Rejected Mail - but SPF record seems to be ok

Feb 4, 2021
Hi.

Can you please check if the handling of SPF records is working properly?

The following mail was rejected with an SPF error:

Code:
mail1 postfix/smtpd[68211]: connect from smtp06-dfw-sp4.mta.salesforce.com[136.147.62.181]
Feb 25 11:26:54 mail1 postfix/smtpd[68211]: NOQUEUE: reject: RCPT from smtp06-dfw-sp4.mta.salesforce.com[136.147.62.181]: 554 5.7.1 <someone@somedomain.de>: Recipient address rejected: Rejected by SPF: 136.147.62.181 is not a designated mailserver for support_case%40nutanix.com (context mfrom, on mail1.somedomain.de); from=<support_case@nutanix.com> to=<someone@somedomain.de> proto=ESMTP helo=<smtp06-dfw-sp4.mta.salesforce.com>
Feb 25 11:27:00 mail1 postfix/smtpd[68211]: disconnect from smtp06-dfw-sp4.mta.salesforce.com[136.147.62.181] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6

https://www.spf-record.de/spf-lookup/nutanix.com says:

Code:
include:_spf.salesforce.com
v=spf1 exists:%{i}._spf.mta.salesforce.com -all

I'm not deep into SPF record handling (just learning my lessons). So please tell me whether things are working correctly or there is a bug somewhere.

Cheers
Exo
 
Hmm - that took me a while as well - my first run-in with SPF macros.

I quickly checked with a test script, and PMG's SPF check implementation should handle this correctly (I did get a pass result for 136.147.62.181 and 'support_case@nutanix.com').

On a hunch I would suspect this to be an issue with your local DNS resolver:
* nutanix.com's set of TXT records is quite large (it does not fit in a single UDP answer, and thus the request needs to be done via TCP)
* some DNS servers don't do that (or are configured not to do that)

Not 100% sure how to debug that - but you could try the following (you might need to install 'dnsutils' and 'ldnsutils'):
Code:
dig txt nutanix.com
dig txt _spf.salesforce.com
dig a 136.147.62.181._spf.mta.salesforce.com
(and the same commands with drill instead of dig)

I hope this helps!
 
Fast answer: We are using a pfSense firewall in front of the Proxmox, and the pfSense handles all external DNS requests. The firewall is configured to use both UDP and TCP for DNS requests. I'll check your dig and drill commands from above tomorrow, as I'm out of office now. Results follow...

Thanks for help.
 
I have a pfSense virtualized here for testing purposes :) - I can confirm that using the pfSense resolver does not work for this domain... (but it works with our local DNS server, as well as with 8.8.8.8)
 
OK - after a bit of further digging:
debug: sanitize: removing public name with private address <136.147.62.181._spf.mta.salesforce.com.> 127.0.0.9

It seems this is a protection against DNS rebinding attacks (disabling this setting fixes the lookup - but you should consider the potential security implications):
https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-resolver-unbound

found via:
https://blog.jenningsga.com/pfsense-dns-resolver-and-private-domains/
https://forum.netgate.com/topic/152671/dns-query-to-rbl-blacklists-return-no-answer/24

However - if you use the pfSense as your PMG's resolver, I guess you will also run into similar problems with most DNSBLs (configured in the mail proxy) -> DNSBLs are one of the most effective ways to fight spam these days, so you probably should make sure that at least DNS requests to the DNSBL sites return a correct answer...

I hope this helps!
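The failure traced in the post above (a sanitizing resolver removing a 127.0.0.x answer, which empties an SPF exists: lookup and, in the same way, a DNSBL reply) is modelled in the following added example. It is not code from the thread, from PMG, pfSense or Unbound: the zone is constructed (nutanix.com is reduced to the include mechanism shown in the lookup above, and the zen.spamhaus.org listing is made up), the stripped address ranges are an assumption about pfSense's list (127.0.0.0/8 is what the debug line shows being removed), and Resolver.private_domains stands in for Unbound's private-domain: option. The block expands the %{i} macro for the sending IP, evaluates the SPF record with and without the sanitizer, and runs the equivalent DNSBL probe, so both failure modes and the allowlist fix are visible side by side.

```python
import ipaddress
import re

# Constructed zone: nutanix.com reduced to the include the thread shows, the
# _spf.salesforce.com record and 127.0.0.9 answer as in the thread's lookups;
# the zen.spamhaus.org listing is invented for illustration only.
FAKE_ZONE = {
    ("nutanix.com", "TXT"): ["v=spf1 include:_spf.salesforce.com -all"],
    ("_spf.salesforce.com", "TXT"): ["v=spf1 exists:%{i}._spf.mta.salesforce.com -all"],
    ("136.147.62.181._spf.mta.salesforce.com", "A"): ["127.0.0.9"],
    ("181.62.147.136.zen.spamhaus.org", "A"): ["127.0.0.2"],
}

# Ranges the modelled rebind check strips for public names. Assumption: pfSense's exact list may differ.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Resolver:
    """Offline resolver stand-in; private_domains models Unbound's 'private-domain:' option."""

    def __init__(self, zone, sanitize=False, private_domains=()):
        self.zone, self.sanitize = zone, sanitize
        self.private_domains = tuple(d.lower().rstrip(".") for d in private_domains)

    def lookup(self, name, rtype):
        name = name.lower().rstrip(".")
        answers = self.zone.get((name, rtype), [])
        exempt = any(name == d or name.endswith("." + d) for d in self.private_domains)
        if self.sanitize and rtype == "A" and not exempt:
            # The sanitizer drops private addresses for public names: the client sees an empty answer.
            answers = [a for a in answers
                       if not any(ipaddress.ip_address(a) in r for r in PRIVATE_RANGES)]
        return answers


MACRO = re.compile(r"%\{([slodi])(\d*)(r?)([.\-+,/_=]*)\}")


def expand_macro(spec, ip, sender="", domain=None):
    """Expand RFC 7208 section 7 macros s, l, o, d, i with the N-label and 'r' transformers."""
    local, _, sender_domain = sender.rpartition("@")
    addr = ipaddress.ip_address(ip)
    # %{i}: dotted quad for IPv4, dot-separated nibbles for IPv6 (RFC 7208 7.3).
    i_val = str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", ""))
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain or sender_domain, "i": i_val}

    def sub(m):
        letter, digits, reverse, delims = m.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]  # keep the right-most N labels
        return ".".join(parts)

    return MACRO.sub(sub, spec)


def check_spf(resolver, ip, sender, domain=None, depth=0):
    """Minimal SPF evaluator (ip4/ip6, exists, include, all); not PMG's implementation."""
    domain = domain or sender.rpartition("@")[2]
    if depth > 10:
        return "permerror"
    records = [t for t in resolver.lookup(domain, "TXT") if t.lower().startswith("v=spf1 ")]
    if len(records) != 1:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "exists":
            # Matches if the expanded name returns ANY A record, whatever its value;
            # an answer the resolver sanitized away therefore means "no match".
            matched = bool(resolver.lookup(expand_macro(arg, ip, sender, domain), "A"))
        elif mech == "include":
            target = expand_macro(arg, ip, sender, domain)
            matched = check_spf(resolver, ip, sender, target, depth + 1) == "pass"
        else:
            continue  # a, mx, ptr, redirect= and exp= are not modelled here
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"


def check_dnsbl(resolver, ip, zone):
    """Classic DNSBL probe: reversed address under the list zone, any A answer means listed."""
    return bool(resolver.lookup(expand_macro("%{ir}." + zone, ip), "A"))


if __name__ == "__main__":
    for r in (Resolver(FAKE_ZONE), Resolver(FAKE_ZONE, sanitize=True),
              Resolver(FAKE_ZONE, True, ["_spf.mta.salesforce.com", "zen.spamhaus.org"])):
        print(check_spf(r, "136.147.62.181", "support_case@nutanix.com"),
              check_dnsbl(r, "136.147.62.181", "zen.spamhaus.org"))
```

Run as a script it prints the three outcomes: pass/listed against a plain resolver, fail/not listed once the sanitizer is on, and pass/listed again when the two lookup domains are exempted. The `dig a 136.147.62.181._spf.mta.salesforce.com` command suggested above is exactly the lookup the sanitizer empties: 127.0.0.9 from a public resolver and no answer from the pfSense one is the tell-tale.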
 
Hi Stoiko. Thanks for the update and further tests! I can confirm your findings! The pfSense rebind check (if active) suppressed the answer. I think it's not a great security risk if the PMG uses our provider's and also some public DNS.

Top support!

Regards,
Exo
 
Sorry for resurrecting this topic but it seems the best place to ask my question.

I noticed an SPF reject for an apparently valid IP.

Code:
Nov 17 10:18:42 smtp postfix/smtpd[304690]: NOQUEUE: reject: RCPT from mailgwln03.rightnowtech.com[147.154.227.175]: 554 5.7.1 <user@mydomain.com>: Recipient address rejected: Rejected by SPF: 147.154.227.175 is not a designated mailserver for osc-admin-personal%40mailln.custhelp.com (context mfrom, on smtp.mydomain.com); from=<osc-admin-personal@mailln.custhelp.com> to=<user@mydomain.com> proto=ESMTP helo=<mailgwln03.rightnowtech.com>

I believe the IP is a designated sender. If so, what might cause that particular SPF check to fail?

BTW I am using pfSense & Unbound as resolver. I did configure Unbound to mitigate the rebind protection for DNSBLs, though this does not affect SPF as far as I understand it:
Code:
private-domain: "zen.spamhaus.org"
private-domain: "bl.spamcop.net"
Postscreen DNSBL seems to be working fine.

Thanks.
 
Thanks @poetry.

Using this tool, which checks an IP against an SPF record, the IP is designated.
I've rarely encountered SPF fails with my PMG installation, and the only reason I looked into this one was the fact that the mail was anticipated.
AIUI pfSense's rebind protection relates to stripping RFC 1918 addresses from DNS replies. So that would not affect the processing of a typical SPF DNS query. Would that be correct? If so, what else might cause the SPF query or its processing to fail?
Thanks again.
 
Is it possible to perform the SPF check (sending MTA IP & sender domain) with verbose output from the command line in PMG?
 
