Re: 2 postfix boxes as frontservers for MS Exchange, spf problems

From: mouss (mlist.onlyfree.fr)
Date: Tue Sep 25 2007 - 16:09:17 CDT


Milosz SZOT wrote:
> Hi,
>
> I have two Postfix relays with amavis/spamassassin/clamav, running fine
> They serve as front mail servers for an Exchange server, which is on the
> internal network, and must not be accessed directly from the Internet
> They relay mails from Exchange to the Internet, and they receive mails
> from the Internet, which they pass to Exchange.
>
> I’ve set SPF policies on each of my DNS domains, like this:
>
> ‘v=spf1 mx a:miscserver1.mydomain.com a:miscserver2.mydomain.com –all’
>
> As I’m testing the whole thing, I’ve set my MX records to:
>
> relay1.mydomain.com (10)
> relay2.mydomain.com (20)
> exchange.mydomain.com (30)
>
> It works fine, and I am moving to the next step: to delete
> exchange.mydomain.com from the MX records.
> So I configured Exchange to forward all the outgoing mail to the 2
> relays, which works fine; the 2 relays are forwarding the incoming
> mail to the Exchange server, as planned.
>
> But when I deleted, for a test, exchange.mydomain.com from the MX records
> on one of my domains, the outgoing mails, despite being forwarded by
> the relays, were refused because my recipient’s mail server did SPF
> checks and gave me a 550 error « SPF check failed: w.x.y.z is not
> authorized to send in the name of "mydomain.com". »
>

Show the (unaltered) rejection text from the Postfix logs.

> It appears that w.x.y.z is my Exchange’s IP, the one which resolves from
> exchange.mydomain.com
>
> It’s the hostname I’ve assigned in Exchange options, which only appears
> in the headers Postfix first inserts when forwarding the mail : «
> Received: from exchange.mydomain.com (unknown [192.168.0.5]) by
> relay1.mydomain.com (Postfix) »
>
> Because I need to suppress exchange.mydomain.com from my MX records, I
> need to be clean and compliant, and I don’t know which is the best
> solution:
>
> - to add exchange.mydomain.com to the SPF records
> - to delete all the headers referring to the internal LAN forwarding
> with Postfix’s HEADER_CHECKS feature (I don’t like Postfix showing my
> internal IP addressing in the headers either)

SPF has nothing to do with Received headers. If someone is checking
these headers, he has a broken setup.

Anyway, a header_checks entry (pcre table; fill in the placeholder names
for your Exchange HELO name, its reverse DNS, its IP and your relay) such as:

/^(Received: from exchangeheloname \(exchangerdns \[exchangeip\]\) by yourservername \(Postfix\) .*)/
        REPLACE X-$1

will replace Received: with X-Received:, thus avoiding issues with broken
filters, but keeping the info in case you need it.

If you want to hide the private info, adjust the expression. For example:

/^Received: from (exchangeheloname) \(exchangerdns \[exchangeip\]\) (by yourservername \(Postfix\) .*)/
        REPLACE X-Received: from private.local (private.local [10.1.2.3]) $2

> - to change Exchange’s configuration (the hostname needs to be resolvable;
> exchange.mydomain.com gives SPF errors, changing it to
> relay1.mydomain.com breaks the relays, because the mails loop in
> Postfix)
> - whatever solution you have
>
> The obvious solution is to add the Exchange server to the SPF records;
> it will work fine on SPF-enabled servers… but if I delete it from the MX
> records, I don’t know how many mail servers WITHOUT SPF will refuse my
> mails because exchange.mydomain.com is not an MX.
>
> I’ve read a lot of how-tos about implementing Postfix as a relay since
> I’ve been working on this project for several weeks, followed the classic
> architecture, but I’ve never heard about problems like this one.
> So I need your help to find the best way to fix the problem, because I
> can’t afford to lose mail: all my firm’s employees mainly rely on mail
> for communication between themselves and with business associates.
>
> Thanks a lot!
>
> A long-time fan of Mr Venema ;-)
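The two header_checks rewrites from mouss's reply, as an added example that is not code from the thread or from Postfix: a small Python emulation of the pcre header_checks REPLACE action (first matching entry wins, matching case-insensitive by default as in pcre_table(5)), run over constructed Received headers. The placeholders are filled in with the thread's names (exchange.mydomain.com, 192.168.0.5, relay1.mydomain.com are assumed, not real hosts), the table parser is a hypothetical minimal subset, and the sample headers are made up. The point it shows is that the internal-side header is rewritten while a header for an ordinary Internet peer is left alone.

```python
import re

# Two hypothetical header_checks tables in pcre_table(5) syntax, filled in
# with the thread's example names (exchange.mydomain.com, 192.168.0.5 and
# relay1.mydomain.com are assumed placeholders, not real hosts).
RENAME_TABLE = r"""
# keep the information but rename the header so broken filters ignore it
/^(Received: from exchange\.mydomain\.com \(unknown \[192\.168\.0\.5\]\) by relay1\.mydomain\.com \(Postfix\) .*)/
        REPLACE X-$1
"""

HIDE_TABLE = r"""
# drop the internal hostname and RFC 1918 address entirely
/^Received: from (exchange\.mydomain\.com) \(unknown \[192\.168\.0\.5\]\) (by relay1\.mydomain\.com \(Postfix\) .*)/
        REPLACE X-Received: from private.local (private.local [10.1.2.3]) $2
"""

_ENTRY = re.compile(r'^/(.*)/([A-Za-z]*)\s*(.*)$')


def parse_table(text):
    """Minimal pcre_table(5) reader (assumed subset, not Postfix's parser):
    '/pattern/flags action', where a line starting with whitespace continues
    the previous entry. Only the 'i' flag is honoured: it toggles the
    default case-insensitive matching, as in Postfix."""
    rules = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t':
            regex, action = rules.pop()            # continuation of previous entry
            rules.append((regex, (action + ' ' + raw.strip()).strip()))
            continue
        m = _ENTRY.match(raw)
        if not m:
            raise ValueError('unsupported table line: %r' % raw)
        pattern, flags, action = m.groups()
        re_flags = 0 if 'i' in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action))
    return rules


def apply_header_checks(header, rules):
    """Apply the table to one logical header (folded continuation lines must
    already be joined, as Postfix does before matching).
    Returns (action, header_after); the first matching entry wins."""
    for regex, action in rules:
        m = regex.search(header)
        if not m:
            continue
        verb, _, arg = action.partition(' ')
        verb = verb.upper()
        if verb == 'REPLACE':
            # Postfix expands $1 / ${1} in the replacement; Match.expand wants \g<1>
            template = re.sub(r'\$\{?(\d+)\}?', r'\\g<\1>', arg)
            return verb, m.expand(template)
        if verb == 'IGNORE':
            return verb, None                      # header is dropped
        return verb, header                        # DUNNO, WARN, OK, ...: unchanged
    return 'DUNNO', header


# Constructed sample headers: what relay1 would stamp on a message coming
# from the Exchange box, and what it stamps on one from an Internet peer.
RECEIVED_INTERNAL = ('Received: from exchange.mydomain.com (unknown [192.168.0.5]) '
                     'by relay1.mydomain.com (Postfix) with ESMTP id 3F2A1B0C1; '
                     'Tue, 25 Sep 2007 22:09:17 +0200 (CEST)')
RECEIVED_EXTERNAL = ('Received: from mail.example.org (mail.example.org [198.51.100.7]) '
                     'by relay1.mydomain.com (Postfix) with ESMTP id 9D1E2F0A4; '
                     'Tue, 25 Sep 2007 22:11:03 +0200 (CEST)')


def renamed_header():
    """Variant 1: keep everything, just rename Received: to X-Received:."""
    return apply_header_checks(RECEIVED_INTERNAL, parse_table(RENAME_TABLE))


def hidden_header():
    """Variant 2: replace the internal name and address with a dummy."""
    return apply_header_checks(RECEIVED_INTERNAL, parse_table(HIDE_TABLE))


def untouched_header():
    """A header for an external peer must not match either entry."""
    return apply_header_checks(RECEIVED_EXTERNAL, parse_table(HIDE_TABLE))


if __name__ == '__main__':
    for fn in (renamed_header, hidden_header, untouched_header):
        print(fn.__name__, '->', fn())
```

This only emulates the REPLACE semantics; the real table should be checked with Postfix itself before it goes live, e.g. `postmap -q "Received: from exchange.mydomain.com (unknown [192.168.0.5]) by relay1.mydomain.com (Postfix) with ESMTP id ..." pcre:/etc/postfix/header_checks`, which prints the action the table would take for that header.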