SPF on internal IP Addresses

pmbaeum

Active Member
Sep 29, 2020
Hi,
I'm currently having some issues with internal systems that used to work fine.

I recently upgraded to Mail Gateway 9.1.0 (kernel: 7.0.6-2-pve).
Now my internal services seem to have trouble sending e-mails:
Code:
SMTP Error: The following recipients failed: {USER]@{Domain}.de: <{USER]@{Domain}.de>: Recipient address rejected: Rejected by SPF: 192.168.60.120 is not a designated mailserver for noreply%40{DOMAIN}.de (context mfrom, on mail.{DOMAIN}.de)\r\n"}}

mail.{DOMAIN}.de is my PMG.


Has anyone experienced similar issues?
 
Hi,

The SPF reject usually means the service is still submitting mail to PMG on the external SMTP port 25, where SPF checks are applied. Could you please configure the internal service to use PMG as smarthost on the internal SMTP port, default 26 [0], and retest?

If it must use port 25, add `192.168.60.120/32` or the subnet to the SMTP Welcomelist [1] to bypass SPF checks for that internal sender.

[0] https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_mailproxy_ports
[1] https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_smtp_welcomelist
 

Hi, I just stumbled across this because I am currently trying to tweak our mail configuration at my workplace.

Happily for us, we are using split DNS for internal host resolution and for external host resolution. So what we did (because SpamAssassin also does SPF checks during spam evaluation) was to implement a different SPF record for internal hosts, so that our PMG would see any internal relaying SMTP servers as designated senders.

The SMTP Welcomelist feature is new, isn't it? Or did I just overlook it every time I was digging through the manual :D -> But good to know that this is there!

Regards
~s.