Smarthost SPF Fail

Hau

New Member
Jul 1, 2019
2
0
1
43
Hi,

PMG v5.2

We are using our PMG as a smarthost for our mail servers. We have added the PMG server as the mx for the domain but when we try to send emails, the log in the PMG server still says SPF fail.

Please advise...

ext-sgp.com. 86400 IN MX 10 emailgateway01.dotcomindonesia.com.
ext-sgp.com. 86400 IN TXT "v=spf1 +a +mx ~all"

Jul 1 10:24:52 emailgateway01 postfix/smtpd[4093]: connect from deeh01.dotcomindonesia.com[103.89.0.187]
Jul 1 10:24:52 emailgateway01 postfix/smtpd[4093]: BE6D961746: client=deeh01.dotcomindonesia.com[103.89.0.187]
Jul 1 10:24:52 emailgateway01 postfix/cleanup[4015]: BE6D961746: info: header From: test@ext-sgp.com from deeh01.dotcomindonesia.com[103.89.0.187]; from=<test@ext-sgp.com> to=<jerrynur0287@gmail.com> proto=ESMTP helo=<deeh01.dotcomindonesia.com>
Jul 1 10:24:52 emailgateway01 postfix/cleanup[4015]: BE6D961746: info: header To: jerrynur0287@gmail.com, haumanto.irawan@gmail.com from deeh01.dotcomindonesia.com[103.89.0.187]; from=<test@ext-sgp.com> to=<jerrynur0287@gmail.com> proto=ESMTP helo=<deeh01.dotcomindonesia.com>
Jul 1 10:24:52 emailgateway01 postfix/cleanup[4015]: BE6D961746: message-id=<1156077128.12822.1561951492311.JavaMail.zimbra@ext-sgp.com>
Jul 1 10:24:52 emailgateway01 postfix/cleanup[4015]: BE6D961746: info: header Subject: test email via webmail from deeh01.dotcomindonesia.com[103.89.0.187]; from=<test@ext-sgp.com> to=<jerrynur0287@gmail.com> proto=ESMTP helo=<deeh01.dotcomindonesia.com>
Jul 1 10:24:52 emailgateway01 postfix/smtpd[4093]: disconnect from deeh01.dotcomindonesia.com[103.89.0.187] ehlo=1 mail=1 rcpt=2 data=1 quit=1 commands=6
Jul 1 10:24:52 emailgateway01 postfix/qmgr[19101]: BE6D961746: from=<test@ext-sgp.com>, size=2252, nrcpt=2 (queue active)
Jul 1 10:24:52 emailgateway01 pmg-smtp-filter[2956]: A1A335D197D04DC62D: new mail message-id=<1156077128.12822.1561951492311.JavaMail.zimbra@ext-sgp.com>
Jul 1 10:24:55 emailgateway01 pmg-smtp-filter[2956]: A1A335D197D04DC62D: SA score=2/5 time=2.988 bayes=undefined autolearn=no autolearn_force=no hits=AWL(1.201),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),HTML_MESSAGE(0.001),SPF_HELO_NONE(0.001),SPF_SOFTFAIL(0.972),URIBL_BLOCKED(0.001)
Jul 1 10:24:56 emailgateway01 pmg-smtp-filter[2956]: A1A335D197D04DC62D: accept mail to <haumanto.irawan@gmail.com> (rule: , F1B6761750)
Jul 1 10:24:56 emailgateway01 pmg-smtp-filter[2956]: A1A335D197D04DC62D: accept mail to <jerrynur0287@gmail.com> (rule: , F1B6761750)
Jul 1 10:24:56 emailgateway01 pmg-smtp-filter[2956]: A1A335D197D04DC62D: processing time: 3.158 seconds (2.988, 0.067, 0)
Jul 1 10:24:56 emailgateway01 postfix/lmtp[4016]: BE6D961746: to=<haumanto.irawan@gmail.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=3.3, delays=0.02/0/0.09/3.2, dsn=2.5.0, status=sent (250 2.5.0 OK (A1A335D197D04DC62D))
Jul 1 10:24:56 emailgateway01 postfix/lmtp[4016]: BE6D961746: to=<jerrynur0287@gmail.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=3.3, delays=0.02/0/0.09/3.2, dsn=2.5.0, status=sent (250 2.5.0 OK (A1A335D197D04DC62D))
Jul 1 10:24:56 emailgateway01 postfix/qmgr[19101]: BE6D961746: removed
 
* you allow the ip of ext-sgp.com (116.90.165.20), and the mx of ext-sgp.com (emailgateway01.dotcomindonesia.com.) - which i guess is the PMG you're posting the logs from.
* however the PMG gets the mail from deeh01.dotcomindonesia.com[103.89.0.187] - which is not in the spf-record

This makes sense since you probably want mail to be sent out only from the PMG - but then the SPF-record check on PMG will fail (because it receives the mail from an internal system, which is not in the SPF-record.

You have the following options:
* use the internal port of PMG (defaults to 26) to send mail from your systems to the internet
* create an internal only SPF record, which the PMG sees, which includes the internal mailserver deeh01.dotcomindonesia.com

additionally SPF_SOFTFAIL can also be related to a not-working DNS-setup - make sure that you can resolve IP-addresses and hostnames from PMG (otherwise many things don't work, and the spamdetection is rather bad).

hope this helps!
 
Dear Stoiko,

Thank you for your response. I think my question should be why as a smarthost, my PMG (emailgateway01.dotcomindonesia.com) is still checking the SPF record for the domain (ext-sgp.com) from my internal mail server (deeh01.dotcomindonesia.com)?

I thought as a smarthost, as long as the internal mail server is already listed as the trusted network and the domain is also listed as relay domain, it should be fine.

Please advise...

* use the internal port of PMG (defaults to 26) to send mail from your systems to the internet --> I had already relayed the internal mail server to the port 26 of my PMG

* you allow the ip of ext-sgp.com (116.90.165.20), and the mx of ext-sgp.com (emailgateway01.dotcomindonesia.com.) - which i guess is the PMG you're posting the logs from.
* however the PMG gets the mail from deeh01.dotcomindonesia.com[103.89.0.187] - which is not in the spf-record

This makes sense since you probably want mail to be sent out only from the PMG - but then the SPF-record check on PMG will fail (because it receives the mail from an internal system, which is not in the SPF-record.

You have the following options:
* use the internal port of PMG (defaults to 26) to send mail from your systems to the internet
* create an internal only SPF record, which the PMG sees, which includes the internal mailserver deeh01.dotcomindonesia.com

additionally SPF_SOFTFAIL can also be related to a not-working DNS-setup - make sure that you can resolve IP-addresses and hostnames from PMG (otherwise many things don't work, and the spamdetection is rather bad).

hope this helps!
 
This depends on your rule setup.
Spamassassin is unaware of the mailrouting in your organisation - if you put a mail through the spamcheck, and it's sent from a host which is not part of the SPF-record it will get tagged.
-> add an internal dns-record that includes your internal server in the SPF, which is only accessible to pmg
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!