mx bind ip


mx bind ip

Nick Edwards-2
Hi,

I gave a secondary mx with 2 ipv4 and 2 ipv6 ip's.
I have dns'd one of each protocol for mx and ns
Trying to get postfix to play nice with mx on outbound. hostname,
mynetworks etc all setup right.
I have tried smtp_bind_address(6) but for some reason, although it
uses the correct IP,  the relays are denied for spf failure on the
main server, even though they are all permitted in spf RR, ok, evident
by fact that if I remove the option, it works again, I even downed
that IP on the box, and it relayed fine (yeah go figure) so, moved on
to inet_interfaces included 127.0.0.1  ipv4 and ipv6 addresses for mx,
but this uses the wrong ipv4 address when connecting

So, what is the preferred method for assigning the outbound IP ?
Thought about master.cf, but that will require an entry for ipv4 and
another separate for ipv6 from my reading of docs, which seems kinda
silly given sliding resources between the two protocols.


Thanks

Re: mx bind ip

Wietse Venema
Nick Edwards:
> I have tried smtp_bind_address(6) but for some reason, although it
> uses the correct IP,  the relays are denied for spf failure on the
> main server, even though they are all permitted in spf RR, ok, evident

So we know that Postfix sends mail with the correct IP address
but you have made some mistake with SPF, or with the configuration
of the system that incorrectly uses SPF.

What have you done to find out what the mistake is?

        Wietse

Re: mx bind ip

Reindl Harald-2
In reply to this post by Nick Edwards-2


Am 09.03.2012 16:01, schrieb Nick Edwards:

> Hi,
>
> I gave a secondary mx with 2 ipv4 and 2 ipv6 ip's.
> I have dns'd one of each protocol for mx and ns
> Trying to get postfix to play nice with mx on outbound. hostname,
> mynetworks etc all setup right.
> I have tried smtp_bind_address(6) but for some reason, although it
> uses the correct IP,  the relays are denied for spf failure on the
> main server, even though they are all permitted in spf RR, ok, evident
> by fact that if I remove the option, it works again, I even downed
> that IP on the box, and it relayed fine (yeah go figure) so, moved on
> to inet_interfaces included 127.0.0.1  ipv4 and ipv6 addresses for mx,
> but this uses the wrong ipv4 address when connecting
as long you are not providing logs showing your
problem and "postconf -n" output nobody can help you

logs from both -> your relay machine and the main-server for
one specific message



Re: mx bind ip

Nick Edwards-2
In reply to this post by Wietse Venema
On 3/10/12, Wietse Venema <[hidden email]> wrote:

> Nick Edwards:
>> I have tried smtp_bind_address(6) but for some reason, although it
>> uses the correct IP,  the relays are denied for spf failure on the
>> main server, even though they are all permitted in spf RR, ok, evident
>
> So we know that Postfix sends mail with the correct IP address
> but you have made some mistake with SPF, or with the configuration
> of the system that incorrectly uses SPF.
>
> What have you done to find out what the mistake is?
>


As I said, I've dropped all other IP's except the mx2, so when it is
its only route out, it connects fine, but all goes up that famous
creek once I use these extra settings and I restart networking so the
other IPs are there, even the openspf.net reject message says  sender
is authorized but was rejected and it cant help why, the spf we use is
policy-spf.

Is the smtp bind address correct method? or inet_interfaces?

Nik

Re: mx bind ip

Nick Edwards-2
In reply to this post by Reindl Harald-2
On 3/10/12, Reindl Harald <[hidden email]> wrote:

>
>
> Am 09.03.2012 16:01, schrieb Nick Edwards:
>> Hi,
>>
>> I gave a secondary mx with 2 ipv4 and 2 ipv6 ip's.
>> I have dns'd one of each protocol for mx and ns
>> Trying to get postfix to play nice with mx on outbound. hostname,
>> mynetworks etc all setup right.
>> I have tried smtp_bind_address(6) but for some reason, although it
>> uses the correct IP,  the relays are denied for spf failure on the
>> main server, even though they are all permitted in spf RR, ok, evident
>> by fact that if I remove the option, it works again, I even downed
>> that IP on the box, and it relayed fine (yeah go figure) so, moved on
>> to inet_interfaces included 127.0.0.1  ipv4 and ipv6 addresses for mx,
>> but this uses the wrong ipv4 address when connecting
>
> as long you are not providing logs showing your
> problem and "postconf -n" output nobody can help you
>
> logs from both -> your relay machine and the main-server for
> one specific message
>
>



logs are no good because it simply says rejected (ip) spf -all method.

all other settings wont help either since the two new settings smtp
bind address and inet_interfaces are simply IP's given, as in my OP.

have to go to meeting now so ill check back in later.
ciao

Re: mx bind ip

Ben Rosengart-2
In reply to this post by Nick Edwards-2
On Sat, Mar 10, 2012 at 02:19:55AM +1000, Nick Edwards wrote:
>
> Is the smtp bind address correct method? or inet_interfaces?

smtp_bind_address is for sending, inet_interfaces for receiving.

I think you will get better help if you get down to specifics.
Post the relevant IP addresses, the SPF record, and yes, the logs.

Regards,
--
  Ben Rosengart           "Like all those possessing a library,
  Sendmail, Inc.           Aurelian was aware that he was guilty of
  +1 718 431 3822          not knowing his in its entirety [...]"
                                      -- Jorge Luis Borges

NOTICE: If received in error, please destroy and notify sender.
Sender does not waive confidentiality or privilege, and use is prohibited.

Re: mx bind ip

Wietse Venema
In reply to this post by Nick Edwards-2
Nick Edwards:
> Is the smtp bind address correct method? or inet_interfaces?

Everybody already knows that smtp_bind_address and smtp_bind_address6
set the correct IP address for SENDING mail.

If the RECEIVING server flags an error for the correct IP address,
then THAT is the problem you need to fix.

Over and out.

        Wietse

Re: mx bind ip

Reindl Harald-2
In reply to this post by Nick Edwards-2


Am 09.03.2012 17:23, schrieb Nick Edwards:

> On 3/10/12, Reindl Harald <[hidden email]> wrote:
>>
>>
>> Am 09.03.2012 16:01, schrieb Nick Edwards:
>>> Hi,
>>>
>>> I gave a secondary mx with 2 ipv4 and 2 ipv6 ip's.
>>> I have dns'd one of each protocol for mx and ns
>>> Trying to get postfix to play nice with mx on outbound. hostname,
>>> mynetworks etc all setup right.
>>> I have tried smtp_bind_address(6) but for some reason, although it
>>> uses the correct IP,  the relays are denied for spf failure on the
>>> main server, even though they are all permitted in spf RR, ok, evident
>>> by fact that if I remove the option, it works again, I even downed
>>> that IP on the box, and it relayed fine (yeah go figure) so, moved on
>>> to inet_interfaces included 127.0.0.1  ipv4 and ipv6 addresses for mx,
>>> but this uses the wrong ipv4 address when connecting
>>
>> as long you are not providing logs showing your
>> problem and "postconf -n" output nobody can help you
>>
>> logs from both -> your relay machine and the main-server for
>> one specific message
>
> logs are no good because it simply says rejected (ip) spf -all method.
>
> all other settings wont help either since the two new settings smtp
> bind address and inet_interfaces are simply IP's given, as in my OP
logs are good because they show the connection IP!

also your SPF-records are important
do you have different SPF views (WAN/LAN)
are the SPF records on all views sane?

"smtp -o smtp_bind_address=xx" in main.cf works for sure
__________________________

what type of entries are you using in your SPF record?
i found out that a/mx entries sometimes making troubles and since
we changed our backend to use only ip and let the backend
translate servernames automatically while generating the
zone-files i never saw a single spf-error the last 2 years

thelounge.net.          86400   IN      SPF     "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 ip4:91.118.73.17
ip4:91.118.73.6 ip4:91.118.73.32 ip4:91.118.73.38 ip4:91.118.73.30 ip4:91.118.73.1 ip4:89.207.144.27 -all"

thelounge.net.          86400   IN      TXT     "v=spf1 ip4:91.118.73.15 ip4:91.118.73.20 ip4:91.118.73.17
ip4:91.118.73.6 ip4:91.118.73.32 ip4:91.118.73.38 ip4:91.118.73.30 ip4:91.118.73.1 ip4:89.207.144.27 -all"








Re: mx bind ip

Nick Edwards-2
In reply to this post by Wietse Venema
On 3/10/12, Wietse Venema <[hidden email]> wrote:
> Nick Edwards:
>> Is the smtp bind address correct method? or inet_interfaces?
>
> Everybody already knows that smtp_bind_address and smtp_bind_address6
> set the correct IP address for SENDING mail.
>
> If the RECEIVING server flags an error for the correct IP address,
> then THAT is the problem you need to fix.
>

thanks, and not everybody knows it, given by half the google responses
I've read, including some from zimbra :->


> Over and out.
>
Yes, now I have clarification, I will post followup once I get back to
work and nut out the issue, it is now time for bed :->

Re: mx bind ip

Nick Edwards-2
In reply to this post by Reindl Harald-2
On 3/10/12, Reindl Harald <[hidden email]> wrote:

>
>
> Am 09.03.2012 17:23, schrieb Nick Edwards:
>> On 3/10/12, Reindl Harald <[hidden email]> wrote:
>>>
>>>
>>
>> logs are no good because it simply says rejected (ip) spf -all method.
>>
>> all other settings wont help either since the two new settings smtp
>> bind address and inet_interfaces are simply IP's given, as in my OP
>
> logs are good because they show the connection IP!
>
> also your SPF-records are important
> do you have different SPF views (WAN/LAN)
> are the SPF records on all views sane?
>
> "smtp -o smtp_bind_address=xx" in main.cf works for sure

> __________________________
>
> what type of entries are you using in your SPF record?
> i found out that a/mx entries sometimes making troubles and since
> we changed our backend to use only ip and let the backend
> translate servernames automatically while generating the
> zone-files i never saw a single spf-error the last 2 years

SPF is setup correctly, I've been setting up SPF for  a great many
years , even back in the old qmail days, I know our SPF records are
perfect (I am no newbie to mail systems, just not 100% expert in
postfix)

> thelounge.net.          86400   IN      SPF     "v=spf1 ip4:91.118.73.15
> ip4:91.118.73.20 ip4:91.118.73.17
> ip4:91.118.73.6 ip4:91.118.73.32 ip4:91.118.73.38 ip4:91.118.73.30
> ip4:91.118.73.1 ip4:89.207.144.27 -all"
>
> thelounge.net.          86400   IN      TXT     "v=spf1 ip4:91.118.73.15
> ip4:91.118.73.20 ip4:91.118.73.17
> ip4:91.118.73.6 ip4:91.118.73.32 ip4:91.118.73.38 ip4:91.118.73.30
> ip4:91.118.73.1 ip4:89.207.144.27 -all"
>
>

yes but I also include  'mx' and I never use 'a' or ptr, they are
IMHO too wide, BTW, I hope you also use spf2.0 settings as well, makes
it easier to get higher confidence level in sending to
hotmail/live.com :->

Given what Wietse has said, I am tending more towards spfpolicy.pl on
master, but I'm too tired and it's late, so I'll investigate more
after some sleep.

Nik

Re: mx bind ip

Noel Butler
On Sat, 2012-03-10 at 11:08 +1000, Nick Edwards wrote:

> On 3/10/12, Reindl Harald <[hidden email]> wrote:
> what type of entries are you using in your SPF record?
> i found out that a/mx entries sometimes making troubles and since
> we changed our backend to use only ip and let the backend
> translate servernames automatically while generating the
> zone-files i never saw a single spf-error the last 2 years


Good advice on not using A (for many reasons), though I've never seen a  problem with MX myself.

> SPF is setup correctly, I've been setting up SPF for  a great many
> years , even back in the old qmail days, I know our SPF records are


When did you add these extra IP's? Recently?
What is the actual connecting IP type to the master, IPv4, or IPv6?
Does your primary mail server query a server that uses DNS views?
Are you perchance using another DNS server in your tests that your primary mail server is not?

You've been asked by others to supply actual details, if you don't want to make them public, try sending offlist, we can sit here for the next 6 months playing guessing games, if someone other than you has factual live information, they can perhaps run live tests using their DNS etc, kinda like a look at it with fresh eyes.


> Given what Wietse has said, I am tending more towards spfpolicy.pl on
> master, but I'm too tired and it's late, so I'll investigate more
> after some sleep.


poppy, unless you have modified it (read as totally fscked it up)




Re: mx bind ip

Nick Edwards-2
On 3/10/12, Noel Butler <[hidden email]> wrote:

> On Sat, 2012-03-10 at 11:08 +1000, Nick Edwards wrote:
>
>> On 3/10/12, Reindl Harald <[hidden email]> wrote:
>
>> > what type of entries are you using in your SPF record?
>> > i found out that a/mx entries sometimes making troubles and since
>> > we changed our backend to use only ip and let the backend
>> > translate servernames automatically while generating the
>> > zone-files i never saw a single spf-error the last 2 years
>>
>
>
> Good advice on not using A (for many reasons), though I've never seen a
> problem with MX myself.
>
>
>> SPF is setup correctly, I've been setting up SPF for  a great many
>> years , even back in the old qmail days, I know our SPF records are
>
>
>
> When did you add these extra IP's? Recently?
> What is the actual connecting IP type to the master, IPv4, or IPv6?
> Does your primary mail server query a server that uses DNS views?
> Are you perchance using another DNS server in your tests that your
> primary mail server is not?
>
> You've been asked by others to supply actual details, if you don't want
> to make them public, try sending offlist, we can sit here for the next 6
> months playing guessing games, if someone other than you has factual
> live information, they can perhaps run live tests using their DNS etc,
> kinda like a look at it with fresh eyes.
>
>
>
>> Given what Wietse has said, I am tending more towards spfpolicy.pl on
>> master, but I'm too tired and it's late, so I'll investigate more
>> after some sleep.
>>
>
>
> poppy, unless you have modified it (read as totally fscked it up)
>
>

Thanks! You have pointed me in the direction of my error, it was an
internal DNS server view that only had the original IP in it, not the
newer one. My testing of spf rules was on our normal caching server
which of course showed it was fine.

Sorry Wietse, you were right as usual, it was my configuration problem
and not postfix!
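
The failure resolved above (one DNS view still publishing the old SPF record while the resolver used for testing showed the new one) can be checked mechanically. The following is an added example, not part of the original thread: it compares the SPF record seen through each view against the outbound bind address. The view names, records and addresses are constructed (documentation ranges), and only ip4/ip6 mechanisms are evaluated; mx, a and include would need further DNS lookups.

```python
import ipaddress

# Constructed sample data: the same domain's SPF TXT record as returned by two
# DNS views. Addresses are from documentation ranges (RFC 5737 / RFC 3849).
SPF_BY_VIEW = {
    "public-cache": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.25 ip6:2001:db8::25 mx -all",
    "internal-view": "v=spf1 ip4:192.0.2.10 mx -all",  # stale: new MX2 address missing
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_ip_mechanisms(record):
    """Return (networks, unresolved) for one SPF v1 record.

    networks   -- list of (qualifier, ip_network) from ip4:/ip6: mechanisms
    unresolved -- mechanisms (mx, a, include, ...) that need further DNS
                  lookups and are therefore not evaluated here
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record: %r" % record)
    networks, unresolved = [], []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # strict=False accepts CIDR entries with host bits set
            net = ipaddress.ip_network(value, strict=False)
            if net.version != int(name[2]):
                raise ValueError("address family mismatch in %r" % term)
            networks.append((qualifier, net))
        elif name != "all" and "=" not in term:  # skip 'all' and modifiers
            unresolved.append(term)
    return networks, unresolved


def ip_verdict(record, sender_ip):
    """Result of the first ip4/ip6 mechanism that covers sender_ip.

    Simplification: mechanisms that need lookups are skipped, so the answer
    is 'no-ip-match' whenever only mx/a/include could authorize the address.
    """
    addr = ipaddress.ip_address(sender_ip)
    networks, _ = parse_ip_mechanisms(record)
    for qualifier, net in networks:
        if addr.version == net.version and addr in net:
            return QUALIFIER_RESULT[qualifier]
    return "no-ip-match"


def compare_views(spf_by_view, sender_ip):
    """Map each view to its verdict and list the views that do not pass."""
    verdicts = {view: ip_verdict(rec, sender_ip)
                for view, rec in spf_by_view.items()}
    disagree = sorted(view for view, res in verdicts.items() if res != "pass")
    return verdicts, disagree


if __name__ == "__main__":
    # The addresses a relay might bind to via smtp_bind_address(6).
    for ip in ("192.0.2.10", "192.0.2.25", "2001:db8::25"):
        verdicts, bad = compare_views(SPF_BY_VIEW, ip)
        print(ip, verdicts, "views to fix:", bad)
```

In practice the records would be collected by querying the TXT record through every resolver the receiving server can use, not only the one used for manual testing.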

OT: spf2.0 (was Re: mx bind ip)

Reindl Harald-2
In reply to this post by Nick Edwards-2


Am 10.03.2012 02:08, schrieb Nick Edwards:

>> thelounge.net.          86400   IN      SPF     "v=spf1 ip4:91.118.73.15
>> ip4:91.118.73.20 ip4:91.118.73.17
>> ip4:91.118.73.6 ip4:91.118.73.32 ip4:91.118.73.38 ip4:91.118.73.30
>> ip4:91.118.73.1 ip4:89.207.144.27 -all"
>>
>> thelounge.net.          86400   IN      TXT     "v=spf1 ip4:91.118.73.15
>> ip4:91.118.73.20 ip4:91.118.73.17
>> ip4:91.118.73.6 ip4:91.118.73.32 ip4:91.118.73.38 ip4:91.118.73.30
>> ip4:91.118.73.1 ip4:89.207.144.27 -all"
>
> yes but I also include  'mx' and I never use 'a' or ptr, they are
> IMHO too wide, BTW, I hope you also use spf2.0 settings as well, makes
> it easier to get higher confidence level in sending to
> hotmail/live.com :->
no because i did not notice about spf2.0 until now
and do not find anything about it on openspf.org
http://www.openspf.org/SPF_Record_Syntax

have you some good documentation/examples
since i am the developer of our admin-backends
it should be easy to integrate any record-types

P.S.:
i changed the above ip4-records recently to CIDR notification
should solve possible problems with too large TXT types for
UDP in case of additional entries for some domains



Re: OT: spf2.0 (was Re: mx bind ip)

Scott Kitterman-4


Reindl Harald <[hidden email]> wrote:

>
>
>Am 10.03.2012 02:08, schrieb Nick Edwards:
>>> thelounge.net.          86400   IN      SPF     "v=spf1
>ip4:91.118.73.15
>>> ip4:91.118.73.20 ip4:91.118.73.17
>>> ip4:91.118.73.6 ip4:91.118.73.32 ip4:91.118.73.38 ip4:91.118.73.30
>>> ip4:91.118.73.1 ip4:89.207.144.27 -all"
>>>
>>> thelounge.net.          86400   IN      TXT     "v=spf1
>ip4:91.118.73.15
>>> ip4:91.118.73.20 ip4:91.118.73.17
>>> ip4:91.118.73.6 ip4:91.118.73.32 ip4:91.118.73.38 ip4:91.118.73.30
>>> ip4:91.118.73.1 ip4:89.207.144.27 -all"
>>
>> yes but I also include  'mx' and I never use 'a' or ptr, they are
>> IMHO too wide, BTW, I hope you also use spf2.0 settings as well,
>makes
>> it easier to get higher confidence level in sending to
>> hotmail/live.com :->
>
>no because i did not notice about spf2.0 until now
>and do not find anything about it on openspf.org
>http://www.openspf.org/SPF_Record_Syntax
>
>have you some good documentation/examples
>since i am the developer of our admin-backends
>it should be easy to integrate any record-types
>
I wouldn't worry too much about it.  You won't find anything about it on openspf.org because it's a Microsoft variant that has virtually no support in the open source world. There's an IETF working group in progress to move SPF, the openspf.org kind, onto its standards track (SPFbis). One probable outcome of this work is to deprecate the Microsoft variant.

Scott K


Re: OT: spf2.0 (was Re: mx bind ip)

Noel Butler
On Sat, 2012-03-10 at 22:33 -0500, Scott Kitterman wrote:

>no because i did not notice about spf2.0 until now
>and do not find anything about it on openspf.org
>http://www.openspf.org/SPF_Record_Syntax
>
>have you some good documentation/examples
>since i am the developer of our admin-backends
>it should be easy to integrate any record-types
>
> I wouldn't worry too much about it.  You won't find anything about it on openspf.org because it's a Microsoft variant that has virtually no support in the open source world. There's an IETF working group in progress to move SPF, the openspf.org kind, onto its standards track (SPFbis). One probable outcome of this work is to deprecate the Microsoft variant.


Scott, as pointed out by Nick, it does help a lot with delivery to hotmail, has done for years, and as of late last year, they still have far more users than gmail or yahoo, depends on your network, but if you're an ISP/ASP, it kinda is important if your network sends a bit of mail to them, given hotmails horrendous track record for silently trashing mail, every little bit helps.


Reindl, See RFC 4406, The format Ive used, which was recommended by an old hotmail postmaster website guide a few years back, when we had delivery issues to them (like everyone else) was essentially  TXT "spf2.0/mfrom,pra <same data as spf1>"  I only use spfv1 for the SPF RR.


passing comment - nice to see finally they fixed up openspf.org, which was dead for a very long time, had to alter my spf.pl's to use .net which did not fail.



Re: OT: spf2.0 (was Re: mx bind ip)

Reindl Harald-2

Am 11.03.2012 09:44, schrieb Noel Butler:

> On Sat, 2012-03-10 at 22:33 -0500, Scott Kitterman wrote:
>> >have you some good documentation/examples
>> >since i am the developer of our admin-backends
>> >it should be easy to integrate any record-types
>> >
>> I wouldn't worry too much about it.  You won't find anything about it on openspf.org because it's a Microsoft variant that has virtually no support in the open source world. There's an IETF working group in progress to move SPF, the openspf.org kind, onto its standards track (SPFbis). One probable outcome of this work is to deprecate the Microsoft variant.
>>
>
> Scott, as pointed out by Nick, it does help a lot with delivery to hotmail, has done for years, and as of late last
> year, they still have far more users than gmail or yahoo, depends on your network, but if you're an ISP/ASP, it
> kinda is important if your network sends a bit of mail to them, given hotmails horrendous track record for silently
> trashing mail, every little bit helps.
>
>
> Reindl, See RFC 4406, The format Ive used, which was recommended by an old hotmail postmaster website guide a few
> years back, when we had delivery issues to them (like everyone else) was essentially  TXT "spf2.0/mfrom,pra <same
> data as spf1>"  I only use spfv1 for the SPF RR.
>
>
> passing comment - nice to see finally they fixed up openspf.org, which was dead for a very long time, had to alter
> my spf.pl's to use .net which did not fail.
hm, since it contains the same data as spf1 and even hotmail itself
has only spf1 i tend to ignore it also in the future

;; QUESTION SECTION:
;hotmail.com.                   IN      TXT

;; ANSWER SECTION:
hotmail.com.            1391    IN      TXT     "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com
include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"

;; AUTHORITY SECTION:
hotmail.com.            10738   IN      NS      ns2.msft.net.
hotmail.com.            10738   IN      NS      ns5.msft.net.
hotmail.com.            10738   IN      NS      ns4.msft.net.
hotmail.com.            10738   IN      NS      ns3.msft.net.
hotmail.com.            10738   IN      NS      ns1.msft.net.



Re: mx bind ip

Bastian Blank-3
In reply to this post by Nick Edwards-2
On Sat, Mar 10, 2012 at 01:01:00AM +1000, Nick Edwards wrote:
> I have tried smtp_bind_address(6) but for some reason, although it
> uses the correct IP,  the relays are denied for spf failure on the
> main server, even though they are all permitted in spf RR, ok, evident
> by fact that if I remove the option, it works again,

As you have no control about third party DNS records, this does not
help.

A secondary MX is all about accepting incoming mail from the world. It
has to do all policy checks. The main server can no longer do policy
checks by definition for mails already accepted by the secondary, so it
needs to be whitelisted.

Bastian

--
Each kiss is as the first.
                -- Miramanee, Kirk's wife, "The Paradise Syndrome",
                   stardate 4842.6

Re: OT: spf2.0 (was Re: mx bind ip)

Noel Butler
In reply to this post by Reindl Harald-2
On Sun, 2012-03-11 at 11:01 +0100, Reindl Harald wrote:


> hm, since it contains the same data as spf1 and even hotmail itself
> has only spf1 i tend to ignore it also in the future


Just had a look and you're right,  but as it improved our deliverable success rates to hotmail many fold a few years back,  I won't give my CSRs headaches by risking influx of support requests/bitches over mail not getting through :)  certainly doesn't harm anything  even if they no longer give increases in reputation for those publishing it.

Personally never liked it, I did trial it once, but dumped it pretty quickly, it played merry hell with those using mailing lists where as spfv1 is perfectly fine.

