From: Milosz SZOT (milosz adoc.fr)
Date: Thu Sep 27 2007 - 05:00:19 CDT
Hi, as asked, I provide you the details:
I’ve replaced my contact’s domain by « mycontact.com » and his IP by « a.b.c.d », it’s a well-known company in France, as well as mine =)
Reminder: Exchange’s internal IP is 192.168.0.5 and external IP is w.x.y.z
The delivery report:
Reporting-MTA: dns; relay1.mydomain.com
X-Postfix-Queue-ID: CE9BE52C097
X-Postfix-Sender: rfc822; me@mydomain.com
Arrival-Date: Mon, 24 Sep 2007 14:45:31 +0200 (CEST)
Final-Recipient: rfc822; someone@mycontact.com
Original-Recipient: rfc822;someone@mycontact.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; mx.mycontact.com
Diagnostic-Code: smtp; 550 5.7.1 SPF check failed: w.x.y.z is not authorized to send in the name of "mydomain.com".
The log:
Sep 24 14:36:20 relay2 postfix/smtpd[32629]: connect from unknown[192.168.0.5]
Sep 24 14:36:20 relay2 postfix/qmgr[9813]: 9C87652C09F: from=<me@mydomain.com>, size=6430, nrcpt=1 (queue active)
Sep 24 14:36:20 relay2 postfix/smtpd[942]: disconnect from localhost[127.0.0.1]
Sep 24 14:36:26 relay2 spamd[1297]: spamd: clean message (-4.4/9.0) for spamd:1002 in 5.9 seconds, 6217 bytes.
Sep 24 14:36:26 relay2 spamd[1297]: spamd: result: . -4 - ALL_TRUSTED,BAYES_00,HTML_MESSAGE scantime=5.9,size=6217,user=spamd,uid=1002,required_score=9.0,rhost=localhost,raddr=127.0.0.1,rport=40408,mid=<E348E0FBCE092D41885F862EA61474A7A968AD@exchange.MYDOMAIN>,bayes=0.000000,autolearn=ham
Sep 24 14:36:28 relay2 postfix/pickup[32626]: 7C6D952C08E: uid=1002 from=<me@mydomain.com>
Sep 24 14:36:28 relay2 postfix/cleanup[890]: 7C6D952C08E: message-id=<E348E0FBCE092D41885F862EA61474A7A968AD@exchange.MYDOMAIN>
Sep 24 14:36:28 relay2 postfix/smtpd[857]: 7F2E952C09C: client=localhost[127.0.0.1]
Sep 24 14:36:28 relay2 postfix/cleanup[881]: 7F2E952C09C: message-id=<CB8EF1A898422C4AB6C14A3AA7DF1BE6DA349A@exchange.MYDOMAIN>
Sep 24 14:36:28 relay2 postfix/pipe[860]: 9C87652C09F: to=<someone@mycontact.com>, relay=spamassassin, delay=11, delays=2.1/1.2/0/7.8, dsn=2.0.0, status=sent (delivered via spamassassin service)
Sep 24 14:36:28 relay2 postfix/qmgr[9813]: 9C87652C09F: removed
Sep 24 14:36:28 relay2 spamd[885]: spamd: clean message (-4.4/9.0) for spamd:1002 in 7.4 seconds, 18386 bytes.
Sep 24 14:36:28 relay2 spamd[885]: spamd: result: . -4 - ALL_TRUSTED,BAYES_00,HTML_MESSAGE scantime=7.4,size=18386,user=spamd,uid=1002,required_score=9.0,rhost=localhost,raddr=127.0.0.1,rport=40410,mid=<BA91009042D0C649A7BC49988ED7DB86B18FD6@exchange.MYDOMAIN>,bayes=0.000000,autolearn=ham
Sep 24 14:36:28 relay2 postfix/smtpd[857]: disconnect from localhost[127.0.0.1]
Sep 24 14:36:35 relay2 postfix/smtpd[942]: connect from localhost[127.0.0.1]
Sep 24 14:36:35 relay2 postfix/smtpd[942]: A28B352C081: client=localhost[127.0.0.1]
Sep 24 14:36:35 relay2 postfix/cleanup[986]: A28B352C081: message-id=<E348E0FBCE092D41885F862EA61474A7A968AD@exchange.MYDOMAIN>
Sep 24 14:36:37 relay2 postfix/qmgr[9813]: A28B352C081: from=<me@mydomain.com>, size=7033, nrcpt=1 (queue active)
Sep 24 14:36:37 relay2 postfix/smtpd[942]: disconnect from localhost[127.0.0.1]
Sep 24 14:36:37 relay2 amavis[1011]: (01011-04-3) Passed CLEAN, <me@mydomain.com> -> <someone@mycontact.com>, Message-ID: <E348E0FBCE092D41885F862EA61474A7A968AD@exchange.MYDOMAIN>, mail_id: sq6WbKPj+706, Hits: -4.398, queued_as: A28B352C081, 3559 ms
Sep 24 14:36:37 relay2 postfix/smtp[854]: 7C6D952C08E: to=<someone@mycontact.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=3, delay=10, delays=2/4.8/0/3.6, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=01011-04-3, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A28B352C081)
Sep 24 14:36:37 relay2 postfix/qmgr[9813]: 7C6D952C08E: removed
Sep 24 14:36:38 relay2 postfix/smtp[1010]: A28B352C081: to=<someone@mycontact.com>, relay=mx.mycontact.com[a.b.c.d]:25, delay=2.4, delays=1.6/0/0.17/0.6, dsn=5.7.1, status=bounced (host mx.mycontact.com[a.b.c.d] said: 550 5.7.1 SPF check failed: w.x.y.z is not authorized to send in the name of "mydomain.com". (in reply to RCPT TO command))
As far as I see, my logs don’t report any misconfiguration, if not conceptual.
If it appears that my recipient’s mail servers are misconfigured, I’ll have 3 choices:
- contact the administrator and report the problem to him
- configure the relays so Postfix doesn’t insert headers related to the LAN, from where outbound mail comes
- leave exchange.mydomain.com in the MX record (really … it’s not an option lol)
Thanks,
Milosz SZOT
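
The relay2 log above, followed by Message-ID across the relay's internal re-queues so that interleaved messages are kept apart. This is an added example, not part of the original message: the `trace` helper and its field names are assumptions, and the log lines are excerpted from the message with wrapped lines rejoined and the stripped "@" restored.

```python
import re

# Excerpt of the relay2 log from the message (wrapped lines rejoined, "@" restored).
LOG = """\
Sep 24 14:36:28 relay2 postfix/cleanup[890]: 7C6D952C08E: message-id=<E348E0FBCE092D41885F862EA61474A7A968AD@exchange.MYDOMAIN>
Sep 24 14:36:28 relay2 postfix/cleanup[881]: 7F2E952C09C: message-id=<CB8EF1A898422C4AB6C14A3AA7DF1BE6DA349A@exchange.MYDOMAIN>
Sep 24 14:36:35 relay2 postfix/cleanup[986]: A28B352C081: message-id=<E348E0FBCE092D41885F862EA61474A7A968AD@exchange.MYDOMAIN>
Sep 24 14:36:37 relay2 postfix/smtp[854]: 7C6D952C08E: to=<someone@mycontact.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=3, delay=10, delays=2/4.8/0/3.6, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=01011-04-3, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A28B352C081)
Sep 24 14:36:38 relay2 postfix/smtp[1010]: A28B352C081: to=<someone@mycontact.com>, relay=mx.mycontact.com[a.b.c.d]:25, delay=2.4, delays=1.6/0/0.17/0.6, dsn=5.7.1, status=bounced (host mx.mycontact.com[a.b.c.d] said: 550 5.7.1 SPF check failed: w.x.y.z is not authorized to send in the name of "mydomain.com". (in reply to RCPT TO command))
"""

# "postfix/<daemon>[pid]: <queue id>: <rest of line>"
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)")
# Delivery records carry relay=, dsn= and status= followed by the reply in parentheses.
DELIVERY = re.compile(r"relay=([^,]+), .*dsn=([\d.]+), status=(\w+) \((.*)\)$")

def trace(log, message_id):
    """Return the delivery attempts, in log order, of every queue ID carrying message_id."""
    qids, hops = set(), []
    for raw in log.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        _daemon, qid, rest = m.groups()
        # cleanup logs the Message-ID once per queue ID; that ties re-queued copies together
        if rest == f"message-id=<{message_id}>":
            qids.add(qid)
        d = DELIVERY.search(rest)
        if d and qid in qids:
            relay, dsn, status, reply = d.groups()
            # Postfix appends the SMTP command the remote server was answering
            stage = re.search(r"in reply to (.+?) command", reply)
            hops.append({"qid": qid, "relay": relay, "dsn": dsn, "status": status,
                         "stage": stage.group(1) if stage else None})
    return hops
```

For the bounced hop, `stage` is RCPT TO, an SMTP command that precedes DATA, so the remote server gave its 550 reply before any message headers had been transmitted to it.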
>On Tuesday 25 September 2007 21:45, Scott Kitterman wrote:
>If the outbound messages are passing through your Postfix relays as you
>say, you are correct that remote servers should not be rejecting the
>mail based on the IP of the Exchange server due to SPF.
>
>Please provide the details of the rejection messages and your Postfix
>log entries showing the messages passing through one of the Postfix servers.
>
>I don't recall having seen this type of problem before, so if it's one
>sender you're having problems with, they may be misconfigured somehow.
>
>Scott K
> >On Tuesday 25 September 2007 14:59, Milosz SZOT wrote:
> > Hi,
> >
> > I have two Postfix relays with amavis/spamassassin/clamav, running
> > fine. They serve as front mail servers for an Exchange server, which is
> > on the internal network, and must not be accessed directly from the
> > Internet. They relay mails from Exchange to the Internet, and they
> > receive mails from the Internet, which they pass to Exchange.
> >
> > I’ve set SPF policies on each of my DNS domains, like this:
> >
> > 'v=spf1 mx a:miscserver1.mydomain.com a:miscserver2.mydomain.com -all'
> >
> > As I’m testing the whole thing, I’ve set my MX records to:
> >
> > relay1.mydomain.com (10)
> > relay2.mydomain.com (20)
> > exchange.mydomain.com (30)
> >
> > It works fine, and I am moving to the next step: to delete
> > exchange.mydomain.com from the MX records. So I configured Exchange to
> > forward all the outgoing mails to the 2 relays, which works fine;
> > the 2 relays are forwarding the incoming mails to the Exchange server,
> > as planned.
> >
> > But when I deleted, for a test, exchange.mydomain.com from the MX
> > records on one of my domains, the outgoing mails, despite being
> > forwarded by the relays, were refused because my recipient’s mail
> > server did SPF checks and gave me a 550 error « SPF check failed:
> > w.x.y.z is not authorized to send in the name of "mydomain.com". »
> >
> > It appears that w.x.y.z is my Exchange’s IP, the one which resolves
> > from exchange.mydomain.com.
> >
> > It’s the hostname I’ve assigned in Exchange options, which only
> > appears in the headers Postfix first inserts when forwarding the mail:
> > « Received: from exchange.mydomain.com (unknown [192.168.0.5]) by
> > relay1.mydomain.com (Postfix) »
> >
> > Because I need to suppress exchange.mydomain.com from my MX records, I
> > need to be clean and compliant, and I don’t know which is the best
> > solution:
> >
> > - to add exchange.mydomain.com to the SPF records
> > - to delete all the headers referring to the internal LAN forwarding
> > with Postfix’s HEADER_CHECKS feature (I don’t like Postfix to show
> > my internal IP addressing in the headers either)
> > - to change Exchange’s configuration (the hostname needs to be resolvable;
> > exchange.mydomain.com gives SPF errors, changing it to
> > relay1.mydomain.com breaks the relays, because the mails are looping
> > in Postfix)
> > - whatever solution you have
> >
> > The obvious solution is to add the Exchange server to the SPF records,
> > it will work fine on SPF-enabled servers… but if I delete it from the
> > MX records, I don’t know how many mail servers WITHOUT SPF will refuse
> > my mails because exchange.mydomain.com is not an MX.
> >
> > I’ve read a lot of how-tos about implementing Postfix as a relay since
> > I’ve worked on this project for several weeks, followed the classic
> > architecture, but I’ve never heard about problems like this one. So I
> > need your help to find the best way to fix the problem, because I
> > can’t afford to lose mails: all my firm’s employees mainly rely on
> > mail for communications between them/with business associates.
> >
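
How a receiver evaluates the SPF record quoted above against a connecting IP, with the MX set as it was during testing and as it is once exchange.mydomain.com is removed. This is an added example, not part of the thread: the addresses are constructed from documentation ranges because the thread masks the real ones, and the evaluator covers only the `mx`, `a` and `all` mechanisms that the record uses.

```python
import ipaddress

# Constructed zone data: the thread masks the real addresses (w.x.y.z, a.b.c.d),
# so documentation ranges stand in. 203.0.113.5 plays the Exchange external IP.
A = {
    "relay1.mydomain.com": ["198.51.100.1"],
    "relay2.mydomain.com": ["198.51.100.2"],
    "exchange.mydomain.com": ["203.0.113.5"],
    "miscserver1.mydomain.com": ["198.51.100.10"],
    "miscserver2.mydomain.com": ["198.51.100.11"],
}
MX_TESTING = {"mydomain.com": ["relay1.mydomain.com", "relay2.mydomain.com",
                               "exchange.mydomain.com"]}
MX_TARGET = {"mydomain.com": ["relay1.mydomain.com", "relay2.mydomain.com"]}
RECORD = "v=spf1 mx a:miscserver1.mydomain.com a:miscserver2.mydomain.com -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def addresses(hosts, a_records):
    """All addresses the given host names resolve to in the constructed zone."""
    return {ipaddress.ip_address(x) for h in hosts for x in a_records.get(h, [])}

def check_spf(record, client_ip, domain, mx, a_records):
    """Evaluate an SPF record (mx, a, all only) for the SMTP client's IP."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:  # mechanisms are tried left to right, first match wins
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in addresses([target], a_records)
        elif mech == "mx":
            # authorizes whatever hosts are in the MX set at evaluation time
            matched = ip in addresses(mx.get(target, []), a_records)
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" present
```

With this record the Exchange address is authorized only through `mx`, so the same client IP moves from pass to fail as soon as that host leaves the MX set, while the relays and the two `a:` hosts keep passing.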