Mail Proxy Use SPF

osgit

Member
Jan 12, 2021
I have an issue when Mail Gateway is set to Use SPF, that it doesn't seem to work correctly to allow the following domain with a more specialized SPF record where they are using this for example: exists:%{i}.spf.hc4187-23.iphmx.com. Do you have any workaround, other than whitelisting their domain under Mail Proxy and/or disabling Use SPF or some flag that needs to be set to properly resolve this type of SPF record?

Domain:
Code:
chrobinson.com
MX Record:
Code:
chrobinson.com.         300     IN      TXT     "v=spf1 mx ip4:168.208.200.0/24 ip4:168.208.16.0/24 exists:%{i}.spf.hc4187-23.iphmx.com -all"
Error with Use SPF enabled:
Code:
NOQUEUE: reject: RCPT from esa.hc4187-23.iphmx.com[68.232.131.43]: 554 5.7.1 <user@domain.com>: Recipient address rejected: Rejected by SPF: 68.232.131.43 is not a designated mailserver for prvs%3D13886b7e3%3Dsome.user%40chrobinson.com (context mfrom, on smtp.domain.com); from=<prvs=13886b7e3=some.user@chrobinson.com> to=<user@domain.com> proto=ESMTP helo=<esa.hc4187-23.iphmx.com>
 

dcsapak

Proxmox Staff Member
Staff member
Feb 1, 2016
Vienna
what is your 'pmgversion -v'?
 

osgit

Member
Jan 12, 2021
what is your 'pmgversion -v'?
Here you go:
Code:
pmgversion -v
proxmox-mailgateway: 7.1-1 (API: 7.1-3/4c093c92, running kernel: 5.13.19-6-pve)
pmg-api: 7.1-3
pmg-gui: 3.1-3
pve-kernel-helper: 7.2-3
pve-kernel-5.13: 7.1-9
pve-kernel-5.4: 6.4-15
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.4.174-2-pve: 5.4.174-2
pve-kernel-5.4.166-1-pve: 5.4.166-1
pve-kernel-5.4.162-1-pve: 5.4.162-2
pve-kernel-5.4.157-1-pve: 5.4.157-1
pve-kernel-5.4.151-1-pve: 5.4.151-1
pve-kernel-5.4.143-1-pve: 5.4.143-1
pve-kernel-5.4.140-1-pve: 5.4.140-1
pve-kernel-5.4.128-1-pve: 5.4.128-2
pve-kernel-5.4.124-1-pve: 5.4.124-2
pve-kernel-5.4.119-1-pve: 5.4.119-1
pve-kernel-5.4.114-1-pve: 5.4.114-1
pve-kernel-5.4.106-1-pve: 5.4.106-1
pve-kernel-5.4.103-1-pve: 5.4.103-1
pve-kernel-5.4.101-1-pve: 5.4.101-1
pve-kernel-5.4.78-2-pve: 5.4.78-2
pve-kernel-5.4.78-1-pve: 5.4.78-1
pve-kernel-5.4.73-1-pve: 5.4.73-1
pve-kernel-5.4.65-1-pve: 5.4.65-1
pve-kernel-5.4.30-1-pve: 5.4.30-1
clamav-daemon: 0.103.5+dfsg-0+deb11u1
ifupdown: 0.8.36+pve1
libarchive-perl: 3.4.0-1
libjs-extjs: 7.0.0-1
libjs-framework7: 4.4.7-1
libproxmox-acme-perl: 1.4.2
libproxmox-acme-plugins: 1.4.2
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-1
libpve-http-server-perl: 4.1-2
libxdgmime-perl: 1.0-1
lvm2: 2.03.11-2.1
pmg-docs: 7.1-2
pmg-i18n: 2.7-2
pmg-log-tracker: 2.3.1-1
postgresql-13: 13.7-0+deb11u1
proxmox-mini-journalreader: 1.3-1
proxmox-spamassassin: 3.4.6-4
proxmox-widget-toolkit: 3.5.1
pve-firmware: 3.4-2
pve-xtermjs: 4.16.0-1
zfsutils-linux: 2.1.4-pve1
 

osgit

Member
Jan 12, 2021
do you by any chance use pfsense as your dns resolver? maybe it's the same (or a similar) issue to this: https://forum.proxmox.com/threads/rejected-mail-but-spf-record-seems-to-be-ok.84888/#post-372884
I have put those fixes in place for quite some time. Is there something specific to this?

Code:
server:
private-address: 127.0.0.0/8
private-domain: "zen.spamhaus.org"
private-domain: "bl.spamcop.net"
private-domain: "psbl.surriel.com"
private-domain: "spamrbl.imp.ch"
private-domain: "noptr.spamrats.com"
private-domain: "escalations.dnsbl.sorbs.net"
private-domain: "bl.score.senderscore.com"
private-domain: "bl.spameatingmonkey.net"
private-domain: "rbl.realtimeblacklist.com"
private-domain: "dnsbl.dronebl.org"
private-domain: "ix.dnsbl.manitu.net"
private-domain: "b.barracudacentral.org"
private-domain: "truncate.gbudb.net"
private-domain: "bl.blocklist.de"
 

dcsapak

Proxmox Staff Member
Staff member
Feb 1, 2016
Vienna
the problem here seems to be that while the spf record says it's ok when '%{i}.spf.hc4187-23.iphmx.com' exists, it resolves to 127.0.0.2:
Code:
68.232.131.43.spf.hc4187-23.iphmx.com. 3600 IN A 127.0.0.2

which is blocked by pfsense since dns *should* not resolve to a local ip...
 
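The failure dcsapak describes, modelled as an added Python example (not code from the thread or from Proxmox Mail Gateway): it expands the %{i} macro, applies a resolver filter that drops loopback answers the way pfSense's DNS rebind protection does, and evaluates the record with the filter on, off, and with an assumed private-domain exemption for the iphmx.com zone. The ZONE table is a constructed stand-in for the records quoted above, and the exemption is an assumption for illustration, not the thread's stated fix.

```python
import ipaddress

# Constructed stand-in for the live DNS data quoted in the thread.
ZONE = {
    "chrobinson.com": {"TXT": [
        "v=spf1 mx ip4:168.208.200.0/24 ip4:168.208.16.0/24 "
        "exists:%{i}.spf.hc4187-23.iphmx.com -all"]},
    "68.232.131.43.spf.hc4187-23.iphmx.com": {"A": ["127.0.0.2"]},
}
# unbound's private-address range from the posted pfSense config.
PRIVATE_ADDRESS = [ipaddress.ip_network("127.0.0.0/8")]


def expand_macro(spec, client_ip):
    """Expand %{i}, the only SPF macro this record uses (RFC 7208 section 7)."""
    return spec.replace("%{i}", client_ip)


def resolve(name, rtype, rebind_protection=True, private_domains=()):
    """Model unbound rebind protection: A answers inside private-address are
    dropped unless the name falls under a configured private-domain."""
    answers = ZONE.get(name, {}).get(rtype, [])
    exempt = any(name == d or name.endswith("." + d) for d in private_domains)
    if rtype == "A" and rebind_protection and not exempt:
        answers = [a for a in answers
                   if not any(ipaddress.ip_address(a) in n for n in PRIVATE_ADDRESS)]
    return answers


def spf_result(domain, client_ip, **resolver_opts):
    """Evaluate ip4:, exists: and -all of the domain's SPF record.
    The mx mechanism is skipped; the thread's sender matches neither it nor ip4."""
    terms = ZONE[domain]["TXT"][0].split()[1:]
    ip = ipaddress.ip_address(client_ip)
    for term in terms:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return "pass"
        if term.startswith("exists:"):
            # exists: passes on ANY A answer, whatever address it holds, so
            # 127.0.0.2 is a legitimate answer here; once the resolver drops
            # it, the mechanism sees no record and -all rejects the sender.
            if resolve(expand_macro(term[7:], client_ip), "A", **resolver_opts):
                return "pass"
        if term == "-all":
            return "fail"
    return "neutral"
```

With the filter active the result is "fail", which is exactly the "not a designated mailserver" rejection in the first post; disabling the filter or exempting the zone turns it into "pass".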

osgit

Member
Jan 12, 2021
the problem here seems to be that while the spf record says it's ok when '%{i}.spf.hc4187-23.iphmx.com' exists, it resolves to 127.0.0.2:
Code:
68.232.131.43.spf.hc4187-23.iphmx.com. 3600 IN A 127.0.0.2

which is blocked by pfsense since dns *should* not resolve to a local ip...
I disabled DNS Rebind Check for testing purposes. I'll let you know what happens the next time I receive an email from them and report back the results. Thank you. :)
 