Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: bosco555 on October 21, 2016, 08:20:48 AM
-
Hi all, (SME server 9)
Because of spoofing, I had to change an SPF record from:
v=spf1 a mx a:mail.company.com ~all
to:
v=spf1 a mx a:mail.company -all
However after changing the ~(soft fail) to the "-" I can't send emails out from the local network and get the following:
Remote host said: 550 SPF - forgery: company: Sender is not authorized by default to use 'user@company' in 'mfrom' identity (mechanism '-all' matched)
#### Actually all SME servers reject outgoing mail when the SPF record has a hard fail...Why is that??
thanks all
-
Does one of the items in your SPF record translate to the public IP address of your SME server for systems outside your network (your mx record, your a record, or 'mail.company.com')?
Maybe this SPF tool would help you figure it out:
http://www.kitterman.com/spf/validate.html
-
Hi there,
SPF record passed validation test with pySPF (Python SPF library)!
Yep, it does translate to the WAN IP of the mail server. The only thing that changes is the tilde ~; when changing it to a -, outgoing mail stops with that message... There is no implementation of SPF on these SME boxes, pretty stock standard with the new Knuddi's antispam plugin...
thanks again
-
I am quite sure it's not SME related, as the SME does not look at SPF on outgoing. Try to send a mail to 'check-auth@verifier.port25.com' and see what it comes back with. Alternatively, try https://www.mail-tester.com/ - also a solid way to verify your settings. Lastly, if all fail, then let me know the domain name and I can manually check your SPF.
-
The TXT records found for your domain are:
v=spf1 +a +mx +ip4:37.xxx.xxx.230 +ip4:37.xxx.xxx.111 +ip4:94.xxx.xxx.95 -all
This is an SPF for one SME... have you "+a" and "+mx" and/or "+IP:xx.xx.xx..xx" in your SPF?
-
> This is an SPF for one SME... have you "+a" and "+mx" and/or "+IP:xx.xx.xx..xx" in your SPF?
Ciao Fumetto...
nope don't have a plus sign in front of anything...this is the one:
v=spf1 mx ip4:202.xx.xx.xx mx:mail.company.net.au ~all
When I do a check on http://www.kitterman.com/spf/validate.html
I get:
Results - record processed without error.
The result of the test (this should be the default result of your record) was, pass . The explanation returned was, sender SPF authorized
Whether I place "~" or "-" the test is successful, however with "-a" at the end I can't send any mail out..
thanks again
-
Do you just get no mail sent, or do you get a bounce message back from the SMEServer or somewhere else?
-
> Do you just get no mail sent, or do you get a bounce message back from the SMEServer or somewhere else?
This is what I get:
Remote host said: 550 SPF - forgery: company: Sender is not authorized by default to use 'user@company' in 'mfrom' identity (mechanism '-all' matched)
thanks
gb
-
can you describe a bit your infra? are you using SME as SMTP?
the remote host is a foreign server, not yours, right?
-
Hi Stefano,
it is an SME 9.1 in server-only mode, used as a mail server (SMTP) behind a router. It is fully updated. The only extra is the vacation message contrib.
Yep, the remote host is the receiving mail server, not mine. The funny thing is that if you put a soft fail "~a", then everything works perfectly; with a hard fail "-a" I receive that message (NDR) from all outgoing mail.
I checked MX/A/PTR records and everything is OK..
thanks
gb
-
maybe a silly question but.. are you sure you're not using a smarthost?
-
Hi Stefano,
nope, the SME box/es are doing the work of delivering/receiving email..
thanks
-
> ...however with "-a" at the end I can't send any mail out..
Hope you wanted to write "-all"...
Try this SPF:
v=spf1 +mx +a +ip4:202.xx.xx.xx -all
You need a DNS setting: servername.domain.tld needs to resolve to 202.xx.xx.xx, and the default MX in the DNS records needs to be 202.xx.xx.xx and/or servername.domain.tld. After that everything should work perfectly.
If not, pls,
> ...let me know the domain name and I can manually check your SPF
-
Ciao Fumetto..sorry my bad.. I meant "-all"...
I will try with the + signs
All the DNS settings resolve to the IP address...
thanks again...
-
take a look here:
https://bugs.contribs.org/show_bug.cgi?id=9871
maybe you're in the same situation..
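-
Added example, not part of the original thread: a minimal offline SPF evaluator (Python; `a`, `mx`, `ip4` and `all` only) showing how a record can validate as pass for the server's listed address yet end in a "mechanism '-all' matched" rejection when the receiver sees a different connecting IP, where `~all` would only have soft-failed. The `example.com` names, the documentation-range addresses and the in-memory DNS tables are constructed assumptions.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline (documentation ranges).
DNS_A = {"example.com": ["203.0.113.10"], "mail.example.com": ["203.0.113.10"]}
DNS_MX = {"example.com": ["mail.example.com"]}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

SERVER_IP = "203.0.113.10"   # address the record authorises
EGRESS_IP = "198.51.100.77"  # assumed NAT/relay address that is not in the record


def _hosts_match(hosts, ip):
    """True if any A record of any listed host equals the connecting IP."""
    return any(ip == ipaddress.ip_address(a) for h in hosts for a in DNS_A.get(h, []))


def check_spf(record, domain, client_ip):
    """Evaluate a subset of SPF left to right; the first matching term decides."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"  # no sign means "+"
        mech = term[1:] if term[0] in RESULTS else term
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = _hosts_match([arg or domain], ip)
        elif name == "mx":
            matched = _hosts_match(DNS_MX.get(arg or domain, []), ip)
        else:
            continue  # include, exists, ptr, modifiers: outside this sketch
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # no term matched and no "all" present


if __name__ == "__main__":
    for policy in ("~all", "-all"):
        rec = f"v=spf1 a mx a:mail.example.com {policy}"
        for src in (SERVER_IP, EGRESS_IP):
            print(policy, src, check_spf(rec, "example.com", src))
```

Comparing the connecting IP shown in the receiving server's `Received:` header or bounce against the record is the check this models.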