[SOLVED] Mail from postfix server to PMG gets SPF error

markc
Sep 12, 2020
I probably misunderstand how to set this up, but I have two PVE VMs, one long time Ubuntu VM with postfix/dovecot acting as my local public facing mailserver on my LAN. I've tried 3 times to set up pmg-api/7.3-3/a3d66da0 (running kernel: 5.15.107-2-pve) and follow whatever guides I can find to get my mailserver VM to talk to the PMG VM but I keep getting an SPF error.

My Ubuntu mailserver VM is 192.168.x.213 (mail.xcoast.org) and the PMG VM is 192.168.x.244 (mx1.xcoast.org). I use pihole to provide local DNS/PTR resolution for a "real" domain of xcoast.org and both VMs use pihole in /etc/resolv.conf. Pihole then uses my local broadband provider's DNS servers (not 1.1.1.1 or 8.8.8.8) so RBL lookups will work. Main router port forwards to 192.168.x.244:26

My (mail.xcoast.org) 192.168.x.213 mailserver's main.cf has relayhost = 192.168.x.244:26 (mx1.xcoast.org) added to what is a working postfix server (with spf, dkim, dmarc etc). Within PMG, the changed settings are...

Mail Proxy > Relaying > Default Relay is set to 192.168.x.213
Relay Domains = xcoast.org
Ports = External 25 - Internal 26
Options > Use SPF = no
Transports = xcoast.org - 192.168.x.213 - smtp - 25 - no
Networks =
DKIM = no
Whitelist = IP Network - sender - 192.168.x.0/24

I think all else is default (a fresh reinstall). Outgoing mail to my mailserver (unchanged in my MUA) from local markc@xcoast.org to remote markc@xxxxx.net relayed through PMG works. Replying back to that message from my remote offsite markc@xxxxx.net mail account gets...

mx1.xcoast.org - 192.168.x.244 (PMG)

Code:
May 18 21:14:49 mx1 postfix/postscreen[1521]: CONNECT from [203.25.xxx.xxx]:40111 to [192.168.x.244]:25
May 18 21:14:49 mx1 postfix/postscreen[1521]: PASS OLD [203.25.xxx.xxx]:40111
May 18 21:14:49 mx1 postfix/smtpd[1743]: connect from mail.xxxxx.net[203.25.xxx.xxx]
May 18 21:14:49 mx1 pmgpolicy[1490]: reloading configuration Proxmox_ruledb
May 18 21:14:49 mx1 postfix/smtpd[1743]: 8AAB7201A0: client=mail.xxxxx.net[203.25.xxx.xxx]
May 18 21:14:49 mx1 postfix/cleanup[1747]: 8AAB7201A0: message-id=<ddf72be1-0a94-0bb7-5e35-d3c384af8910@xxxxx.net>
May 18 21:14:49 mx1 postfix/qmgr[1202]: 8AAB7201A0: from=<markc@xxxxx.net>, size=1705, nrcpt=1 (queue active)
May 18 21:14:49 mx1 postfix/smtpd[1743]: disconnect from mail.xxxxx.net[203.25.xxx.xxx] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 18 21:14:49 mx1 pmg-smtp-filter[1393]: 2023/05/18-21:14:49 CONNECT TCP Peer: "[127.0.0.1]:40550" Local: "[127.0.0.1]:10024"
May 18 21:14:49 mx1 pmg-smtp-filter[1393]: reloading configuration Proxmox_ruledb
May 18 21:14:49 mx1 pmg-smtp-filter[1393]: 202D7646608A9AC394: new mail message-id=<ddf72be1-0a94-0bb7-5e35-d3c384af8910@xxxxx.net>#012
May 18 21:14:50 mx1 pmg-smtp-filter[1393]: 202D7646608A9AC394: SA score=0/5 time=0.711 bayes=undefined autolearn=no autolearn_force=no hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),KAM_NUMSUBJECT(0.5),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01)
May 18 21:14:50 mx1 postfix/smtpd[1753]: connect from localhost.localdomain[127.0.0.1]
May 18 21:14:50 mx1 postfix/smtpd[1753]: 7526D202DF: client=localhost.localdomain[127.0.0.1], orig_client=mail.xxxxx.net[203.25.xxx.xxx]
May 18 21:14:50 mx1 postfix/cleanup[1747]: 7526D202DF: message-id=<ddf72be1-0a94-0bb7-5e35-d3c384af8910@xxxxx.net>
May 18 21:14:50 mx1 postfix/qmgr[1202]: 7526D202DF: from=<markc@xxxxx.net>, size=2550, nrcpt=1 (queue active)
May 18 21:14:50 mx1 pmg-smtp-filter[1393]: 202D7646608A9AC394: accept mail to <markc@xcoast.org> (7526D202DF) (rule: default-accept)
May 18 21:14:50 mx1 postfix/smtpd[1753]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
May 18 21:14:50 mx1 pmg-smtp-filter[1393]: 202D7646608A9AC394: processing time: 0.833 seconds (0.711, 0.032, 0)
May 18 21:14:50 mx1 postfix/lmtp[1748]: 8AAB7201A0: to=<markc@xcoast.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.1, delays=0.1/0.03/0.07/0.86, dsn=2.5.0, status=sent (250 2.5.0 OK (202D7646608A9AC394))
May 18 21:14:50 mx1 postfix/qmgr[1202]: 8AAB7201A0: removed
May 18 21:14:50 mx1 postfix/smtp[1754]: Trusted TLS connection established to 192.168.x.213[192.168.x.213]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)
May 18 21:14:51 mx1 postfix/smtp[1754]: 7526D202DF: to=<markc@xcoast.org>, relay=192.168.x.213[192.168.x.213]:25, delay=0.79, delays=0.06/0.03/0.45/0.25, dsn=5.7.1, status=bounced (host 192.168.x.213[192.168.x.213] said: 550 5.7.1 <markc@xcoast.org>: Recipient address rejected: Please see http://www.openspf.org/Why?s=mfrom;id=markc%40xxxxx.net;ip=192.168.x.244;r=mail.xcoast.org (in reply to RCPT TO command))
May 18 21:14:51 mx1 postfix/cleanup[1747]: 41865202E1: message-id=<20230518111451.41865202E1@mx1.xcoast.org>
May 18 21:14:51 mx1 postfix/bounce[1755]: 7526D202DF: sender non-delivery notification: 41865202E1
May 18 21:14:51 mx1 postfix/qmgr[1202]: 41865202E1: from=<>, size=4832, nrcpt=1 (queue active)
May 18 21:14:51 mx1 postfix/qmgr[1202]: 7526D202DF: removed
May 18 21:14:51 mx1 postfix/smtp[1754]: Trusted TLS connection established to mail.xxxxx.net[203.25.xxx.xxx]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)
May 18 21:14:51 mx1 postfix/smtp[1754]: 41865202E1: to=<markc@xxxxx.net>, relay=mail.xxxxx.net[203.25.xxx.xxx]:25, delay=0.65, delays=0.01/0/0.32/0.31, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as CC9761E09CF)
May 18 21:14:51 mx1 postfix/qmgr[1202]: 41865202E1: removed

mail.xcoast.org - 192.168.x.213 (Postfix/Dovecot VM)

Code:
May 18 21:12:53 mail 0.0.0.0/postscreen[4121]: CONNECT from [192.168.x.244]:45702 to [192.168.x.213]:25
May 18 21:12:53 mail 0.0.0.0/postscreen[4121]: PASS OLD [192.168.x.244]:45702
May 18 21:12:53 mail 0.0.0.0/smtpd[4123]: connect from mx1.xcoast.org[192.168.x.244]
May 18 21:12:54 mail postfix/policy-spf[4128]: Policy action=550 Please see http://www.openspf.org/Why?s=mfrom;id=markc%40xxxxx.net;ip=192.168.x.244;r=mail.xcoast.org
May 18 21:12:54 mail 0.0.0.0/smtpd[4123]: NOQUEUE: reject: RCPT from mx1.xcoast.org[192.168.x.244]: 550 5.7.1 <markc@xcoast.org>: Recipient address rejected: Please see http://www.openspf.org/Why?s=mfrom;id=markc%40xxxxx.net;ip=192.168.x.244;r=mail.xcoast.org; from=<markc@xxxxx.net> to=<markc@xcoast.org> proto=ESMTP helo=<mx1.xcoast.org>
May 18 21:12:54 mail 0.0.0.0/smtpd[4123]: disconnect from mx1.xcoast.org[192.168.x.244] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

Hopefully I've made a silly, dumb mistake. Can anyone see it?

 
On a quick look at the logs:

host 192.168.x.213[192.168.x.213] said: 550 5.7.1 <markc@xcoast.org>: Recipient address rejected
(postfix/policy-spf in the logs from 192.168.x.213 also says this)
The mail is rejected by 192.168.x.213 - because your PMG(192.168.x.244) is not in the SPF record of xxxxx.net
PMG can do SPF checks quite fine - consider simply disabling them in your downstream server (192.168.x.213)
or simply add PMG's IP as trusted relay to it.


Pihole then uses my local broadband provider's DNS servers (not 1.1.1.1 or 8.8.8.8) so RBL lookups will work.
Not necessarily - usually an ISP's DNS servers are used by quite many customers running DNS queries - so check the logs to see if you are indeed not blocked by the DNSBL providers.
You can set up a dedicated DNS resolver on PMG, which usually is enough for most setups to not run into rate limits:
https://pmg.proxmox.com/wiki/index.php/DNS_server_on_Proxmox_Mail_Gateway

I hope this helps!
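To make the mechanism behind the reply above concrete: SPF is evaluated against the IP address of whichever host is connecting, so a downstream server behind a relay only ever sees the relay's LAN address, which is never in the remote sender's SPF record. The following is an added example, not code from the thread or from Proxmox; it is a toy SPF evaluator with a constructed in-memory DNS table (the sender domain xxxxx.net, 203.25.10.20 standing in for the redacted sender IP, and 192.168.1.244 standing in for the redacted PMG address are all assumptions) that reproduces the pass at the edge, the fail at the downstream server, and the effect of treating the relay as trusted.

```python
"""Toy SPF policy check showing why a mailserver behind a relay rejects mail
the edge already accepted. Added example; records and addresses below are
constructed to mirror the thread, not real DNS data."""
import ipaddress
import re

# Constructed DNS zone data: the remote sender authorises only its own netblock.
FAKE_TXT_RECORDS = {
    "xxxxx.net": "v=spf1 ip4:203.25.0.0/16 -all",      # constructed
    "xcoast.org": "v=spf1 ip4:192.168.1.244 ~all",     # constructed
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for a TXT lookup; reads the constructed table instead of DNS."""
    return FAKE_TXT_RECORDS.get(domain)


def check_spf(client_ip, sender_domain):
    """Minimal SPF evaluation: handles ip4:/ip6: (with optional CIDR) and 'all'.
    Mechanisms that need further DNS (a, mx, include) are skipped here.
    Returns one of pass / fail / softfail / neutral / none."""
    record = lookup_spf(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)(ip4|ip6|all)(?::(.+))?", term)
        if not m:
            continue
        qual = QUALIFIERS[m.group(1) or "+"]
        mech, arg = m.group(2), m.group(3)
        if mech == "all":
            return qual
        if arg is None:
            continue
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            continue
        if ip.version == net.version and ip in net:
            return qual
    return "neutral"


def policy_action(client_ip, mail_from, trusted_relays=()):
    """Mimic a check_policy_service decision. Connections from a trusted relay
    are not SPF-checked (DUNNO) because the relay's own address can never be
    in the original sender's record; everything else rejects a hard fail."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n, strict=False) for n in trusted_relays):
        return "DUNNO"
    domain = mail_from.rpartition("@")[2]
    result = check_spf(client_ip, domain)
    if result == "fail":
        return f"550 SPF fail: {client_ip} is not authorised to send for {domain}"
    return "DUNNO"


if __name__ == "__main__":
    # Edge (PMG) sees the real remote sender: the check passes.
    print("PMG   :", policy_action("203.25.10.20", "markc@xxxxx.net"))
    # Downstream mailserver only sees PMG's LAN address: the check fails.
    print("inside:", policy_action("192.168.1.244", "markc@xxxxx.net"))
    # Same connection with PMG listed as a trusted relay: check is skipped.
    print("fixed :", policy_action("192.168.1.244", "markc@xxxxx.net",
                                   trusted_relays=["192.168.1.244/32"]))
```

The design point is the one the reply makes: the SPF decision belongs on the host that receives the connection from the internet, and an internal hop must either skip the check for its trusted upstream relay or not run it at all, otherwise every legitimate external message fails.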
 
Thanks yet again, Stoiko. I disabled spf, dkim and dmarc on my mailserver and sure enough emails are no longer rejected by PMG. The same SPF rejection error appeared in both logs, so it wasn't obvious to me which server was at fault. Again, for that pesky futureme, these are the changed settings for postfix on my manually managed mailserver (just reverse these changes to return to a normal working standalone mailserver)...

/etc/postfix/main.cf

Code:
relayhost = 192.168.x.244:26

#smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:54321
#non_smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:54321

smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination reject_non_fqdn_recipient
    reject_unknown_recipient_domain
#    check_policy_service unix:private/policy-spf

/etc/postfix/master.cf

Code:
#policy-spf unix  -       n       n       -       -       spawn user=nobody
#    argv=/usr/sbin/postfix-policyd-spf-perl
 
Glad you found the issue and managed to resolve it :)