Mail Proxy Use SPF

osgit

Jan 12, 2021
I have an issue when Mail Gateway is set to Use SPF: it doesn't seem to correctly allow the following domain, which has a more specialized SPF record using this, for example: exists:%{i}.spf.hc4187-23.iphmx.com. Do you have any workaround, other than whitelisting their domain under Mail Proxy and/or disabling Use SPF, or is there some flag that needs to be set to properly resolve this type of SPF record?

Domain:
Code:
chrobinson.com
MX Record:
Code:
chrobinson.com.         300     IN      TXT     "v=spf1 mx ip4:168.208.200.0/24 ip4:168.208.16.0/24 exists:%{i}.spf.hc4187-23.iphmx.com -all"
Error with Use SPF enabled:
Code:
NOQUEUE: reject: RCPT from esa.hc4187-23.iphmx.com[68.232.131.43]: 554 5.7.1 <user@domain.com>: Recipient address rejected: Rejected by SPF: 68.232.131.43 is not a designated mailserver for prvs%3D13886b7e3%3Dsome.user%40chrobinson.com (context mfrom, on smtp.domain.com); from=<prvs=13886b7e3=some.user@chrobinson.com> to=<user@domain.com> proto=ESMTP helo=<esa.hc4187-23.iphmx.com>
 
what is your 'pmgversion -v' ?
 
what is your 'pmgversion -v' ?
Here you go:
Code:
pmgversion -v
proxmox-mailgateway: 7.1-1 (API: 7.1-3/4c093c92, running kernel: 5.13.19-6-pve)
pmg-api: 7.1-3
pmg-gui: 3.1-3
pve-kernel-helper: 7.2-3
pve-kernel-5.13: 7.1-9
pve-kernel-5.4: 6.4-15
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.4.174-2-pve: 5.4.174-2
pve-kernel-5.4.166-1-pve: 5.4.166-1
pve-kernel-5.4.162-1-pve: 5.4.162-2
pve-kernel-5.4.157-1-pve: 5.4.157-1
pve-kernel-5.4.151-1-pve: 5.4.151-1
pve-kernel-5.4.143-1-pve: 5.4.143-1
pve-kernel-5.4.140-1-pve: 5.4.140-1
pve-kernel-5.4.128-1-pve: 5.4.128-2
pve-kernel-5.4.124-1-pve: 5.4.124-2
pve-kernel-5.4.119-1-pve: 5.4.119-1
pve-kernel-5.4.114-1-pve: 5.4.114-1
pve-kernel-5.4.106-1-pve: 5.4.106-1
pve-kernel-5.4.103-1-pve: 5.4.103-1
pve-kernel-5.4.101-1-pve: 5.4.101-1
pve-kernel-5.4.78-2-pve: 5.4.78-2
pve-kernel-5.4.78-1-pve: 5.4.78-1
pve-kernel-5.4.73-1-pve: 5.4.73-1
pve-kernel-5.4.65-1-pve: 5.4.65-1
pve-kernel-5.4.30-1-pve: 5.4.30-1
clamav-daemon: 0.103.5+dfsg-0+deb11u1
ifupdown: 0.8.36+pve1
libarchive-perl: 3.4.0-1
libjs-extjs: 7.0.0-1
libjs-framework7: 4.4.7-1
libproxmox-acme-perl: 1.4.2
libproxmox-acme-plugins: 1.4.2
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-1
libpve-http-server-perl: 4.1-2
libxdgmime-perl: 1.0-1
lvm2: 2.03.11-2.1
pmg-docs: 7.1-2
pmg-i18n: 2.7-2
pmg-log-tracker: 2.3.1-1
postgresql-13: 13.7-0+deb11u1
proxmox-mini-journalreader: 1.3-1
proxmox-spamassassin: 3.4.6-4
proxmox-widget-toolkit: 3.5.1
pve-firmware: 3.4-2
pve-xtermjs: 4.16.0-1
zfsutils-linux: 2.1.4-pve1
 
do you by any chance use pfsense as your dns resolver? maybe it's the same (or a similar) issue to this: https://forum.proxmox.com/threads/rejected-mail-but-spf-record-seems-to-be-ok.84888/#post-372884
I have put those fixes in place for quite some time, is there something specific to this?

Code:
server:
private-address: 127.0.0.0/8
private-domain: "zen.spamhaus.org"
private-domain: "bl.spamcop.net"
private-domain: "psbl.surriel.com"
private-domain: "spamrbl.imp.ch"
private-domain: "noptr.spamrats.com"
private-domain: "escalations.dnsbl.sorbs.net"
private-domain: "bl.score.senderscore.com"
private-domain: "bl.spameatingmonkey.net"
private-domain: "rbl.realtimeblacklist.com"
private-domain: "dnsbl.dronebl.org"
private-domain: "ix.dnsbl.manitu.net"
private-domain: "b.barracudacentral.org"
private-domain: "truncate.gbudb.net"
private-domain: "bl.blocklist.de"
 
the problem here seems to be that while the spf record says it's ok when '%{i}.spf.hc4187-23.iphmx.com' exists, it resolves to 127.0.0.2:
Code:
68.232.131.43.spf.hc4187-23.iphmx.com. 3600 IN A 127.0.0.2

which is blocked by pfsense since dns *should* not resolve to a local ip...
 
the problem here seems to be that while the spf record says it's ok when '%{i}.spf.hc4187-23.iphmx.com' exists, it resolves to 127.0.0.2:
Code:
68.232.131.43.spf.hc4187-23.iphmx.com. 3600 IN A 127.0.0.2

which is blocked by pfsense since dns *should* not resolve to a local ip...
I disabled DNS Rebind Check for testing purposes. I'll let you know what happens the next time I receive an email from them and report back the results. Thank you. :)
 
So I got two emails from this domain and they were both rejected.
Code:
Jul 22 07:50:00 smtp postfix/smtpd[162078]: connect from esa.hc4187-23.iphmx.com[68.232.131.43]
Jul 22 07:50:01 smtp postfix/smtpd[162078]: Anonymous TLS connection established from esa.hc4187-23.iphmx.com[68.232.131.43]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 22 07:50:01 smtp postfix/smtpd[162078]: NOQUEUE: reject: RCPT from esa.hc4187-23.iphmx.com[68.232.131.43]: 554 5.7.1 <user@domain.com>: Recipient address rejected: Rejected by SPF: 68.232.131.43 is not a designated mailserver for prvs%3D195daca47%3Duser%40chrobinson.com (context mfrom, on smtp.domain.com); from=<prvs=195daca47=user@chrobinson.com> to=<user@domain.com> proto=ESMTP helo=<esa.hc4187-23.iphmx.com>
Jul 22 07:50:06 smtp postfix/smtpd[162078]: disconnect from esa.hc4187-23.iphmx.com[68.232.131.43] ehlo=2 starttls=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=6/7
 
what does
Code:
dig 68.232.131.43.spf.hc4187-23.iphmx.com
show on your pmg installation? (you might need to install the package 'bind9-dnsutils' )
 
what does
Code:
dig 68.232.131.43.spf.hc4187-23.iphmx.com
show on your pmg installation? (you might need to install the package 'bind9-dnsutils' )
Sure, here is the response:
Code:
dig 68.232.131.43.spf.hc4187-23.iphmx.com

; <<>> DiG 9.16.27-Debian <<>> 68.232.131.43.spf.hc4187-23.iphmx.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12400
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;68.232.131.43.spf.hc4187-23.iphmx.com. IN A

;; Query time: 96 msec
;; SERVER: 192.168.56.1#53(192.168.56.1)
;; WHEN: Thu Jul 28 12:00:50 MST 2022
;; MSG SIZE  rcvd: 66
 
Getting the issue with another domain now as well:

Domain:
Code:
medline.com
SPF Record:
Code:
medline.com.            1800    IN      TXT     "v=spf1 mx a ip4:205.233.244.245 ip4:205.233.245.135 ip4:205.233.245.77 include:_spf-a.medline.com include:_spf-b.medline.com include:_spf-c.medline.com -all"
Code:
Aug 16 08:23:21 smtp postfix/smtpd[255412]: connect from smtp-esa2.cloud.opentext.com[150.105.217.150]
Aug 16 08:23:21 smtp postfix/smtpd[255412]: Anonymous TLS connection established from smtp-esa2.cloud.opentext.com[150.105.217.150]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 16 08:23:22 smtp postfix/smtpd[255412]: NOQUEUE: reject: RCPT from smtp-esa2.cloud.opentext.com[150.105.217.150]: 554 5.7.1 <orders@domain.com>: Recipient address rejected: Rejected by SPF: 150.105.217.150 is not a designated mailserver for vendorrelations%40medline.com (context mfrom, on smtp.domain.com); from=<VendorRelations@medline.com> to=<orders@domain.com> proto=ESMTP helo=<smtp-esa2.cloud.opentext.com>
Aug 16 08:23:27 smtp postfix/smtpd[255412]: disconnect from smtp-esa2.cloud.opentext.com[150.105.217.150] ehlo=2 starttls=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=6/7
 
the link you posted specifically says:
SPF Failed for IP - 150.105.217.150

so if the mail got rejected based on SPF, this is what I would expect?
 
can you please also post the relevant logs from pmg?

EDIT: please also include the output of dig - as @dcsapak requested for chrobinson above
 
can you please also post the relevant logs from pmg?

EDIT: please also include the output of dig - as @dcsapak requested for chrobinson above
Here is the log:
Code:
Aug 29 07:55:51 smtp postfix/smtpd[40934]: connect from esa2.hc2841-9.iphmx.com[216.71.140.81]
Aug 29 07:55:51 smtp postfix/smtpd[40934]: Anonymous TLS connection established from esa2.hc2841-9.iphmx.com[216.71.140.81]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 29 07:55:52 smtp postfix/smtpd[40934]: NOQUEUE: reject: RCPT from esa2.hc2841-9.iphmx.com[216.71.140.81]: 554 5.7.1 <support@domain.com>: Recipient address rejected: Rejected by SPF: 216.71.140.81 is not a designated mailserver for prvs%3D233365bfc%3Deprater%40hiscoinc.com (context mfrom, on smtp.domain.com); from=<prvs=233365bfc=eprater@hiscoinc.com> to=<support@domain.com> proto=ESMTP helo=<esa2.hc2841-9.iphmx.com>
Aug 29 07:55:57 smtp postfix/smtpd[40934]: disconnect from esa2.hc2841-9.iphmx.com[216.71.140.81] ehlo=2 starttls=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=6/7
and dig:
Code:
dig 216.71.140.81.spf.hc2841-9.iphmx.com

; <<>> DiG 9.16.27-Debian <<>> 216.71.140.81.spf.hc2841-9.iphmx.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44173
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;216.71.140.81.spf.hc2841-9.iphmx.com. IN A

;; Query time: 172 msec
;; SERVER: 192.168.56.1#53(192.168.56.1)
;; WHEN: Mon Aug 29 10:30:04 MST 2022
;; MSG SIZE  rcvd: 65
 
sorry, I should have been clearer - don't just take the command @dcsapak wrote - but do the dns lookups for the concrete spf-record and example.…

in this case - the matching part is:
Code:
dig 216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com
 
sorry, I should have been clearer - don't just take the command @dcsapak wrote - but do the dns lookups for the concrete spf-record and example.…

in this case - the matching part is:
Code:
dig 216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com
Makes sense, here is that output.
Code:
dig 216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com

; <<>> DiG 9.16.27-Debian <<>> 216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12190
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;216.71.140.81._i.hiscoinc.com._d.espf.dmp.cisco.com. IN        A

;; Query time: 884 msec
;; SERVER: 192.168.56.1#53(192.168.56.1)
;; WHEN: Tue Aug 30 08:18:55 MST 2022
;; MSG SIZE  rcvd: 80
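Added example, not from the thread or from Proxmox: a small Python model of the failure dcsapak describes and of the lookups requested for chrobinson.com and hiscoinc.com. It expands the `exists:` macro target for a sender IP, then runs the lookup through a resolver that drops private/loopback answers the way pfSense's DNS rebind protection does, so a record that really exists (the 127.0.0.2 answer shown above) becomes "no record" and the SPF check fails. The DNS data is constructed inline, and the hiscoinc.com mechanism `%{i}._i.%{d}._d.espf.dmp.cisco.com` is assumed from the dig command Stoiko asked for, not taken from a published record.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the upstream DNS data discussed in the thread: the
# chrobinson.com exists: target answers with a loopback address (127.0.0.2).
UPSTREAM_DNS: Dict[str, List[str]] = {
    "68.232.131.43.spf.hc4187-23.iphmx.com": ["127.0.0.2"],
}
Resolver = Callable[[str], List[str]]


def expand_spf_macro(spec: str, ip: str, sender: str, domain: str) -> str:
    """Expand the plain RFC 7208 macros %{i} %{s} %{l} %{o} %{d} (IPv4 only).
    Transformers such as %{ir} or %{d2} are out of scope and rejected."""
    local, _, sender_domain = sender.rpartition("@")
    local = local or "postmaster"  # RFC 7208 4.3: default local-part
    macros = {"i": ip, "s": sender, "l": local, "o": sender_domain, "d": domain}
    out: List[str] = []
    i = 0
    while i < len(spec):
        if spec.startswith("%%", i):          # literal percent sign
            out.append("%")
            i += 2
        elif spec.startswith("%{", i):        # macro expansion
            end = spec.find("}", i)
            letter = spec[i + 2:end].lower() if end != -1 else ""
            if letter not in macros:
                raise ValueError(f"unsupported macro at offset {i} in {spec!r}")
            out.append(macros[letter])
            i = end + 1
        else:
            out.append(spec[i])
            i += 1
    return "".join(out)


def rebind_protected(answers: List[str]) -> List[str]:
    """Model unbound's private-address filtering: keep only globally routable A records."""
    return [a for a in answers if ipaddress.ip_address(a).is_global]


def diagnose_exists(spec: str, ip: str, sender: str, domain: str,
                    upstream: Resolver) -> Tuple[str, str]:
    """Evaluate an exists: mechanism behind a rebind-filtering resolver.
    Verdicts: 'match' (record visible), 'filtered' (upstream answered only with
    private/loopback addresses, which the resolver drops, so SPF fails) or
    'nomatch' (no record upstream either)."""
    name = expand_spf_macro(spec, ip, sender, domain)
    raw = upstream(name)
    if rebind_protected(raw):
        return name, "match"
    return name, "filtered" if raw else "nomatch"
```

Pointing `upstream` at a real resolver (e.g. a `dig +short` wrapper) turns this into the check Stoiko asked for: a 'filtered' verdict means the PMG box should query a resolver without rebind protection for that zone, or the zone should be exempted from it.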