
Some of our clients are experiencing delivery issues to some domains that use Gmail/Google for their email.

I previously covered that here – http://www.computersolutions.cn/blog/2015/04/gmail-and-other-google-hosted-mail-delivery-issues/

The issue is that China is still blocking Gmail / Google hosted mail, and the recipient domain hasn’t set up their MX records correctly.

This is fine for servers outside of China, where all of Google’s mail servers (should) work, but breaks things for those inside China, where only a few servers are reachable.

Google hosted mail settings are here: https://support.google.com/a/answer/33915?hl=en

You’ll note that there are 5 different email servers that are listed in priority order.

Priority Mail Server
1 ASPMX.L.GOOGLE.COM.
5 ALT1.ASPMX.L.GOOGLE.COM.
5 ALT2.ASPMX.L.GOOGLE.COM.
10 ALT3.ASPMX.L.GOOGLE.COM.
10 ALT4.ASPMX.L.GOOGLE.COM.

For mail servers, the lowest number has the highest priority, so the server with a priority of 1 will be the first server tried, then the next lowest number, and so on.

Here is what happens if I try to connect to the servers from China:

telnet ASPMX.L.GOOGLE.COM 25
Trying 74.125.200.27…
(times out)

telnet ALT1.ASPMX.L.GOOGLE.COM 25
Trying 173.194.72.26…
(times out)

telnet ALT2.ASPMX.L.GOOGLE.COM 25
Trying 74.125.25.26…
(times out)

telnet ALT3.ASPMX.L.GOOGLE.COM 25
Trying 64.233.169.26…
Connected to ALT3.ASPMX.L.GOOGLE.COM.
Escape character is ‘^]’.
(yay, we have a winner!)

telnet ALT4.ASPMX.L.GOOGLE.COM 25
Trying 74.125.70.27…
Connected to ALT4.ASPMX.L.GOOGLE.COM.
Escape character is ‘^]’.
(yay, we have a winner!)

So, we can see that alt3, alt4 work, but none of the others do (as of 9th September 2015 from Shanghai)

So, some rudimentary testing shows that some servers work, and some do not.
How does that apply to real world examples?

Let’s look at a non-working domain – ihg.com

dig mx ihg.com

;; ANSWER SECTION:
ihg.com. 600 IN MX 100 aspmx3.googlemail.com.
ihg.com. 600 IN MX 50 alt1.aspmx.l.google.com.
ihg.com. 600 IN MX 50 alt2.aspmx.l.google.com.
ihg.com. 600 IN MX 100 aspmx2.googlemail.com.
ihg.com. 600 IN MX 10 aspmx.l.google.com.

You should easily be able to see 2 things.
1 – that the MX records are not as per Google settings.
2 – that the 2 working MX records are not listed.

This means that while their MX records probably work overseas, mail to them will not be deliverable from China. They need to amend their MX records to Google’s recommended settings.

Let’s look at another example.

dig mx rsms-west.com

;; ANSWER SECTION:
rsms-west.com. 6238 IN MX 30 alt2.aspmx.l.google.com.
rsms-west.com. 6238 IN MX 10 aspmx.l.google.com.
rsms-west.com. 6238 IN MX 40 aspmx2.googlemail.com.
rsms-west.com. 6238 IN MX 50 aspmx3.googlemail.com.
rsms-west.com. 6238 IN MX 20 alt1.aspmx.l.google.com.

Once again, we can see that the alt3, and alt4 servers are missing, and unfortunately none of the other listed servers are connectable from China.

Lastly, let’s look at a working server

dig mx teamsequel.com

teamsequel.com. 12878 IN MX 1 ASPMX.L.GOOGLE.com.
teamsequel.com. 12878 IN MX 5 ALT1.ASPMX.L.GOOGLE.com.
teamsequel.com. 12878 IN MX 5 ALT2.ASPMX.L.GOOGLE.com.
teamsequel.com. 12878 IN MX 10 ALT3.ASPMX.L.GOOGLE.com.
teamsequel.com. 12878 IN MX 10 ALT4.ASPMX.L.GOOGLE.com.

You can see that they have the correct Gmail settings as per Gmail / Google settings page, and mail to them is deliverable (as alt3, alt4 are currently not being blocked by the beneficent government of China).

Unfortunately as this is an issue that is out of our control (MX records are incorrect, and China is being difficult), we cannot mitigate against it. The affected domains will need to amend their MX records appropriately as per the page here- https://support.google.com/a/answer/33915?hl=en.
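The check walked through above can be scripted. The following is an added example, not code from the original post: it parses the dig answer sections quoted above, orders the MX hosts the way a sending server tries them, and reports which of them are in the set that answered on port 25 from Shanghai in the telnet test. The function names and the REACHABLE set are assumptions made for this example, and the set is only a snapshot of the 9th September 2015 test.

```python
import socket

# Hosts that accepted TCP/25 from Shanghai in the telnet test above
# (9th September 2015). Assumption: a point-in-time snapshot, not a stable list.
REACHABLE = {"alt3.aspmx.l.google.com", "alt4.aspmx.l.google.com"}

def parse_mx(dig_answer):
    """Parse 'name ttl IN MX pref host.' lines into (pref, host), best first."""
    records = []
    for line in dig_answer.splitlines():
        f = line.split()
        if len(f) == 6 and f[2].upper() == "IN" and f[3].upper() == "MX":
            records.append((int(f[4]), f[5].rstrip(".").lower()))
    return sorted(records)  # lowest preference value is tried first

def deliverable_hosts(records, reachable=REACHABLE):
    """MX hosts, in delivery order, that are in the reachable set."""
    return [host for _, host in records if host in reachable]

def probe_smtp(host, timeout=10.0):
    """Live check (needs network): does host accept a TCP connection on port 25?"""
    try:
        with socket.create_connection((host, 25), timeout=timeout):
            return True
    except OSError:
        return False

# Answer sections copied from the dig output quoted in the article.
IHG = """\
ihg.com. 600 IN MX 100 aspmx3.googlemail.com.
ihg.com. 600 IN MX 50 alt1.aspmx.l.google.com.
ihg.com. 600 IN MX 50 alt2.aspmx.l.google.com.
ihg.com. 600 IN MX 100 aspmx2.googlemail.com.
ihg.com. 600 IN MX 10 aspmx.l.google.com.
"""
TEAMSEQUEL = """\
teamsequel.com. 12878 IN MX 1 ASPMX.L.GOOGLE.com.
teamsequel.com. 12878 IN MX 5 ALT1.ASPMX.L.GOOGLE.com.
teamsequel.com. 12878 IN MX 5 ALT2.ASPMX.L.GOOGLE.com.
teamsequel.com. 12878 IN MX 10 ALT3.ASPMX.L.GOOGLE.com.
teamsequel.com. 12878 IN MX 10 ALT4.ASPMX.L.GOOGLE.com.
"""

if __name__ == "__main__":
    for name, answer in (("ihg.com", IHG), ("teamsequel.com", TEAMSEQUEL)):
        usable = deliverable_hosts(parse_mx(answer))
        print(name, "->", usable or "no MX reachable from inside China")
```

To refresh the reachable set from your own network, run probe_smtp() against each Google MX host and rebuild REACHABLE from the hosts that connect.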

Update

Google has added another MX (mail server) for Google Hosted mail – alt4.gmail-smtp-in.l.google.com.

This does not currently appear to be blocked (unlike their other 4 MX servers), so we have removed the forwarding, and mail is transiting normally.


China has completely blocked gmail hosted mail as of today [28th April 2015]

This means that all mail heading to Google’s servers is now blocked from Chinese ISPs like ourselves.

Symptoms will include bounce messages where our server has given up retrying to send out the mail, as the remote server is not accessible over the Chinese internet.

For example:

Hi. This is the qmail-send program at mail.computersolutions.cn.
I’m afraid I wasn’t able to deliver your message to the following addresses.
This is a permanent error; I’ve given up. Sorry it didn’t work out.

:
Sorry, I wasn’t able to establish an SMTP connection. (#4.4.1)
I’m not going to try again; this message has been in the queue too long.

In the interim, we have added forwarding for all Gmail addressed mail to transit through our overseas mail servers in the USA.

This should solve email delivery issues for Gmail addresses – essentially anything addressed to someone @gmail.com

We are looking at solutions for resolving delivery to other Google hosted mail clients. This will take some time to come up with a usable solution. In the interim, we can manually add routes on a server by server basis.

Be aware that this specific issue is out of our control, and we can only mitigate against it.

Examples of google hosted mail clients from recent queries/failure notices:

teamsequel.com – Their mail is served by google.

dig mx teamsequel.com

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> mx teamsequel.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11757
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;teamsequel.com. IN MX
;; ANSWER SECTION:
teamsequel.com. 2320 IN MX 5 ALT1.ASPMX.L.GOOGLE.com.
teamsequel.com. 2320 IN MX 5 ALT2.ASPMX.L.GOOGLE.com.
teamsequel.com. 2320 IN MX 10 ALT3.ASPMX.L.GOOGLE.com.
teamsequel.com. 2320 IN MX 10 ALT4.ASPMX.L.GOOGLE.com.
teamsequel.com. 2320 IN MX 1 ASPMX.L.GOOGLE.com.

dreamonproductions.com – their mail is served by google.

dig mx dreamonproductions.com

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> mx dreamonproductions.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35828
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;dreamonproductions.com. IN MX
;; ANSWER SECTION:
dreamonproductions.com. 3600 IN MX 5 alt1.aspmx.l.google.com.
dreamonproductions.com. 3600 IN MX 1 aspmx.l.google.com.
dreamonproductions.com. 3600 IN MX 10 aspmx2.googlemail.com.
dreamonproductions.com. 3600 IN MX 5 alt2.aspmx.l.google.com.
dreamonproductions.com. 3600 IN MX 10 aspmx3.googlemail.com.

China wanted control over the internet, and now they have it.

2 years ago, China was a spammer haven, as domain registration was cheap, and USA based spammers (who are still the source of 99% of spam) registered a gazillion odd spam domains.

The powers that be decided to change that.

They changed the law.

First it only affected new domain registrations: you needed to provide real info for those registrations. Once they had that down, they extended it so that only Chinese people or Chinese organizations could register Chinese domains. Then they started enforcing ICP registration for domains – each domain in China requires an ICP licence, or it can’t be hosted. For bonus annoyance points, to do an ICP registration the website must be shut down until the licence gets issued.

Then they extended that to no ICP licence, no domain – if your domain doesn’t have an ICP licence, bam, it’s put in suspended state at the registrar.
Now they’re rigorously enforcing ICP registrations to the nth degree.

They’ve been cancelling those left right and center for no real reason, forcing people to resubmit.

Currently an ICP submission requires that you have an ISP licence, as only ISPs can submit ICPs for their hosted domains.

Each ISP has to verify sites as follows. Have the owner or representative for the site fill in 3 forms, make certified copies of their business licence and a copy of their ID, and take a photo of them in the ISP’s office. That is the reason why all our clients now need to come to our office for photos and bring documents for their registrations.

These are scanned and submitted to the local Telecom authority through the ICP backend registration system. The user is then assigned a login and password where they can check their ICP licence at the MII official website.

It’s been a pain in the ass for us recently as the Telco has been arbitrarily cancelling perfectly good ICP licences without notice or reason.
The Telecom bureau for each region does publish blacklists, but guess what – the cancelled ones don’t appear on the blacklist.

If you host a domain with a cancelled licence (which, unless you literally check all your clients’ licence stuff daily, you currently have no way of knowing about), then the Telco will also do fun things like call you at 6:30 on a Friday evening and tell you that you have 30 minutes to remove that domain, or they shut down that IP address (shutting off hundreds of clients). What fun.

It’s gotten to the point that I’m seriously considering moving all my non .cn clients to a new overseas server because we can’t keep up with their ever changing needs.

They keep changing the rules and regulations, they don’t have a decent mechanism in place for tracking stuff, and there is no warning if they arbitrarily cancel a licence.

What it’s meant for us is that domain management has gotten dramatically more time intensive over the last year, as the regulations and requirements for paperwork have changed a number of times now, requiring resubmissions, constant checks, and a lot more work. We have had to hire additional staff a few times already to cater for this at various points in time too.

All this does is increase our costs substantially, and annoy clients who ask why they need to do the ICP stuff yet again when they already did it.

Thank you China. Not.

As the law has changed regarding pet dogs in Shanghai (again), here are the steps to get your dog licensed.

The new rules state that people can only own 1 pet per household from now on.
The only exception to this is where you had more pets previously licensed in your household; you can continue to renew their licenses, but not add new dogs.

Note that the instructions below are for Xu Hui District, but are similar for other districts.

I suggest you buy a plastic file, and keep all related paperwork together.
To succeed in this mission, you’ll need patience, some cash, and some kind of canine.

Ouch that hurt! aka vaccinations

Bring
Dog
Money (few hundred rmb).

In Xu Hui district (also would be ok for other districts), this is the large pet hospital at 2451 Xie Tu Lu
带狗去斜土路2451号打疫苗 (Take the dog to 2451 Xie Tu Lu for vaccination)

You’ll need to ask for a “gou yi miao ban zheng” 办理狗证续证

The dog will get a vaccination shot, price for this varies depending on which vet you visit, but should be less than 100rmb.
You’ll also get a piece of paper. This is called a da zhen ping zheng. This is important, don’t lose it!

If your dog has never been licenced before, you will also need to get an id implanted too.
This is a small rfid tag that gets injected somewhere around the neck area.

This will also cost somewhere in the less than 100rmb range.
You’ll also get a piece of paper for that, again, don’t lose it.

If you don’t have the magic piece of paper, have the vet make another one for you. China runs on small bits of paper that are easily lost, so make sure that you have anything you possibly may need in a folder.

Lastly, don’t forget to get an official fapiao for the above, and keep that together with everything else.

The Joy of Paperwork! (at your local neighborhood police station)

Bring
The rental contract for where you live (or a property ownership book if you own your apartment).
Your Passport (with your work permit / residence permit inside).
The 2 or 3 papers from the vet that you got in step 1.
Your dog.
More money (500rmb)

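In Chinese that looks like this – 带上狗证,房产证,护照去徐汇区湖南派出所登记 (Bring the dog certificate, property ownership certificate and passport to the Hunan police station in Xu Hui District to register)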
Take all of the above to your local police station.
(Not all do licenses, but they’ll be able to point you to which one in your district is responsible for doing dog licenses)

In Xu Hui district this is on Xiang Yang Lu, near Fuxing road (opposite the fake electronics mall)

    Telephone: 23037446
    Office hours: 8:30am-5:00pm
    Address: 襄阳南路203号靠近复兴中路 (Xiangyang Nanlu 203#, near Fuxing Zhonglu)

Give them all the paperwork you have so far, and 500RMB.
They should give you another slip of paper with a receipt, and a date to come back.
OR they’ll do it all there and then.
This depends on your districts setup.

Success!

Whichever of the above, at some point you’ll collect a pack of goodies!

This will include a dated sticker (this should be stuck on your door)
A Dog licence photo id card (this should be carried whenever you walk your dog).
A dog tag (which you should put on your dogs collar).
Plus some other assorted bits and pieces depending on which dog food company is sponsoring the gifts (last year was a bowl and some dog food).

I usually make copies of everything, and put into that file I told you to make in step one, and throw it into a safe place.

Currently you don’t need to bring photos, but from the 15th of June 2011, you’ll need to bring photos.
One side view, and one front view of your dog, in passport photo sized (1×3″) shots.
This was immense fun last time I tried to do this, as my dog doesn’t want to sit still for photos, and it took a while to get that done.

At time of writing this is all currently correct, but rules change (e.g. we’re not sure about the photos thing yet), so have a Chinese person call and confirm first. Make sure that they ask for a clear answer that you understand, as it’s not unknown for people in China to forget to tell you about some essential item you need to bring, so ask clearly for what exactly is needed, and have them repeat it back to you.

Good luck!
