[SOLVED] Rejected by SPF: IP is not a designated mailserver for ...

ljety

Active Member
Oct 25, 2018
43
9
28
I have 2 node cluster. Works well but last time I get a lot of rejects for one domain.

Get this error issue:

Code:
Nov 25 15:26:48 pmg postfix/smtpd[30129]: connect from esa2.hc333-29.ca.iphmx.com[216.71.130.199]
Nov 25 15:26:49 pmg postfix/smtpd[30129]: Anonymous TLS connection established from esa2.hc333-29.ca.iphmx.com[216.71.130.199]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 25 15:26:51 pmg postfix/smtpd[30129]: NOQUEUE: reject: RCPT from esa2.hc333-29.ca.iphmx.com[216.71.130.199]: 554 5.7.1 <ab@domain.de>: Recipient address rejected: Rejected by SPF: 216.71.130.199 is not a designated mailserver for 123%40soti.net (context mfrom, on pmg.domain.de); from=<123@soti.net> to=<ab@domain.de> proto=ESMTP helo=<esa2.hc333-29.ca.iphmx.com>
Nov 25 15:26:56 pmg postfix/smtpd[30129]: disconnect from esa2.hc333-29.ca.iphmx.com[216.71.130.199] ehlo=2 starttls=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=6/7

My "spfquery" check from master node:

Code:
root@pmg:~# spfquery --ip-address 216.71.130.199 -s 123@soti.net
pass
soti.net: Sender is authorized to use '123@soti.net' in 'mfrom' identity (mechanism 'exists:%{i}.spf.hc333-29.ca.iphmx.com' matched)
soti.net: Sender is authorized to use '123@soti.net' in 'mfrom' identity (mechanism 'exists:%{i}.spf.hc333-29.ca.iphmx.com' matched)
Received-SPF: pass (soti.net: Sender is authorized to use '123@soti.net' in 'mfrom' identity (mechanism 'exists:%{i}.spf.hc333-29.ca.iphmx.com' matched)) receiver=pmg.domain.de; identity=mailfrom; envelope-from="123@soti.net"; client-ip=216.71.130.199

Sender domain is entered in the whitelist. Why is the sender blocked anyway by SPF?
 

dcsapak

Proxmox Staff Member
Staff member
Feb 1, 2016
8,555
1,101
174
34
Vienna
entered in the whitelist
which whitelist? the smtp whitelist, or in the rule system? the latter does not prevent spf checks.

i guess the dns resolution either did not work, or was wrong at that time. does it still trigger the spf rejects currently from that server/domain?
if yes, how does your dns setup and '/etc/resolv.conf' look like?
 

ljety

Active Member
Oct 25, 2018
43
9
28
I entered rule under Mailfilter > Who objects > Whitelist. Should I enter sender domain under Configuration > Mail Proxy > Whitelist ?

My resolv.conf:

Code:
root@pmg:~# cat /etc/resolv.conf
search mydomain.de
nameserver 192.168.1.221
nameserver 192.168.1.222
nameserver 1.1.1.1
 

Stoiko Ivanov

Proxmox Staff Member
Staff member
May 2, 2018
7,443
1,198
169

poetry

Active Member
May 28, 2020
179
37
33
the hard SPF-check happens during the SMTP-dialogue and if you want to Whitelist a particular domain/ip/address you'd need to add it to the mail proxy whitelist - see the reference documentation:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_whitelist_overview

Is this actually true? I have a case where I need to create an exception for SPF for a domain. If I add this domain to Configuration - Mail Proxy - Whitelist (Type Domain, Direction Sender Value example.com) and then restart postfix will it work?
I have done it and will see if I still get Rejected by SPF...
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!