Topic: SPR Record blocking outgoing mail

[bosco555]

Hi all, (SME server 9)

Because of spoofing, I had to change an spf record from:

v=spf1 a mx a:mail.company.com ~all

to:

v=spf1 a mx a:mail.company -all

However after changing the ~(soft fail) to the "-" I can't send emails out from the local network and get the following:

Remote host said: 550 SPF - forgery: company: Sender is not authorized by default to use 'user@company' in 'mfrom' identity (mechanism '-all' matched)

#### Actually all SME servers reject outgoing mail when the SPF record has a hard fail...Why is that??

thanks all

[mmccarn]

Does one of the items in your SPF record translate to the public IP address of your SME server for systems outside your network (your mx record, your a record, or 'mail.company.com')?

Maybe this SPF tool would help you figure it out:
http://www.kitterman.com/spf/validate.html

[bosco555]

Hi there,

SPF record passed validation test with pySPF (Python SPF library)!

Yep it does translate to the WAN IP of the mail server, the only thing that changes is the tilde ~ when changing to a - outgoing mail stops with that message...There is no implementation of spf on these sme boxes, pretty stock standard with the new Knuddi's antispam plugin...

thanks again

[Knuddi]

I am quite sure its not SME related as the SME does not look at SPF on outgoing. Try to send a mail to 'check-auth@verifier.port25.com' and see what it comes back with. Alternatively try the  https://www.mail-tester.com/ - also a solid way to verify your settings. Lastly if all fail, then let me know the domain name and I can manually check your SPF

[Fumetto]

The TXT records found for your domain are:
v=spf1 +a +mx +ip4:37.xxx.xxx.230 +ip4:37.xxx.xxx.111 +ip4:94.xxx.xxx.95 -all

This is an SPF for one SME... have you "+a" and "+mx" and/or "+IP:xx.xx.xx..xx" in your SPF?

[bosco555]

This is an SPF for one SME... have you "+a" and "+mx" and/or "+IP:xx.xx.xx..xx" in your SPF?

Ciao Fumetto...
nope don't have a plus sign in front of anything...this is the one:
v=spf1 mx ip4:202.xx.xx.xx mx:mail.company.net.au ~all

When I do a check on http://www.kitterman.com/spf/validate.html

I get:

Results - record processed without error.

The result of the test (this should be the default result of your record) was, pass . The explanation returned was, sender SPF authorized

Whether I place "~" or "-" the test is successful, however with "-a" at the end I can't send any mail out..

thanks again

[brianr]

Do you just get no mail sent, or do you get a bounce message back from the SMEServer or somewhere else?

[bosco555]

Do you just get no mail sent, or do you get a bounce message back from the SMEServer or somewhere else?

This is what I get:
Remote host said: 550 SPF - forgery: company: Sender is not authorized by default to use 'user@company' in 'mfrom' identity (mechanism '-all' matched)

thanks
gb

[Stefano]

can you describe a bit your infra? are you using SME as SMTP?

the remote host is a foreign server, not yours, right?

[bosco555]

HI Stefano,

it is an SME 9.1 is in server only mode, used as a mail server (SMTP) behind a router. It is fully updated. The only only extra is the vacation message contrib.

Yep the remote host is the receiving mail server, not mine. The funny thing is that is you put a soft fail "~a", then everything works perfectly, with a hard fail "-a" I receive that message, (NDR) from all outgoing mail.

I checked MX/A/PTR records and everything is OK..

thanks
gb

[Stefano]

maybe a silly question but.. are you sure you're not using a smarthost?

[bosco555]

Hi Stefano,

nope, the SME box/es are doing the work of delivering/receiving email..

thanks

[Fumetto]

...however with "-a" at the end I can't send any mail out..

Hope you want write "-all"...

Try this SPF:
v=spf1 +mx +a +ip4:202.xx.xx.xx -all

Need a DNS setting; servername.domain.tld need to be resolved as 202.xx.xx.xx, default MX on DNS records need to be 202.xx.xx.xx and/or servername.domain.tld. After that everything should work perfectly.

If not, pls,

...let me know the domain name and I can manually check your SPF

[bosco555]

Ciao Fumetto..sorry my bad.. I meant "-all"...
I will try with the + signs
All the DNS settings resolve to the IP address...
thanks again...

[Stefano]

take a look here:
https://bugs.contribs.org/show_bug.cgi?id=9871

maybe you're in the same situation..