account control center

Frequently Asked Questions

General Questions

  1. Can I use Roller Network mail with our current web hosting?
  2. What is "CIDR Notation" and how do I convert to it from subnet masks?
  3. Can you clear your DNS cache?
  4. When do you do updates?
  5. I just set everything up and it doesn't work. What's wrong?
  6. Can you configure my system for me?
  7. Will you provide a new service or new feature?
  8. Can I change my account name?

Mail Services

  1. I still see messages being redirected to the secondary MX even if the primary MX is online. Is this normal?
  2. Preventing Address Forgery with SPF
  3. Preventing Address Forgery with the Blacklist and Whitelist
  4. Why can't I delete a domain that has status "Free Use Limit Exceeded"?
  5. What does "Administratively prohibited domain name" mean when I try to add a domain?
  6. Why don't your mail servers accept "domain literal" format?
  7. Why do some of my messages shown in the incoming mail logs seem to disappear?
  8. Why is a valid user table required?
  9. My MX records are cached with old IP address, how can I fix this?
  10. Why can't I remove 'abuse' or 'postmaster' from my valid user table?
  11. DNSreport.com returns a mail server error.
  12. How can I use a tool like "fetchmail" to send ETRN?
  13. Do I need to send an ETRN to all your mail servers?
  14. When I send an ETRN, I always get "queuing started" even if the queue is empty. Why?
  15. Do I have to use "fetchmail" to send ETRN commands?
  16. Do ETRN commands need to be authenticated?
  17. How can I use ETRN if my ISP blocks port 25?
  18. What IP addresses should I whitelist or add to my trusted servers list?
  19. How often do you attempt delivery on deferred mail?
  20. Won't Greylisting delay my email from valid sources?
  21. Does the Roller Network enforce any filtering for all accounts?
  22. Why can't I send email? I added my domain to the mail service.
  23. Why does your server say "501 Bad address syntax" when I send it a MAIL FROM command?
  24. Why is your server acting as an open relay for my domain?
  25. One of your servers is on a DNS blacklist!
  26. If my server rejects a message does that still count for usage?
  27. How do I configure Microsoft Exchange to work with Roller Network mail?
  28. Why does sending mail through the Outbound Mail service seem slow?
  29. Can you offer Challenge/Response (C&R) service?
  30. What should I have in SPF for Outbound Mail?
  31. Why can't forwarded email be reported as spam?
  32. Non-English characters aren't showing up in SquirrelMail.

DNS Services

  1. My master name server is cached with an old IP address, how can I fix this?
  2. What does "Administratively prohibited domain name" mean when I try to add a domain?

Billing and Services

  1. Why can't I auto-pay with PayPal?
  2. Why am I getting a renewal invoice two weeks after I first upgraded?

General Questions

Can I use Roller Network mail with our current web hosting?

Yes, you can! All that is required to switch to using Roller Network mail services is to change the MX (mail exchanger) records for your domain name. This will send email for your domain to us while leaving the DNS records for your website (the A records) unchanged.

What is "CIDR Notation" and how do I convert to it from subnet masks?

There's also a handy subnet calculator at: subnet-calculator.com

Can you clear your DNS cache?

No; our DNS caches hold far too much information to make clearing them a viable option. The mail servers and DNS servers themselves do not cache; we have separate systems dedicated to external DNS lookups and caching. If you are having issues with cached DNS entries please read:

When do you do updates?

All changes made through the account control center are live, with the exception of adding or removing a Scondary DNS zone which only updates on certain intervals.

I just set everything up and it doesn't work. What's wrong?

If you're just changing your MX or NS records to start using our services be aware that changes made to existing configurations don't happen instantly; it takes time for changes to move across the DNS servers of the world and for caches to expire. Give DNS changes at least 24 hours to take effect. You can always connect with telnet to port 25 and initate a manual SMTP session for testing purposes.

Can you configure my system for me?

We unfortunately do not offer consulting type services.

Will you provide a new service or new feature?

Suggestions for improvement are always welcome. You can reach us at any of the addresses listed on the contact page.

Can I change my account name?

No, account names for the account control center can't be changed.


Mail Services

I still see messages being redirected to the secondary MX even if the primary MX is online. Is this normal?

This is normal. Secondary MX doesn't have any status and it's always active. The decision about which MX to send to is made by the original sender's mail server. There are a few reasons why you might see mail go from source->secondary->primary rather than source->primary when the primary is operational:

Preventing Address Forgery with SPF

SPF is commonly mistaken as an anti-spam tool, but it's actually a mechanism for preventing forgery. SPF allows a domain owner to declare legitimate mail sources for a domain and a policy for those that aren't. There is nothing in the SMTP protocol that prevents a sender from using an arbitrary email address as their sending address. SPF attempts to correct this deficiency.

To configure SPF you must be familiar with DNS and know where email from your domain originates from. Using this information, you can create an SPF record that is published as a TXT record in DNS for the domain. There is a handy tool on the openspf.org website to help you create an SPF record for your domain. If possible, you should also publish it as an SPF DNS record. (Ask your DNS provider if they support "SPF type 99" records. Roller Network Primary DNS supports the new SPF record.) Make sure that the SPF filter is enabled so our servers can reject forged mail, too.

When creating an SPF record only the "-all" type will result in forged mail being rejected. The other types such as the "~all" the setup tool on openspf.org will create still allows forged mail through. (Although you can change the SoftFail action to reject in our SPF filter, too.) If you are certain the SPF record describes all sources of mail for your domain, change this to "-all". If you're using our outbound mail service add "include:a._spf.rollernet.us" to your SPF record.

Preventing Address Forgery with the Blacklist and Whitelist

If SPF isn't feasible for some reason, you can still prevent forged mail from transitioning our mail services using a similar technique by combining blacklist and whitelist entries. You will still need to make a list of legitimate mail sources for your domain, but it won't be published in DNS like SPF.

The concept is simple: add a "Sender Domain Name" blacklist entry for the domain name you want to protect and then add whitelist entries of your authorized mail sources to bypass the blacklist filter. (Whitelist entries should be "Host", "Network" or "Host Name" types to be effective.) Any server that attempts to use the blacklisted domain as the sender address but isn't on the whitelist will be rejected.

Roller Network servers automatically whitelist themselves to prevent internal rejection loops.

Why can't I delete a domain that has status "Free Use Limit Exceeded"?

Domains on free accounts that have exceeded their daily usage limit are locked and cannot be deleted from an account in addition to rejecting any incoming messages. If you try to delete a domain with status "Free Use Limit Exceeded", you will see the following error message: "Unable to delete domain currently exceeding resource limits - this domain is locked. Contact technical support for assistance or upgrade your account."

The reason for this is simple - if you're exceeding the usage limits, the domain could be deleted and added back to reset it. Since this is not allowed, we lock the domain to your account. If you need to delete this domain, please wait until the usage is reset (every day at midnight Pacific time).

What does "Administratively prohibited domain name" mean when I try to add a domain?

Some domain names are simply not allowed; these are typically large providers that should never be in our domain tables. Examples are: gmail.com, aol.com, hotmail.com, yahoo.com, and soforth. There's no reason for these to be in our system so we don't allow it.

Why don't your mail servers accept "domain literal" format?

Messages addresses in domain literal format will never end up at a destination other than local to our mail servers, and since we process messages for thousands of domains, there's no point in accepting literal format. Although some testing tools may report this as an error, it is harmless.

Why do some of my messages shown in the incoming mail logs seem to disappear?

"Disappearing" messages (those with an entry in the incoming logs but no corresponding entry in the outgoing logs) are a side effect of how our logging works. Entries in the incoming logs are created by the filtering system on each RCPT TO command in the SMTP session. Entries in the outgoing logs are parsed from Postfix's mail logs. If a mail server drops the connection after the RCPT TO phase but before the DATA or end of DATA phase, there will not be a corresponding outgoing entry. However, these errors are not provided to the account control center.

This is commonly caused by the source dropping the connection or sending a zero-byte message, and can safely be ignored. If you'd like to know the actual error messages for a specific entry, contact us and give us your account name, the domain name, and instance ID you'd like to know about. We'll provide as much information as we have from the raw mail logs about your particular message.

Why is a valid user table required?

Configuring the valid user table for a domain is required because it will prevent backscatter and misdirected bounces. It also has the benefit of stopping dictionary attacks at our border, rather than propagating them to your mail server. This allows our servers to reject invalid addresses, rather than accepting and bouncing after the fact, which can be considered a form of spamming. We also have a backscatter prevention policy that will disable your domain if you fail to create a valid user table.

For more information on the reasons behind requiring the use of this feature, you can read this thread in the forums: http://forums.rollernet.us/viewtopic.php?p=510#510

There's no way around this requirement. If you need to integrate updating the valid user table with an internal system on your end, consider using the URL verification call in Auto-Learn mode or use our API.

My MX records are cached with old IP address, how can I fix this?

When a domain is in Secondary MX mode, our system will use the MX records provided by DNS for your domain name to find the primary mail server. These lookups (including the associated A records) are cached by our DNS caches. In the event that an old MX or associated A record is cached, you can easily fix this by changing the domain to SMTP Redirection mode.

Change the domain in question to SMTP Redirection mode, and use the new IP address of your mail server as the destination server. This can also be useful to continue delivery to your site while other servers around the world continue to use old information until those DNS entries expire as well. Since the DNS information for our servers does not change, mail will continue to be delivered to you through us directly to the IP address you specify. (Do NOT delete the domain; this will cause the queue to bounce. Click on the domain name in the "Domain" column and change the service mode from there.)

This will not affect the mail queue or any other settings; it simply changes the delivery transport method. Any mail that is currently in the "active" queue will not see the mode change until the next delivery attempt, so it may take a few queue releases to get everything out. Once all of the cached DNS entries have expired, you can change the mode back to Secondary MX or a hostname as the destination server in SMTP Redirection mode.

Why can't I remove 'abuse' or 'postmaster' from my valid user table?

Those addresses are required by the RFCs to be usable. Although it is possible the message may still be discarded by the recipient, we still require them. An "abuse" address is required by RFC2142, while "postmaster" is required by RFC2821 section 4.5.1.

DNSreport.com returns a mail server error

Tthe mail error "The mailserver terminated the connection before the transaction was complete (state 8). This is not RFC compliant, and therefore either due to an error, or it may be the result of a non-RFC-compliant mailserver or non-RFC-compliant anti-spam program."

When our servers recieve too many errors they will terminate the connection. The mail test tool for dnsreport.com tends to fail less than gracefully in this case. Domains in "Defer All" mode or Greylisting will cause this because they will respond with 4xx error messages after the RCPT TO phase, which dnsreport.com interprets (incorrectly) as an error. There's nothing we can really do to fix this except recommend that you ignore this particular error when using dnsreport.com's mail test tool.

Also, if a testing tool generates too many errors our servers will forcibly terminate the connection so we don't waste resources processing errors when we could be processing someone's mail. This may be seen as an error by testing tools.

How can I use a tool like "fetchmail" to send ETRN?

Since our servers accept ETRN commands, you can have fetchmail send them in a cron job or interface-up script. Something like this will work:

fetchmail -p ETRN --fetchdomains example.net mail.rollernet.us
fetchmail -p ETRN --fetchdomains example.net mail2.rollernet.us

If your ISP blocks port 25, our servers will also accept ETRN on port 2525.

fetchmail -p ETRN -P 2525 --fetchdomains example.net mail.rollernet.us
fetchmail -p ETRN -P 2525 --fetchdomains example.net mail2.rollernet.us

Do I need to send an ETRN to all your mail servers?

Yes. All of our mail servers operate independently from each other for redundancy purposes, so you will need to send each of them an ETRN command.

When I send an ETRN, I always get "queuing started" even if the queue is empty. Why?

Postfix does not report that information. It keeps track of queue numbers in the fast flush feature (which is enabled), but only uses that info to expedite delivery. It will always report "250 Queuing started" if the domain is valid, or "459 <blah.com>: service unavailable" if the domain is invalid. Check your queue status online for detailed information on your queues.

Do I have to use "fetchmail" to send ETRN commands?

No, any mail that is delayed is periodically retried or any tool that has an ETRN function will work. We're merely using "fetchmail" for illustrative purposes. If we still can't contact your mail server after three weeks is removed from the queue. If your mail server is online and we receive a message it is redirected to you immediately. You can always check your queue status online or use the API to send a queue release.

Do ETRN commands need to be authenticated?

No, an ETRN command can't be authenticated. Since the system will only release the queue to the primary MX or final destination server for SMTP redirection, there is no need for authentication. To ensure messages will be released to a specific IP address, we recommend using SMTP Redirection mode with your mail server's IP address and a random port other than 25.

How can I use ETRN if my ISP blocks port 25?

The Roller Network will allow you to connect to us on port 2525 to issue an ETRN command in the event that port 25 is blocked. Anyone who needs to use ETRN with port 25 blocks can use port 2525 instead.

What IP addresses should I whitelist or add to my trusted servers list?

Anyone who uses our mail services should add our mail servers to your whitelist or trusted servers list. See the resource access page for a current list of IP addresses. If you are publishing an SPF record for your domain, we recommend adding "include:a._spf.rollernet.us" to your SPF record. Failure to whitelist our servers from additional filtering may violate our backscatter prevention policy.

How often do you attempt delivery on deferred mail?

The Roller Network uses a sliding scale to prevent large blocks of concurrent retries. If a message destined for your mail server ends up deferred in the queue it will be delayed for 15 minutes (minimal_backoff_time). After 15 minutes has elapsed a delivery attempt will be made. Should your mail server still be unreachable the time will be doubled and the process repeated. The maximum retry interval is one week (maximal_backoff_time). If your mail server is frequently offline for long periods of time you will need to send ETRN (either manually or with a third-party tool such as Fetchmail) to ensure a timely delivery of queued messages. Once a queued message is over three weeks old it will be deleted from the queue as undeliverable after a final delivery attempt (maximal_queue_lifetime). The Mail Mirror feature is recommended for out-of-queue protection. Domains in "Accept and Hold" mode will follow the same rules, although no attempts to contact your mail server will be made. If you're familiar with Postfix we use the following settings:

maximal_backoff_time=1w
minimal_backoff_time=15m
maximal_queue_lifetime=3w

Won't Greylisting delay my email from valid sources?

Yes, it will; but only the first time a certain sender/server/recipient triplet is seen. If you regulary get mail from the same person then future messages will be passed through the Greylist filter immediately. The delay blocks most spam sources since the vast majority of them will never retry a message like real mail servers will. If you can accept the delay that Greylisting will incur, it is well worth the reduction in spam. We recommend adding trusted sources to your whitelist to avoid delays.

Does the Roller Network enforce any filtering for all accounts?

No, there aren't any enforced or required filters. There are a minimal set of baseline requirements for all domain names. This baseline is described on the Mail Services help page.

Why can't I send email? I added my domain to the mail service.

You need to use our Outbound Mail Account feature. The MX servers that handle incoming mail and filtering are incapable of accepting and originating email.

Why does your server say "501 Bad address syntax" when I send it a MAIL FROM command?

The Roller Network requires proper RFC821 envelopes. This means you need to enclose the address portion of MAIL FROM and RCPT TO commands with < > For example, the format "MAIL FROM:admin@rollernet.us" is invalid and will be rejected. The correct form is "MAIL FROM:<admin@rollernet.us>".

Why is your server acting as an open relay for my domain?

If the Roller Network accepts a message for a domain, then someone configured that domain in our account manager.

A common tactic spammers will use in an attempt bypass filter is connecting to all of the MX records listed for a domain. Since most services similar to the Roller Network do not offer the level of filtering that we do, this method effectively bypasses any filtering that happens at connection time on your server. We recommend configuring your Roller Network filtering options to match the filtering on your primary mail server.

If you have a Roller Network account, and you have set up domains for mail services, our servers will accept any mail that is destined for that domain. They will either relay it immediately, or hold it in the queue to be delivered later.

One of your servers is on a DNS blacklist!

This happens occasionally with the incoming mail servers because some of our customers choose to run additional filtering on connections from our servers or disable our filters completely and report our servers as spam sources. There's nothing practical we can do to prevent this from happening. We strongly recommend adding the incoming mail servers (mail.rollernet.us and mail2.rollernet.us) to a whitelist or trusted relay list on your mail server. Although some lists like SpamCop are kind enough to trust our servers as known incoming-only relays, other lists are not so accommodating.

We never use our incoming mail servers to send outgoing mail - messages submitted under outbound mail and for forwarding originate from sources dedicated to outgoing mail. The incoming servers are dedicated to processing incoming mail, filtering it, and delivering it to its intended destination. This separation of roles is designed to protect our mail paths. Our outbound mail paths are monitored to ensure they aren't listed by any of the major blacklists.

If my server rejects a message does that still count for usage?

Yes, it does. Even though your server rejected the message and you didn't receive it from your perspective, we still filtered, processed, accepted, queued, and attempted delivery on that message. Messages that complete that process are recorded as incoming mail usage, irrespective of the delivery attempt result. To reduce your usage profile we recommend using the mail filters.

How do I configure Microsoft Exchange to work with Roller Network mail?

See our How To Configure Microsoft Exchange page for detailed instructions.

Why does sending mail through the Outbound Mail service seem slow?

We do scanning and filtering a bit different than everyone else: we do it in real time (or as close to it as possible). This means that when you submit a message through our outbound mail service the submission restrictions are being applied before we'll return an "accept" or "reject" response at the cost of a few extra seconds of processing time. This slight acceptance delay has no bearing on the actual delivery to the intended recipient. The same process is applied to incoming mail, but due to the non-interactive nature of MTA-to-MTA communications, it goes unnoticed.

Can you offer Challenge/Response (C&R) service?

No. We consider challenge/response (like Spam Arrest) to be a form of spamming itself. Since many junk messages use a forged return address, our system would be sending unsolicited email to an unrelated party. For those that use a real address sending a reply simply confirms to the spammer that they have a working address to keep trying. C&R can also be used to facilitate a DDoS attack on an innocent third party. C&R simply shifts the spam problem to someone else, and that would make us a "bad neighbor".

What should I have in SPF for Outbound Mail?

We offer the include include:a._spf.rollernet.us if you publish SPF records for your domain.

Why can't forwarded email be reported as spam?

When an email forwarded to an external address (such as Yahoo, Hotmail, Gmail, etc.) is reported as spam you aren't actually reporting the true source: you're reporting our forwarding servers as spam sources. In order to protect other customers who use forwarding and understand not to report forwarded messages as spam, we will automatically block or disable forwarders that break this rule.

While mail forwarding is still popular, it is generally impractical today due to problems with spam, automated spam reporting, and "chain of trust" validation methods. We strongly recommend against relying on external forwarding alone.

Non-English characters aren't showing up in SquirrelMail.

This can happen if the display language is set to "English". The solution is to change the language setting under OptionsDisplay Preferences after logging in.


DNS Services

My master name server is cached with an old IP address, how can I fix this?

The Secondary DNS configuration will accept either a full hostname (ns.mydomain.com) or an IP address. If your hostname has been cached with an old IP address, we recommend changing the master to your new IP address. After the cached DNS entry for the hostname has expired, you may change it back. We recommend using IP addresses for master name servers.

What does "Administratively prohibited domain name" mean when I try to add a domain?

Some domain names are simply not allowed; these are typically large providers that should never be in our domain tables. Examples are: gmail.com, aol.com, hotmail.com, yahoo.com, and soforth. There's no reason for these to be in our system so we don't allow it.


Billing and Services

Why can't I auto-pay with PayPal?

PayPal does not provide a method for us to initiate or request a payment after we generate an invoice.

Why am I getting a renewal invoice two weeks after I first upgraded?

We generate renewal invoices for Mail and DNS services 15 days before their renewal date (as shown on the account profile page in the account control center), so the first renewal after upgrading your account may seem early. There's no need to worry: you will always get the full month of service that was paid for. Our system uses the service renewal date when adding the next term, not the invoice date. Your service is always active for the full term that it was paid for.

Home | Account Control Center | Status | Help | Contact | Policy | IPv6

© Roller Network LLC