Forward being rejected because of spf


Joey J
Hello All,

I'm trying to figure out the workaround for when a domain sends an email to let's say [hidden email] and then that is supposed to forward to [hidden email] but [hidden email] postfix is rejecting the message:
(Yes, names and IPs have been changed to protect the innocent)

Oct 16 23:16:12 mgw postfix/smtpd[1443]: connect from postfix.xyz.com[152.30.131.212]
Oct 16 23:16:12 mgw postfix/smtpd[1443]: Anonymous TLS connection established from postfix.xyz.com[152.30.131.212]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 16 23:16:12 mgw postfix/smtpd[1443]: NOQUEUE: reject: RCPT from postfix.xyz.com[152.30.131.212]: 554 5.7.1 <[hidden email]>: Recipient address rejected: Rejected by SPF: 152.30.131.212 is not a designated mailserver for noreply%40e.fiverr.com (context mfrom, on mgw.innovativeinternet.net); from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<postfix.xyz.com>
Oct 16 23:16:13 mgw postfix/smtpd[1443]: disconnect from postfix.xyz.com[152.30.131.212] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7

--
Thanks!
Joey


Re: Forward being rejected because of spf

Bill Cole-3
On 16 Oct 2020, at 23:51, Joey J wrote:

> Hello All,
>
> I'm trying to figure out the workaround for when a domain sends an email to let's say [hidden email] and then that is supposed to forward to [hidden email] but [hidden email] postfix is rejecting the message:
> (Yes, names and IPs have been changed to protect the innocent)
>
> Oct 16 23:16:12 mgw postfix/smtpd[1443]: connect from postfix.xyz.com[152.30.131.212]
> Oct 16 23:16:12 mgw postfix/smtpd[1443]: Anonymous TLS connection established from postfix.xyz.com[152.30.131.212]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Oct 16 23:16:12 mgw postfix/smtpd[1443]: NOQUEUE: reject: RCPT from postfix.xyz.com[152.30.131.212]: 554 5.7.1 <[hidden email]>: Recipient address rejected: Rejected by SPF: 152.30.131.212 is not a designated mailserver for noreply%40e.fiverr.com (context mfrom, on mgw.innovativeinternet.net); from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<postfix.xyz.com>
> Oct 16 23:16:13 mgw postfix/smtpd[1443]: disconnect from postfix.xyz.com[152.30.131.212] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7


This is a well-known feature of SPF: it is incompatible with traditional
transparent forwarding as done with aliases or .forward files.

The possible workarounds are:

1. If you run the destination mail server, don't enforce SPF so
strictly.

2. Rewrite the sender using SRS. There are multiple tools that will do
SRS via TCP lookup tables (e.g. PostSRSd) or milter (there appear to be
multiple variants of "srs-milter").

3. Encapsulate forwarded messages in new messages that you send with a
sender in your own domain which you can programmatically convert back to
the original sender for bounces. If I was doing this I'd use MIMEDefang
(a milter that can be extended to do anything you can write Perl for)
but I'm biased.

4. Instead of forwarding, deliver locally and have the user pull their
mail to the target mailbox via POP3 or IMAP. GMail (and probably other
webmail providers) supports this. There are also tools like imapsync,
getmail, and fetchmail which one can use to pull mail from one email
account and dump it into another. The major advantages of this "pull"
model for you as the intermediate system are:
   A. You aren't responsible for managing a 2-way address translation
mechanism (e.g. SRS or encapsulation) to support bounces which will
mostly end up being undeliverable anyway.
   B. The receiving system won't see you as a spam source for forwarding
what they deem to be spam via SMTP.


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire