[Solved] My VPS is high (on load) again


Amoss


You do have root access to your VPS so you have permission to do literally anything you want. All you have to do is log in as your regular user, and run the command sudo su then enter your password and your permissions will be escalated to root. The only thing you can't do is install a new OS. I don't mind doing things for you if you don't feel comfortable or can't figure out how though, but you do have access.

 

Sorry, I've been much more busy than I usually am this last week or so. I've been trying to keep up as well as I can. HelioHost is not my job. My real life and my real job take priority. HelioHost is a hobby that I have to use my free time for. Yesterday I spent an hour and twenty minutes on HelioHost, the day before I only had time for thirty minutes, but the day before I spent a whopping nine and a half hours on HelioHost. There were some pretty serious issues broken behind the scenes that only I could fix. I spent a couple hours at work doing HelioHost stuff, and then the rest after I got home. I don't think everyone realizes how much I do behind the scenes to keep everything running smoothly.

 

To update exim run the command "sudo apt update" and when that is done run "sudo apt upgrade". If ubuntu has pushed an update for exim this will install it for you. You can check the exim version by running "exim --version".


Thank you Krydos.

 

1. I understand correctly that "sudo apt update" and "sudo apt upgrade" WON'T update my OS as well? I really don't want to break things up.

 

2. I still can't email to Gmail. How can I do the following? Or maybe you already did it and I need to wait for 2-3 days?

 

Please read here: https://support.goog...d/8130059?hl=en about the mail tester. The guy that replied said it's important.

 

From mail-tester.com:

 

You do not have a DMARC record

A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and give instruction if neither of those authentication methods passes. Please be sure you have a DKIM and SPF set before using DMARC.

You do not have a DMARC record, please add a TXT record to your domain _dmarc.stockdiv.com with the following value:

v=DMARC1; p=none

Verification details:

  • mail-tester.com; dkim=pass (1024-bit key; unprotected) header.d=stockdiv.com header.i=@stockdiv.com header.b=XWeoplET; dkim-atps=neutral
  • mail-tester.com; dmarc=none header.from=stockdiv.com
  • mail-tester.com; dkim=pass (1024-bit key; unprotected) header.d=stockdiv.com header.i=@stockdiv.com header.b=XWeoplET; dkim-atps=neutral
  • From Domain: stockdiv.com
  • DKIM Domain: stockdiv.com
Edited by Amoss

1. I understand correctly that "sudo apt update" and "sudo apt upgrade" WON'T update my OS as well? I really don't want to break things up.

  • sudo apt-get update # Fetches the list of available updates
  • sudo apt-get upgrade # Strictly upgrades the current packages
  • sudo apt-get dist-upgrade # Installs updates (new ones)

     

https://askubuntu.com/questions/733434/one-single-command-to-update-everything-in-ubuntu/733439

 

 

2. I still can't email to Gmail. How can I do the following? Or maybe you already did it and I need to wait for 2-3 days?

 

You need to take a step back and figure out what you're doing. If you're going through the trouble of setting up DMARC I'd also set up DKIM.

All 3 (SPF, DKIM and DMARC) rely on DNS records, so if you don't have a local DNS then you aren't going to be able to do much.

You can set up a local NS through Vesta:

https://vestacp.com/docs/#how-to-setup-vanity-nameservers

You will then need to go to your domain registrar and point it at your domain name servers where you can then set all your own SPF, DKIM and DMARC records.

 

Or

You can use your registrar's name servers if they let you specify your own TXT entries and do it all there.

 

The entry would look something like this, I just generated it using a free DMARC generator:

 

Type: TXT
Host/Name: _DMARC.stockdiv.com
Value: v=DMARC1; p=quarantine; rua=mailto:postmaster@stockdiv.com; ruf=mailto:postmaster@stockdiv.com; sp=quarantine; fo=1; adkim=s; aspf=s

OR

Ask nicely for the required entries to be made on the Helio nameservers (SPF seems to already be done this way)

 

OR

Use cloudflare as a nameserver, if your registrar doesn't allow TXT entries.

Edited by pete20r2

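Added example, not part of the thread or of any poster's message: a small Python parser for the DMARC TXT values quoted above, showing how the strict alignment tags (adkim=s; aspf=s) in the generated record behave differently from the plain p=none value mail-tester suggested. The function names, the two-label organizational-domain shortcut and the mail.stockdiv.com signing case are assumptions made for illustration.

```python
# Added example: parse a DMARC TXT value and test identifier alignment (RFC 7489).
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict; raise ValueError if it is malformed."""
    tags = []
    for part in txt.split(";"):
        if not part.strip():
            continue                      # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags.append((name.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("v=DMARC1 must be the first tag")
    rec = dict(tags)
    if rec.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    rec.setdefault("sp", rec["p"])        # subdomain policy defaults to p
    rec.setdefault("adkim", "r")          # alignment defaults to relaxed
    rec.setdefault("aspf", "r")
    return rec

def org_domain(domain):
    # Simplification (assumption): last two labels. Real receivers use the
    # Public Suffix List, so this is wrong for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' needs an exact match, 'r' only the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_pass(rec, from_domain, dkim_d=None, spf_domain=None):
    """DMARC passes if an already-passing DKIM or SPF identifier is aligned."""
    dkim_ok = dkim_d is not None and aligned(from_domain, dkim_d, rec["adkim"])
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, rec["aspf"])
    return dkim_ok or spf_ok

MONITOR = "v=DMARC1; p=none"              # value suggested by mail-tester.com
STRICT = ("v=DMARC1; p=quarantine; rua=mailto:postmaster@stockdiv.com; "
          "ruf=mailto:postmaster@stockdiv.com; sp=quarantine; fo=1; adkim=s; aspf=s")

if __name__ == "__main__":
    for txt in (MONITOR, STRICT):
        rec = parse_dmarc(txt)
        # Constructed case: DKIM d=mail.stockdiv.com while From: is stockdiv.com
        sub = dmarc_pass(rec, "stockdiv.com", dkim_d="mail.stockdiv.com")
        exact = dmarc_pass(rec, "stockdiv.com", dkim_d="stockdiv.com")
        print(rec["p"], rec["adkim"], "subdomain-signed:", sub, "exact:", exact)
```

With the strict record, mail authenticated only under a subdomain fails DMARC and is quarantined, while under p=none the same mail is merely reported.
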
Thanks pete20r2 for your reply. I appreciate it very much.

 

Based on mail-tester.com, my DKIM and SPF are correct and the only problem is not having a DMARC record. I know Krydos defined both spf and dkim.

 

When I tried to activate the DNS in vestacp, I got a popup saying that DNS SYSTEM is not enabled. I have no idea if/how I can enable it and I don't know whether it was on purpose when the VPS was built. Because everything is working now (except email to Gmail), it looks like Krydos knew what he was doing and why. I of course accept his configuration, but probably there's just one last thing to do.

 

In my domain registrar (godaddy) I set the following name servers: ns1.heliohost.org ns2.heliohost.org. There is an option to add records but it is disabled because my nameservers are not pointing to godaddy. The site says so. I can't point them to my domain because my domain is dns-less.

 

Regarding your "Ask nicely for the required entries to be made on the Helio nameservers (SPF seems to already be done this way)" - I do so for over a week now :-)

 

I don't know what cloudflare is and whether it has any advantage in my current situation.

Edited by Amoss

"sudo apt update" basically just synchronizes everything up, and doesn't really do much of anything.

"sudo apt upgrade" installs the latest version of everything that has updates like exim, or your kernel, etc. It's safe to do on your VPS.

 

>>>DO NOT DO A DIST-UPGRADE<<< It will cause vesta to stop working because it doesn't support the latest version of ubuntu, and we'll have to start over from scratch by wiping everything and installing the OS again.

 

The dmarc record has been created for you.


Back to the drawing board, everything seems to be ok https://www.mail-tester.com/test-63ldd&reloaded=1 but emails to gmail are still not sent.

 

I read here: https://tehnoblog.org/how-to-fix-bounced-email-from-your-server-by-google-gmail/

Can you please have a look at the logs of the emails (exim?) and see if you find anything suspicious?

If someone knows how I can do it (using ssh?), please let me know. I didn't update exim or touch anything since our last interaction.

 

Also, the guy from the Gmail forum directed me here where there are some warnings with my domain/dns: https://mxtoolbox.com/domain/stockdiv.com/

 

Thanks

Edited by Amoss

I found the issue. If you check the smtp banner of your VPS it should show your domain name, but instead it says vps13:

# telnet 216.218.228.90 25
Trying 216.218.228.90...
Connected to 216.218.228.90.
Escape character is '^]'.
220 vps13 ESMTP Exim 4.91 Ubuntu Fri, 28 Jun 2019 19:28:20 +0000
I edited /etc/exim4/conf.d/main/02_exim4-config_options and uncommented the line

smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
Now when you check the smtp banner it shows your domain instead of vps13

# telnet 216.218.228.90 25
Trying 216.218.228.90...
Connected to 216.218.228.90.
Escape character is '^]'.
220 stockdiv.com ESMTP Exim 4.91 Ubuntu Fri, 28 Jun 2019 19:34:36 +0000

Thanks, it looks like the restart reset the VPS name along with other things. In vesta I was able to rename back the hostname but I understand that exim was also reset.

 

Still not working with Gmail. While mail-tester is ok https://www.mail-tester.com/test-af8vw&reloaded=4 , I checked again (3 times) mxtoolbox and saw this:

 

smtp: Reverse DNS is not a valid Hostname: Your Reverse DNS Record (PTR) is not a valid host name. According to email sending best practices, a PTR Record should be a valid host name. If the PTR Record is not a valid hostname, there is a likelihood that you will experience email delivery issues with anti-spam services.

 

smtp: 5.794 seconds - Warning on Connection time (3 tests show above 5)

 

smtp: 8.214 seconds - Not good! on Transaction Time (3 tests show above 8)

 

dns: Only on the second try, I got this about dns: At least one name server failed to respond in a timely manner. A 3rd check did not show this problem so maybe it was temporary.

 

-----

Another issue: I redeployed my war and it behaved weird. Only a tomcat restart made it work again, please let me know if you see an error around 6:15pm (gmt+3) in the tomcat/apache logs.

 

Thanks

Edited by Amoss

It looks like mxtoolbox wants your reverse dns to be a subdomain like mail.stockdiv.com or something. Check out https://serverfault.com/a/799810

 

The tomcat log is located at

/opt/tomcat/live/logs/catalina.out
and the apache log is located at

/var/log/apache2/error.log
You can view them with your favourite editor (I use vim) or with a simple command like

# cat /opt/tomcat/live/logs/catalina.out | less

Thank you for the link, it says "Most systems won't care that it is a domain" and since Gmail is still not working, I wonder if it is one of the systems that does not like it. Is it something you can change as the RFC guidelines suggest, or if you think otherwise, please share your thoughts.

 

Regarding the logs, thanks a lot! I saw some errors in the tomcat that I'm going to investigate.

Edited by Amoss

Mmmm... Let's try mail.stockdiv.com? Also read here, also the comments: https://serverfault.com/questions/713426/reverse-dns-is-not-a-valid-hostname
How were your other VPSs configured?

 

I read in other posts that Gmail can be picky about this reverse DNS thing... Do you see any errors in the exim logs when it tries to send an email to Gmail? I tried again this morning but failed.

 

I've also been asked this: do you have a valid rDNS entry for your mailserver/domain?

 

And another test I did: http://multirbl.valli.org/email-test/1aa7b6e88a261b5cdddaef889c941b60393d97ce.html there are some failures there

 

Thanks

Edited by Amoss

The only failures I'm seeing are DNS errors which probably just means our nameservers took a little too long to respond or something. You can try switching to cloudflare nameservers, or godaddy's nameservers since you registered your domain with them. They might have slightly better performance than ours, but you'll need to create DNS records yourself if you do switch because I won't be able to do things like that for you anymore.

 

Ok your reverse DNS says mail.stockdiv.com now

# dig +noall +answer -x 216.218.228.90
90.228.218.216.in-addr.arpa. 86400 IN   CNAME   90.subnet88.228.218.216.in-addr.arpa.
90.subnet88.228.218.216.in-addr.arpa. 14400 IN PTR mail.stockdiv.com.
And exim says helo with the same

# telnet 216.218.228.90 25
Trying 216.218.228.90...
Connected to 216.218.228.90.
Escape character is '^]'.
220 mail.stockdiv.com ESMTP Exim 4.91 Ubuntu Tue, 02 Jul 2019 22:34:20 +0000
I also tried upgrading you to Exim 4.92 but it still isn't available.

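Added example, not part of the thread or of any poster's message: a Python check that the SMTP greeting name and the reverse DNS name agree, run over the telnet and dig output quoted in the posts above (the smtp_banner fix and the later PTR change). The function names are hypothetical, and the script only parses captured text, so it makes no network connections.

```python
import re

# Output copied from the thread: greeting before the fix, greeting after, PTR lookup.
# Comparing the 28 Jun greeting with the 02 Jul PTR is a constructed pairing.
BEFORE = "220 vps13 ESMTP Exim 4.91 Ubuntu Fri, 28 Jun 2019 19:28:20 +0000"
AFTER = "220 mail.stockdiv.com ESMTP Exim 4.91 Ubuntu Tue, 02 Jul 2019 22:34:20 +0000"
DIG = """\
90.228.218.216.in-addr.arpa. 86400 IN   CNAME   90.subnet88.228.218.216.in-addr.arpa.
90.subnet88.228.218.216.in-addr.arpa. 14400 IN PTR mail.stockdiv.com.
"""

def banner_host(session):
    """Hostname announced on the 220 greeting line of an SMTP session, or None."""
    m = re.search(r"^220[ -](\S+)", session, re.MULTILINE)
    return m.group(1).lower().rstrip(".") if m else None

def ptr_name(dig_answer, ip):
    """Resolve ip to its PTR name from 'dig +noall +answer -x' text, following CNAMEs."""
    records = {}
    for line in dig_answer.splitlines():
        f = line.split()
        if len(f) == 5 and f[2] == "IN" and f[3] in ("CNAME", "PTR"):
            records[f[0].lower()] = (f[3], f[4].lower())
    name = ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
    for _ in range(8):                    # bound the chain so a CNAME loop cannot hang
        rtype, target = records.get(name, (None, None))
        if rtype == "PTR":
            return target.rstrip(".")
        if rtype != "CNAME":
            return None
        name = target
    return None

def check(session, dig_answer, ip):
    """Return a list of findings; an empty list means banner and PTR agree."""
    banner, ptr = banner_host(session), ptr_name(dig_answer, ip)
    if banner is None:
        return ["no 220 greeting found"]
    findings = []
    if "." not in banner:
        findings.append(f"banner name {banner!r} is not a fully qualified hostname")
    if ptr is None:
        findings.append(f"no PTR record for {ip}")
    elif ptr != banner:
        findings.append(f"banner {banner!r} does not match PTR {ptr!r}")
    return findings

if __name__ == "__main__":
    for label, session in (("before", BEFORE), ("after", AFTER)):
        print(label, check(session, DIG, "216.218.228.90") or "consistent")
```
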