
2 postfix boxes as frontservers for MS Exchange, spf problems

  • Milosz SZOT
    Message 1 of 8 , Sep 25, 2007
      Hi,

      I have two Postfix relays with amavis/spamassassin/clamav, running fine
      They serve as front mail servers for an Exchange server, which is on the
      internal network, and must not be accessed directly from the Internet
      They relay mails from Exchange to the Internet, and they receive mails
      from the Internet, which they pass to Exchange.

      I’ve set SPF policies on each of my DNS domains, as this :

      ‘v=spf1 mx a:miscserver1.mydomain.com a:miscserver2.mydomain.com -all’

      As I’m testing the whole thing, i’ve set my MX records to :

      relay1.mydomain.com (10)
      relay2.mydomain.com (20)
      exchange.mydomain.com (30)

      It works fine, and I am moving to the next step : to delete
      exchange.mydomain.com from the MX records
      So I configured Exchange to forward all the outcoming mails to the 2
      relays, which works fine ; the 2 relays are forwarding the incoming
      mails to the exchange server, as planned

      But when I’ve deleted, for a test, exchange.mydomain.com from MX records
      on one of my domains, the outcoming mails, despite being forwarded by
      the relays, were refused because my recipient’s mail server did SPF
      checks and gave me a 550 error « SPF check failed: w.x.y.z is not
      authorized to send in the name of "mydomain.com". »

      It appears that w.x.y.z is my Exchange’s IP, the one which resolves from
      exchange.mydomain.com

      It’s the hostname I’ve assigned in Exchange options, which only appears
      in the headers Postfix first inserts when forwarding the mail : «
      Received: from exchange.mydomain.com (unknown [192.168.0.5]) by
      relay1.mydomain.com (Postfix) »

      Because I need to suppress exchange.mydomain.com from my MX records, I
      need to be clean and compliant, and I don’t know which is the best
      solution :

      - to add exchange.mydomain.com to the spf records
      - to delete all the headers referring to the internal LAN forwarding
      with the HEADER_CHECKS Postfix’ feature (i don’t like Postfix to show in
      the headers my internal IP addressing either)
      - to change Exchange’s configuration (the hostname needs be resolvable ;
      exchange.mydomain.com gives SPF errors, changing it to
      relay1.mydomain.com breaks the relays, because the mails are looping in
      Postfix)
      - whatever solution you have

      The obvious solution is to add the exchange server to the spf records,
      it will work fine on SPF enabled servers… but if i delete it from the MX
      records, i don’t know how many mail servers WITHOUT spf will refuse my
      mails because exchange.mydomain.com is not a MX

      I’ve read a lot of how-tos about implementing postfix as a relay since
      i’ve worked on this project for several weeks, followed the classic
      architecture, but i’ve never heard about problems like this one
      So I need your help to find the best way to fix the problem, because I
      can’t afford to lose mails : all my firm’s employees mainly rely on mail
      for communications between them/with business associates

      Thanks a lot !

      A Mr Venema’s long date fan ;-)
    • Scott Kitterman
      Message 2 of 8 , Sep 25, 2007
        On Tuesday 25 September 2007 14:59, Milosz SZOT wrote:
        > Hi,
        >
        > I have two Postfix relays with amavis/spamassassin/clamav, running fine
        > They serve as front mail servers for an Exchange server, which is on the
        > internal network, and must not be accessed directly from the Internet
        > They relay mails from Exchange to the Internet, and they receive mails
        > from the Internet, which they pass to Exchange.
        >
        > I’ve set SPF policies on each of my DNS domains, as this :
        >
        > ‘v=spf1 mx a:miscserver1.mydomain.com a:miscserver2.mydomain.com -all’
        >
        > As I’m testing the whole thing, i’ve set my MX records to :
        >
        > relay1.mydomain.com (10)
        > relay2.mydomain.com (20)
        > exchange.mydomain.com (30)
        >
        > It works fine, and I am moving to the next step : to delete
        > exchange.mydomain.com from the MX records
        > So I configured Exchange to forward all the outcoming mails to the 2
        > relays, which works fine ; the 2 relays are forwarding the incoming
        > mails to the exchange server, as planned
        >
        > But when I’ve deleted, for a test, exchange.mydomain.com from MX records
        > on one of my domains, the outcoming mails, despite being forwarded by
        > the relays, were refused because my recipient’s mail server did SPF
        > checks and gave me a 550 error « SPF check failed: w.x.y.z is not
        > authorized to send in the name of "mydomain.com". »
        >
        > It appears that w.x.y.z is my Exchange’s IP, the one which resolves from
        > exchange.mydomain.com
        >
        > It’s the hostname I’ve assigned in Exchange options, which only appears
        > in the headers Postfix first inserts when forwarding the mail : «
        > Received: from exchange.mydomain.com (unknown [192.168.0.5]) by
        > relay1.mydomain.com (Postfix) »
        >
        > Because I need to suppress exchange.mydomain.com from my MX records, I
        > need to be clean and compliant, and I don’t know which is the best
        > solution :
        >
        > - to add exchange.mydomain.com to the spf records
        > - to delete all the headers referring to the internal LAN forwarding
        > with the HEADER_CHECKS Postfix’ feature (i don’t like Postfix to show in
        > the headers my internal IP addressing either)
        > - to change Exchange’s configuration (the hostname needs be resolvable ;
        > exchange.mydomain.com gives SPF errors, changing it to
        > relay1.mydomain.com breaks the relays, because the mails are looping in
        > Postfix)
        > - whatever solution you have
        >
        > The obvious solution is to add the exchange server to the spf records,
        > it will work fine on SPF enabled servers… but if i delete it from the MX
        > records, i don’t know how many mail servers WITHOUT spf will refuse my
        > mails because exchange.mydomain.com is not a MX
        >
        > I’ve read a lot of how-tos about implementing postfix as a relay since
        > i’ve worked on this project for several weeks, followed the classic
        > architecture, but i’ve never heard about problems like this one
        > So I need your help to find the best way to fix the problem, because I
        > can’t afford to lose mails : all my firm’s employees mainly rely on mail
        > for communications between them/with business associates
        >
        If the outbound messages are passing through your Postfix relays as you say,
        you are correct that remote servers should not be rejecting the mail based on
        the IP of the Exchange server due to SPF.

        Please provide the details of the rejection messages and your Postfix log
        entries showing the messages passing through one of the Postfix servers.

        I don't recall having seen this type of problem before, so if it's one sender
        you're having problems with, they may be misconfigured somehow.

        Scott K
      • mouss
        Message 3 of 8 , Sep 25, 2007
          Milosz SZOT wrote:
          > Hi,
          >
          > I have two Postfix relays with amavis/spamassassin/clamav, running fine
          > They serve as front mail servers for an Exchange server, which is on the
          > internal network, and must not be accessed directly from the Internet
          > They relay mails from Exchange to the Internet, and they receive mails
          > from the Internet, which they pass to Exchange.
          >
          > I’ve set SPF policies on each of my DNS domains, as this :
          >
          > ‘v=spf1 mx a:miscserver1.mydomain.com a:miscserver2.mydomain.com -all’
          >
          > As I’m testing the whole thing, i’ve set my MX records to :
          >
          > relay1.mydomain.com (10)
          > relay2.mydomain.com (20)
          > exchange.mydomain.com (30)
          >
          > It works fine, and I am moving to the next step : to delete
          > exchange.mydomain.com from the MX records
          > So I configured Exchange to forward all the outcoming mails to the 2
          > relays, which works fine ; the 2 relays are forwarding the incoming
          > mails to the exchange server, as planned
          >
          > But when I’ve deleted, for a test, exchange.mydomain.com from MX records
          > on one of my domains, the outcoming mails, despite being forwarded by
          > the relays, were refused because my recipient’s mail server did SPF
          > checks and gave me a 550 error « SPF check failed: w.x.y.z is not
          > authorized to send in the name of "mydomain.com". »
          >

          show the (unaltered) rejection text in postfix logs.

          > It appears that w.x.y.z is my Exchange’s IP, the one which resolves from
          > exchange.mydomain.com
          >
          > It’s the hostname I’ve assigned in Exchange options, which only appears
          > in the headers Postfix first inserts when forwarding the mail : «
          > Received: from exchange.mydomain.com (unknown [192.168.0.5]) by
          > relay1.mydomain.com (Postfix) »
          >
          > Because I need to suppress exchange.mydomain.com from my MX records, I
          > need to be clean and compliant, and I don’t know which is the best
          > solution :
          >
          > - to add exchange.mydomain.com to the spf records
          > - to delete all the headers referring to the internal LAN forwarding
          > with the HEADER_CHECKS Postfix’ feature (i don’t like Postfix to show in
          > the headers my internal IP addressing either)

          SPF has nothing to do with received headers. if someone is checking
          these headers, he has a broken setup.

          anyway:
          /^(Received: from exchangeheloname \(exchangerdns \[exchangeip\]\) by yourservername \(Postfix\) .*)/
              REPLACE X-$1

          will replace Received: by X-Received:, thus avoiding broken filters
          issues, but keeping the info in case you need it.

          if you want to hide the private infos, adjust the expression. for example

          /^Received: from (exchangeheloname) \(exchangerdns \[exchangeip\]\) (by yourservername \(Postfix\) .*)/
              REPLACE X-Received: from private.local (private.local [10.1.2.3]) $2




          > - to change Exchange’s configuration (the hostname needs be resolvable ;
          > exchange.mydomain.com gives SPF errors, changing it to
          > relay1.mydomain.com breaks the relays, because the mails are looping in
          > Postfix)
          > - whatever solution you have
          >
          > The obvious solution is to add the exchange server to the spf records,
          > it will work fine on SPF enabled servers… but if i delete it from the MX
          > records, i don’t know how many mail servers WITHOUT spf will refuse my
          > mails because exchange.mydomain.com is not a MX
          >
          > I’ve read a lot of how-tos about implementing postfix as a relay since
          > i’ve worked on this project for several weeks, followed the classic
          > architecture, but i’ve never heard about problems like this one
          > So I need your help to find the best way to fix the problem, because I
          > can’t afford to lose mails : all my firm’s employees mainly rely on mail
          > for communications between them/with business associates
          >
          > Thanks a lot !
          >
          > A Mr Venema’s long date fan ;-)
          >
          >
          >
        • Jorey Bump
          Message 4 of 8 , Sep 25, 2007
            Milosz SZOT wrote, at 09/25/2007 02:59 PM:

            > The obvious solution is to add the exchange server to the spf records,
            > it will work fine on SPF enabled servers… but if i delete it from the MX
            > records, i don’t know how many mail servers WITHOUT spf will refuse my
            > mails because exchange.mydomain.com is not a MX

            None. An MX record is used to designate a destination only, it has
            nothing to do whatsoever with origin. Anyone who would reject mail that
            doesn't originate from an MX is terribly misguided.
          • Milosz SZOT
            Message 5 of 8 , Sep 27, 2007
              Hi, as asked, i provide you the details :

              I’ve replaced my contacts domain by « mycontact.com » and his IP by «
              a.b.c.d », it’s a well-known company in France, as well as mine =)

              Reminder : Exchange’s internal IP is 192.168.0.5 and external IP is w.x.y.z

              The delivery report :

              Reporting-MTA: dns; relay1.mydomain.com
              X-Postfix-Queue-ID: CE9BE52C097
              X-Postfix-Sender: rfc822; me@...
              Arrival-Date: Mon, 24 Sep 2007 14:45:31 +0200 (CEST)

              Final-Recipient: rfc822; someone@...
              Original-Recipient: rfc822;someone@...
              Action: failed
              Status: 5.7.1
              Remote-MTA: dns; mx.mycontact.com
              Diagnostic-Code: smtp; 550 5.7.1 SPF check failed: w.x.y.z is not authorized to send in the name of "mydomain.com".

              The log :

              Sep 24 14:36:20 relay2 postfix/smtpd[32629]: connect from unknown[192.168.0.5]
              Sep 24 14:36:20 relay2 postfix/qmgr[9813]: 9C87652C09F: from=<me@...>, size=6430, nrcpt=1 (queue active)
              Sep 24 14:36:20 relay2 postfix/smtpd[942]: disconnect from localhost[127.0.0.1]
              Sep 24 14:36:26 relay2 spamd[1297]: spamd: clean message (-4.4/9.0) for spamd:1002 in 5.9 seconds, 6217 bytes.
              Sep 24 14:36:26 relay2 spamd[1297]: spamd: result: . -4 - ALL_TRUSTED,BAYES_00,HTML_MESSAGE scantime=5.9,size=6217,user=spamd,uid=1002,required_score=9.0,rhost=localhost,raddr=127.0.0.1,rport=40408,mid=<E348E0FBCE092D41885F862EA61474A7A968AD@...>,bayes=0.000000,autolearn=ham
              Sep 24 14:36:28 relay2 postfix/pickup[32626]: 7C6D952C08E: uid=1002 from=<me@...>
              Sep 24 14:36:28 relay2 postfix/cleanup[890]: 7C6D952C08E: message-id=<E348E0FBCE092D41885F862EA61474A7A968AD@...>
              Sep 24 14:36:28 relay2 postfix/smtpd[857]: 7F2E952C09C: client=localhost[127.0.0.1]
              Sep 24 14:36:28 relay2 postfix/cleanup[881]: 7F2E952C09C: message-id=<CB8EF1A898422C4AB6C14A3AA7DF1BE6DA349A@...>
              Sep 24 14:36:28 relay2 postfix/pipe[860]: 9C87652C09F: to=<someone@...>, relay=spamassassin, delay=11, delays=2.1/1.2/0/7.8, dsn=2.0.0, status=sent (delivered via spamassassin service)
              Sep 24 14:36:28 relay2 postfix/qmgr[9813]: 9C87652C09F: removed
              Sep 24 14:36:28 relay2 spamd[885]: spamd: clean message (-4.4/9.0) for spamd:1002 in 7.4 seconds, 18386 bytes.
              Sep 24 14:36:28 relay2 spamd[885]: spamd: result: . -4 - ALL_TRUSTED,BAYES_00,HTML_MESSAGE scantime=7.4,size=18386,user=spamd,uid=1002,required_score=9.0,rhost=localhost,raddr=127.0.0.1,rport=40410,mid=<BA91009042D0C649A7BC49988ED7DB86B18FD6@...>,bayes=0.000000,autolearn=ham
              Sep 24 14:36:28 relay2 postfix/smtpd[857]: disconnect from localhost[127.0.0.1]
              Sep 24 14:36:35 relay2 postfix/smtpd[942]: connect from localhost[127.0.0.1]
              Sep 24 14:36:35 relay2 postfix/smtpd[942]: A28B352C081: client=localhost[127.0.0.1]
              Sep 24 14:36:35 relay2 postfix/cleanup[986]: A28B352C081: message-id=<E348E0FBCE092D41885F862EA61474A7A968AD@...>
              Sep 24 14:36:37 relay2 postfix/qmgr[9813]: A28B352C081: from=<me@...>, size=7033, nrcpt=1 (queue active)
              Sep 24 14:36:37 relay2 postfix/smtpd[942]: disconnect from localhost[127.0.0.1]
              Sep 24 14:36:37 relay2 amavis[1011]: (01011-04-3) Passed CLEAN, <me@...> -> <someone@...>, Message-ID: <E348E0FBCE092D41885F862EA61474A7A968AD@...>, mail_id: sq6WbKPj+706, Hits: -4.398, queued_as: A28B352C081, 3559 ms
              Sep 24 14:36:37 relay2 postfix/smtp[854]: 7C6D952C08E: to=<someone@...>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=3, delay=10, delays=2/4.8/0/3.6, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=01011-04-3, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A28B352C081)
              Sep 24 14:36:37 relay2 postfix/qmgr[9813]: 7C6D952C08E: removed
              Sep 24 14:36:38 relay2 postfix/smtp[1010]: A28B352C081: to=<someone@...>, relay=mx.mycontact.com[a.b.c.d]:25, delay=2.4, delays=1.6/0/0.17/0.6, dsn=5.7.1, status=bounced (host mx.mycontact.com[a.b.c.d] said: 550 5.7.1 SPF check failed: w.x.y.z is not authorized to send in the name of "mydomain.com". (in reply to RCPT TO command))

              As far as I see, my logs don’t report any misconfiguration, if not
              conceptual

              If it appears that my recipient’s mail servers are misconfigured, I’ll
              have 3 choices :

              - contact the administrator and report him the problem

              - configure the relays so Postfix doesn’t insert headers related to LAN,
              from where comes outbound mail

              - leave exchange.mydomain.com in the MX record (really … it’s not an
              option lol)

              Thanks,

              Milosz SZOT

              > On Tuesday 25 September 2007 21:45, Scott Kitterman wrote:
              >
              > If the outbound messages are passing through your Postfix relays as you
              > say, you are correct that remote servers should not be rejecting the
              > mail based on the IP of the Exchange server due to SPF.
              >
              > Please provide the details of the rejection messages and your Postfix
              > log entries showing the messages passing through one of the Postfix servers.
              >
              > I don't recall having seen this type of problem before, so if it's one
              > sender you're having problems with, they may be misconfigured somehow.
              >
              > Scott K

              > >On Tuesday 25 September 2007 14:59, Milosz SZOT wrote:

              > > Hi,

              > >

              > > I have two Postfix relays with amavis/spamassassin/clamav, running

              > > fine They serve as front mail servers for an Exchange server, which is

              > > on the internal network, and must not be accessed directly from the

              > > Internet They relay mails from Exchange to the Internet, and they

              > > receive mails from the Internet, which they pass to Exchange.

              > >

              > > I’ve set SPF policies on each of my DNS domains, as this :

              > >

              > > ‘v=spf1 mx a:miscserver1.mydomain.com a:miscserver2.mydomain.com -all’

              > >

              > > As I’m testing the whole thing, i’ve set my MX records to :

              > >

              > > relay1.mydomain.com (10)

              > > relay2.mydomain.com (20)

              > > exchange.mydomain.com (30)

              > >

              > > It works fine, and I am moving to the next step : to delete

              > > exchange.mydomain.com from the MX records So I configured Exchange to

              > > forward all the outcoming mails to the 2 relays, which works fine ;

              > > the 2 relays are forwarding the incoming mails to the exchange server,

              > > as planned

              > >

              > > But when I’ve deleted, for a test, exchange.mydomain.com from MX

              > > records on one of my domains, the outcoming mails, despite being

              > > forwarded by the relays, were refused because my recipient’s mail

              > > server did SPF checks and gave me a 550 error « SPF check failed:

              > > w.x.y.z is not authorized to send in the name of "mydomain.com". »

              > >

              > > It appears that w.x.y.z is my Exchange’s IP, the one which resolves

              > > from exchange.mydomain.com

              > >

              > > It’s the hostname I’ve assigned in Exchange options, which only

              > > appears in the headers Postfix first inserts when forwarding the mail

              > > : «

              > > Received: from exchange.mydomain.com (unknown [192.168.0.5]) by

              > > relay1.mydomain.com (Postfix) »

              > >

              > > Because I need to suppress exchange.mydomain.com from my MX records, I

              > > need to be clean and compliant, and I don’t know which is the best

              > > solution :

              > >

              > > - to add exchange.mydomain.com to the spf records

              > > - to delete all the headers referring to the internal LAN forwarding

              > > with the HEADER_CHECKS Postfix’ feature (i don’t like Postfix to show

              > > in the headers my internal IP addressing either)

              > > - to change Exchange’s configuration (the hostname needs be resolvable

              > > ; exchange.mydomain.com gives SPF errors, changing it to

              > > relay1.mydomain.com breaks the relays, because the mails are looping

              > > in

              > > Postfix)

              > > - whatever solution you have

              > >

              > > The obvious solution is to add the exchange server to the spf records,

              > > it will work fine on SPF enabled servers… but if i delete it from the

              > > MX records, i don’t know how many mail servers WITHOUT spf will refuse

              > > my mails because exchange.mydomain.com is not a MX

              > >

              > > I’ve read a lot of how-tos about implementing postfix as a relay since

              > > i’ve worked on this project for several weeks, followed the classic

              > > architecture, but i’ve never heard about problems like this one So I

              > > need your help to find the best way to fix the problem, because I

              > > can’t afford to lose mails : all my firm’s employees mainly rely on

              > > mail for communications between them/with business associates

              > >
            • Scott Kitterman
              Message 6 of 8 , Sep 27, 2007
                On Thursday 27 September 2007 06:00, Milosz SZOT wrote:

                > As far as I see, my logs don’t report any misconfiguration, if not
                > conceptual
                >
                > If it appears that my recipient’s mail servers are misconfigured, I’ll
                > have 3 choices :
                >
                > - contact the administrator and report him the problem
                >
                > - configure the relays so Postfix doesn’t insert headers related to LAN,
                > from where comes outbound mail
                >
                > - leave exchange.mydomain.com in the MX record (really … it’s not an
                > option lol)

                FWIW, I agree your recipient is misconfigured. I've seen similar reject
                messages that were equally incorrect before, so I'd be curious to know what
                implementation it is that gets this wrong.

                Option 4:

                Add the external IP of the Exchange server to your SPF record:

                ip4:a.b.c.d

                "v=spf1 mx ip4:a.b.c.d a:linmutprd1.nextedia.com a:www.e-ventory.fr
                a:cache.adoc.fr -all"

                Scott K
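
Added example (not part of the thread and not any poster's code): a minimal SPF evaluator covering only the `ip4`, `a`, `mx` and `all` mechanisms, run against the record quoted in the first message. The 203.0.113.x addresses and DNS tables are constructed stand-ins for the anonymised hosts, and it assumes, as the rejection text suggests, that the receiver evaluated the Exchange address instead of the connecting relay; under that assumption it shows why the bounce began once exchange.mydomain.com left the MX set and why an explicit `ip4:` entry clears it.

```python
import ipaddress

# Constructed DNS data: documentation addresses stand in for the thread's
# anonymised hosts (203.0.113.25 plays the Exchange address "w.x.y.z").
A = {
    "relay1.mydomain.com": "203.0.113.10",
    "relay2.mydomain.com": "203.0.113.11",
    "exchange.mydomain.com": "203.0.113.25",
    "miscserver1.mydomain.com": "203.0.113.40",
    "miscserver2.mydomain.com": "203.0.113.41",
}
RELAYS = ["relay1.mydomain.com", "relay2.mydomain.com"]
MX_TESTING = {"mydomain.com": RELAYS + ["exchange.mydomain.com"]}  # three MX hosts
MX_FINAL = {"mydomain.com": RELAYS}                                # Exchange removed

SPF_ORIGINAL = ("v=spf1 mx a:miscserver1.mydomain.com "
                "a:miscserver2.mydomain.com -all")
SPF_OPTION_4 = ("v=spf1 mx ip4:203.0.113.25 a:miscserver1.mydomain.com "
                "a:miscserver2.mydomain.com -all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, domain, spf, mx, a=A):
    """Evaluate an SPF record left to right; the first matching mechanism wins.

    The only inputs are the SMTP client address and the MAIL FROM domain;
    message headers are never consulted. Subset: ip4, a, mx, all.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"

    def addresses(hosts):
        return {ipaddress.ip_address(a[h]) for h in hosts if h in a}

    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in addresses([arg or domain])
        elif mech == "mx":
            matched = ip in addresses(mx.get(arg or domain, []))
        else:
            raise ValueError(f"mechanism outside this sketch: {term}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def scenarios():
    """Results for the relay (the real SMTP client) and for the Exchange address."""
    relay, exchange = A["relay1.mydomain.com"], A["exchange.mydomain.com"]
    d = "mydomain.com"
    return {
        "relay IP, Exchange not an MX": check_host(relay, d, SPF_ORIGINAL, MX_FINAL),
        "Exchange IP, Exchange still an MX": check_host(exchange, d, SPF_ORIGINAL, MX_TESTING),
        "Exchange IP, MX removed": check_host(exchange, d, SPF_ORIGINAL, MX_FINAL),
        "Exchange IP, MX removed, ip4 added": check_host(exchange, d, SPF_OPTION_4, MX_FINAL),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:38} -> {result}")
```
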
              • mouss
                Message 7 of 8 , Sep 27, 2007
                  Milosz SZOT wrote:
                  > Hi, as asked, i provide you the details :
                  >
                  > I’ve replaced my contacts domain by « mycontact.com » and his IP by «
                  > a.b.c.d », it’s a well-known company in France, as well as mine =)

                  which ones ?-)

                  >
                  > Reminder : Exchange’s internal IP is 192.168.0.5 and external IP is w.x.y.z
                  >

                  try adding the IPs of the relay servers explicitly (ip4:w.x.y.z) and
                  see if this helps. it is possible that the recipient domain has dns
                  lookup issues, or has a broken spf config.
                • Milosz SZOT
                  Message 8 of 8 , Oct 1, 2007
                    Thanks for your answer,

                    > Add the external IP of the Exchange server to your SPF record
                    I'll add the exchange server in the spf for every domain i control, today

                    > FWIW, I agree your recipient is misconfigured. I've seen similar
                    > reject messages that were equally incorrect before, so I'd be curious to
                    > know what implementation it is that gets this wrong.

                    I guess i won't know what implementation is used, because it's a
                    customer, so i don't imagine me giving a phone to them to tell them
                    their mail filters are faulty, it's a big customer, and it's a somewhat
                    large company =/

                    I have one more question :
                    if i delete my exchange server from the spf so everything is relayed in
                    and out by the 2 postfixes, is there any chance to be considered as
                    spammer, for mail servers not using spf ?
                    I mean misconfigured old mail servers checking MX records, and looking
                    in the headers, and maybe checking my exchange server because it is the
                    original sender in my headers ?

                    It's my first "true" mail server and i don't want to take any risks

                    Thanks anyway !

                    Milosz SZOT