Posted
Username: giuliodinatale, Server: Morty, Main domain: giuliodinatale.it

I've been trying to make it work for a whole day. Sometimes it works with morty.heliohost.org and other times not. I changed the DNS configuration by creating an A record that points to mail.giuliodinatale.it with the exposed IP address without the Cloudflare proxy, and installing an SSL certificate directly on Plesk and using it as a mail and webmail certificate, but it doesn't work in any way. It works sometimes with the Helio servers, and then not even the Helio ones work anymore. What should I do?
Here is the DNS configuration:
;;
;; Domain: giuliodinatale.it.
;; Exported: 2025-05-03 10:13:27
;;
;; This file is intended for use for informational and archival
;; purposes ONLY and MUST be edited before use on a production
;; DNS server. In particular, you must:
;; -- update the SOA record with the correct authoritative name server
;; -- update the SOA record with the contact e-mail address information
;; -- update the NS record(s) with the authoritative name servers for this domain.
;;
;; For further information, please consult the BIND documentation
;; located on the following website:
;;
;; http://www.isc.org/
;;
;; And RFC 1035:
;;
;; http://www.ietf.org/rfc/rfc1035.txt
;;
;; Please note that we do NOT offer technical support for any use
;; of this zone data, the BIND name server, or any other third-party
;; DNS software.
;;
;; Use at your own risk.
;; SOA Record
giuliodinatale.it 3600 IN SOA damiete.ns.cloudflare.com. dns.cloudflare.com. 2049793380 10000 2400 604800 3600

;; NS Records
giuliodinatale.it. 86400 IN NS damiete.ns.cloudflare.com.
giuliodinatale.it. 86400 IN NS joyce.ns.cloudflare.com.

;; A Records
giuliodinatale.it. 1 IN A 65.19.154.94 ; cf_tags=cf-proxied:true
mail.giuliodinatale.it. 1 IN A 65.19.154.94 ; cf_tags=cf-proxied:false
webmail.giuliodinatale.it. 1 IN A 65.19.154.94 ; cf_tags=cf-proxied:true

;; AAAA Records
giuliodinatale.it. 1 IN AAAA 2001:470:1:1ee::3004 ; cf_tags=cf-proxied:true
webmail.giuliodinatale.it. 1 IN AAAA 2001:470:1:1ee::3004 ; cf_tags=cf-proxied:true

;; CNAME Records
ftp.giuliodinatale.it. 1 IN CNAME giuliodinatale.it. ; cf_tags=cf-proxied:true
smarthome.giuliodinatale.it. 1 IN CNAME b86b13d7-7887-44da-a000-e1a340e240e9.cfargotunnel.com. ; cf_tags=cf-proxied:true
www.giuliodinatale.it. 1 IN CNAME giuliodinatale.it. ; cf_tags=cf-proxied:true

;; MX Records
giuliodinatale.it. 1 IN MX 0 mail.giuliodinatale.it.

;; TXT Records
default._domainkey.giuliodinatale.it. 1 IN TXT "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApve/7F8+sxuSkq08ozYKgaS6Qfe6uERrQh9gXosIiQcE9DAICrFqtuj0fKQionUgb1CBAMssxh9b734wmtJ5nFYPLaD46y/0/s1ZJeiRlYSfR6Zofz1JEapYhtTFg54CQvCSlqzKOIvbNMNP28cBiW+xcutdmYENKkEbb8pgYRAkE+CeETQieeduEUPPPyjWC8p6iSAU" "V/WcXyBvA4qTqeI4g8qJRtfR/DRe+Wrb6ZPvjFk0kHzJNrInMzYbtIfGii8+dEjr20JUz4uyinYM8VKRActo4zFgo3Pab6pUj23v+BORZPCsoJCwY9Xs0vH0ZouqCTUwbOBzUGFJvMgmwQIDAQAB;"
_dmarc.giuliodinatale.it. 1 IN TXT "v=DMARC1; p=reject; rua=mailto:report@giuliodinatale.it"
_domainkey.giuliodinatale.it. 1 IN TXT "o=-"
giuliodinatale.it. 1 IN TXT "v=spf1 ip4:65.19.154.94 include:heliohost.org ~all"
giuliodinatale.it. 3600 IN TXT "google-site-verification=jQgbUpR_4b-6I6YZEPaFHrbjiUOb2czfFZrJBPd5Wyo"



and obviously sorry again for the time

Posted

For example, now it's working for me using the Helio servers, but if I could make it work with mail.giuliodinatale.it it would be great. I authorize you in advance to change some settings inside my Plesk panel, or if you need it and think it's necessary I'll give you access to the Plesk panel, obviously if you don't have a way to access it.

Posted

I noticed that when I send outgoing emails it almost never works. I can't figure out what the problem is. If you notice that the problem is not solvable, tell me how and I'll change the name servers.

Posted

I saw that I have another problem with my domain provider, which basically bugged the name server switch when, a week ago, I changed the name servers to InfinityFree and then immediately to Cloudflare, as it was just a test. Now they are working to unblock this situation for me, so if I wanted to switch to the HelioHost name servers I couldn't do it for at least 2/3 days, or at least I think so (I know the situation is more complicated than expected).

Posted

So there's a couple issues here:

  • DNS...sounds like you're working on the NS issue.
    • You'll need your registrar to get the IF NS removed before everything will work reliably. I only see CF when I run tests, but if there are two sets of name servers at your registrar, there's a possibility the wrong server answers and things break.
    • For the zone itself:
      • Change your DMARC policy to quarantine, not reject.
      • SPF should be fine but is more inclusive than necessary. The record we'd use on our name servers for a Morty user domain would be  "v=spf1 ip4:65.19.154.94 ip6:2001:470:1:1ee::3004 ~all". 
      • Change the MX to morty.heliohost.org at least until we get it working.
  • Most clients won't like using your domain as a mail server even if it is configured correctly, simply because they do not like being told "connect to mail.giuliodinatale.it" and essentially getting back a response "Hi I'm morty.heliohost.org!".
    • Since the mail server is shared by everyone, it announces itself as the server host name, which will cause TLS validation and client security checks to fail if other domains are used to refer to it.
  • CF origin certificates are notorious for causing issues because they aren't trusted by anyone except CF's servers.
    • Remove and replace this with an LE certificate through Plesk, then wait 2 hours and try again.
    • If validation fails, disable the CF proxy to initially issue the certificate, then turn it back on after the process finishes.
    • Renewals usually work fine as long as you don't enable strict mode in CF.
  • Make sure CF's SSL setting is "Full", and not "Full (strict)". Strict mode is not supported and will cause issues like certificate issuance/renewal failures.
  • Have you tried changing the mailbox passwords for the email accounts after the move? While they should migrate in theory, we've seen passwords not always migrate cleanly.

 

Posted

Okay to recap, now that I'm waiting for my registrar to unblock the name servers from cloudflare, I have to:
disable the cloudflare proxy and disable any of its certificates and switch to Let's encrypt.
change the dns records to "v=spf1 ip4:65.19.154.94 ip6:2001:470:1:1ee::3004 ~all"
change the MX records to morty.heliohost.org
use LE certificate for mail, webmail and hosting
wait two hours
change mail password and try again?
Then when can I change the name servers, which ones should I put? and if I change them will it fix everything and manage everything automatically and can I enter via IMAP or the same situation?

Posted

the fact is that sometimes it doesn't even connect with the heliohost configuration from outlook and thunderbird, but when it feels like blocking and it blocks, and it doesn't send the emails and they come back, I don't understand why

Posted
1 hour ago, giuliodinatale said:

Okay to recap, now that I'm waiting for my registrar to unblock the name servers from cloudflare, I have to:
disable the cloudflare proxy and disable any of its certificates and switch to Let's encrypt.
change the dns records to "v=spf1 ip4:65.19.154.94 ip6:2001:470:1:1ee::3004 ~all"
change the MX records to morty.heliohost.org
use LE certificate for mail, webmail and hosting
wait two hours
change mail password and try again?
Then when can I change the name servers, which ones should I put? and if I change them will it fix everything and manage everything automatically and can I enter via IMAP or the same situation?

Leave the name servers set to CF for now since you already have that set up. Turn off the cloudflare proxy for all records you have set in CF. This effectively just turns CF into a DNS server with no fancy features.

Update the DNS records as above: Change the MX to morty.heliohost.org, and the SPF to the one I provided. Change the p=reject in the DMARC record to p=quarantine instead.

In Plesk, reissue the certificates for your domain using the Let's Encrypt option. Since you have all required DNS records including webmail created, you can select all options except for wildcard certificate (which we don't support). Once it succeeds, wait 2 hours for the certificate to take effect, then clear your cache.

After that, try connecting to morty.heliohost.org using a mail client (IMAP and SMTP). Use an email address you created on your account as the username, and the matching password. If it gives an authentication error, reset the mailbox's password and try again. If you get an error, please post the settings you used and the error message.

42 minutes ago, giuliodinatale said:

the fact is that sometimes it doesn't even connect with the heliohost configuration from outlook and thunderbird, but when it feels like blocking and it blocks, and it doesn't send the emails and they come back, I don't understand why

When the emails come back, is there an error message? If so, please post it. Returned mail is usually an SPF/DMARC/DKIM issue.

Posted
5 minutes ago, wolstech said:

Leave the name servers set to CF for now since you already have that set up. Turn off the cloudflare proxy for all records you have set in CF. This effectively just turns CF into a DNS server with no fancy features.

Update the DNS records as above: Change the MX to morty.heliohost.org, and the SPF to the one I provided. Change the p=reject in the DMARC record to p=quarantine instead.

In Plesk, reissue the certificates for your domain using the Let's Encrypt option. Since you have all required DNS records including webmail created, you can select all options except for wildcard certificate (which we don't support). Once it succeeds, wait 2 hours for the certificate to take effect, then clear your cache.

After that, try connecting to morty.heliohost.org using a mail client (IMAP and SMTP). Use an email address you created on your account as the username, and the matching password. If it gives an authentication error, reset the mailbox's password and try again. If you get an error, please post the settings you used and the error message.

When the emails come back, is there an error message? If so, please post it. Returned mail is usually an SPF/DMARC/DKIM issue.

I did everything you told me, now I'll wait these two hours and we'll see...
Instead now I could also access from IMAP using mail.giuliodinatale.it or is it better not to use it because of that issue with the certificate that points to morty.heliohost.org.
Instead, one thing that interested me about Cloudflare was the bot control, Turnstile (reCAPTCHA alternative), DDoS protection and all the security functions. If I change the name servers to Helio, do I have any advantage? Or does nothing change, since it is the same configuration that I made on Cloudflare? Because if I could, I would stay on Cloudflare, since I also have tunnels for Home Assistant and various things.

Posted
Quote

Instead now I could also access from IMAP using mail.giuliodinatale.it or is it better not to use it because of that issue with the certificate that points to morty.heliohost.org.

It works because you installed a real publicly trusted cert instead of CF's origin cert. Whether it plays nicely for IMAP will depend on the client you use. If it's working, feel free to use it. It definitely doesn't work with all clients though, which is why we recommend using morty.heliohost.org. If you come across a client that won't connect using your domain as the server, this is the first thing to try.

Once the certificate takes effect (about 90 minutes from now), you can try turning the CF proxy back on for the main domain record (giuliodinatale.it) and the www CNAME record, and testing with the security features you mentioned. They should work :) 

Be sure to leave the proxy off for the mail.giuliodinatale.it and ftp.giuliodinatale.it domains. CF does not support proxying mail and FTP services, so they will break if proxied.

 

By the way, you exceeded your mail sending limit of 50 per day while testing and the server disabled your ability to send email. I went ahead and turned that back on for you. Please be mindful of the 50/day sending limit going forward. If you need more emails due to sending bulk messages, there are some questions you'll need to answer and we can have the limit increased.
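
The DNS advice given in this thread (proxy off for mail and FTP, DMARC at quarantine while troubleshooting, a narrower SPF record) can be checked mechanically against a Cloudflare zone export. The following Python linter is an added example, not code from HelioHost or from any poster here; the function names and finding codes are assumptions made for the illustration, and the sample records are copied from the export posted at the top of the thread.

```python
import re

# Constructed sample: six records copied from the zone export posted in this thread.
ZONE = """\
giuliodinatale.it. 1 IN A 65.19.154.94 ; cf_tags=cf-proxied:true
mail.giuliodinatale.it. 1 IN A 65.19.154.94 ; cf_tags=cf-proxied:false
ftp.giuliodinatale.it. 1 IN CNAME giuliodinatale.it. ; cf_tags=cf-proxied:true
giuliodinatale.it. 1 IN MX 0 mail.giuliodinatale.it.
_dmarc.giuliodinatale.it. 1 IN TXT "v=DMARC1; p=reject; rua=mailto:report@giuliodinatale.it"
giuliodinatale.it. 1 IN TXT "v=spf1 ip4:65.19.154.94 include:heliohost.org ~all"
"""

# name, TTL, class, type, data, then Cloudflare's optional "; cf_tags=..." comment
REC = re.compile(r'^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*?)(?:\s*;\s*cf_tags=(\S+))?$')
UNPROXYABLE = {"mail", "ftp"}  # thread advice: CF does not proxy mail or FTP

def parse(zone):
    records = []
    for line in zone.splitlines():
        m = None if line.lstrip().startswith(";") else REC.match(line.strip())
        if m:
            name, rtype, data, tags = m.groups()
            records.append({"name": name.rstrip(".").lower(), "type": rtype.upper(),
                            "data": data.strip(),
                            "proxied": "cf-proxied:true" in (tags or "")})
    return records

def lint(zone):
    """Return (code, detail) findings; the codes are hypothetical names for this example."""
    records = parse(zone)
    proxied = {r["name"] for r in records if r["proxied"]}
    findings = []
    for r in records:
        txt = r["data"].replace('" "', "").strip('"')  # join split TXT strings
        if r["proxied"] and r["name"].split(".")[0] in UNPROXYABLE:
            findings.append(("proxied-service", r["name"]))
        if r["type"] == "MX" and r["data"].split()[-1].rstrip(".").lower() in proxied:
            findings.append(("mx-target-proxied", r["name"]))
        if r["type"] == "TXT" and txt.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
            if tags.get("p", "").strip().lower() == "reject":
                findings.append(("dmarc-reject", r["name"]))
        if r["type"] == "TXT" and txt.lower().startswith("v=spf1"):
            findings += [("spf-include", m) for m in txt.split()[1:]
                         if m.lstrip("+").lower().startswith("include:")]
    return findings

if __name__ == "__main__":
    for code, detail in lint(ZONE):
        print(f"{code:18} {detail}")
```

On the sample it reports the proxied ftp record, the p=reject DMARC policy and the include:heliohost.org SPF mechanism; a zone edited as described in the replies above produces no findings.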

Posted

Sorry, it's the translator who sucks. The IMAP thing I told you was not a statement but a question: I was asking you if, with this change, it would be convenient in the future to use mail.giuliodinatale.it or morty.heliohost.net as an IMAP server.
Instead, regarding the daily limit, can it be removed? For example by making another donation, or am I tied "for life" with this limit of 50 per day?

Posted
2 minutes ago, giuliodinatale said:

am I tied "for life" with this limit of 50 per day?

24 minutes ago, wolstech said:

If you need more emails due to sending bulk messages, there are some questions you'll need to answer and we can have the limit increased.

 

Posted

Yes, of course I understand. I mean, can this limit be removed by making a donation, or is the limit of 50 emails per day permanent and cannot be changed?

P.S. I don't mean now for testing, I mean in general.

Posted

No, increasing the limit is free

  1. How many emails do you plan to send per day?
  2. Where do you get the email addresses from?
  3. How can recipients of your emails unsubscribe?
  4. Do you have an unsubscribe@yourdomain.com address set up?
  5. Do you have an abuse@yourdomain.com address set up?
  6. Does each email have a link to unsubscribe?
  7. Do you share or sell email addresses that you get?
  8. Post an example of the messages being sent.
Posted

1. I don't know I think max 100 because I want to use it as a personal email to contact people, send emails to friends, government, work, etc. For personal use, I will absolutely not use it to contact people or send news.

2. I think friends, work, government or website verification codes

3. It is not necessary because I will not use my email to make an advertising mailing list

4. No and I don't think it is necessary at least I think so

5. No and I don't think it is necessary at least I think so

6. Same story

7. No absolutely not, I think that maybe at most I will create an email to my girlfriend to use it, then that's it.

8. It depends on the case, because I send private messages

This topic is now closed to further replies.