Office365 emails are not getting through

manf0001

Hello,

I'm running a postfix email server at home and I've deployed the Proxmox Mail gateway. Running 7.2-2. If I send emails from hotmail or gmail my emails will get through proxmox.

I've found out that if emails are sent from domains hosted on M365, proxmox will reject the message with the following error: "Recipient address rejected: Message rejected due to: SPF fail - not authorized". I have a few 365 accounts to test with: my work's and my clients', for whom I do admin tasks, and all get the same rejection. I've verified their SPF records are correct, using the default one provided by the 365 setup.

Just to make sure, I changed the port forward rules in the firewall to deliver directly to my mail server, bypassing proxmox, and those same emails do get delivered.

I've done the following:

1) disable spf check... that puts it into a greylist.
2) If I disable spf and greylist - and restart proxmox, the emails from 365 will get bounced again with the error as above.
3) I've whitelisted both an email address and the domain (one at a time) but proxmox keeps rejecting them.

Is there something I can do to allow these emails through?

Thanks
 
Please post the logs for the problematic messages from the Tracking Center, the full log for each message, so we can see what is going on. Without logs we can't help you.

One way to solve this is to just add Microsoft's networks to the mail proxy whitelist. This will bypass SPF checks for their servers, but there is probably something else wrong with your configuration.

To add Microsoft networks to the proxy whitelist you can do this:
Configuration - Mail Proxy - Whitelist - Add - IP Network (Sender) for each record.
Add these networks (from their SPF record, include:spf.protection.outlook.com):
40.92.0.0/15
40.107.0.0/16
52.100.0.0/14
104.47.0.0/17
51.4.72.0/24
51.5.72.0/24
51.5.80.0/27
20.47.149.138/32
51.4.80.0/27

After you have done this, restart the postfix service or these changes are not applied.
Go to Administration - Services, click on the postfix service and click Restart.

Test again whether messages are delivered OK now.
 
Thanks for the response. Unfortunately, the above did not work for me. It's still rejecting the email.

Here is one of the logs (email addresses have been redacted):

Dec 4 17:35:49 mailwash postfix/smtpd[4945]: connect from mail-dm6nam12on2068.outbound.protection.outlook.com[40.107.243.68]
Dec 4 17:35:49 mailwash postfix/smtpd[4945]: 4A7BA1A0B57: client=mail-dm6nam12on2068.outbound.protection.outlook.com[40.107.243.68]
Dec 4 17:35:49 mailwash postfix/cleanup[4949]: 4A7BA1A0B57: message-id=<PH0P222MB0112ABAD4DD2B6D3FD8D8BB2BF199@PH0P222MB0112.NAMP222.PROD.OUTLOOK.COM>
Dec 4 17:35:49 mailwash postfix/qmgr[4769]: 4A7BA1A0B57: from=<365 email>, size=440213, nrcpt=1 (queue active)
Dec 4 17:35:49 mailwash postfix/smtpd[4945]: disconnect from mail-dm6nam12on2068.outbound.protection.outlook.com[40.107.243.68] ehlo=1 mail=1 rcpt=1 bdat=1 quit=1 commands=5
Dec 4 17:35:49 mailwash pmg-smtp-filter[863]: 160776638D20C5C6756: new mail message-id=<PH0P222MB0112ABAD4DD2B6D3FD8D8BB2BF199@PH0P222MB0112.NAMP222.PROD.OUTLOOK.COM>#012
Dec 4 17:35:52 mailwash pmg-smtp-filter[863]: 160776638D20C5C6756: SA score=0/5 time=2.098 bayes=undefined autolearn=no autolearn_force=no hits=AWL(0.025),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_UNSUB1(0.1),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H2(-0.001),RCVD_IN_ZEN_BLOCKED_OPENDNS(0.001),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),URIBL_DBL_BLOCKED_OPENDNS(0.001),URIBL_ZEN_BLOCKED_OPENDNS(0.001)
Dec 4 17:35:52 mailwash postfix/smtpd[4957]: connect from localhost.localdomain[127.0.0.1]
Dec 4 17:35:52 mailwash postfix/smtpd[4957]: 30DB41A1A61: client=localhost.localdomain[127.0.0.1], orig_client=mail-dm6nam12on2068.outbound.protection.outlook.com[40.107.243.68]
Dec 4 17:35:52 mailwash postfix/cleanup[4949]: 30DB41A1A61: message-id=<PH0P222MB0112ABAD4DD2B6D3FD8D8BB2BF199@PH0P222MB0112.NAMP222.PROD.OUTLOOK.COM>
Dec 4 17:35:52 mailwash postfix/qmgr[4769]: 30DB41A1A61: from=<365 email>, size=441773, nrcpt=1 (queue active)
Dec 4 17:35:52 mailwash pmg-smtp-filter[863]: 160776638D20C5C6756: accept mail to <personal email> (30DB41A1A61) (rule: default-accept)
Dec 4 17:35:52 mailwash postfix/smtpd[4957]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Dec 4 17:35:52 mailwash pmg-smtp-filter[863]: 160776638D20C5C6756: processing time: 2.411 seconds (2.098, 0.147, 0)
Dec 4 17:35:52 mailwash postfix/lmtp[4951]: 4A7BA1A0B57: to=<personal email>, relay=127.0.0.1[127.0.0.1]:10024, delay=3, delays=0.38/0.02/0.12/2.5, dsn=2.5.0, status=sent (250 2.5.0 OK (160776638D20C5C6756))
Dec 4 17:35:52 mailwash postfix/qmgr[4769]: 4A7BA1A0B57: removed
Dec 4 17:35:53 mailwash postfix/smtp[4958]: 30DB41A1A61: to=<personal email>, relay=192.168.6.167[192.168.6.167]:25, delay=1.4, delays=0.07/0.02/0.1/1.2, dsn=5.7.23, status=bounced (host 192.168.6.167[192.168.6.167] said: 550 5.7.23 <personal email>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=365 email;ip=192.168.6.168;r=<UNKNOWN> (in reply to RCPT TO command))
Dec 4 17:35:53 mailwash postfix/qmgr[4769]: 30DB41A1A61: removed



My initial setup was very basic.

Under Configuration - Mail Proxy - Relaying, I have the internal IP address of my mail server as the Default Relay, and my domain name under the Relay Domains tab.
 
Dec 4 17:35:53 mailwash postfix/smtp[4958]: 30DB41A1A61: to=<personal email>, relay=192.168.6.167[192.168.6.167]:25, delay=1.4, delays=0.07/0.02/0.1/1.2, dsn=5.7.23, status=bounced (host 192.168.6.167[192.168.6.167] said: 550 5.7.23 <personal email>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=365 email;ip=192.168.6.168;r=<UNKNOWN> (in reply to RCPT TO command))
Dec 4 17:35:53 mailwash postfix/qmgr[4769]: 30DB41A1A61: removed
Your downstream server (the one at 192.168.6.167) rejects the mail because it does not pass SPF verification (which is clear, since your PMG will not be in the SPF record of a domain on the internet...)

-> Configure your downstream mailer to 'trust' mails from your PMG...

else
URIBL_DBL_BLOCKED_OPENDNS(0.001),URIBL_ZEN_BLOCKED_OPENDNS(0.001)
These hits indicate that you use a (public) DNS resolver which is over quota at many of the DNSBLs SpamAssassin is using. Consider changing that (otherwise the detection rates will be quite bad); see:
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway
(all of it - but especially: https://pmg.proxmox.com/wiki/index....dicated_DNS_Resolver_on_Proxmox_Mail_Gateway_
 

Ahh, that makes sense now. Because my PMG was forwarding that email, my postfix couldn't properly verify it, as it thought it was coming from it and not MS. Once I added my PMG to my postfix mynetworks field, it accepted the emails from 365 perfectly, without the whitelisted networks above. Thanks
 
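The diagnosis reached in this thread can be checked mechanically from the gateway's log. The following is an added example, not code from the thread or from Proxmox: it pairs each SPF bounce from the next hop with the `orig_client` recorded at re-injection and reports bounces where the downstream server evaluated SPF against a different address. The function name, the result keys and the placeholder mailbox addresses in the constructed sample are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's log; mailbox addresses are placeholders.
SAMPLE_LOG = """\
Dec 4 17:35:52 mailwash postfix/smtpd[4957]: 30DB41A1A61: client=localhost.localdomain[127.0.0.1], orig_client=mail-dm6nam12on2068.outbound.protection.outlook.com[40.107.243.68]
Dec 4 17:35:53 mailwash postfix/smtp[4958]: 30DB41A1A61: to=<user@example.org>, relay=192.168.6.167[192.168.6.167]:25, delay=1.4, dsn=5.7.23, status=bounced (host 192.168.6.167[192.168.6.167] said: 550 5.7.23 <user@example.org>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=sender@example.com;ip=192.168.6.168;r=<UNKNOWN> (in reply to RCPT TO command))
"""

IP = r"([0-9A-Fa-f.:]+)"
# Re-injection after filtering: records the Internet-facing client as orig_client.
ORIG_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=.*orig_client=\S+\[" + IP + r"\]")
# Bounce from the next hop whose reply says which IP its SPF check evaluated.
BOUNCE_RE = re.compile(
    r"postfix/smtp\[\d+\]: (\w+): .*relay=\S+\[" + IP + r"\]:\d+.*status=bounced"
    r".*SPF fail.*?ip=" + IP + ";"
)

def find_misplaced_spf_checks(log_text):
    """Return SPF bounces where the downstream server evaluated SPF against
    an address other than the original sending client (e.g. the gateway)."""
    orig_client = {}   # queue id -> IP of the real sending server
    findings = []
    for line in log_text.splitlines():
        m = ORIG_RE.search(line)
        if m:
            orig_client[m.group(1)] = m.group(2)
            continue
        m = BOUNCE_RE.search(line)
        if not m:
            continue
        qid, rejecting_host, checked = m.groups()
        sender = orig_client.get(qid)
        # Without an orig_client record, fall back to "SPF run on a private IP".
        mismatch = sender != checked if sender else ipaddress.ip_address(checked).is_private
        if mismatch:
            findings.append({
                "queue_id": qid,
                "rejecting_host": rejecting_host,
                "spf_checked_ip": checked,
                "original_client_ip": sender,
            })
    return findings

if __name__ == "__main__":
    for f in find_misplaced_spf_checks(SAMPLE_LOG):
        print(f)
```

A finding means the SPF check is running on the wrong hop: the downstream server should trust the gateway (as done here via `mynetworks`) and leave SPF enforcement to the gateway, which sees the real client address.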
