summary: The SMTP mail server is reachable from the outside and therefore is able to receive emails!
      2:
        status: SUCCESS
        summary: The IPs and domains used by this server do not appear to be blacklisted
      3:
        status: SUCCESS
        summary: 0 pending emails in the mail queues
  6:
    description: Services status check
    id: services
    items:
      0:
        status: SUCCESS
        summary: Service code-server is running!
      1:
        status: SUCCESS
        summary: Service coolwsd is running!
      2:
        status: SUCCESS
        summary: Service dnsmasq is running!
      3:
        status: SUCCESS
        summary: Service dovecot is running!
      4:
        status: SUCCESS
        summary: Service fail2ban is running!
      5:
        status: SUCCESS
        summary: Service fider is running!
      6:
        status: SUCCESS
        summary: Service jitsi-jicofo is running!
      7:
        status: SUCCESS
        summary: Service jitsi-videobridge is running!
      8:
        status: SUCCESS
        summary: Service listmonk is running!
      9:
        status: SUCCESS
        summary: Service lstu is running!
      10:
        status: SUCCESS
        summary: Service mattermost is running!
      11:
        status: SUCCESS
        summary: Service metabase is running!
      12:
        status: SUCCESS
        summary: Service mysql is running!
      13:
        status: SUCCESS
        summary: Service nginx is running!
      14:
        status: SUCCESS
        summary: Service nocodb is running!
      15:
        status: SUCCESS
        summary: Service php7.4-fpm is running!
      16:
        status: SUCCESS
        summary: Service php8.2-fpm is running!
      17:
        status: SUCCESS
        summary: Service postfix is running!
      18:
        status: SUCCESS
        summary: Service postgresql is running!
      19:
        status: SUCCESS
        summary: Service prosody is running!
      20:
        status: SUCCESS
        summary: Service redis-server is running!
      21:
        status: SUCCESS
        summary: Service rspamd is running!
      22:
        status: SUCCESS
        summary: Service slapd is running!
      23:
        status: SUCCESS
        summary: Service ssh is running!
      24:
        status: SUCCESS
        summary: Service uptime-kuma is running!
      25:
        status: SUCCESS
        summary: Service vaultwarden is running!
      26:
        status: SUCCESS
        summary: Service yunohost-api is running!
      27:
        status: SUCCESS
        summary: Service yunohost-firewall is running!
      28:
        status: SUCCESS
        summary: Service yunomdns is running!
  7:
    description: System resources
    id: systemresources
    items:
      0:
        status: SUCCESS
        summary: The system still has 56 GiB (89%) RAM available out of 62 GiB.
      1:
        details: Please be careful and aware that if the server is hosting swap on an SD card or SSD storage, it may drastically reduce the life expectancy of the device.
        status: INFO
        summary: The system has no swap at all. You should consider adding at least 512 MiB of swap to avoid situations where the system runs out of memory.
      2:
        status: SUCCESS
        summary: Storage / (on device /dev/nvme0n1p1) still has 739 GiB (88%) space left (out of 844 GiB)!
      3:
        status: SUCCESS
        summary: Storage /boot/efi (on device /dev/nvme0n1p15) still has 113 MiB (91.4%) space left (out of 124 MiB)!
  8:
    description: System configurations
    id: regenconf
    items:
      status: SUCCESS
      summary: All configuration files are in line with the recommended configuration!
  9:
    description: Applications
    id: apps
    items:

Any help or suggestion will be highly appreciated. We really love yunohost and would love to continue using it as our internal resource driver.

Welcome!

I think we are missing the reason why OVH sent you in that direction, but I’m guessing it is due to the open resolver implemented by OVH?

cf. Trouble with spamhaus marking any mail as spam - #2 by Maniack_Crudelis

I do not like the solution of commenting out the lines in the postfix configuration. On my own server I made sure that the cloudconfig set by OVH to automatically set the network config and stuff does not alter the /etc/resolv.conf file.

This file should only refer to nameserver 127.0.0.1, pointing to your own local DNSmasq resolver.

Try that, and revert the MX list to the one suggested by YunoHost :wink:

  1. Check the contents of /etc/resolv.conf with cat /etc/resolv.conf
  2. If it does not start with or contain nameserver 127.0.0.1, but the open OVH resolver, ask OVH support how to prevent that.

If it does start with nameserver 127.0.0.1, let’s investigate further.

Hi,
Correct, there were different IP addresses in /etc/resolv.conf. I have removed them and left only nameserver 127.0.0.1. I also had an issue with the symbolic link and I created a new one to ls -l /etc/resolv.conf /etc/resolvconf/run/resolv.conf.
Now there are no issues in the diagnosis. The MX records are adjusted as recommended by YunoHost.
In the meantime, I asked OVH support to delete the redirect MX OVH plan for this domain.
For now we still have not received an email.
I will keep you posted with an update. I guess it will take time for the records to be live.


The redirect happens here, you may do it yourself. :wink:

Correct, the MX DNS record is fixed; it is only the one YunoHost recommends:

MX	10 unicis.tech.

However, when I do “Test by sending an email”, I get the following errors:

  • The HELO/EHLO string “domain.tlb” doesn’t match to one of the names in the rDNS from connecting IP
  • rDNS for IP 2001:41d0:x:x:: No record found! Failed

I pushed the rDNS only yesterday around 14.00; usually it takes 24 hours to take effect.

Ok, now that the rDNS has taken effect I have received a new error after I tried to send myself an email:

unicis.tech gave this error:
Remote server returned message detected as spam → 554 5.7.1 Service unavailable; > Client host [2a01:111:f400:fe0c::809] blocked using cbl.abuseat.org; Error: open resolver; https://check.spamhaus.org/returnc/pub/51.38.107.79/

When I try the Blocklist Tester, it fails with Rejected status:

C: <Establish TCP connection>
S: 220 domain.tlb Service ready
C: EHLO unlisted.blt.spamhaus.net
S: 250-domain.tlb
S: 250-PIPELINING
S: 250-SIZE 35914708
S: 250-ETRN
S: 250-STARTTLS
S: 250-ENHANCEDSTATUSCODES
S: 250-8BITMIME
S: 250-DSN
S: 250 CHUNKING
C: MAIL FROM:<auth@unlisted.blt.spamhaus.net>
S: 250 2.1.0 Ok
C: RCPT TO:<test@domain.tlb>
S: 554 5.7.1 Service unavailable; Client host [199.168.89.101] blocked using cbl.abuseat.org; Error: open resolver; https://check.spamhaus.org/returnc/pub/51.38.107.72/
C: QUIT
S: 221 2.0.0 Bye
C: <Close TCP connection>

I’m now waiting for the OVH support team to cancel my MX Plan, to verify that the problem does not come from this.
If this does not solve the problem, I will try the last solution: transferring the domain from Gandi to the OVH registrar. I read a Reddit post saying that this solved the problem.

Here is the outcome that someone claims worked for him - Reddit.
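The 554 replies quoted above end in "Error: open resolver", which reports a failed DNSBL lookup on the receiving server rather than a listing of the sending host. As an added example (not part of the thread), this shell sketch separates the two cases in Postfix reject lines; the log lines are constructed around the replies quoted above, and dnsbl.example.org and the 192.0.2.x addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: tell a DNSBL lookup error apart from a
# real listing in Postfix "blocked using" rejections.

# classify_reject LINE -> prints "<verdict> <zone> <client-ip>"
classify_reject() {
    line=$1
    case $line in
        *"blocked using "*) ;;
        *) echo "not-dnsbl - -"; return 0 ;;
    esac
    zone=${line#*"blocked using "}      # text after "blocked using "
    zone=${zone%%;*}                    # up to the first ';'
    client=${line#*"Client host ["}
    client=${client%%"]"*}
    case $line in
        # The blocklist answered with an error code: the receiver's resolver
        # is the problem, the sender is not listed.
        *"Error: open resolver"*) verdict=resolver-error ;;
        *) verdict=listed ;;
    esac
    echo "$verdict $zone $client"
}

# summarize_rejects: reads log lines on stdin, prints the two counters.
summarize_rejects() {
    n_err=0
    n_listed=0
    while IFS= read -r l || [ -n "$l" ]; do
        case $(classify_reject "$l") in
            "resolver-error "*) n_err=$((n_err + 1)) ;;
            "listed "*) n_listed=$((n_listed + 1)) ;;
        esac
    done
    echo "resolver-error=$n_err listed=$n_listed"
}

# Constructed sample log (syslog prefixes, timestamps and line 3 are made up).
SAMPLE_LOG='Jan 10 10:00:01 mail postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[199.168.89.101]: 554 5.7.1 Service unavailable; Client host [199.168.89.101] blocked using cbl.abuseat.org; Error: open resolver; https://check.spamhaus.org/returnc/pub/51.38.107.72/; from=<auth@unlisted.blt.spamhaus.net> to=<test@domain.tlb> proto=ESMTP
Jan 10 10:02:13 mail postfix/smtpd[1002]: NOQUEUE: reject: RCPT from unknown[2a01:111:f400:fe0c::809]: 554 5.7.1 Service unavailable; Client host [2a01:111:f400:fe0c::809] blocked using cbl.abuseat.org; Error: open resolver; https://check.spamhaus.org/returnc/pub/51.38.107.79/; to=<test@domain.tlb> proto=ESMTP
Jan 10 10:05:40 mail postfix/smtpd[1003]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using dnsbl.example.org; Listed (constructed); to=<test@domain.tlb> proto=ESMTP
Jan 10 10:06:02 mail postfix/smtpd[1004]: connect from mail.example.net[192.0.2.20]'

printf '%s\n' "$SAMPLE_LOG" | summarize_rejects
```

When every rejection in the log is a resolver-error, the fix belongs on the receiving server's DNS path, not in a delisting request for the sender.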

That error is due to the /etc/resolv.conf file. Are you sure it only contains nameserver 127.0.0.1? Oh, maybe we need to restart dnsmasq too, and let’s add postfix too: sudo systemctl restart dnsmasq postfix

:crossed_fingers:

I have noticed a few times that as soon as I restart postfix, it adds the rest of the IPs:

nameserver 213.186.33.99
nameserver 2001:41d0:3:163::1
nameserver 127.0.0.1

Here is an example:

$ cat /etc/resolv.conf
nameserver 127.0.0.1

root@x:/# systemctl restart dnsmasq postfix

root@unicis:/# cat /etc/resolv.conf
nameserver 213.186.33.99
nameserver 2001:41d0:3:163::1
nameserver 127.0.0.1

They turn out to be OVH IPs.

I have bought an OVH VPS with a domain name. I had disabled ip6. It gave me a headache because of blacklisting. I’ve checked the mail using mailtester and filled in a form at Spamhaus. I’ve also had to delete /etc/resolv.conf two or three times to make a link. Maybe OVH is forcing it. It was about 5 months ago, so I’m not really sure what I did, but now everything is good and I have disabled ip6 in YunoHost.

Yup, that’s the cloudinit package deployed by OVH that’s interfering. I had tested multiple ways to block it (maybe this works for you?), but I ended up completely disabling it. You have a dedicated server, so I am afraid you would lose your network connection.

Instead, can you revert the file back to only nameserver 127.0.0.1 and then directly after let’s make it read-only: sudo chattr +i /etc/resolv.conf

Then restart the services again.


Since you are in contact with OVH support, can you ask them how to keep cloudinit enabled but prevent it from altering /etc/resolv.conf?

I get the

sudo chattr -i /etc/resolv.conf
chattr: Operation not supported while reading flags on /etc/resolv.conf
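The thread keeps coming back to whether /etc/resolv.conf still lists only the local dnsmasq resolver after cloud-init or a service restart has touched it. As an added example (not from the posts), this shell function audits a resolv.conf and reports when the path is a symlink, since chattr acts on regular files (`+i` sets the immutable flag, `-i` clears it) and not on symlinks; the files it runs on are constructed in a temporary directory from the contents shown above.

```shell
#!/bin/sh
# Added example, not from the thread: check that a resolv.conf only points at
# the local dnsmasq resolver, as the YunoHost diagnosis expects.

# audit_resolv FILE: prints findings; returns 0 if every nameserver is a
# loopback address and at least one is present, 1 otherwise, 2 if unreadable.
audit_resolv() {
    file=$1
    rc=0
    seen_local=0
    # chattr works on regular files, not on symlinks, so show the real target.
    if [ -L "$file" ]; then
        echo "symlink: $file -> $(readlink -f "$file")"
    fi
    [ -r "$file" ] || { echo "unreadable: $file"; return 2; }
    while read -r key value rest || [ -n "$key" ]; do
        [ "$key" = "nameserver" ] || continue
        case $value in
            127.*|::1) seen_local=1; echo "ok: $value" ;;
            *) rc=1; echo "external: $value" ;;
        esac
    done < "$file"
    if [ "$seen_local" -eq 0 ]; then
        echo "missing: nameserver 127.0.0.1"
        rc=1
    fi
    return "$rc"
}

# Constructed test files mirroring the two states shown in the thread.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'nameserver 127.0.0.1\n' > "$demo_dir/good.conf"
printf 'nameserver 213.186.33.99\nnameserver 2001:41d0:3:163::1\nnameserver 127.0.0.1\n' \
    > "$demo_dir/rewritten.conf"
ln -s "$demo_dir/good.conf" "$demo_dir/link.conf"

for f in good rewritten link; do
    echo "== $f.conf"
    audit_resolv "$demo_dir/$f.conf" || echo "-> needs fixing"
done
```

On a real server the function would be pointed at /etc/resolv.conf, for instance from a cron job or after each service restart, to catch the file being rewritten.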

Hi community,

Somehow, really strange, but it started to work after I disabled IPv6 as @jarod5001 mentioned above.


Good for you. And I just remembered that I deleted the secondary dns in vps management.

And again, it is not working. I’m really going crazy with this saga.

It is not working again.
Looking into it, it was altered again by cloudinit. I’m now in talks with the OVH support team to disable the alteration.

Did you delete the secondary dns?

I don’t have the option for secondary DNS as it is a bare-metal solution. I just transferred the domain name registration to OVH and will wait to see if this helps.

See this article