[SOLVED] Rejected by SPF: IP is not a designated mailserver for ...

ljety

I have a 2-node cluster. It works well, but lately I get a lot of rejects for one domain.

I get this error:

Code:
Nov 25 15:26:48 pmg postfix/smtpd[30129]: connect from esa2.hc333-29.ca.iphmx.com[216.71.130.199]
Nov 25 15:26:49 pmg postfix/smtpd[30129]: Anonymous TLS connection established from esa2.hc333-29.ca.iphmx.com[216.71.130.199]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 25 15:26:51 pmg postfix/smtpd[30129]: NOQUEUE: reject: RCPT from esa2.hc333-29.ca.iphmx.com[216.71.130.199]: 554 5.7.1 <ab@domain.de>: Recipient address rejected: Rejected by SPF: 216.71.130.199 is not a designated mailserver for 123%40soti.net (context mfrom, on pmg.domain.de); from=<123@soti.net> to=<ab@domain.de> proto=ESMTP helo=<esa2.hc333-29.ca.iphmx.com>
Nov 25 15:26:56 pmg postfix/smtpd[30129]: disconnect from esa2.hc333-29.ca.iphmx.com[216.71.130.199] ehlo=2 starttls=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=6/7

My "spfquery" check from master node:

Code:
root@pmg:~# spfquery --ip-address 216.71.130.199 -s 123@soti.net
pass
soti.net: Sender is authorized to use '123@soti.net' in 'mfrom' identity (mechanism 'exists:%{i}.spf.hc333-29.ca.iphmx.com' matched)
soti.net: Sender is authorized to use '123@soti.net' in 'mfrom' identity (mechanism 'exists:%{i}.spf.hc333-29.ca.iphmx.com' matched)
Received-SPF: pass (soti.net: Sender is authorized to use '123@soti.net' in 'mfrom' identity (mechanism 'exists:%{i}.spf.hc333-29.ca.iphmx.com' matched)) receiver=pmg.domain.de; identity=mailfrom; envelope-from="123@soti.net"; client-ip=216.71.130.199

Sender domain is entered in the whitelist. Why is the sender blocked anyway by SPF?
 
entered in the whitelist
which whitelist? the smtp whitelist, or in the rule system? the latter does not prevent spf checks.

i guess the dns resolution either did not work, or was wrong at that time. does it still trigger the spf rejects currently from that server/domain?
if yes, what do your dns setup and '/etc/resolv.conf' look like?
 
I entered the rule under Mailfilter > Who objects > Whitelist. Should I enter the sender domain under Configuration > Mail Proxy > Whitelist?

My resolv.conf:

Code:
root@pmg:~# cat /etc/resolv.conf
search mydomain.de
nameserver 192.168.1.221
nameserver 192.168.1.222
nameserver 1.1.1.1
 
the hard SPF-check happens during the SMTP-dialogue and if you want to Whitelist a particular domain/ip/address you'd need to add it to the mail proxy whitelist - see the reference documentation:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_whitelist_overview

Is this actually true? I have a case where I need to create an exception for SPF for a domain. If I add this domain to Configuration - Mail Proxy - Whitelist (Type Domain, Direction Sender Value example.com) and then restart postfix will it work?
I have done it and will see if I still get Rejected by SPF...
 
I need to follow up:
Server A received email from sender.com for Domain a.com.
Server A is set to forward all mail for any user@a.com to a.com@b.com
b.com has PMG as MX - let's call it pmg.com
Added IP 201.*.*.* of a.com to mail proxy whitelist of the PMG at pmg.com.
Mail log of a.com says:

status=bounced (host pmg.com[195.*.*.*] said: 554 5.7.1 <a.com@b.com>: Recipient address rejected: Rejected by SPF: 201.*.*.* is not a designated mailserver for user%40sender.com (context mfrom, on pmg.com) (in reply to RCPT TO command))

(Why) is PMG ignoring the whitelist-ing of the IP?

Cheers,
~R.
 
I need to follow up:
Server A received email from sender.com for Domain a.com.
Server A is set to forward all mail for any user@a.com to a.com@b.com
b.com has PMG as MX - let's call it pmg.com
Added IP 201.*.*.* of a.com to mail proxy whitelist of the PMG at pmg.com.
Mail log of a.com says:
It would really be better to open a fresh thread since the original thread started 2.5 years ago...

anyways - the mailproxy whitelist should have caught this - are you sure you added the ip as IP address (Sender) at GUI->Configuration->Mail Proxy-> Whitelist ?

just to be on the safe side try restarting the pmgpolicy service as well
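
As an added example (not part of the thread and not Proxmox code): a small Python triage script that pulls the client IP and envelope sender out of `Rejected by SPF` log lines like the one in the first post, decodes the `%40`, counts rejects per sender domain and IP, and builds the matching `spfquery` re-check with the flags used above. Apart from the first sample line, the log lines are constructed, and the function names are this example's own.

```python
import re
import shlex
from collections import Counter
from urllib.parse import unquote

# Sample input: the reject from the first post (shortened after the SPF text),
# a constructed repeat, a connect line, and a constructed reject (203.0.113.7).
SAMPLE_LOG = [
    "Nov 25 15:26:51 pmg postfix/smtpd[30129]: NOQUEUE: reject: RCPT from "
    "esa2.hc333-29.ca.iphmx.com[216.71.130.199]: 554 5.7.1 <ab@domain.de>: "
    "Recipient address rejected: Rejected by SPF: 216.71.130.199 is not a "
    "designated mailserver for 123%40soti.net (context mfrom, on pmg.domain.de)",
    "Nov 25 15:31:02 pmg postfix/smtpd[30140]: NOQUEUE: reject: Rejected by SPF: "
    "216.71.130.199 is not a designated mailserver for 123%40soti.net "
    "(context mfrom, on pmg.domain.de)",
    "Nov 25 15:26:48 pmg postfix/smtpd[30129]: connect from "
    "esa2.hc333-29.ca.iphmx.com[216.71.130.199]",
    "Nov 25 16:02:10 pmg postfix/smtpd[30201]: NOQUEUE: reject: Rejected by SPF: "
    "203.0.113.7 is not a designated mailserver for bob%40example.org "
    "(context mfrom, on pmg.domain.de)",
]

SPF_REJECT = re.compile(
    r"Rejected by SPF: (?P<ip>\S+) is not a designated mailserver for "
    r"(?P<sender>\S+) \(context (?P<context>\w+), on [^)\s]+\)"
)

def parse_spf_rejects(lines):
    """Yield (client_ip, envelope_sender, context) per SPF reject line."""
    for line in lines:
        m = SPF_REJECT.search(line)
        if m:  # the log shows the sender percent-encoded (123%40soti.net)
            yield m["ip"], unquote(m["sender"]), m["context"]

def summarize(lines):
    """Count rejects per (sender domain, client IP)."""
    return Counter((sender.rpartition("@")[2].lower(), ip)
                   for ip, sender, _ in parse_spf_rejects(lines))

def recheck_commands(lines):
    """One spfquery re-check per distinct (IP, sender), flags as in the thread."""
    pairs = dict.fromkeys((ip, s) for ip, s, _ in parse_spf_rejects(lines))
    return [f"spfquery --ip-address {shlex.quote(ip)} -s {shlex.quote(s)}"
            for ip, s in pairs]

if __name__ == "__main__":
    for (domain, ip), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {domain:15s} {ip}")
    print("\n".join(recheck_commands(SAMPLE_LOG)))
```

Running the generated commands on the gateway itself shows whether its own resolver still produces the result seen in the log.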
 