Koozali.org: home of the SME Server

Obsolete Releases => SME Server 9.x => Topic started by: Drifting on July 11, 2017, 10:57:20 PM

Title: SPF fail for a supplier
Post by: Drifting on July 11, 2017, 10:57:20 PM
Hi, excuse any typos, trying to write this on an iPhone.

Home server for some reason does not like email from our estate agent.
See here:-
fail:
   asupplier.com: Sender is not authorized by default to use
   'email@asupplier.com' in 'mfrom' identity (mechanism '-all'
matched)
   (in reply to end of DATA command)
<details.txt>
<mime-attachment>

Thought I had turned off all spf? Confused as to why it is being rejected?
Not possible to remote in and look, so any suggestions on the above welcome.

Paul
Title: Re: SPF fail for a supplier
Post by: Daniel B. on July 12, 2017, 02:00:33 PM
Well, that's because your supplier asked for this email to be rejected. To be more complete, they have published an SPF policy in their public DNS zone (we could check the exact policy if you gave the real domain name, but here we can't). Anyway, this policy lists the servers allowed to emit emails using their domain as sender. The policy also says to reject any email which is not coming from one of the allowed servers (this is what the -all is for). Looks like you are receiving an email from a server which is not allowed, so your SME is correctly rejecting it.
Title: Re: SPF fail for a supplier
Post by: Drifting on July 12, 2017, 02:20:05 PM
Hi, thanks for the reply. I was trying to protect the innocent. :-) And I thought for a moment that perhaps I had done something wrong on the SME server. I really must get round to having a read up on SPF and SME on this matter. Not really had a lot of time darting round the country of late.
The company in question is hawksfordjames.com

Paul.
Title: Re: SPF fail for a supplier
Post by: Jean-Philippe Pialasse on July 12, 2017, 07:04:02 PM
At the moment I am writing these lines: No valid SPF record found of either type TXT or type SPF.

So either they have been warned and removed them or we bark at trees ;)

Anyway, the most frequent issue with an SPF record set as -all is a user trying to send the email through their ISP SMTP server instead of their MX (0 hawksfordjames.com) or any A or CNAME valid in their DNS.

They can work around this by adding the domain of their provider to the list of accepted senders, or by configuring their client phone / laptop to send it through their correct SMTP service.
Title: Re: SPF fail for a supplier
Post by: Daniel B. on July 12, 2017, 07:06:13 PM
Well, the domain hawksfordjames.com doesn't exist, so there's a typo somewhere ;-)
Title: Re: SPF fail for a supplier
Post by: JohnG on July 12, 2017, 08:07:47 PM
I'm presuming it's hawkesfordjames.com. The current ip for mail.hawkesfordjames.com seems to fall within the correct range that's in the spf.
Title: Re: SPF fail for a supplier
Post by: Drifting on July 12, 2017, 09:07:57 PM
Yes, my typo.

Title: Re: SPF fail for a supplier
Post by: Daniel B. on July 13, 2017, 08:36:31 AM
So, here's the SPF entry of this domain:
Code:
v=spf1 a mx mx:mail.hawkesfordjames.com ip4:212.113.198.192/26 ip6:2a01:5400:1:2::/64 -all

Which means only those IP/networks are allowed to send emails in their name.

You can check in qpsmtpd logs from where you received the email, but most likely from a different IP.
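
The check behind the rejection can be reproduced offline against the record quoted above. This is an added example, not code from the thread or from qpsmtpd: it implements only the a, mx, ip4, ip6 and all mechanisms, takes the DNS answers for a/mx from the caller through the hypothetical `resolved` argument, and every sender address in it is constructed.

```python
import ipaddress

# SPF record quoted in the thread for hawkesfordjames.com
RECORD = ("v=spf1 a mx mx:mail.hawkesfordjames.com "
          "ip4:212.113.198.192/26 ip6:2a01:5400:1:2::/64 -all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip, resolved=None):
    """Evaluate a subset of SPF (a, mx, ip4, ip6, all), left to right.

    `resolved` maps a mechanism such as "mx" or "mx:mail.example.com" to the
    addresses DNS would return for it (assumption: supplied by the caller so
    the example runs offline). Returns (result, matching term).
    """
    resolved = resolved or {}
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", None)
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name in ("a", "mx"):
            addrs = resolved.get(mech, ())
            matched = any(ip == ipaddress.ip_address(a) for a in addrs)
        else:
            # include, exists, redirect=... are outside this subset
            return ("permerror", term)
        if matched:
            return (QUALIFIERS[qualifier], term)
    return ("neutral", None)  # nothing matched and no "all" term


if __name__ == "__main__":
    # Constructed senders: inside the /26, just below it, inside the /64,
    # and an unrelated relay (documentation range).
    for sender in ("212.113.198.200", "212.113.198.191",
                   "2a01:5400:1:2::25", "203.0.113.25"):
        print(sender, check_spf(RECORD, sender))
```

The address to feed in is the connecting IP that qpsmtpd logged for the rejected message, since SPF is evaluated against the connecting client, not against any header inside the mail.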
Title: Re: SPF fail for a supplier
Post by: Drifting on July 13, 2017, 04:24:11 PM
Thank you Daniel for the help with this one. As soon as I am back home and off this iPhone I will check it out.

Paul.