Yandex “Mail for the domain” as a mail gateway for your servers

  • Tutorial

Each time you raise a new server in the clouds, you get a random IP address. Not everyone understands that the IP address may get to you with a "history". Often you have to spend time removing IP from public blacklists. In my case, the last time it was a very leisurely correspondence with, which did not lead to anything. After that, creating a new server, I thought: how can I do this so as not to rake up problems with such IP addresses?


Despite the fact that I can have servers both permanent and "play around", I don’t serve mail for all of them, but I really want to receive service letters from my scripts and system services.

The obvious solution is to make your own “decent” mail gateway and configure all other servers to forward mail through this gateway. The disadvantages of this solution are obvious:

  • A separate server costs money, even if it's a cheap VPS
  • IP address must be constantly monitored in blacklists
  • Setting up a mail gateway takes time, which depends on your skills.

Because of the above reasons, I went to look for another solution, and, which is characteristic, I found.


I discovered the possibility of freeing up using the "Mail for Domain" service from Yandex. At that time, I had 3 servers raised and in DNS there were the following A-records:

HostA typeValue

I registered a technical domain "mail for your domain" and create an account: I tried to send letters from one of my servers using this SMTP account and received the following error:

553 5.7.1 Sender address rejected: not owned by auth user.
envelope from address not accepted by the server

Yandex does not allow substituting any data in envelope-from. But what if you want to understand from which server this or that letter came, without additional tricks?

To comply with Yandex’s rules, you need to follow these steps on the side of their service:

  1. Register the main domain and its subdomains in The easiest way to go through domain verification is to add a CNAME record:

    HostA typeValue

  2. We also create an MX record for each domain:

    HostA typeA priorityValue

  3. In the settings of the main domain, specify subdomains as aliases of this domain.

  4. Create an email account root@example.comif it has not been created yet

  5. Be sure to log in to your account via the web interface and activate it, otherwise you will get an error:
    535 5.7.8 Error: authentication failed: Please accept EULA first.

Further work is required on our side - we configure the server:

  1. Install msmtp- a miniature SMTP client that provides its implementationsendmail
  2. We configure it:

    syslog LOG_MAIL
    tls_certcheck off
    tls on
    auto_from on
    # server hostname
    account default
    port 25
    auth on
    password 123qwe

  3. We send a test letter with debugging:
    echo -e "test message" | /usr/bin/msmtp --debug -t -i

    and see the result:

    loaded system configuration file /etc/msmtprc
    ignoring user configuration file /root/.msmtprc: No such file or directory
    falling back to default account
    using account default from /etc/msmtprc
    host =
    port = 25
    proxy host = (not set)
    proxy port = 0
    timeout = off
    protocol = smtp
    domain = localhost
    auth = choose
    user =
    password = *
    ntlmdomain = (not set)
    tls = on
    tls_starttls = on
    tls_trust_file = (not set)
    tls_crl_file = (not set)
    tls_fingerprint = (not set)
    tls_key_file = (not set)
    tls_cert_file = (not set)
    tls_certcheck = off
    tls_min_dh_prime_bits = (not set)
    tls_priorities = (not set)
    auto_from = on
    maildomain =
    from =
    add_missing_from_header = on
    add_missing_date_header = on
    remove_bcc_headers = on
    dsn_notify = (not set)
    dsn_return = (not set)
    logfile = (not set)
    syslog = LOG_MAIL
    aliases = (not set)
    reading recipients from the command line and the mail
    <-- 220 ESMTP (Want to use Yandex.Mail for your domain? Visit
    --> EHLO localhost
    <-- 250-8BITMIME
    <-- 250-PIPELINING
    <-- 250-SIZE 42991616
    <-- 250-STARTTLS
    <-- 250-DSN
    --> STARTTLS
    <-- 220 Go ahead
    TLS certificate information:
        Common Name:
        Organization: Yandex LLC
        Organizational unit: ITO
        Locality: Moscow
        State or Province: Russian Federation
        Country: RU
        Common Name: Yandex CA
        Organization: Yandex LLC
        Organizational unit: Yandex Certification Authority
        Country: RU
        Activation time: Mon 12 Oct 2015 03:41:24 PM MSK
        Expiration time: Wed 11 Oct 2017 03:41:24 PM MSK
        SHA1: B7:0E:62:55:E1:3A:C0:F3:08:12:35:B2:9D:4B:25:D0:B8:C1:C6:39
        MD5:  BC:15:CE:B6:D4:FF:0D:95:4F:E5:1A:A7:3A:DF:DA:65
    --> EHLO localhost
    <-- 250-8BITMIME
    <-- 250-PIPELINING
    <-- 250-SIZE 42991616
    <-- 250-DSN
    --> AUTH PLAIN AhJvb3ARY29uzMlntS5ydQBXYw5VcMMlazk=
    <-- 235 2.7.0 Authentication successful.
    --> MAIL FROM:
    --> RCPT TO:
    --> DATA
    <-- 250 2.1.0  ok
    <-- 250 2.1.5  recipient ok
    <-- 354 Enter mail, end with "." on a line by itself
    --> From:
    --> Date: Mon, 06 Jun 2016 16:17:00 +0300
    --> test message
    --> .
    <-- 250 2.0.0 Ok: queued on as 1465219021-86hlZkGCpZ-H0J8ORE2
    --> QUIT
    <-- 221 2.0.0 Closing connection.

    Great, success! The letter is gone, however, we will find it in spam, because for some reason it is empty. Let's check in a more familiar and "human" way:

    echo "test message" | mailx -s 'test subject'

    Here, now in a box a normal letter. Wow!

    DKIM & SPF

    And also it is possible to register DKIM and SPF records for each domain . If you, like me, use your DNS hosting, then just copy the corresponding values ​​from the “DNS editor” in the Yandex interface. Attention: for each domain and alias its own key!

    HostA typeValue
    mail._domainkey.example.comTxtv = DKIM1; k = rsa; t = s; p = MIGf ...
    mail._domainkey.server1.example.comTxtv = DKIM1; k = rsa; t = s; p = MIGf ...
    mail._domainkey.server2.example.comTxtv = DKIM1; k = rsa; t = s; p = MIGf ...
    mail._domainkey.server3.example.comTxtv = DKIM1; k = rsa; t = s; p = MIGf ...

    We send a letter from the server and look at the headers:

    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=mail; t=1467009762;
    Authentication-Results:; dkim=pass


    If sending mail for the domain will occur only through the Yandex server and from pre-known IP addresses, then you can safely register SPF records in accordance with the documentation step2

    HostA typeValue
    example.comTxtv = spf1 redirect =
    server1.example.comTxtv = spf1 redirect =
    server2.example.comTxtv = spf1 redirect =
    server3.example.comTxtv = spf1 redirect =


    Most likely, you are great, and your application does not work from root. Attempting to send an email from an ordinary user will again lead to a familiar error in the msmtp log:

    Jun  6 14:21:24 server1 msmtp: tls=on auth=on smtpstatus=553 smtpmsg='553 5.7.1 Sender address rejected: not owned by auth user.' errormsg='envelope from address not accepted by the server' exitcode=EX_DATAERR

    You can solve this problem in different ways. For example, you can explicitly specify the user by disabling the option auto_from offin msmtp. But I have already decided that this does not suit me.

    The correct solution is to add the user as an alias for our primary address:

    Local relay

    Если вам требуется локальный SMTP-релей, то данная конфигурация вам тоже подходит. Нужно просто заменить msmtp на postfix или exim, настроенные на использование серверов Яндекса в качестве smart host'a (гуглить можно, например, по ключевым словам exim smarthost).


    Теперь любой сервер, который я поднимаю для своих задачек, сразу же получает настроенный канал отправки почты. В DNS и я заранее прописал несколько поддоменов про запас. Так как сервера я разворачиваю через SaltStack, то конфигурацию msmtp мои сервера получают автоматически.

    Что я получил в итоге:

    1. Самое главное — нет заморочек с черными списками и IP-адресами серверов, так как письма уходят через сервера Яндекса
    2. DKIM/SPF "из коробки" — письма не попадают в спам
    3. msmtp is a simple SMTP client that doesn’t even need to be hung in the server’s memory - it starts as needed
    4. msmtp - the simplest configuration, unlike the "adult" postfix, exim
    5. You don’t have to worry about PTR records for your IP addresses from the point of view of the mail system.

    I hope this instruction is useful to someone. I will be glad to know from the comments who and how to solve this problem.

Also popular now: