Re: 2 postfix boxes as frontservers for MS Exchange, spf problems

From: Scott Kitterman (postfixkitterman.com)
Date: Tue Sep 25 2007 - 14:45:23 CDT


On Tuesday 25 September 2007 14:59, Milosz SZOT wrote:
> Hi,
>
> I have two Postfix relays with amavis/spamassassin/clamav, running fine.
> They serve as front mail servers for an Exchange server, which is on the
> internal network and must not be accessed directly from the Internet.
> They relay mails from Exchange to the Internet, and they receive mails
> from the Internet, which they pass to Exchange.
>
> I've set SPF policies on each of my DNS domains, like this:
>
> 'v=spf1 mx a:miscserver1.mydomain.com a:miscserver2.mydomain.com -all'
>
> As I’m testing the whole thing, i’ve set my MX records to :
>
> relay1.mydomain.com (10)
> relay2.mydomain.com (20)
> exchange.mydomain.com (30)
>
> It works fine, and I am moving to the next step: to delete
> exchange.mydomain.com from the MX records.
> So I configured Exchange to forward all the outgoing mails to the 2
> relays, which works fine; the 2 relays are forwarding the incoming
> mails to the Exchange server, as planned.
>
> But when I deleted, for a test, exchange.mydomain.com from the MX records
> on one of my domains, the outgoing mails, despite being forwarded by
> the relays, were refused because my recipient's mail server did SPF
> checks and gave me a 550 error « SPF check failed: w.x.y.z is not
> authorized to send in the name of "mydomain.com". »
>
> It appears that w.x.y.z is my Exchange’s IP, the one which resolves from
> exchange.mydomain.com
>
> It’s the hostname I’ve assigned in Exchange options, which only appears
> in the headers Postfix first inserts when forwarding the mail : «
> Received: from exchange.mydomain.com (unknown [192.168.0.5]) by
> relay1.mydomain.com (Postfix) »
>
> Because I need to suppress exchange.mydomain.com from my MX records, I
> need to be clean and compliant, and I don't know which is the best
> solution:
>
> - to add exchange.mydomain.com to the SPF records
> - to delete all the headers referring to the internal LAN forwarding
> with Postfix's header_checks feature (I don't like Postfix showing my
> internal IP addressing in the headers either)
> - to change Exchange's configuration (the hostname needs to be resolvable;
> exchange.mydomain.com gives SPF errors, changing it to
> relay1.mydomain.com breaks the relays, because the mails loop in
> Postfix)
> - whatever solution you have
>
> The obvious solution is to add the Exchange server to the SPF records;
> it will work fine on SPF-enabled servers... but if I delete it from the MX
> records, I don't know how many mail servers WITHOUT SPF will refuse my
> mails because exchange.mydomain.com is not an MX.
>
> I've read a lot of how-tos about implementing Postfix as a relay since
> I've worked on this project for several weeks, followed the classic
> architecture, but I've never heard about problems like this one.
> So I need your help to find the best way to fix the problem, because I
> can’t afford to lose mails : all my firm’s employees mainly rely on mail
> for communications between them/with business associates
>
If the outbound messages are passing through your Postfix relays as you say,
you are correct that remote servers should not be rejecting the mail based on
the IP of the Exchange server due to SPF.

Please provide the details of the rejection messages and your Postfix log
entries showing the messages passing through one of the Postfix servers.

I don't recall having seen this type of problem before, so if it's one sender
you're having problems with, they may be misconfigured somehow.

Scott K
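As an added illustration (not part of the original thread or of Scott's reply), the following Python sketch shows why the rejection Scott questions should not happen with a correctly implemented receiver: SPF's check_host() is evaluated against the IP address of the SMTP client that connects to the receiving MTA, so the "Received: from exchange.mydomain.com (unknown [192.168.0.5])" header that the relay adds for the Exchange-to-relay hop plays no part in the result. The DNS table is constructed for the example and uses RFC 5737 documentation addresses in place of the poster's real ones; the mechanism subset (a, mx, ip4, all), the lookup() stand-in for DNS and the compare_policies() helper are assumptions of this example, not anything from the thread.

```python
import ipaddress

# Constructed DNS data for the zone described in the thread. The host names are
# the poster's; the addresses are RFC 5737 documentation ranges chosen for this
# example and are NOT the poster's real addresses.
DNS = {
    "mydomain.com": {
        "TXT": ["v=spf1 mx a:miscserver1.mydomain.com a:miscserver2.mydomain.com -all"],
        # MX list after exchange.mydomain.com has been removed, as the poster intends
        "MX": [(10, "relay1.mydomain.com"), (20, "relay2.mydomain.com")],
    },
    "relay1.mydomain.com": {"A": ["203.0.113.10"]},
    "relay2.mydomain.com": {"A": ["203.0.113.20"]},
    "miscserver1.mydomain.com": {"A": ["203.0.113.30"]},
    "miscserver2.mydomain.com": {"A": ["203.0.113.31"]},
    # Public name of the Exchange box (the poster's w.x.y.z); it is in neither SPF nor MX.
    "exchange.mydomain.com": {"A": ["198.51.100.5"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline stand-in for a DNS query, answered from the constructed table."""
    return DNS.get(name.lower(), {}).get(rtype, [])


def evaluate(record, ip, domain):
    """Evaluate one SPF record for a client IP (RFC 4408 subset: a, mx, ip4, all).

    Mechanisms are tried left to right; the first one that matches decides the
    result through its qualifier. Anything else (include, redirect=, exists,
    ptr, macros) is deliberately unsupported here and reported as permerror.
    """
    client = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(client) in lookup(arg or domain, "A")
        elif name == "mx":
            hosts = [host for _, host in lookup(arg or domain, "MX")]
            matched = any(str(client) in lookup(host, "A") for host in hosts)
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # ran off the end of the record without a match


def check_host(ip, domain):
    """check_host() as a receiving MTA runs it: ip is the SMTP client that
    connected to us, never an address scraped from an inner Received: header."""
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    return evaluate(records[0], ip, domain)


def compare_policies(ip, domain="mydomain.com"):
    """Result under the published policy, and under the poster's first proposed
    fix (adding a:exchange.mydomain.com before -all)."""
    published = lookup(domain, "TXT")[0]
    with_exchange = published.replace(" -all", " a:exchange.mydomain.com -all")
    return {"published": evaluate(published, ip, domain),
            "with_exchange": evaluate(with_exchange, ip, domain)}


if __name__ == "__main__":
    cases = [
        ("203.0.113.10", "relay1, the host that actually connects to the remote MTA"),
        ("198.51.100.5", "exchange.mydomain.com, which never connects to the Internet"),
        ("192.168.0.5", "Exchange's LAN address from the inner Received: header"),
    ]
    for ip, what in cases:
        print(f"{ip:15} {what}: {compare_policies(ip)}")
```

Run stand-alone, the relay's public address passes through the mx mechanism, while both addresses associated with the Exchange host fail under -all; adding a:exchange.mydomain.com only rescues the public one. A receiver that rejects with the Exchange IP in its error text must therefore be evaluating something other than the connecting client, which is the misconfiguration Scott suspects.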