Does the "Mail Filter" rule have priority over the system's SPF checking?

lonea

Active Member
Feb 25, 2020
I have a Whitelist Rule.
Within the Rule, there is the Whitelist WHO

The WHO includes
->email from address
->IP of the sending server, in this case it is a smarthost

However, it seems like the Mail Filter is checking the SPF first before going through the Mail Filter rules.

is not a designated mailserver....

My question is: other than disabling SPF checking temporarily, is there a way to allow this particular email in?

P.S. Tried adding the IP and the from email under the Whitelist under Configuration -> Mail Proxy
 
To circumvent the SPF check in the mail proxy, you need to add an entry to the mail-proxy whitelist, as @hata_ph said.
See the reference documentation:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_whitelist_overview

I hope this helps!
I did that as mentioned in my original post.

Here is how I test it.

Sender is

and the log is as

Sep 8 13:38:58 e1-na postfix/smtpd[3170521]: connect from outfilter2.relaydomain.com[x.x.x.226]

Sep 8 13:38:58 e1-na postfix/smtpd[3170521]: NOQUEUE: reject: RCPT from outfilter2.relaydomain.com[x.x.x.226]: 554 5.7.1 <dev@privatedev.party>: Recipient address rejected: Rejected by SPF: x.x.x.226 is not a designated mailserver for noreply%40yourdomain.com (context mfrom, on e1-na.incomingdomain.com); from=<noreply@yourdomain.com> to=<dev@privatedev.party> proto=ESMTP helo=<outfilter2.relaydomain.com>

Sep 8 13:38:58 e1-na postfix/smtpd[3170521]: disconnect from outfilter2.relaydomain.com[x.x.x.226] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
I put the x.x.x.226 in the whitelist under mailproxy and also the sender email.
 
In addition to what @hata_ph said - also show your mail-proxy whitelist (as a screenshot).
 
Huh? I showed the log on post 6. Not sure what other logs you want.

If you want the screenshot, here it is

https://prnt.sc/T1MxPvzaivMh

This is a clear bug that the whitelist isn't working as intended. There's not much else to troubleshoot.
 
On a hunch, could you please restart postfix: `systemctl restart postfix` and try again?
Else - please check and verify that x.x.x.226 and noreply@yourdomain.com are listed in the files in /etc/postfix:
/etc/postfix/clientaccess
/etc/postfix/senderaccess
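
A way to run the check suggested above across a whole log, as an added example (not part of the original posts and not Proxmox code): it pulls the client IP and envelope sender out of each "Rejected by SPF" line and reports which of them are missing from the text of `/etc/postfix/clientaccess` and `/etc/postfix/senderaccess`. The log lines are constructed, and the table layout (lookup key in the first field, either an address/CIDR or an anchored regexp) is an assumption.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed log lines, modelled on the Postfix output quoted in this thread.
SAMPLE_LOG = """\
Sep  8 13:38:58 gw postfix/smtpd[1001]: NOQUEUE: reject: RCPT from relay.example.net[192.0.2.226]: 554 5.7.1 <dev@example.org>: Recipient address rejected: Rejected by SPF: 192.0.2.226 is not a designated mailserver for noreply%40example.com (context mfrom, on gw.example.org); from=<noreply@example.com> to=<dev@example.org> proto=ESMTP helo=<relay.example.net>
Sep  8 13:39:10 gw postfix/smtpd[1002]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; client [198.51.100.7] blocked; from=<a@example.net> to=<dev@example.org> proto=ESMTP helo=<x>
"""

SPF_REJECT = re.compile(
    r"reject: RCPT from [^\[\s]+\[(?P<ip>[^\]]+)\]: .*?Rejected by SPF: \S+ is not a designated "
    r"mailserver for (?P<identity>\S+) \(context (?P<context>\w+),.*?from=<(?P<sender>[^>]*)>")

def spf_rejections(log_text):
    """One dict (ip, identity, context, sender) per 'Rejected by SPF' line."""
    hits = filter(None, map(SPF_REJECT.search, log_text.splitlines()))
    return [{**m.groupdict(), "identity": unquote(m["identity"])} for m in hits]

def _keys(access_text):
    # Assumption: the first field of each non-comment line is the lookup key.
    return [l.split()[0] for l in access_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def ip_listed(ip, access_text):
    for key in _keys(access_text):
        try:
            if ipaddress.ip_address(ip) in ipaddress.ip_network(key, strict=False):
                return True
        except ValueError:  # not an address/CIDR (or a masked IP like x.x.x.226)
            pass
    return False

def sender_listed(sender, access_text):
    """True if the address or its domain is a key (regexp anchors/escapes dropped)."""
    domain = sender.rpartition("@")[2].lower()
    wanted = {sender.lower(), domain, "@" + domain}
    return any(k.replace("\\", "").strip("/^$").lstrip(".*").lower() in wanted
               for k in _keys(access_text))

def whitelist_gaps(log_text, clientaccess_text, senderaccess_text):
    """(file, value) pairs from SPF rejections that neither table covers."""
    gaps = []
    for r in spf_rejections(log_text):
        if not ip_listed(r["ip"], clientaccess_text):
            gaps.append(("clientaccess", r["ip"]))
        if not sender_listed(r["sender"], senderaccess_text):
            gaps.append(("senderaccess", r["sender"]))
    return gaps
```

Pass the real log and file contents as strings, e.g. `whitelist_gaps(open("/var/log/mail.log").read(), open("/etc/postfix/clientaccess").read(), open("/etc/postfix/senderaccess").read())`; the log path is an assumption.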
 
I can confirm that after adding an IP address to proxy > whitelist, the SPF check still fails.
Haven't tried to restart services yet.

Ver: Mail Gateway 7.2-3
 
Please post the logs of such a mail which gets blocked due to SPF.
 
Try adding xxx.domain as sender domain to the mailproxy whitelist
 
Jan 10 10:49:07 pmg postfix/smtpd[901090]: connect from esa1.hc374-32.eu.iphmx.com[207.54.68.96]
Jan 10 10:49:08 pmg postfix/smtpd[901090]: NOQUEUE: reject: RCPT from esa1.hc374-32.eu.iphmx.com[207.54.68.96]: 554 5.7.1 <XXXXXXXXX>: Recipient address rejected: Rejected by SPF: 207.54.68.96 is not a designated mailserver for XXXXXX (context mfrom, on XXXXXXXXX); from=<XXXXXXXX> to=<XXXXXXXXXXXXX> proto=ESMTP helo=<esa1.hc374-32.eu.iphmx.com>
Jan 10 10:49:13 pmg postfix/smtpd[901090]: disconnect from esa1.hc374-32.eu.iphmx.com[207.54.68.96] ehlo=2 starttls=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=6/7
 
Not sure - but it seems there is an issue with your DNS server config?
(the domain you listed before does not have an SPF record - so it should not be blocked due to SPF)
 
So if there is no SPF record set it should accept from that domain with any ip?

Message seems to suggest otherwise:

Rejected by SPF: 207.54.68.96 is not a designated mailserver

As if every domain should have an SPF record set?
 
So if there is no SPF record set it should accept from that domain with any ip?
yes - that's the idea - see https://www.rfc-editor.org/rfc/rfc7208#section-8.1
and https://en.wikipedia.org/wiki/Sender_Policy_Framework

Message seems to suggest otherwise:

Rejected by SPF: 207.54.68.96 is not a designated mailserver
Yes - this is why I suggested to check your DNS setup - and to verify that the sending domain indeed does not have an SPF record.
 
But isn't that what a "whitelist" is supposed to do? Especially this is something you have to manually override?
A Whitelist should bypass any RFC, as this is something a system administrator would have to manually put in and understand the risk involved by whitelisting an IP.
Otherwise, this "whitelist" is simply a priority list. It doesn't take in your actual preference of accepting all mails from that host/ip/domain.
 
But isn't that what a "whitelist" is supposed to do? Especially this is something you have to manually override?
It usually does that - to bypass SPF checking, simply whitelist the domain.

Keep in mind that you do have to whitelist the relevant part (i.e. sometimes it is necessary to whitelist the IP, to override DNSBL lookups for that IP).
 
