Rejected Mail - but SPF record seems to be ok

Exo

New Member
Feb 4, 2021
Hi.

Can you please check if the handling of spf records is working properly?

The following mail was rejected with an SPF error:

Code:
mail1 postfix/smtpd[68211]: connect from smtp06-dfw-sp4.mta.salesforce.com[136.147.62.181]
Feb 25 11:26:54 mail1 postfix/smtpd[68211]: NOQUEUE: reject: RCPT from smtp06-dfw-sp4.mta.salesforce.com[136.147.62.181]: 554 5.7.1 <someone@somedomain.de>: Recipient address rejected: Rejected by SPF: 136.147.62.181 is not a designated mailserver for support_case%40nutanix.com (context mfrom, on mail1.somedomain.de); from=<support_case@nutanix.com> to=<someone@somedomain.de> proto=ESMTP helo=<smtp06-dfw-sp4.mta.salesforce.com>
Feb 25 11:27:00 mail1 postfix/smtpd[68211]: disconnect from smtp06-dfw-sp4.mta.salesforce.com[136.147.62.181] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6

https://www.spf-record.de/spf-lookup/nutanix.com says:

Code:
include:_spf.salesforce.com
v=spf1 exists:%{i}._spf.mta.salesforce.com -all

I'm not deep into SPF record handling (just learning my lessons). So please tell me whether things are working correctly or whether there is a bug somewhere.

Cheers
Exo
 

Stoiko Ivanov

Proxmox Staff Member
May 2, 2018
hmm - that took me a while as well - my first run-in with SPF macros.

I quickly checked with a test-script and PMG's spf-check implementation should handle this correctly (and I did get a pass result for 136.147.62.181 and 'support_case@nutanix.com' ).

on a hunch I would suspect this to be an issue with your local DNS resolver:
* the nutanix.com set of TXT records is quite large (it does not fit in a single UDP answer, and thus the request needs to be done via TCP)
* some DNS servers don't do that (or are configured not to do that)

not 100% sure how to debug that - but you could try the following (you might need to install 'dnsutils' and 'ldnsutils')
Code:
dig txt nutanix.com
dig txt _spf.salesforce.com
dig a 136.147.62.181._spf.mta.salesforce.com
(and the same commands with drill instead of dig)

I hope this helps!
 

Exo

New Member
Feb 4, 2021
Fast answer: We are using a pfSense firewall in front of the Proxmox and the pfSense handles all external DNS requests. The firewall is configured to use both UDP and TCP for DNS requests. I'll check your dig and drill commands from above tomorrow as I'm out of office now. Results will follow...

Thanks for help.
 

Stoiko Ivanov

Proxmox Staff Member
May 2, 2018
have a pfSense virtualized here for testing purposes :) - can confirm that using the pfSense resolver does not work for this domain... (but it works with our local DNS server, as well as with 8.8.8.8)
 

Stoiko Ivanov

Proxmox Staff Member
May 2, 2018
ok - after a bit of further digging:
debug: sanitize: removing public name with private address <136.147.62.181._spf.mta.salesforce.com.> 127.0.0.9

seems this is a protection against DNS rebinding attacks (disabling this setting fixes the lookup - but you should consider the potential security implications):
https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-resolver-unbound

found via:
https://blog.jenningsga.com/pfsense-dns-resolver-and-private-domains/
https://forum.netgate.com/topic/152671/dns-query-to-rbl-blacklists-return-no-answer/24

however - if you use the pfSense as your PMG's resolver I guess you will also run into similar problems with most DNSBLs (configured in the mail proxy) -> DNSBLs are one of the most effective ways to fight spam these days - so you probably should make sure that at least DNS requests to the DNSBL sites return a correct answer...

I hope this helps!
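As an added example (not code from this thread, from PMG or from pfSense), here is how the `exists:%{i}` macro in the Salesforce record is expanded per RFC 7208 and why a resolver that scrubs private/loopback answers turns the expected pass into a fail. The `AUTHORITATIVE` table and the two resolver functions are constructed stand-ins for real DNS, modelled on the 127.0.0.9 answer in the Unbound debug line above.

```python
import ipaddress
import re

# Constructed copy of the record the thread shows for _spf.salesforce.com
SPF_RECORD = "v=spf1 exists:%{i}._spf.mta.salesforce.com -all"
# RFC 7208 section 7 macro syntax, limited to the letters implemented below
MACRO_RE = re.compile(r"%\{([slodi])(\d*)(r?)([.\-+,/_=]*)\}")

def expand_macro(spec, ip, sender, domain):
    """Expand %{s} %{l} %{o} %{d} %{i} with optional digit and 'r' transformers."""
    local, _, sender_domain = sender.rpartition("@")
    ip_obj = ipaddress.ip_address(ip)
    values = {
        "s": sender, "l": local, "o": sender_domain, "d": domain,
        # IPv4 stays dotted-decimal; IPv6 becomes dot-separated nibbles
        "i": (str(ip_obj) if ip_obj.version == 4
              else ".".join(ip_obj.exploded.replace(":", ""))),
    }

    def repl(match):
        letter, digits, reverse, delims = match.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse:
            parts.reverse()
        if digits:  # keep only the rightmost N labels
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO_RE.sub(repl, spec)

def check_exists(record, ip, sender, domain, resolve_a):
    """Evaluate exists:/-all terms; resolve_a(name) returns the A records seen."""
    for term in record.split()[1:]:
        if term.startswith("exists:"):
            name = expand_macro(term[len("exists:"):], ip, sender, domain)
            if resolve_a(name):  # any A record at all means 'match'
                return "pass", name
        elif term == "-all":
            return "fail", None
    return "neutral", None

# Constructed upstream answer modelled on the pfSense debug line in the thread
AUTHORITATIVE = {"136.147.62.181._spf.mta.salesforce.com": ["127.0.0.9"]}

def plain_resolver(name):
    return AUTHORITATIVE.get(name, [])

def rebind_protected_resolver(name):
    # Like Unbound's private-address sanitizer: loopback/private answers are dropped
    return [a for a in plain_resolver(name) if not ipaddress.ip_address(a).is_private]
```

Running `check_exists` with `plain_resolver` yields pass for 136.147.62.181, while `rebind_protected_resolver` yields fail, which is exactly the "not a designated mailserver" rejection in the Postfix log.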
 

Exo

New Member
Feb 4, 2021
Hi Stoiko. Thanks for the update and further tests! I can confirm your findings! The pfSense rebind check (if active) suppressed the answer. I think it's not a great security risk if the PMG uses our provider's and also some public DNS.

Top support!

Regards,
Exo
 
