Browsing all articles tagged with china

Flattr this!

Some of our clients are experiencing delivery issues to some domains that use Gmail/Google for their email.

I previously covered that here –

The issue is that China is still blocking Gmail/ Google hosted mail, and the recipient domain hasn’t setup their MX records correctly.

This is fine for servers outside of China, where all of googles mail servers (should) work, but breaks things for those inside China, where only a few servers are reachable.

Google hosted mail settings are here:

You’ll note that there are 5 different email servers that are listed in priority order.

Priority Mail Server

For mail servers, the higher number is more important, so a priority of 1 will be the first server tried, then the next highest number, and so on.

If I try to connect to the servers from China.

(times out)

(times out)

(times out)

Escape character is ‘^]’.
(yay, we have a winner!)

Escape character is ‘^]’.
(yay, we have a winner!)

So, we can see that alt3, alt4 work, but none of the others do (as of 9th September 2015 from Shanghai)

So, some rudimentary testing shows that some servers work, and some do not.
How does that apply to real world examples.

Lets look at a non-working domain –

dig mx

;; ANSWER SECTION: 600 IN MX 100 600 IN MX 50 600 IN MX 50 600 IN MX 100 600 IN MX 10

You should easily be able to see 2 things.
1 – that the MX records are not as per Google settings.
2 – that the 2 working MX records are not listed.

This means that while their MX records probably work oversea’s, they will not be deliverable from China. They need to amend their MX records to Googles recommended settings.

Lets look at another example.

dig mx

;; ANSWER SECTION: 6238 IN MX 30 6238 IN MX 10 6238 IN MX 40 6238 IN MX 50 6238 IN MX 20

Once again, we can see that the alt3, and alt4 servers are missing, and unfortunately none of the other listed servers are connectable from China.

Lastly, lets look at a working server

dig mx 12878 IN MX 1 12878 IN MX 5 12878 IN MX 5 12878 IN MX 10 12878 IN MX 10

You can see that they have the correct Gmail settings as per Gmail / Google settings page, and mail to them is deliverable (as alt3, alt4 are currently not being blocked by the beneficent government of China).

Unfortunately as this is an issue that is out of our control (MX records are incorrect, and China is being difficult), we cannot mitigate against it. The affected domains will need to amend their MX records appropriately as per the page here-

Flattr this!


Google has added another MX (mail server) for Google Hosted mail –

This does not currently appear to be blocked (unlike their other 4 MX servers), so we have removed the forwarding, and mail is transiting normally.

China has completely blocked gmail hosted mail as of today [28th April 2015]

This means that all mails heading to google’s servers is now blocked from Chinese ISP’s like ourselves.

Symptoms will include bounce messages where our server has given up retrying to send out the mail, as the remote server is not accessible over the Chinese internet.

EG –

Hi. This is the qmail-send program at
I’m afraid I wasn’t able to deliver your message to the following addresses.
This is a permanent error; I’ve given up. Sorry it didn’t work out.

Sorry, I wasn’t able to establish an SMTP connection. (#4.4.1)
I’m not going to try again; this message has been in the queue too long.

In the interim, we have added forwarding for all gmail addressed mail to transit through our oversea’s mail servers in the USA.

This should solve email delivery issues for gmail addresses – essentially anything addressed to someone

We are looking at solutions for resolving delivery to other google hosted mail clients, this will take some time to come up with a usable solution. In the interim, we can manually add routes on a server by server basis.

Be aware that this specific issue is out of our control, and we can only mitigate against it.

Examples of google hosted mail clients from recent queries/failure notices: – Their mail is served by google.

dig mx

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11757 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 0 ;; QUESTION SECTION: ; IN MX ;; ANSWER SECTION: 2320 IN MX 5 2320 IN MX 5 2320 IN MX 10 2320 IN MX 10 2320 IN MX 1 – their mail is served by google.

dig mx

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35828 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ; IN MX ;; ANSWER SECTION: 3600 IN MX 5 3600 IN MX 1 3600 IN MX 10 3600 IN MX 5 3600 IN MX 10

Flattr this!

As our clients probably know, we run our own email servers.

Email is one of those things that looks simple on the surface, but isn’t necessarily so simple when it comes down to troubleshooting.

As is typical, the day started with a trouble ticket from a client letting us know that they were having difficulties receiving mail from one of their clients.

I was also given enough information to start troubleshooting without having to ask for additional information, which was nice, as this sometimes takes time to get.

We do have an email issues page with some notes and instructions for what is needed linked off of our webmail page; the issues page is here.

The bounce message supplied included headers, so it was fairly straightforward to work out what server they were using.

The sender ( was seeing the below as an error, when emailing us:

Failure notice from

I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

As we have multiple mail servers in different countries, I first needed to identify which server they were connecting too, so I could check logs.

I usually do this by searching through our logs for occurrences of the senders domain.

If that doesn’t find any results, then I lookup what their mail servers should be and check for entries in our logs from those servers.

This doesn’t always guarantee a result, but in this case I had enough information to get a result.

Our sender was coming from, so I checked to see what mail servers they might use.

To check what mail servers are used, we check the MX (Mail Exchanger) records for their domain. In this instance I used dig – a dns lookup tool.

dig mx 3600 IN MX 10 3600 IN MX 0

We can see that mail is served by for the domain. We can also see that the MX records are incorrect, as their are 2 entries pointing at the same server with different preferences. This won’t cause mail to be rejected though, so its not the issue we’re looking for.

Next we check the ip address for

Some mail servers are on shared servers, so the domain name does not always match up with the ip address. We need the ip address as we need to search the logs for that, or addresses close to that range.

A simple ping should return their ip address.


Reply from

In this instance, points at

As mail servers also require valid reverse DNS entries, I also checked if that ip address has a valid reverse dns entry with nslookup.

Server: ::1
Address: ::1#53

Non-authoritative answer: name =

In this case, their reverse DNS is
Just to double check thats valid, I pinged the name, and got a valid response.

PING ( 56(84) bytes of data.
64 bytes from ( icmp_req=1 ttl=51 time=29.0 ms

So, we’ve done some basic checks –

We’ve checked that the sender domain has MX records.
We’ve checked that their mail server exists, and it has both forward and reverse dns.

Next up, I need to search the logs for connections from their server.

If I search for connections to our mail servers from 218.244.133 I saw the following:

USA – no results.
CN – no results.
CN2 – rejections.

Looking at the logs, I immediately saw that our server was rejecting their mail for failing MFCHECK

@400000004fb3951e1f2ee324 tcpserver: ok 8328
@400000004fb3951e28966374 jgreylist[8328]: OK known
@400000004fb3952504477f44 qmail-smtpd[8328]: MFCHECK fail []

The MFCHECK code checks the domain portion of the envelope sender address (in the MAIL FROM command) to make sure it’s a real domain which has at least one MX record. This prevents spammers from being able to use phony domain names in their forged sender addresses.

In this case, our server was rejecting mail from them due to this failure.

As we didn’t have sufficient logs to see *why* this was happening, I turned on full connection logging for their ip address, and asked them to send us another mail.

They did so, and I checked the logs for what was happening.
(see below)

@400000004fb48fad0004630c tcpserver: ok 17315
400000004fb48fae061430c4 17315 > 220 NO UCE ESMTP
400000004fb48fae090ae354 17315 < EHLO 400000004fb48fae090decac 17315 > NO UCE
400000004fb48fae090df094 17315 > 250-SIZE 0
400000004fb48fae090df47c 17315 > 250-PIPELINING
400000004fb48fae090df864 17315 > 250 8BITMIME
400000004fb48fae0c26ec7c 17315 < MAIL FROM:
400000004fb48fc0396b0344 17315 > 451 DNS temporary failure (#4.3.0)
400000004fb48fc10a1b68f4 17315 < QUIT

In this case, their server started off the conversation with

As mail servers need to provide a valid domain that they claim to be sending from, I checked if existed.
It didn't.

So, that was the reason.

Having identified that, I whitelisted their server ip address for the MFCHECK portion of our checks, and asked them to resend mail again.

Unfortunately this did not let them send mail as they failed another test!

@400000004fb495f92bd72ec4 qmail-smtpd[22644]: Received-SPF: error ( error in processing during lookup of DNS problem)

As SPF relies on TXT records, I tried to manually lookup their DNS

dig TXT

; <<>> DiG 9.7.3 <<>> TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11512 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

That failed.


I then tried using an oversea's server to lookup their domain.

dig ns

; <<>> DiG 9.7.3 <<>> ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41739 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ; IN NS ;; ANSWER SECTION: 2931 IN NS 2931 IN NS

That lookup worked.

So, we're getting somewhere.

We've identified a number of issues, and its starting to look like their DNS servers are blocked in China from a cursory test.

To confirm this I checked if using their DNS servers worked from within China.

Check from ns53 fails -
> server
Default server:
Default server:
Address: 2607:f208:206::1b#53
;; connection timed out; no servers could be reached

Check from ns54 fails -
> server
Default server:
Default server:
Address: 2607:f208:302::1b#53
;; connection timed out; no servers could be reached

As those failed, I tried pinging their server.
PING ( 56(84) bytes of data.
--- ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7056ms

Ping test fails

Next, I tried to see where it was failing with traceroute.

root@edm:/home/shanghaiguide# traceroute
traceroute to (, 30 hops max, 60 byte packets
1 ( 5.723 ms 5.899 ms 6.078 ms
2 ( 3.860 ms 3.878 ms 3.936 ms
3 ( 3.545 ms 3.608 ms 3.686 ms
4 ( 4.154 ms 4.421 ms 4.419 ms
5 ( 4.657 ms 4.632 ms 4.635 ms
6 ( 4.671 ms 5.401 ms 5.367 ms
7 ( 6.387 ms 6.330 ms 6.301 ms
8 ( 8.003 ms 7.941 ms 7.743 ms
9 ( 7.829 ms 7.656 ms 7.647 ms
10 ( 175.491 ms 175.982 ms 171.405 ms
11 ( 155.507 ms 155.755 ms 155.750 ms
12 ( 191.389 ms 191.306 ms 191.544 ms
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *

Traceroute fails (at

% [ node-5]
% Whois data copyright terms

inetnum: -
descr: Chinanet POP in American
descr: 201 S. Lake Ave. Suite 604, Pasadena, CA 91101
country: CN
admin-c: CH93-AP
tech-c: CH93-AP
changed: 20020221
source: APNIC

So, it looks like there are 3 issues.

1) Invalid MX setup (although this is not going to stop mail from failing).
2) Their Mail server claims to be a non-existent domain.
(Note that this seems to have been subsequently rectified, as that domain now resolves).
3) Their DNS servers are blocked within China.

To solve that, I added an external DNS lookup from outside the country.

In summation, simple things may involve multiple issues, as we can see from above!

In this case, we resolved the issue by whitelisting the senders ip to bypass the MFCHECK failure. We then added external DNS resolvers to our Mail Servers to bypass the block.
Lastly informed the sender, and the client of all of the issues noted so that they could be resolved.

Flattr this!

Dear Clients,

The government has imposed extended legislation regarding domains and domain hosting in China.  As part of these new requirements, we will be required to keep and maintain a set of registration documents for each domain we host.

We will also need to impose a small service fee (300rmb per client for first domain, 100rmb for subsequent domains) for providing assistance with application submission, so that we can cover our costs.

We are now required to do the following for all .CN domains we administer according to Chinese Law.

  1. Take a color headshot of the contact person of the Applicant Company.This photo must be taken in our office against an official backdrop image.
  2. Provide:
    – A copy of the Certificate of Business License of Legal Entity for the applicant company or a copy of the Certificate of National Organization Code of the applicant company.

    – A copy of the Chinese Resident Identity Card of the contact person of the applicant company.

    Applicants will need to bring the originals to our office so that we can scan them in color in an acceptable format for CNNIC and MII.

  3. Have the applicant sign/ chop a registration form confirming all information is correct.
  4. Ensure that your ICP 备案 is up to date and information is correct.
  5. Verify domain content, and ICP presence on your site.

Note that no personal .CN domain registrations are currently allowed for foreigners.

We are required to submit a valid China business licence, and Chinese ID to the applicable authorities.

If this information cannot be submitted, and your domain url ends in .CN , you will lose your .CN domain..

This information has to be submitted by us to the relevant involved bureau’s (MII, CNNIC, Shanghai Telecom) before the end of October.

We appreciate that this is quite short notice, and urge you to arrange a time to come to our office to fulfil these requirements before the end of October.

We will be updating our ICP and other customer support sites shortly to take into account new requirements.

Mini FAQ

What is a .cn domain?

Any domain that ends in .cn


Is this applicable to .com or other domains too?


We are required to submit and verify identification information for all domains that we host prior to November 1st.

All clients with domains will need to submit information by coming to our offices with the required information.

Where can I read more about this?
(Note that requirements were extended on October 1st to be applicable for all domains, not just new registrations.)




– 提供一份申请公司联系人的中国居民身份证复印件一份。
-你需带上原始件,以便我们能够彩色扫描为CNNIC 和 MII格式。



如果此信息不能提交,那么你将失去 CN域名。




Mini FAQ

这个对.com 或其他域名也适用吗?


Flattr this!

When DNS goes bad

This year someone in China misconfigured something which effectively exported China’s main method of implementing blocks (man in the middle DNS spoofing) semi globally over the Global Crossing backbone for the last few weeks.

Effectively, China’s blocking, went global (for certain providers).

Read more »

Flattr this!

As I’m currently in the airport, waiting for a flight back to the UAE, I thought I’d share this small snippet of transparency vs secrecy.

As most China users will know, there is no official agency that “blocks” websites. In fact, most of the time, the government states that sites are not blocked, despite fairly obvious proof to the contrary.

China typically asserts that “connection resets” to sites like Facebook and Youtube are just network issues, despite those network issues solely appearing at the ip addresses associated with the government firewalls at the gateway routers to overseas.

Here in the UAE (Dubai), the government still blocks, but at least they’re upfront about it:
See below for an example of a blocked site

Why is this important?

Transparency is a big problem for western entities doing business in China. As with the recent Google PR stunt/debacle, most companies have no real mechanism for dealing with arbitrary judgements for / against things that affect their business.

A clear and transparent mechanism for dealing with why sites are blocked, coupled with a delisting mechanism would be a good place to start. It would also help to defuse the detractors against censorship – although most countries censor, China is one of the usual scapegoats picked on.

Maybe if China implemented a what (was blocked) / why (it was blocked) / how (to get unblocked) system, detractors would have less to complain about.


Flattr this!

Although I’m loathe to call ourselves a corporation – we’re not!, we do try to do the odd bit of good for the community, whether locally, or regionally.

Last year saw our first donation to the Library Project. The Library Project is a worthy cause, and donates books and libraries to under financed schools and orphanages in the developing world.

Computer Solutions donated funds for a Library, which ended up going to Chen Jia Gou Elementary school in Shaanxi province.

Link to our donated library here –

We also donate support to a more local cause – LifeLine Shanghai.

Computer Solutions has been providing complementary IT, and Web Services for a number of years now for Lifeline. Last year, after a few months of persuasion they finally agreed to let us redesign their existing volunteer created website too.

Our design team took note of LifeLine’s requirements, and came up with something more visually appealing, with a clearer layout and site structure. Visit their site here –

Lastly, we also support a cause which donates items and books for schools up in Qinghai. We’ve previously donated computers, funds, and other items to help out. More info about that here: Do your part too, and help out, donations of clothes and other items are very welcome!

Lastly, if you are a charity organization in Shanghai, or China, and would like us to assist you in some way, please contact us. We’re more than happy to donate our services to worthy causes.

Flattr this!

This rather well done song and video about swine flu (aka H1N1) has been doing the rounds on the Chinese sites that I frequent.

As Shanghai Tattoo says “Hopefully this means the end now that it’s made it to pop culture”.

猪流感之歌 lyrics below.
Now sing along – Zhuuuuuuuuu!

Sung by:欧子
Words by: 每子爱


Crappy google auto-translation for those who don’t read Chinese as well as I *obviously do*.

Cough. Cough, ahem, sorry a bit of H1N1 there…

Pigs, your earth-shattering influenza
When you are scared of the cold I can not breathe

Pigs, blame your foreign brother
Sneeze their victims, we avoid

Pig, you had such a poor physical
We are all victims do not know the result in the吃啥

Pigs, blame you eat and sleep ah
Raining Cats and the nose is punished by God

Ah … …

Marshal canopy you get into trouble this time
Sneeze a dozen of his victims home

He worried about every day they are worried
Ah his meat
I dare not吃啦

Pigs, I know you is not easy
In fact, your meat
Our already can not afford to eat

Pig, I help you put on cotton coat
Cold if you fall ill
God can not afford

Marshal canopy you get into trouble this time
Sneeze a dozen of his victims home

He worried about every day they are worried
Ah his meat

Flattr this!

Why do I need an ICP licence?

As we often get asked why people need to register an ICP licence, as well as whats required. I thought it would be a good idea to explain what it is, and why its needed.

Essentially, an ICP licence is a permit from the Ministry of Industry and Information Technology (MII) in order to have a website in China.
In Chinese this licence is called a Bei An (ICP备案).

This was made law way back in September 2000, but not enforced until the late parts of this decade – 2007 onwards.
The latest documentation about this, and other requirements (in Chinese) is over here –

It is mandatory for any websites hosted in China to have an ICP licence, under penalty of law.
This applies whether the site is a .com, or a .cn or any other kind of domain name.

How do you apply for an ICP licence?

Website ICP licences are applied for at the MII website ( ), as this is all in Chinese, we typically assist clients with this process.

What do I need to apply for an ICP licence?

The official requirements are below:

Name of the website owner
Ownership information – ( Is the site is owned by an individual or a company? )
Valid identification documents (e.g., passport, ID card, etc)
Passport ID or Identification ID

Name of website investor
Your Location (in China)
Address (in China)
Operation type

Contact Person
Types of valid identification documents of the contact Person (e.g., passport or ID card, etc)
Passport ID or other Identification ID of the contact person
Office Phone (in China)
Mobile Phone (in China)

Name of the website
Home page of the website
Domain name of the site
What type of site it is (e.g., blog, forum, etc.)
What is the content of the site?

Although foreigners should be able to apply for an ICP licence, in practice that’s not possible (we haven’t been able to successfully have an ICP licence issued for a foreigner for at least a year).
Effectively this limits us to the following two requirements (we can fill in the rest for you):

Legal Chinese Company Licence Number
Company Name (in Chinese and English)


Chinese Name
ID number.

Note that while companies are able to register multiple websites, individuals are only permitted to register a single site.

Where do I put the licence?
The excerpt from the official wording reads as follows: 并在取得经营许可证或备案号后 3 天内放在网站主页下方显著位置.
This basically says that the licence must be placed on the website within 3 days of receiving the licence, and must be placed on the home page at the bottom of the page.

Note that we do check clients sites on a semi regular basis for this, so if you redesign your site and forget to put the ICP licence in, you may find your site closed until this is done.

How long does it take?
Typically licence application takes less than two weeks. We have seen licenses issued in as little as a day though, through to taking 2-3 months!
This all depends on when you apply, and what kind of business you are doing in China.

We recommend that you avoid leaving things until the Chinese Holidays if things are urgent, as the relevant departments are usually understaffed, and about to go on vacation.
In a worst case scenario, we can host sites oversea’s until the licence is issued.

The licence department will ask us to close down acccess to the site when they perform the check though.

We recommend that licenses are applied for well ahead of time, so that you don’t have any downtime.

What does it cost?
Applying for an ICP licence is free. If you are one of our clients, we perform licence application as part of our service.
If you aren’t one of our clients, then why not become one!

What kind of sites can get licenses? / What can we host?
Any site that does not contravene China law can get a license. We cannot assist you with hosting anything that is illegal in China!

China law prohibits the following kinds of websites:

  • Pornographic or promoting immoral behaviour.
  • Sites offensive to the Chinese government or people.
  • Sites that sell online drugs or satellite equipment
  • Sites that promote banned activities or organizations.

Note that certain kinds of content do require additional licensing, in addition to an ICP licence.

An example would be BBS (Forums).
If you require a forum, we recommend that the forum is hosted outside of China until a license can be issued.

Note that BBS licensing requires additional fee’s and documentation due to the amount of work involved.

Flattr this!

I wrote this for a post on an Expat site, its good info for those of you with Chinese licence’s going abroad.

China driver licence holders info:

China is not a signatory to the IDP (International Drivers Permit) international law.
So, China has NO IDP to issue,and no IDP issuer.

For China drivers licence holders, you just need an official translation of the licence into English (or the official language of the country you will be driving in) from a notary.

Suggest get that done here in China, where the notaries read Chinese.
Put a copy in your licence wallet, and you are good to drive in other countries.

Some other rules apply in certain countries – eg in Europe you can drive for a maximum of 6 months during visits, then they require you to apply for a local licence.

The basic facts aren’t clear (and they should be).

Basically each country thats a signatory has an official IDP issuer, and the IDP *must* be procured from them, or its invalid.

If the country is not a signatory, then a translation in the language of the destination country is sufficient.