Backup mx relay got rejected due to SPF

gao
Hi,

I just built a Postfix mail server (mail.mytestmx.com) with PostfixAdmin, SPF, DKIM, etc. It works very well. Now I am trying to use the newly built server as the backup mail server for another server (zeta.othermx.com), so I added a backup domain in PostfixAdmin and set up DNS accordingly. Later an email came in addressed to [hidden email], and the relay attempt was rejected at zeta.othermx.com because of SPF.

So what is the solution here? Should I add mail.mytestmx.com to zeta.othermx.com's SPF record and make it trust it? If so, are there any risks?

Here I copied the maillog:
------------------------------------------
 Nov 17 11:12:43 mail postfix/postscreen[9604]: CONNECT from [70.38.36.41]:57302 to [10.11.22.33]:25
Nov 17 11:12:49 mail postfix/postscreen[9604]: PASS NEW [70.38.36.41]:57302
Nov 17 11:12:49 mail postfix/smtpd[9612]: connect from r41.emails.aircanada.com[70.38.36.41]
Nov 17 11:12:50 mail postfix/policy-spf[9622]: Policy action=PREPEND Received-SPF: pass (emails.aircanada.com ... p18.neolane.net: 70.38.36.41 is authorized to use '[hidden email]' in 'mfrom' identity (mechanism 'ip4:70.38.36.40/30' matched)) receiver=mail.mytestmx.com; identity=mailfrom; envelope-from=[hidden email]; helo=r41.emails.aircanada.com; client-ip=70.38.36.41
Nov 17 11:12:50 mail postfix/smtpd[9612]: 9202040121F2: client=r41.emails.aircanada.com[70.38.36.41]
Nov 17 11:12:50 mail postfix/cleanup[9625]: 9202040121F2: hold: header Received: from r41.emails.aircanada.com (r41.emails.aircanada.com [70.38.36.41])??by mail.mytestmx.com (Postfix) with ESMTP id 9202040121F2??for [hidden email]; Fri, 17 Nov 2017 11:12:49 -0800  from r41.emails.aircanada.com[70.38.36.41]; from=[hidden email] to=[hidden email] proto=ESMTP helo=<r41.emails.aircanada.com>
Nov 17 11:12:50 mail postfix/cleanup[9625]: 9202040121F2: message-id=[hidden email]
Nov 17 11:12:50 mail opendkim[1277]: 9202040121F2: r41.emails.aircanada.com [70.38.36.41] not internal
Nov 17 11:12:50 mail opendkim[1277]: 9202040121F2: not authenticated
Nov 17 11:12:50 mail opendkim[1277]: 9202040121F2: DKIM verification successful
Nov 17 11:12:53 mail MailScanner[9148]: New Batch: Scanning 1 messages, 38613 bytes
Nov 17 11:12:53 mail MailScanner[9148]: Virus and Content Scanning: Starting
Nov 17 11:12:53 mail MailScanner[9148]: Spam Checks: Starting
Nov 17 11:12:53 mail MailScanner[9148]: Expired 2 records from the SpamAssassin cache
Nov 17 11:12:53 mail MailScanner[9148]: MailWatch: Blacklist refresh time reached
Nov 17 11:12:53 mail MailScanner[9148]: MailWatch: Starting up MailWatch SQL Blacklist
Nov 17 11:12:53 mail MailScanner[9148]: MailWatch: Read 0 blacklist entries
Nov 17 11:12:56 mail postfix/smtpd[9612]: disconnect from r41.emails.aircanada.com[70.38.36.41] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 17 11:13:00 mail MailScanner[9637]: Found phishing fraud from http://t.emails.aircanada.com/r/?id=h6f6c61ee,1448d239,1448e479 claiming to be www.aeroplan.com in 9202040121F2.A6CDC
Nov 17 11:13:00 mail MailScanner[9637]: Found phishing fraud from http://t.emails.aircanada.com/r/?id=h6f6c61ee,1448d239,1448e47b claiming to be www.aircanada.com in 9202040121F2.A6CDC
Nov 17 11:13:00 mail MailScanner[9637]: Found phishing fraud from http://t.emails.aircanada.com/r/?id=h6f6c61ee,1448d239,1448e47c claiming to be www.aircanada.com in 9202040121F2.A6CDC
Nov 17 11:13:00 mail MailScanner[9148]: Content Checks: Detected and have disarmed web bug, phishing tags in HTML message in 9202040121F2.A6CDC from [hidden email]
Nov 17 11:13:00 mail MailScanner[9148]: Requeue: 9202040121F2.A6CDC to EEAA64012121
Nov 17 11:13:00 mail MailScanner[9148]: Uninfected: Delivered 1 messages
Nov 17 11:13:00 mail postfix/qmgr[5097]: EEAA64012121: from=[hidden email], size=37534, nrcpt=1 (queue active)
Nov 17 11:13:00 mail MailScanner[9148]: Deleted 1 messages from processing-database
Nov 17 11:13:00 mail MailScanner[9148]: MailWatch: Logging message 9202040121F2.A6CDC to SQL
Nov 17 11:13:00 mail MailScanner[9153]: MailWatch: 9202040121F2.A6CDC: Logged to MailWatch SQL
Nov 17 11:13:01 mail postfix/smtp[9639]: Anonymous TLS connection established to zeta.othermx.com[206.116.44.138]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Nov 17 11:13:02 mail postfix/smtp[9639]: EEAA64012121: to=[hidden email], relay=zeta.othermx.com[206.116.44.138]:25, delay=12, delays=10/0.01/1.3/0.33, dsn=5.7.1, status=bounced (host zeta.othermx.com[206.116.44.138] said: 550 5.7.1 [hidden email]: Recipient address rejected: Please see http://www.openspf.net/Why?s=mfrom;id=communications%40emails.aircanada.com;ip=209.53.201.252;r=zeta.othermx.com (in reply to RCPT TO command))
Nov 17 11:13:02 mail postfix/cleanup[9625]: 14AA440121F2: message-id=[hidden email]
Nov 17 11:13:02 mail postfix/qmgr[5097]: 14AA440121F2: from=<>, size=41119, nrcpt=1 (queue active)
Nov 17 11:13:02 mail postfix/bounce[9640]: EEAA64012121: sender non-delivery notification: 14AA440121F2
Nov 17 11:13:02 mail postfix/qmgr[5097]: EEAA64012121: removed
Nov 17 11:13:03 mail postfix/smtp[9641]: 14AA440121F2: to=[hidden email], relay=a.mx.p18.neolane.net[70.38.33.129]:25, delay=0.99, delays=0/0.01/0.65/0.32, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BF68E1461D6F)
Nov 17 11:13:03 mail postfix/qmgr[5097]: 14AA440121F2: removed



Re: Backup mx relay got rejected due to SPF

Scott Kitterman-4
On Friday, November 17, 2017 12:34:06 PM Gao wrote:

> Hi,
>
> I just built a postfix mail server(mail.mytestmx.com) with PostfixAdmin,
> SPF and DKIM.,etc. It works very well. Now I try to use the new built
> server as the backup mail server of another server (zeta.othermx.com),
> so I add a backup domain in PostfixAdmin and setup DNS accordingly.
> Later there is an email came with destination to [hidden email], the
> relay attempt got rejected at zeta.othermx.com because of SPF.
>
> So what is the solution here? Should I add the mail.mytestmx.com to
> zeta.othermx.com's SPF record and make it trust it? If so are there any
> risk?

SPF checks can only be accurately done at the border of your mail receiving
architecture.  In the case of mail relayed through your backup MX, the backup
MX is the boundary and the receipt of mail from the backup MX at the primary
is (at least architecturally) internal.

White list your backup MX from SPF checks.  Depending on what software you are
using for SPF checking, exactly how you do that will vary.

Scott K

RE: Backup mx relay got rejected due to SPF

Fazzina, Angelo
In reply to this post by gao

Hi, to me it looks like email from=[hidden email] to=[hidden email]

Came in and was cleaned

Nov 17 11:13:00 mail MailScanner[9148]: Content Checks: Detected and have disarmed web bug, phishing tags in HTML message in 9202040121F2.A6CDC from [hidden email]

And requeued

Nov 17 11:13:00 mail MailScanner[9148]: Requeue: 9202040121F2.A6CDC to EEAA64012121

And rejected

Nov 17 11:13:02 mail postfix/smtp[9639]: EEAA64012121: to=[hidden email], relay=zeta.othermx.com[206.116.44.138]:25, delay=12, delays=10/0.01/1.3/0.33, dsn=5.7.1, status=bounced (host zeta.othermx.com[206.116.44.138] said: 550 5.7.1 [hidden email]: Recipient address rejected: Please see http://www.openspf.net/Why?s=mfrom;id=communications%40emails.aircanada.com;ip=209.53.201.252;r=zeta.othermx.com (in reply to RCPT TO command))

WHY ??

According to

http://www.openspf.org/Why?s=mfrom;id=communications%40emails.aircanada.com;ip=209.53.201.252;r=zeta.othermx.com

the MX of mxdove.com is mail.mxdove.com but mail.mxdove.com has no SPF entry that I can find.

Also From was @emails.aircanada.com and allowed IP's are

p18.neolane.net.        1229    IN      TXT     "v=spf1 ip4:70.38.33.128/30 ip4:70.38.36.40/30 ip4:174.142.154.200/30 ip4:174.142.245.174 ip4:174.142.245.175 -all"

But the email came from mail.mxdove.com (209.53.201.252) according to the link above.

Your logs show it came from [70.38.36.41]

In short I think SPF checking looks only one hop back, and you want to relay, so you need to configure things for that.

Not sure I helped but I tried.

-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut, UITS, SSG, Server Systems
860-486-9075

> Hi,
>
> I just built a postfix mail server(mail.mytestmx.com) with PostfixAdmin, SPF and DKIM.,etc. It works very well. Now I try to use the new built server as the backup mail server of another server (zeta.othermx.com), so I add a backup domain in PostfixAdmin and setup DNS accordingly. Later there is an email came with destination to [hidden email], the relay attempt got rejected at zeta.othermx.com because of SPF.
>
> So what is the solution here? Should I add the mail.mytestmx.com to zeta.othermx.com's SPF record and make it trust it? If so are there any risk?



Re: Backup mx relay got rejected due to SPF

Benny Pedersen-2
In reply to this post by gao
Gao skrev den 2017-11-17 21:34:

> So what is the solution here? Should I add the mail.mytestmx.com to
> zeta.othermx.com's SPF record and make it trust it? If so are there
> any risk?

yes recipient validation on backup mx mta, eq don't accept mails that
can't be delivered

the error is that mx don't add all ips to spf, and or final destination
did forget to whitelist backup mx ip, since this is not a border mx ip

silly and simple

Re: Backup mx relay got rejected due to SPF

gao
Thank you all for the help.

Well, then how do I whitelist in SPF? I am using openspf (postfix-policyd-spf-perl) on both servers.

At the end of my master.cf, I have:
policy     unix  -       n       n       -       -       spawn
        user=nobody argv=/usr/bin/perl /usr/local/sbin/postfix-policyd-spf-perl


I couldn't figure out how to whitelist the backup mx on the destination server.

Gao

> Gao skrev den 2017-11-17 21:34:
>
>> So what is the solution here? Should I add the mail.mytestmx.com to
>> zeta.othermx.com's SPF record and make it trust it? If so are there
>> any risk?
>
> yes recipient validation on backup mx mta, eq dont accept mails that cant be delivered
>
> the error is that mx dont add all ips to spf, and or final destination did forget to whitelist backup mx ip, since this is not a border mx ip
>
> silly and simple


Re: Backup mx relay got rejected due to SPF

Benny Pedersen-2
Gao skrev den 2017-11-17 22:26:

> I couldn't figure out how to whitelist the backup mx on the
> destination server.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=468388

i don't know if that's resolved or not

following this link here

https://answers.launchpad.net/postfix-policyd-spf-perl/+question/237219

it seems dropped

so only solution is to add mx into senders spf records v=spf1 mx -all

Re: Backup mx relay got rejected due to SPF

Noel Jones-2
In reply to this post by gao
On 11/17/2017 2:34 PM, Gao wrote:

> Hi,
>
> I just built a postfix mail server(mail.mytestmx.com) with
> PostfixAdmin, SPF and DKIM.,etc. It works very well. Now I try to
> use the new built server as the backup mail server of another server
> (zeta.othermx.com), so I add a backup domain in PostfixAdmin and
> setup DNS accordingly. Later there is an email came with destination
> to [hidden email], the relay attempt got rejected at
> zeta.othermx.com because of SPF.  
>
> So what is the solution here? Should I add the mail.mytestmx.com to
> zeta.othermx.com's SPF record and make it trust it? If so are there
> any risk?


Remember that SPF is for checking the sender, not the recipient, so
the SPF is complaining about the emails.aircanada.com sender
address.  Adjusting your own SPF record won't help this particular
problem.

Add a whitelist entry for the backup MX IP to your postfix main.cf
before the spf policy check, or even better, before any checks.

For a table with a single entry, the inline map type is great; if
you need to whitelist more than a handful of IPs, then a hash: or
cdb: map is probably cleaner.  Your whitelist entry should be near
the top of your restrictions list, typically just after
reject_unauth_destination.  Something like:
# main.cf
...
smtpd_recipient_restrictions =
  permit_mynetworks
  reject_unauth_destination
  check_client_access inline:{192.0.2.33=OK}
  ... other restrictions ...
  check_policy_service ... spf check

If you need more detailed help, please show your "postconf -n" output.




  -- Noel Jones
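
Added illustration (not part of the thread, and not code from Postfix or any SPF policy daemon): the sketch below evaluates the p18.neolane.net SPF record quoted earlier in the thread against the two client IPs seen in the logs, and models a client whitelist placed ahead of the SPF check on the primary MX. It handles only the ip4 and all mechanisms; the function names and the exempt_clients parameter are assumptions made for this example.

```python
import ipaddress

# SPF TXT record for p18.neolane.net, copied from the thread.
SPF_RECORD = ("v=spf1 ip4:70.38.33.128/30 ip4:70.38.36.40/30 "
              "ip4:174.142.154.200/30 ip4:174.142.245.174 "
              "ip4:174.142.245.175 -all")

# Client IPs taken from the log lines in the thread.
SENDER_IP = "70.38.36.41"        # original sender, as seen by the backup MX
BACKUP_MX_IP = "209.53.201.252"  # backup MX, as seen by the primary MX

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(record, client_ip):
    """Evaluate an SPF record that uses only ip4 and all mechanisms."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "ip4":
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name.lower() == "all":
            return QUALIFIERS[qualifier]
        else:
            raise ValueError("mechanism not handled in this sketch: " + name)
    return "neutral"  # no mechanism matched


def primary_decision(client_ip, record, exempt_clients=()):
    """Model the primary MX: client whitelist first, then the SPF check.

    exempt_clients is a hypothetical stand-in for a check_client_access
    table placed before check_policy_service in the restriction list.
    """
    ip = ipaddress.ip_address(client_ip)
    for net in exempt_clients:
        if ip in ipaddress.ip_network(net, strict=False):
            return "OK"  # later restrictions, SPF included, are skipped
    result = spf_result(record, client_ip)
    return "REJECT" if result == "fail" else "DUNNO"


if __name__ == "__main__":
    # The backup MX sees the real sender: SPF passes.
    print(spf_result(SPF_RECORD, SENDER_IP))
    # The primary sees the backup MX as the client: SPF fails, mail bounces.
    print(primary_decision(BACKUP_MX_IP, SPF_RECORD))
    # With the backup MX whitelisted ahead of the SPF check, mail is accepted.
    print(primary_decision(BACKUP_MX_IP, SPF_RECORD, [BACKUP_MX_IP]))
```

Only the backup MX address is exempted; any other client relaying the same envelope sender is still evaluated against the record and rejected.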

Re: Backup mx relay got rejected due to SPF

Noel Jones-2
In reply to this post by Benny Pedersen-2
On 11/17/2017 3:47 PM, Benny Pedersen wrote:

> Gao skrev den 2017-11-17 22:26:
>
>> I couldn't figure out how to whitelist the backup mx on the
>> destination server.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=468388
>
> i dont know if thats resolved or not
>
> following this link here
>
> https://answers.launchpad.net/postfix-policyd-spf-perl/+question/237219
>
> its seems dropped

Yes, the best solution is to whitelist the backup MX in postfix.

>
> so only solution is to add mx into senders spf records v=spf1 mx -all

No, the sender could be any domain on the internet.  The solution is
to whitelist the backup MX in postfix.



 -- Noel Jones

Re: Backup mx relay got rejected due to SPF

Scott Kitterman-4
In reply to this post by gao
The man page explains how to do it, but it's not the most user friendly package.  The Python implementation is much more mature and easier to configure.  It can be found in your distribution/OS packaging system, on pypi, or at https://launchpad.net/pypolicyd-spf .

Scott K

On November 17, 2017 4:26:09 PM EST, Gao <[hidden email]> wrote:

>Thank you all for the help.
>
>Well, then how do I whitelist in SPF? I am using openspf
>(postfix-policyd-spf-perl) on both server.
>
>At the end of my master.cf, I have:
>policy     unix  -       n       n       - -       spawn
>         user=nobody argv=/usr/bin/perl
>/usr/local/sbin/postfix-policyd-spf-perl
>
>I couldn't figure out how to whitelist the backup mx on the destination
>
>server.
>
>Gao
>
>> Gao skrev den 2017-11-17 21:34:
>>
>>> So what is the solution here? Should I add the mail.mytestmx.com to
>>> zeta.othermx.com's SPF record and make it trust it? If so are there
>>> any risk?
>>
>> yes recipient validation on backup mx mta, eq dont accept mails that
>> cant be delivered
>>
>> the error is that mx dont add all ips to spf, and or final
>destination
>> did forget to whitelist backup mx ip, since this is not a border mx
>ip
>>
>> silly and simple

Re: Backup mx relay got rejected due to SPF

gao
In reply to this post by Noel Jones-2
In the Perl script /usr/local/sbin/postfix-policyd-spf-perl (obtained from https://launchpad.net/postfix-policyd-spf-perl/),
I see this code:
# ----------------------------------------------------------
#                handler: relay exemption
# ----------------------------------------------------------

sub exempt_relay {
    my %options = @_;
    my $attr = $options{attr};
    if ($attr->{client_address} ne '') {
        my $client_address = NetAddr::IP->new($attr->{client_address});
        return "PREPEND Authentication-Results: $host; none (SPF not checked for whitelisted relay)"
            if grep($_->contains($client_address), relay_addresses);
    };
    return 'DUNNO';
}


Is there anything I can configure it to whitelist my backup mx IP?

P.S.
I am also reading this article: https://www.lux-medien.com/blog/policyd-spf-and-whitelisting.html
I may try that if I have to.

Gao

Re: Backup mx relay got rejected due to SPF

Benny Pedersen-2
Gao skrev den 2017-11-17 23:56:

> Is there anything I can configure it to whitelist my backup mx IP?

http://search.cpan.org/dist/Net-CIDR/CIDR.pm

Re: Backup mx relay got rejected due to SPF

Dominic Raferd
This thread has prompted me to look at my opendmarc log records - these cover all incoming mails to my mailservers, not only those from senders that use dmarc. Helpfully, the logs show the pure spf test results; these actually come from policyd-spf which I run with 'defaultSeedOnly = 1' so it merely adds headers to be read by opendmarc and does not actually block anything.

I find that there are very few spf 'hard' fails [code 7] (34 out of >45000) and about half of these are clearly from legitimate senders with misconfigured spf. There is a higher level of softfails [code 2] (252) of which the vast majority are clearly from legitimate senders.

I conclude that, for me, blocking on the basis of spf would have a negligible effect on my incoming spam and an unacceptable level of false positives. Obviously other people's mileage might vary.

Re: Backup mx relay got rejected due to SPF

Benny Pedersen-2
Dominic Raferd skrev den 2017-11-18 09:55:

> I conclude that, for me, blocking on the basis of spf would have a
> negligible effect on my incoming spam and an unacceptable level of
> false positives. Obviously other people's mileage might vary.

and opendmarc have spf bugs :/

Re: Backup mx relay got rejected due to SPF

Dominic Raferd
On 18 November 2017 at 14:46, Benny Pedersen <[hidden email]> wrote:
> Dominic Raferd skrev den 2017-11-18 09:55:
>
>> I conclude that, for me, blocking on the basis of spf would have a
>> negligible effect on my incoming spam and an unacceptable level of
>> false positives. Obviously other people's mileage might vary.
>
> and opendmarc have spf bugs :/

opendmarc 1.3.2 can use libspf2 which I think is reliable; but I use python-policyd-spf to provide spf data for opendmarc.


Re: Backup mx relay got rejected due to SPF

/dev/rob0
In reply to this post by gao
On Fri, Nov 17, 2017 at 02:56:17PM -0800, Gao wrote:
> Is there anything I can configure it to whitelist my backup mx IP?

Again, as Noel said twice upthread, it makes more sense to do the
whitelisting in Postfix rather than in the policy server.  Just a
simple check_client_access lookup, an example of which was given
already.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: Backup mx relay got rejected due to SPF

Benny Pedersen-2
/dev/rob0 skrev den 2017-11-18 18:36:

> Again, as Noel said twice upthread, it makes more sense to do the
> whitelisting in Postfix rather than in the policy server.  Just a
> simple check_client_access lookup, an example of which was given
> already.

why not help resolve policyd-spf-perl to have whitelist support ?

it's opensource

i think it's needed to make it into a policy class in postfix to only
check spf if not in mynetworks, the check client accept will as well fail
as no whitelist in spf

oh never mind

Re: Backup mx relay got rejected due to SPF

Noel Jones-2
On 11/18/2017 12:54 PM, Benny Pedersen wrote:
> /dev/rob0 skrev den 2017-11-18 18:36:
>
>> Again, as Noel said twice upthread, it makes more sense to do the
>> whitelisting in Postfix rather than in the policy server.  Just a
>> simple check_client_access lookup, an example of which was given
>> already.
>
> why not help resolve policyd-spf-perl to have whitelist support ?
>

The primary mx must never reject mail from the backup mx.  The
backup mx must be whitelisted in postfix so none of the other
restrictions reject it.

While it would be nice if the policy had whitelist support, that's
not the right place to whitelist a backup mx.


  -- Noel Jones