SPF rejection for redirect (forwarded) email from Microsoft (Hotmail) for some messages.

das1996

I'll preface by saying I am new to PMG.

Forwarding to another email address is enabled in the hotmail account.

It seems for most this works with SPF enabled in PMG, but an email from openwrt.org failed.

The log is pretty sparse; here are the sanitized lines. This is all that shows up for this session.

PMG 8.0

Code:
2023-07-23T18:29:55.172047-05:00 pmgserver postfix/smtpd[6328]: connect from mail-dm6nam11lp2177.outbound.protection.outlook.com[104.47.57.177]
2023-07-23T18:29:55.392586-05:00 pmgserver postfix/smtpd[6328]: NOQUEUE: reject: RCPT from mail-dm6nam11lp2177.outbound.protection.outlook.com[104.47.57.177]: 554 5.7.1 <userabc@domain.com>: Recipient address rejected: Rejected by SPF: 104.47.57.177 is not a designated mailserver for mail%40forum.openwrt.org (context mfrom, on pochta2.local.domain); from=<mail@forum.openwrt.org> to=<userabc@domain.com> proto=ESMTP helo=<NAM11-DM6-obe.outbound.protection.outlook.com>
2023-07-23T18:29:55.392680-05:00 pmgserver postfix/smtpd[6328]: using backwards-compatible default setting smtpd_relay_before_recipient_restrictions=no to reject recipient "userabc@domain.com" from client "mail-dm6nam11lp2177.outbound.protection.outlook.com[104.47.57.177]"
2023-07-23T18:29:55.448906-05:00 pmgserver postfix/smtpd[6328]: disconnect from mail-dm6nam11lp2177.outbound.protection.outlook.com[104.47.57.177] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6

Looking at the original received email at hotmail.com, it does show the validated IP from openwrt.org's SPF record, but it appears that on this redirect message that got lost and it's doing the validation against the redirecting server's IP.
 
I guess this is expected - the forward you created seems to 'bounce' the e-mail (meaning it reuses the original envelope-addresses) - so mail-dm6nam11lp2177.outbound.protection.outlook.com sends the mail with MAIL FROM mail@forum.openwrt.org, and this does not pass the SPF test (since forum.openwrt.org does not list outlook in its SPF).

You have the following options:
* configure the mail-forward to send the mails with your local recipient as envelope-address (mail resending instead of mail forwarding)
* add all potential sending IPs of this forwarded address (I guess a pretty large set of IPs from Microsoft) to the Mail Proxy whitelist (GUI->Configuration->Mail Proxy->Whitelist)
* disable the SPF checking in the Mail Proxy Options

I hope this helps!
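
An added example, not part of the original posts and not PMG code: a small Python filter that picks out, from Postfix log lines in the format quoted above, the SPF rejections that match the forwarding pattern described in this reply (a forwarding provider's relay connecting while MAIL FROM still names a third-party domain). `FORWARDER_SUFFIXES` and `PROVIDER_DOMAINS` are assumptions to adjust for your own setup, and the second sample line is constructed.

```python
import re

# Matches the Postfix "Rejected by SPF" line format quoted in this thread.
SPF_REJECT = re.compile(
    r"reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) "
    r".*?Rejected by SPF: .*?from=<(?P<mfrom>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# Assumptions for illustration: relay hostname suffix of the forwarding
# provider, and the domains that provider sends as in its own right.
FORWARDER_SUFFIXES = (".outbound.protection.outlook.com",)
PROVIDER_DOMAINS = {"hotmail.com", "outlook.com"}

def classify(line):
    """Return details of an SPF rejection, or None if the line is not one."""
    m = SPF_REJECT.search(line)
    if m is None:
        return None
    host = m["host"].lower()
    sender_domain = m["mfrom"].rpartition("@")[2].lower()
    via_forwarder = host.endswith(FORWARDER_SUFFIXES)
    return {
        "client": host,
        "ip": m["ip"],
        "sender_domain": sender_domain,
        "rcpt": m["rcpt"],
        # Forwarding signature: the provider's relay connects, but MAIL FROM
        # still names a third-party domain whose SPF cannot list that relay.
        "likely_forwarded": via_forwarder and bool(sender_domain)
                            and sender_domain not in PROVIDER_DOMAINS,
    }

def forwarded_rejections(lines):
    """Keep only the SPF rejections that look like preserved-envelope forwards."""
    hits = (classify(line) for line in lines)
    return [h for h in hits if h and h["likely_forwarded"]]

SAMPLE_LOG = [
    # From the log in this thread.
    '2023-07-23T18:29:55.392586-05:00 pmgserver postfix/smtpd[6328]: NOQUEUE: reject: RCPT from mail-dm6nam11lp2177.outbound.protection.outlook.com[104.47.57.177]: 554 5.7.1 <userabc@domain.com>: Recipient address rejected: Rejected by SPF: 104.47.57.177 is not a designated mailserver for mail%40forum.openwrt.org (context mfrom, on pochta2.local.domain); from=<mail@forum.openwrt.org> to=<userabc@domain.com> proto=ESMTP helo=<NAM11-DM6-obe.outbound.protection.outlook.com>',
    # Constructed: a direct sender failing SPF, not a forward.
    '2023-07-23T18:31:02.000000-05:00 pmgserver postfix/smtpd[6401]: NOQUEUE: reject: RCPT from mx.example.net[192.0.2.10]: 554 5.7.1 <userabc@domain.com>: Recipient address rejected: Rejected by SPF: 192.0.2.10 is not a designated mailserver for bob%40example.org (context mfrom, on pmgserver); from=<bob@example.org> to=<userabc@domain.com> proto=ESMTP helo=<mx.example.net>',
    # From the log in this thread: a connect line, not a rejection.
    '2023-07-23T18:29:55.172047-05:00 pmgserver postfix/smtpd[6328]: connect from mail-dm6nam11lp2177.outbound.protection.outlook.com[104.47.57.177]',
]

if __name__ == "__main__":
    for hit in forwarded_rejections(SAMPLE_LOG):
        print(hit["client"], hit["ip"], hit["sender_domain"], "->", hit["rcpt"])
```

Rejections flagged this way are candidates for the first option above (have the forwarder rewrite the envelope sender) rather than evidence of spoofing by the original domain.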
 
Thank you for the reply.

The first option would be ideal, but this is Microsoft. It doesn't give many options. I will see about setting up a "rule" (filter in Hotmail) to forward instead of redirecting. That should hopefully keep the envelope intact.
 
Just wanted to confirm the above.

Setting up an actual forwarding rule rather than using the forward option appears to have solved the issue. Both are forwarding target email addr. I suspect the "bad" is doing (or not doing) something to the headers.

Good: [screenshot 1690419436200.png]

Bad: [screenshot 1690419471085.png]
 
Thanks for coming back to share how you solved this!
I'm sure this will help others who also want to set something similar up!