SPF rejection for redirect (forwarded) email from microsoft (hotmail) for some messages.

das1996

Member
May 26, 2021
63
8
13
123
I'll preface by saying I am new to PMG.

Forwarding to another email address is enabled in the hotmail account.

It seems for most this work with spf enabled in PMG, but an email from openwrt.org failed.

The log is pretty sparse, here's the sanitized lines. This is all that shows up for this session.

PMG 8.0

Code:
2023-07-23T18:29:55.172047-05:00 pmgserver postfix/smtpd[6328]: connect from mail-dm6nam11lp2177.outbound.protection.outlook.com[104.47.57.177]
2023-07-23T18:29:55.392586-05:00 pmgserver postfix/smtpd[6328]: NOQUEUE: reject: RCPT from mail-dm6nam11lp2177.outbound.protection.outlook.com[104.47.57.177]: 554 5.7.1 <userabc@domain.com>: Recipient address rejected: Rejected by SPF: 104.47.57.177 is not a designated mailserver for mail%40forum.openwrt.org (context mfrom, on pochta2.local.domain); from=<mail@forum.openwrt.org> to=<userabc@domain.com> proto=ESMTP helo=<NAM11-DM6-obe.outbound.protection.outlook.com>
2023-07-23T18:29:55.392680-05:00 pmgserver postfix/smtpd[6328]: using backwards-compatible default setting smtpd_relay_before_recipient_restrictions=no to reject recipient "userabc@domain.com" from client "mail-dm6nam11lp2177.outbound.protection.outlook.com[104.47.57.177]"
2023-07-23T18:29:55.448906-05:00 pmgserver postfix/smtpd[6328]: disconnect from mail-dm6nam11lp2177.outbound.protection.outlook.com[104.47.57.177] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6

Looking at the original received email at hotmail.com it does show the validated ip from openwrt.org's spf record, but appears on this redirect message that got lost and it's doing the validation against the redirecting server's ip.
 
I guess this is expected - the forward you created seems to 'bounce' the e-mail (meaning it reuses the original envelope-addresses) - so mail-dm6nam11lp2177.outbound.protection.outlook.com sends the mail
with MAIL FROM mail@forum.openwrt.org
and this does not pass the SPF test (since forum.openwrt.org does not list outlook in its spf)

You have the following options:
* configure the mail-forward to send the mails with your local recipient as envelope-address (mail resending instead of mail forwarding)
* add all potentiell sending IPs of this forwarded address (I guess a prettly large set of IPs from microsoft) to the Mail Proxy whitelist (GUI->Configuration->Mail Proxy->Whitelist)
* disable the SPF checking in the Mail Proxy Options

I hope this helps!
 
Thank you for the reply.

The first option would be ideal, but this is microsoft. It doesn't give many options. I will see about setting up a "rule" (filter in hotmail) to forward instead of redirecting. That should hopefully keep the envelope intact.
 
Last edited:
Just wanted to confirm the above.

Setting up an actual forwarding rule rather than using the forward option appears to have solved the issue. Both are forwarding target email addr. I suspect the "bad" is doing (or not doing) something to the headers.

Good
1690419436200.png


Bad
1690419471085.png
 
Just wanted to confirm the above.

Setting up an actual forwarding rule rather than using the forward option appears to have solved the issue. Both are forwarding target email addr. I suspect the "bad" is doing (or not doing) something to the headers.
Thanks for coming back to share how you solved this!
I'm sure this will help others who also want to set something similar up!
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!