Mail Proxy Use SPF

osgit
Member
Jan 12, 2021
I have an issue when Mail Gateway is set to Use SPF: it doesn't seem to work correctly for the following domain, which has a more specialized SPF record using, for example, exists:%{i}.spf.hc4187-23.iphmx.com. Do you have any workaround, other than whitelisting their domain under Mail Proxy and/or disabling Use SPF, or some flag that needs to be set to properly resolve this type of SPF record?

Domain:
Code:
chrobinson.com
MX Record:
Code:
chrobinson.com.         300     IN      TXT     "v=spf1 mx ip4:168.208.200.0/24 ip4:168.208.16.0/24 exists:%{i}.spf.hc4187-23.iphmx.com -all"
Error with Use SPF enabled:
Code:
NOQUEUE: reject: RCPT from esa.hc4187-23.iphmx.com[68.232.131.43]: 554 5.7.1 <user@domain.com>: Recipient address rejected: Rejected by SPF: 68.232.131.43 is not a designated mailserver for prvs%3D13886b7e3%3Dsome.user%40chrobinson.com (context mfrom, on smtp.domain.com); from=<prvs=13886b7e3=some.user@chrobinson.com> to=<user@domain.com> proto=ESMTP helo=<esa.hc4187-23.iphmx.com>
 
what is your 'pmgversion -v'?
 
Here you go:
Code:
pmgversion -v
proxmox-mailgateway: 7.1-1 (API: 7.1-3/4c093c92, running kernel: 5.13.19-6-pve)
pmg-api: 7.1-3
pmg-gui: 3.1-3
pve-kernel-helper: 7.2-3
pve-kernel-5.13: 7.1-9
pve-kernel-5.4: 6.4-15
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.4.174-2-pve: 5.4.174-2
pve-kernel-5.4.166-1-pve: 5.4.166-1
pve-kernel-5.4.162-1-pve: 5.4.162-2
pve-kernel-5.4.157-1-pve: 5.4.157-1
pve-kernel-5.4.151-1-pve: 5.4.151-1
pve-kernel-5.4.143-1-pve: 5.4.143-1
pve-kernel-5.4.140-1-pve: 5.4.140-1
pve-kernel-5.4.128-1-pve: 5.4.128-2
pve-kernel-5.4.124-1-pve: 5.4.124-2
pve-kernel-5.4.119-1-pve: 5.4.119-1
pve-kernel-5.4.114-1-pve: 5.4.114-1
pve-kernel-5.4.106-1-pve: 5.4.106-1
pve-kernel-5.4.103-1-pve: 5.4.103-1
pve-kernel-5.4.101-1-pve: 5.4.101-1
pve-kernel-5.4.78-2-pve: 5.4.78-2
pve-kernel-5.4.78-1-pve: 5.4.78-1
pve-kernel-5.4.73-1-pve: 5.4.73-1
pve-kernel-5.4.65-1-pve: 5.4.65-1
pve-kernel-5.4.30-1-pve: 5.4.30-1
clamav-daemon: 0.103.5+dfsg-0+deb11u1
ifupdown: 0.8.36+pve1
libarchive-perl: 3.4.0-1
libjs-extjs: 7.0.0-1
libjs-framework7: 4.4.7-1
libproxmox-acme-perl: 1.4.2
libproxmox-acme-plugins: 1.4.2
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-1
libpve-http-server-perl: 4.1-2
libxdgmime-perl: 1.0-1
lvm2: 2.03.11-2.1
pmg-docs: 7.1-2
pmg-i18n: 2.7-2
pmg-log-tracker: 2.3.1-1
postgresql-13: 13.7-0+deb11u1
proxmox-mini-journalreader: 1.3-1
proxmox-spamassassin: 3.4.6-4
proxmox-widget-toolkit: 3.5.1
pve-firmware: 3.4-2
pve-xtermjs: 4.16.0-1
zfsutils-linux: 2.1.4-pve1
 
do you by any chance use pfsense as your dns resolver? maybe it's the same (or a similar) issue as this: https://forum.proxmox.com/threads/rejected-mail-but-spf-record-seems-to-be-ok.84888/#post-372884
I have put those fixes in place for quite some time; is there something specific to this?

Code:
server:
private-address: 127.0.0.0/8
private-domain: "zen.spamhaus.org"
private-domain: "bl.spamcop.net"
private-domain: "psbl.surriel.com"
private-domain: "spamrbl.imp.ch"
private-domain: "noptr.spamrats.com"
private-domain: "escalations.dnsbl.sorbs.net"
private-domain: "bl.score.senderscore.com"
private-domain: "bl.spameatingmonkey.net"
private-domain: "rbl.realtimeblacklist.com"
private-domain: "dnsbl.dronebl.org"
private-domain: "ix.dnsbl.manitu.net"
private-domain: "b.barracudacentral.org"
private-domain: "truncate.gbudb.net"
private-domain: "bl.blocklist.de"
 
the problem here seems to be that while the spf record says it's ok when '%{i}.spf.hc4187-23.iphmx.com' exists, it resolves to 127.0.0.2:
Code:
68.232.131.43.spf.hc4187-23.iphmx.com. 3600 IN A 127.0.0.2

which is blocked by pfsense since dns *should* not resolve to a local ip...
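To make that failure mode concrete, here is an added example (not code from this thread or from Proxmox): it expands the exists: macro the way RFC 7208 does, then evaluates the mechanism against a constructed resolver that behaves like unbound with pfSense's rebind protection (private-address) and against the same resolver with a private-domain allowlist entry for the SPF zone, the same unbound option already used for the RBLs in the config above. The zone data is constructed from the single dig answer quoted above; the %{d} and reversed (%{ir}) macro forms are handled as well, although the thread only shows %{i}.

```python
import ipaddress
# Constructed zone; the only thread fact used is that this name answers 127.0.0.2.
FAKE_ZONE = {"68.232.131.43.spf.hc4187-23.iphmx.com": ["127.0.0.2"]}
# Ranges a rebind-protecting resolver (pfSense/unbound private-address) strips.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def expand_macro(spec, ip, domain, sender):
    """Expand %{i} %{d} %{s} %{l} %{o} (+ 'r' reverse transformer); RFC 7208, IPv4 only."""
    letters = {"i": ip, "d": domain, "s": sender,
               "l": sender.rsplit("@", 1)[0], "o": sender.rsplit("@", 1)[-1]}
    out, i = [], 0
    while i < len(spec):
        if not spec.startswith("%{", i):
            out.append(spec[i]); i += 1
            continue
        end = spec.index("}", i)
        body = spec[i + 2:end]
        labels = letters[body[0]].split(".")
        if "r" in body[1:]:            # %{ir} -> reversed dotted quad
            labels.reverse()
        out.append(".".join(labels)); i = end + 1
    return "".join(out)

def raw_resolver(name):                # what the authoritative side answers
    return list(FAKE_ZONE.get(name, []))

def rebind_protected_resolver(name, allowed=()):
    # Models unbound private-address: private/loopback A answers are dropped
    # unless the name falls under a private-domain entry ('allowed').
    answers = raw_resolver(name)
    if any(name == d or name.endswith("." + d) for d in allowed):
        return answers
    return [a for a in answers
            if not any(ipaddress.ip_address(a) in n for n in PRIVATE_NETS)]

def exists_matches(mechanism, ip, domain, sender, resolve):
    """exists: matches iff the expanded name has at least one A record."""
    name = expand_macro(mechanism[len("exists:"):], ip, domain, sender)
    return name, bool(resolve(name))

def demo():
    mech, args = "exists:%{i}.spf.hc4187-23.iphmx.com", (
        "68.232.131.43", "chrobinson.com", "some.user@chrobinson.com")
    name, raw = exists_matches(mech, *args, raw_resolver)
    _, filtered = exists_matches(mech, *args, rebind_protected_resolver)
    _, fixed = exists_matches(mech, *args, lambda n: rebind_protected_resolver(
        n, ("spf.hc4187-23.iphmx.com",)))  # private-domain allowlist for the SPF zone
    return name, raw, filtered, fixed
```

demo() returns the expanded name followed by True (unfiltered), False (rebind filter swallows the 127.0.0.2 answer, so SPF fails exactly as in the reject line) and True again once the SPF zone is allowlisted.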
 
I disabled DNS Rebind Check for testing purposes. I'll let you know what happens the next time I receive an email from them and report back the results. Thank you. :)
 
So I got two emails from this domain and they were both rejected.
Code:
Jul 22 07:50:00 smtp postfix/smtpd[162078]: connect from esa.hc4187-23.iphmx.com[68.232.131.43]
Jul 22 07:50:01 smtp postfix/smtpd[162078]: Anonymous TLS connection established from esa.hc4187-23.iphmx.com[68.232.131.43]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 22 07:50:01 smtp postfix/smtpd[162078]: NOQUEUE: reject: RCPT from esa.hc4187-23.iphmx.com[68.232.131.43]: 554 5.7.1 <user@domain.com>: Recipient address rejected: Rejected by SPF: 68.232.131.43 is not a designated mailserver for prvs%3D195daca47%3Duser%40chrobinson.com (context mfrom, on smtp.domain.com); from=<prvs=195daca47=user@chrobinson.com> to=<user@domain.com> proto=ESMTP helo=<esa.hc4187-23.iphmx.com>
Jul 22 07:50:06 smtp postfix/smtpd[162078]: disconnect from esa.hc4187-23.iphmx.com[68.232.131.43] ehlo=2 starttls=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=6/7
 
what does
Code:
dig 68.232.131.43.spf.hc4187-23.iphmx.com
show on your pmg installation? (you might need to install the package 'bind9-dnsutils')
 
Sure, here is the response:
Code:
dig 68.232.131.43.spf.hc4187-23.iphmx.com

; <<>> DiG 9.16.27-Debian <<>> 68.232.131.43.spf.hc4187-23.iphmx.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12400
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;68.232.131.43.spf.hc4187-23.iphmx.com. IN A

;; Query time: 96 msec
;; SERVER: 192.168.56.1#53(192.168.56.1)
;; WHEN: Thu Jul 28 12:00:50 MST 2022
;; MSG SIZE  rcvd: 66
 
Getting the issue with another domain now as well:

Domain:
Code:
medline.com
SPF Record:
Code:
medline.com.            1800    IN      TXT     "v=spf1 mx a ip4:205.233.244.245 ip4:205.233.245.135 ip4:205.233.245.77 include:_spf-a.medline.com include:_spf-b.medline.com include:_spf-c.medline.com -all"
Code:
Aug 16 08:23:21 smtp postfix/smtpd[255412]: connect from smtp-esa2.cloud.opentext.com[150.105.217.150]
Aug 16 08:23:21 smtp postfix/smtpd[255412]: Anonymous TLS connection established from smtp-esa2.cloud.opentext.com[150.105.217.150]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 16 08:23:22 smtp postfix/smtpd[255412]: NOQUEUE: reject: RCPT from smtp-esa2.cloud.opentext.com[150.105.217.150]: 554 5.7.1 <orders@domain.com>: Recipient address rejected: Rejected by SPF: 150.105.217.150 is not a designated mailserver for vendorrelations%40medline.com (context mfrom, on smtp.domain.com); from=<VendorRelations@medline.com> to=<orders@domain.com> proto=ESMTP helo=<smtp-esa2.cloud.opentext.com>
Aug 16 08:23:27 smtp postfix/smtpd[255412]: disconnect from smtp-esa2.cloud.opentext.com[150.105.217.150] ehlo=2 starttls=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=6/7
 
the link you posted specifically says:
SPF Failed for IP - 150.105.217.150

so if the mail got rejected based on SPF, this is what I would expect?
 
can you please also post the relevant logs from pmg?

EDIT: please also include the output of dig - as @dcsapak requested for chrobinson above
 
Here is the log:
Code:
Aug 29 07:55:51 smtp postfix/smtpd[40934]: connect from esa2.hc2841-9.iphmx.com[216.71.140.81]
Aug 29 07:55:51 smtp postfix/smtpd[40934]: Anonymous TLS connection established from esa2.hc2841-9.iphmx.com[216.71.140.81]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 29 07:55:52 smtp postfix/smtpd[40934]: NOQUEUE: reject: RCPT from esa2.hc2841-9.iphmx.com[216.71.140.81]: 554 5.7.1 <support@domain.com>: Recipient address rejected: Rejected by SPF: 216.71.140.81 is not a designated mailserver for prvs%3D233365bfc%3Deprater%40hiscoinc.com (context mfrom, on smtp.domain.com); from=<prvs=233365bfc=eprater@hiscoinc.com> to=<support@domain.com> proto=ESMTP helo=<esa2.hc2841-9.iphmx.com>
Aug 29 07:55:57 smtp postfix/smtpd[40934]: disconnect from esa2.hc2841-9.iphmx.com[216.71.140.81] ehlo=2 starttls=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=6/7
and dig:
Code:
dig 216.71.140.81.spf.hc2841-9.iphmx.com

; <<>> DiG 9.16.27-Debian <<>> 216.71.140.81.spf.hc2841-9.iphmx.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44173
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;216.71.140.81.spf.hc2841-9.iphmx.com. IN A

;; Query time: 172 msec
;; SERVER: 192.168.56.1#53(192.168.56.1)
;; WHEN: Mon Aug 29 10:30:04 MST 2022
;; MSG SIZE  rcvd: 65
 
sorry, I should have been more clear - don't just take the command @dcsapak wrote, but do the dns lookups for the concrete spf-record and example.…

in this case - the matching part is:
Code:
dig 216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com
 
Makes sense, here is that output.
Code:
dig 216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com

; <<>> DiG 9.16.27-Debian <<>> 216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12190
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com. IN        A

;; Query time: 884 msec
;; SERVER: 192.168.56.1#53(192.168.56.1)
;; WHEN: Tue Aug 30 08:18:55 MST 2022
;; MSG SIZE  rcvd: 80
 