Frequently Asked Questions
General Questions
Mail Services
DNS Services
Billing and Services
General Questions
Can I use Roller Network mail with our current web hosting?
Yes, you can! All that is required to switch to using Roller Network mail services is to change the MX (mail exchanger) records for your domain name. This will send email for your domain to us while leaving the DNS records for your website (the A records) unchanged.
What is "CIDR Notation" and how do I convert to it from subnet masks?
Generally no; this is a manual process and you can use IP addresses in the control center for most things to avoid DNS lookups. The mail servers and DNS servers use separate systems dedicated to recursive DNS lookups and caching. If you are having issues with cached DNS please read:
All changes made through the account control center are live, with the exception of adding or removing a Secondary DNS zone which only updates on certain intervals.
I just set everything up and it doesn't work. What's wrong?
If you're just changing your MX or NS records to start using our services be aware that changes made to existing configurations don't happen instantly; it takes time for changes to move across the DNS servers of the world and for caches to expire. Give DNS changes at least 24 hours to take effect. You can always connect with telnet to port 25 and initate a manual SMTP session for testing purposes.
Can you configure my system for me?
We unfortunately do not offer consulting type services.
Will you provide a new service or new feature?
Suggestions for improvement are always welcome. You can reach us at any of the addresses listed on the contact page.
No, account names for the account control center can't be changed.
Mail Services
This is normal. Secondary MX doesn't have any status and it's always active. The decision about which MX to send to is made by the original sender's mail server. There are a few reasons why you might see mail go from source->secondary->primary rather than source->primary when the primary is operational:
Preventing Address Forgery with SPF
SPF is commonly mistaken as an anti-spam tool, but it's actually a mechanism for preventing forgery. SPF allows a domain owner to declare legitimate mail sources for a domain and a policy for those that aren't. There is nothing in the SMTP protocol that prevents a sender from using an arbitrary email address as their sending address. SPF attempts to correct this deficiency.
To configure SPF you must be familiar with DNS and know where email from your domain originates from. Using this information, you can create an SPF record that is published as a TXT record in DNS for the domain. Make sure that the SPF filter is enabled so our servers can reject forged mail, too.
When creating an SPF record only the "-all" type will result in forged mail being rejected. The other types such as the "~all" the setup tool on openspf.org will create still allows forged mail through. (Although you can change the SoftFail action to reject in our SPF filter, too.) If you are certain the SPF record describes all sources of mail for your domain, change this to "-all". If you're using our outbound mail service add "include:auth.spf.rollernet.us" to your SPF record.
Preventing Address Forgery with the Deny List and Allow List
If SPF isn't feasible for some reason, you can still prevent forged mail from transitioning our mail services using a similar technique by combining Mail Deny List and Mail Allow List entries. You will still need to make a list of legitimate mail sources for your domain, but it won't be published in DNS like SPF.
The concept is simple: add a "Sender Domain Name" Deny List entry for the domain name you want to protect and then add Allow List entries of your authorized mail sources to bypass the Deny List filter. (Whitelist entries should be "Host", "Network" or "Host Name" types to be effective.) Any server that attempts to use the blocked domain as the sender address but isn't on the Allow List will be rejected.
Roller Network servers automatically allow themselves to prevent internal rejection loops.
Why can't I delete a domain that has status "Free Use Limit Exceeded"?
Domains on free accounts that have exceeded their daily usage limit are locked and cannot be deleted from an account in addition to rejecting any incoming messages. If you try to delete a domain with status "Free Use Limit Exceeded", you will see the following error message: "Unable to delete domain currently exceeding resource limits - this domain is locked. Contact technical support for assistance or upgrade your account."
The reason for this is simple - if you're exceeding the usage limits, the domain could be deleted and added back to reset it. Since this is not allowed, we lock the domain to your account. If you need to delete this domain, please wait until the usage is reset (every day at midnight Pacific time).
What does "Administratively prohibited domain name" mean when I try to add a domain?
Some domain names are simply not allowed; these are typically large providers that should never be in our domain tables. Examples are: gmail.com, aol.com, hotmail.com, yahoo.com, and soforth. There's no reason for these to be in our system so we don't allow it.
In extreme cases we also block domains from being added to our system for policy reasons.
Why don't your mail servers accept "domain literal" format?
Messages addresses in domain literal format will never end up at a destination other than local to our mail servers, and since we process messages for thousands of domains, there's no point in accepting literal format. Although some testing tools may report this as an error, it is harmless.
Why do some of my messages shown in the incoming mail logs seem to disappear?
"Disappearing" messages (those with an entry in the incoming logs but no corresponding entry in the outgoing logs) are a side effect of how our logging works. Entries in the incoming logs are created by the filtering system on each RCPT TO command in the SMTP session. Entries in the outgoing logs are parsed from Postfix's mail logs. If a mail server drops the connection after the RCPT TO phase but before the DATA or end of DATA phase, there will not be a corresponding outgoing entry. However, these errors are not provided to the account control center.
This is commonly caused by the source dropping the connection or sending a zero-byte message, and can safely be ignored. If you'd like to know the actual error messages for a specific entry, contact us and give us your account name, the domain name, and instance ID you'd like to know about. We'll provide as much information as we have from the raw mail logs about your particular message.
Why is a valid user table required?
Configuring the valid user table for a domain is required because it will prevent backscatter and misdirected bounces. It also has the benefit of stopping dictionary attacks at our border, rather than propagating them to your mail server. This allows our servers to reject invalid addresses, rather than accepting and bouncing after the fact, which can be considered a form of spamming. We also have a backscatter prevention policy that will disable your domain if you fail to create a valid user table.
For more information on the reasons behind requiring the use of this feature, you can read this thread in the forums: http://forums.rollernet.us/viewtopic.php?p=510#510
There's no way around this requirement. If you need to integrate updating the valid user table with an internal system on your end, consider using the URL verification call in Auto-Learn mode or use our API.
My MX records are cached with old IP address, how can I fix this?
When a domain is in Secondary MX mode, our system will use the MX records provided by DNS for your domain name to find the primary mail server. These lookups (including the associated A records) are cached by our DNS caches. In the event that an old MX or associated A record is cached, you can easily fix this by changing the domain to SMTP Redirection mode.
Change the domain in question to SMTP Redirection mode, and use the new IP address of your mail server as the destination server. This can also be useful to continue delivery to your site while other servers around the world continue to use old information until those DNS entries expire as well. Since the DNS information for our servers does not change, mail will continue to be delivered to you through us directly to the IP address you specify. (Do NOT delete the domain; this will cause the queue to bounce. Click on the domain name in the "Domain" column and change the service mode from there.)
This will not affect the mail queue or any other settings; it simply changes the delivery transport method. Any mail that is currently in the "active" queue will not see the mode change until the next delivery attempt, so it may take a few queue releases to get everything out. Once all of the cached DNS entries have expired, you can change the mode back to Secondary MX or a hostname as the destination server in SMTP Redirection mode.
Why can't I remove 'abuse' or 'postmaster' from my valid user table?
Those addresses are required by one or more RFC, although it is possible the message may still be discarded by the recipient. An "abuse" address is required by RFC2142, while "postmaster" is required by RFC2821 section 4.5.1.
How can I use a tool like "fetchmail" to send ETRN?
Since our servers accept ETRN commands, you can have fetchmail send them in a cron job or interface-up script. Something like this will work:
fetchmail -p ETRN --fetchdomains example.net mail.rollernet.us fetchmail -p ETRN --fetchdomains example.net mail2.rollernet.us |
If your ISP blocks port 25, our servers will also accept ETRN on port 2525.
fetchmail -p ETRN -P 2525 --fetchdomains example.net mail.rollernet.us fetchmail -p ETRN -P 2525 --fetchdomains example.net mail2.rollernet.us |
Do I need to send an ETRN to all your mail servers?
Yes. All of our mail servers operate independently from each other for redundancy purposes, so you will need to send each of them an ETRN command.
When I send an ETRN, I always get "queuing started" even if the queue is empty. Why?
Postfix does not report that information. It keeps track of queue numbers in the fast flush feature (which is enabled), but only uses that info to expedite delivery. It will always report "250 Queuing started" if the domain is valid, or "459 <example.com>: service unavailable" if the domain is invalid. Check your queue status online for detailed information on your queues.
Do I have to use "fetchmail" to send ETRN commands?
No, any mail that is delayed is periodically retried or any tool that has an ETRN function will work. We're merely using "fetchmail" for illustrative purposes. If we still can't contact your mail server after three weeks is removed from the queue. If your mail server is online and we receive a message it is redirected to you immediately. You can always check your queue status online or use the API to send a queue release.
Do ETRN commands need to be authenticated?
No, an ETRN command can't be authenticated. Since the system will only release the queue to the primary MX or final destination server for SMTP redirection, there is no need for authentication. To ensure messages will be released to a specific IP address, we recommend using SMTP Redirection mode with your mail server's IP address and a random port other than 25.
How can I use ETRN if my ISP blocks port 25?
Use port 2525 to issue an ETRN command in the event that port 25 is blocked.
What IP addresses should I add to my trusted servers list?
Anyone who uses our mail services should add our mail servers to your trusted servers list. See the resource access page for a current list of IP addresses. If you are publishing an SPF record for your domain, we recommend adding "include:auth.spf.rollernet.us" to your SPF record. Failure to list our servers from additional filtering may cause lost mail.
How often do you attempt delivery on deferred mail?
The Roller Network uses a sliding scale to prevent large blocks of concurrent retries. If a message destined for your mail server ends up deferred in the queue it will be delayed for 15 minutes (minimal_backoff_time). After 15 minutes has elapsed a delivery attempt will be made. Should your mail server still be unreachable the time will be doubled and the process repeated. The maximum retry interval is one week (maximal_backoff_time). If your mail server is frequently offline for long periods of time you will need to send ETRN (either manually or with a third-party tool such as Fetchmail) to ensure a timely delivery of queued messages. Once a queued message is over three weeks old it will be deleted from the queue as undeliverable after a final delivery attempt (maximal_queue_lifetime). The Mail Mirror feature is recommended for out-of-queue protection. Domains in "Accept and Hold" mode will follow the same rules, although no attempts to contact your mail server will be made. If you're familiar with Postfix we use the following settings:
maximal_backoff_time=1w minimal_backoff_time=15m maximal_queue_lifetime=3w |
Won't Greylisting delay my email from valid sources?
Yes, it will; but only the first time a certain sender/server/recipient triplet is seen. If you regulary get mail from the same person then future messages will be passed through the Greylist filter immediately. The delay blocks most spam sources since the vast majority of them will never retry a message like real mail servers will. If you can accept the delay that Greylisting will incur, it is well worth the reduction in spam. We recommend adding trusted sources to your Allow List to avoid delays.
Does the Roller Network enforce any filtering for all accounts?
No, there aren't any enforced or required filters. There are Minimum Requirements to Receive Messages for all domain names described on the Mail Services help page.
Why can't I send email? I added my domain to the mail service.
You need to use our Outbound Mail Account feature. The MX servers that handle incoming mail and filtering are incapable of accepting and originating email.
Why does your server say "501 Bad address syntax" when I send it a MAIL FROM command?
The Roller Network requires proper RFC821 envelopes. This means you need to enclose the address portion of MAIL FROM and RCPT TO commands with < > For example, the format "MAIL FROM:admin@rollernet.us" is invalid and will be rejected. The correct form is "MAIL FROM:<admin@rollernet.us>".
Why is your server acting as an open relay for my domain?
If you have a Roller Network account and you have set up domains for mail services, our servers will accept any mail that is destined for that domain. They will either relay it immediately, or hold it in the queue to be delivered later.
A common tactic spammers will use in an attempt bypass filter is connecting to all of the MX records listed for a domain. Since many backup MX services do not offer the same level of filtering controls that we do, this method can bypass any filtering that happens at connection time on your server since your server would normally trust the backup MX servers. We recommend configuring your Roller Network filtering options to match the filtering on your primary mail server as closely as possible.
If you don't have a Roller Network account and we accept a message for a domain, then someone configured that domain in our account manager. If you, the domain owner, have not configured your domain in our system and would like to request its removal pelase contact support@rollernet.us for assistance. We will use the information in "whois" to validate your request.
One of your servers is on a DNS block list!
This happens occasionally with the incoming mail servers because some of our customers choose to run additional filtering on connections from our servers or disable our filters completely and report our servers as spam sources. There's nothing practical we can do to prevent this from happening. We strongly recommend adding the incoming mail servers (mail.rollernet.us and mail2.rollernet.us) to a trusted relay list on your mail server. Although some lists like SpamCop are kind enough to trust our servers as known incoming-only relays, other lists are not so accommodating.
We never use our incoming mail servers to send outgoing mail - messages submitted under outbound mail and for forwarding originate from sources dedicated to outgoing mail. The incoming servers are dedicated to processing incoming mail, filtering it, and delivering it to its intended destination. This separation of roles is designed to protect our mail paths. Our outbound mail paths are monitored to ensure they aren't listed by any of the major DNSBLs.
If my server rejects a message does that still count for usage?
Yes, it does. Even though your server rejected the message and you didn't receive it from your perspective, we still filtered, processed, accepted, queued, and attempted delivery on that message. Messages that complete that process are recorded as incoming mail usage, irrespective of the delivery attempt result. To reduce your usage profile we recommend using the mail filters.
How do I configure Microsoft Exchange to work with Roller Network mail?
See our How To Configure Microsoft Exchange page for detailed instructions.
Why does sending mail through the Outbound Mail service seem slow?
We do scanning and filtering a bit different than everyone else: we do it in real time (or as close to it as possible). This means that when you submit a message through our outbound mail service the submission restrictions are being applied before we'll return an "accept" or "reject" response at the cost of a few extra seconds of processing time. This slight acceptance delay has no bearing on the actual delivery to the intended recipient. The same process is applied to incoming mail, but due to the non-interactive nature of MTA-to-MTA communications, it goes unnoticed.
Can you offer Challenge/Response (C&R) service?
No. We consider challenge/response to be a form of spam itself. Messages that use a forged return address would cause the "challenge" to send an unsolicited email to a third party. C&R can also be used to facilitate a DDoS attack on a third party. C&R simply shifts the spam problem to someone else.
What should I have in SPF for Outbound Mail?
We offer the include include:auth.spf.rollernet.us if you publish SPF records for your domain.
Why can't forwarded email be reported as spam?
When an email forwarded to an external address (such as Yahoo, Hotmail, Gmail, etc.) is reported as spam you aren't actually reporting the true source: you're reporting our forwarding servers as spam sources. In order to protect other customers who use forwarding and understand not to report forwarded messages as spam, we will automatically block or disable forwarders that break this rule.
While mail forwarding is still popular, it is generally impractical today due to problems with spam, automated spam reporting, and "chain of trust" validation methods. We strongly recommend against relying on external forwarding alone.
Non-English characters aren't showing up in SquirrelMail.
Try changing the language setting under Options → Display Preferences after logging in.
DNS Services
My master name server is cached with an old IP address, how can I fix this?
Use an IP address instead. The Secondary DNS configuration will accept either a full hostname (ns.mydomain.com) or an IP address. We recommend using IP addresses for master name servers.
What does "Administratively prohibited domain name" mean when I try to add a domain?
Some domain names are simply not allowed; these are typically large providers that should never be in our domain tables. Examples are: gmail.com, aol.com, hotmail.com, yahoo.com, and soforth. There's no reason for these to be in our system so we don't allow it.
In extreme cases we also block domains from being added to our system for policy reasons.
Billing and Services
Why can't I auto-pay with PayPal?
PayPal does not provide a method for us to initiate or request a payment after we generate an invoice.
Why am I getting a renewal invoice two weeks after I first upgraded?
We generate renewal invoices for Mail and DNS services 15 days before their renewal date (as shown on the account profile page in the account control center), so the first renewal after upgrading your account may seem early. There's no need to worry: you will always get the full month of service that was paid for. Our system uses the service renewal date when adding the next term, not the invoice date. Your service is always active for the full term that it was paid for.