1

Topic: whitelist spf check by ip

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: ubuntu 18.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql
- Web server (Apache or Nginx):nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,
I'm struggling to find the place inside the iRedMail configuration where to whitelist the IP address of the backup MX:
I need the primary MX (iRedMail) to avoid the SPF check for emails arriving directly at the backup MX server and relayed by the backup MX to the primary MX; those messages are sent to the primary with the backup MX IP address, and the SPF check could fail.
I know that SPF checks are done by SpamAssassin, but only for scoring emails.
Can you help me please?
Thank you
Best regards
Stefano

2 (edited by ralph 2018-09-08 02:28:27)

Re: whitelist spf check by ip

Do you have a specific case that this is failing?

If your backup mx is listed in your DNS mx record, it would pass the SPF check if your SPF record includes "mx."

Also, I just migrated to a new server and temporarily set up my old server as a backup mx (without the old server setup as an mx in DNS record) relaying to the new server and this worked without any whitelisting in out-of-the-box iRedMail on the same version/OS you're using.

3

Re: whitelist spf check by ip

Hi Ralph,
thanks for the reply. I'm in the phase of testing iRedMail. At present I manage a primary and a backup MX for us and many customers, both based on Linux with Postfix, Greylist and postfix-policyd-spf-python (also Dovecot, ClamAV, SpamAssassin and SquirrelMail on the primary). I've noted that when someone writes to one of our email accounts and that message gets handled by the backup MX, the backup MX checks SPF and, if all is OK, relays to the primary MX; but the primary MX sees the backup MX IP address as the sender, so the SPF check could fail. So in actual production I've put the backup MX IP address into the whitelist of postfix-policyd-spf-python in order to avoid the primary doing the SPF check (already done by the backup MX).
My point of view is that of receiving and managing incoming emails. It seems to me that you are speaking about emails sent by me.
Please help me.
Thank you


ralph wrote:

Do you have a specific case that this is failing?

If your backup mx is listed in your DNS mx record, it would pass the SPF check if your SPF record includes "mx."

Also, I just migrated to a new server and temporarily set up my old server as a backup mx (without the old server setup as an mx in DNS record) relaying to the new server and this worked without any whitelisting in out-of-the-box iRedMail on the same version/OS you're using.

4

Re: whitelist spf check by ip

If you're concerned about the SPF check failing from your backup mx, simply include the backup mx record in your DNS zone.

For example, if your SPF record contains the "mx" mechanism like this:

"v=spf1 a mx -all"

And your DNS zone includes your primary and backup mx:
MX 10 primary.example.com
MX 20 backup.example.com

Then the SPF check will pass.

http://www.openspf.org/SPF_Record_Syntax wrote:

All the A records for all the MX records for domain are tested in order of MX priority. If the client IP is found among them, this mechanism matches.

See http://www.openspf.org/SPF_Record_Syntax

5

Re: whitelist spf check by ip

Ralph, the problem is with incoming emails for which I check SPF records, so it is useless to modify the SPF records of my managed domains. My primary and backup MX check external domains' SPF records, over which I have no control.
For each incoming email my servers check the SPF record of that incoming email, and in case that email gets delivered first to my backup MX, then the IP address of my backup MX will appear to my primary as the client sender.
Please read this article, which is exactly my case:
http://www.openspf.org/FAQ/Common_receiver_mistakes
section "Processing SPF policies at the border"

Anyway, I'd like to know if iRedMail allows an IP address whitelist regarding SPF, just as requested by the section "Processing SPF policies at the border".
Thank you
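An added worked example (not code from this thread, from iRedMail or from openspf.org) that makes the difference between posts 4 and 5 concrete with a minimal SPF evaluator over constructed DNS data: for mail *from* our own domain, the "mx" mechanism in "v=spf1 a mx -all" lets the backup MX pass; for mail from an external domain relayed by our backup MX to the primary, the external domain's record is what gets evaluated, and it does not list our backup, so the primary sees a fail unless the backup MX is exempted at the border. All zone data, hostnames and addresses are constructed; only the a, mx, ip4 and all mechanisms are implemented.

```python
import ipaddress

# Constructed DNS data (not real zones). In practice these come from DNS lookups;
# here they are an inline dict so the example runs offline.
DNS = {
    # Our own domain, as in post 4: primary and backup MX, record "v=spf1 a mx -all".
    "example.com": {
        "TXT": ["v=spf1 a mx -all"],
        "A": ["192.0.2.10"],
        "MX": ["primary.example.com", "backup.example.com"],
    },
    "primary.example.com": {"A": ["192.0.2.10"]},
    "backup.example.com": {"A": ["192.0.2.20"]},
    # An external sender domain, as in post 5: its record knows nothing about our MXs.
    "sender.example": {
        "TXT": ["v=spf1 a mx ip4:198.51.100.0/24 -all"],
        "A": ["203.0.113.10"],
        "MX": ["mx1.sender.example"],
    },
    "mx1.sender.example": {"A": ["203.0.113.20"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def a_records(name):
    return DNS.get(name, {}).get("A", [])


def mx_ips(domain):
    """All A records of all MX hosts of domain (what the 'mx' mechanism tests)."""
    return [ip for mx in DNS.get(domain, {}).get("MX", []) for ip in a_records(mx)]


def spf_check(client_ip, sender_domain):
    """Evaluate sender_domain's SPF record against the connecting client IP.

    Handles the mechanisms used on this page (a, mx, ip4, all) with qualifiers;
    returns pass/fail/softfail/neutral, or 'none' when no record exists.
    """
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in DNS.get(sender_domain, {}).get("TXT", []) if t.startswith("v=spf1")]
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in a_records(arg or sender_domain)
        elif mech == "mx":
            matched = str(ip) in mx_ips(arg or sender_domain)
        else:
            continue  # include/exists/ptr etc. are out of scope for this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def border_spf_check(client_ip, sender_domain, own_border_mxs):
    """What Stefano asks for: the primary skips the check when the connecting
    host is one of its own backup MXs, which already checked the real client."""
    if client_ip in own_border_mxs:
        return "skipped"
    return spf_check(client_ip, sender_domain)


if __name__ == "__main__":
    # Post 4: mail *from* our domain sent via the backup MX passes thanks to 'mx'.
    print(spf_check("192.0.2.20", "example.com"))          # pass
    # Post 5: mail from sender.example arriving at the primary via our backup MX
    # is judged by sender.example's record, which does not list 192.0.2.20.
    print(spf_check("203.0.113.20", "sender.example"))      # pass (direct from their MX)
    print(spf_check("192.0.2.20", "sender.example"))        # fail (relayed by our backup)
    print(border_spf_check("192.0.2.20", "sender.example", {"192.0.2.20"}))  # skipped
```

The exemption set passed to border_spf_check is the equivalent of the whitelist Stefano kept in postfix-policyd-spf-python: it is keyed on the connecting IP, not on any SPF record, which is why changing the records of the managed domains cannot help with inbound mail.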

6

Re: whitelist spf check by ip

There's probably a dozen or so ways to whitelist a server. The way that works best for you probably depends on your configuration.

In a vanilla iRedMail installation, I've been dealing with an SPF fail that is coming from iredapd in smtpd_recipient_restrictions.

I tried every which way to whitelist the "offending" server in iredapd by using wblist_admin, MYNETWORKS, etc. but the SPF fail continues.

I finally worked around the issue by moving permit_mynetworks above the iredapd service in smtpd_recipient_restrictions in postfix main.cf and adding the relay server to mynetworks in main.cf.

This might work for you in your case, or you may need to reorder other restrictions you're using if the SPF fail happens during another part of the process.

7

Re: whitelist spf check by ip

ralph wrote:

I finally worked around the issue by moving permit_mynetworks above the iredapd service in smtpd_recipient_restrictions in postfix main.cf and adding the relay server to mynetworks in main.cf.

You should list the IP in 2 files:

- Postfix /etc/postfix/main.cf, parameter "mynetworks =".
- iRedAPD /opt/iredapd/settings.py, parameter "MYNETWORKS =" (warning: its value is a Python list).

I believe this solution should fix Stefano's issue too.

Moving "permit_mynetworks" above iredapd in main.cf will bypass iRedAPD services; this way you get no outbound throttling/whitelist/blacklists/etc.
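An added example (not code from this thread, from iRedMail or from iRedAPD) that audits the two settings named above for a relay IP: it reads mynetworks and smtpd_recipient_restrictions from a constructed main.cf sample, checks the same IP against the list that would go into settings.py, and reports whether the iRedAPD check_policy_service still runs before permit_mynetworks, i.e. whether ralph's reordering has bypassed it. The file contents and the policy-service address inet:127.0.0.1:7777 are assumptions, and iRedAPD's own MYNETWORKS matching is not reproduced here.

```python
import ipaddress
import re

# Constructed stand-in for /etc/postfix/main.cf (not taken from a real server).
# The check_policy_service address is an assumption; adjust IREDAPD_SERVICE
# to the one in your main.cf.
MAIN_CF = """
mynetworks = 127.0.0.1 [::1] 192.0.2.20
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unlisted_recipient,
    check_policy_service inet:127.0.0.1:7777,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""
IREDAPD_SERVICE = "inet:127.0.0.1:7777"

# ralph's workaround from post 6 applied to the same sample: permit_mynetworks
# moved ahead of the policy service.
REORDERED_MAIN_CF = MAIN_CF.replace(
    "check_policy_service inet:127.0.0.1:7777,\n    permit_mynetworks,",
    "permit_mynetworks,\n    check_policy_service inet:127.0.0.1:7777,",
)

# Constructed stand-in for the MYNETWORKS list in /opt/iredapd/settings.py.
IREDAPD_MYNETWORKS = ["192.0.2.20"]


def postfix_param(text, name):
    """Return a main.cf parameter value; lines starting with whitespace continue it."""
    value, capturing = [], False
    for line in text.splitlines():
        if capturing and line[:1] in (" ", "\t"):
            value.append(line.strip())
            continue
        capturing = False
        m = re.match(r"\s*%s\s*=\s*(.*)$" % re.escape(name), line)
        if m:
            value.append(m.group(1).strip())
            capturing = True
    return " ".join(v for v in value if v)


def ip_in_networks(ip, networks):
    """True when ip falls inside any entry (Postfix writes IPv6 literals as [::1])."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        try:
            if addr in ipaddress.ip_network(net.strip("[]"), strict=False):
                return True
        except ValueError:
            continue  # entries that are not addresses (e.g. table lookups) are skipped
    return False


def audit_relay(ip, main_cf=MAIN_CF, iredapd_networks=IREDAPD_MYNETWORKS):
    """Check that ip is trusted in both files and whether iRedAPD still sees it.

    iredapd_sees_client is False when permit_mynetworks precedes the policy
    service: the relay then bypasses iRedAPD's throttling and white/blacklists.
    """
    postfix_nets = postfix_param(main_cf, "mynetworks").split()
    restrictions = [r.strip() for r in
                    postfix_param(main_cf, "smtpd_recipient_restrictions").split(",")
                    if r.strip()]
    service_idx = next((i for i, r in enumerate(restrictions) if IREDAPD_SERVICE in r), None)
    permit_idx = next((i for i, r in enumerate(restrictions) if r == "permit_mynetworks"), None)
    return {
        "in_postfix_mynetworks": ip_in_networks(ip, postfix_nets),
        "in_iredapd_mynetworks": ip_in_networks(ip, iredapd_networks),
        "iredapd_sees_client": service_idx is not None
                               and (permit_idx is None or service_idx < permit_idx),
    }


if __name__ == "__main__":
    print(audit_relay("192.0.2.20"))                     # trusted in both, iRedAPD still consulted
    print(audit_relay("192.0.2.20", REORDERED_MAIN_CF))  # trusted, but iRedAPD bypassed
    print(audit_relay("198.51.100.5"))                   # not trusted anywhere
```

Running the audit against the real files (read /etc/postfix/main.cf and import MYNETWORKS from settings.py instead of the constants) catches the two mistakes this thread turns on: an IP present in one list but not the other, and a restriction order that silently takes iRedAPD out of the path for trusted clients.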

8

Re: whitelist spf check by ip

Hi,
thank you both, ZhangHuangbin and Ralph, for the support.
Regarding the SPF problem, the solution by ZhangHuangbin worked.

The exact same solution should also work in order to send without authentication, according to this link:
https://forum.iredmail.org/topic12573-a … twork.html
but below is what happens:
sendemail -f myname@iredmaindomain -t someotheraddress@domain -u "test" -m "test" -s myiredmailserver:587
sendemail[13866]: WARNING => The recipient <someotheraddress@domain> was rejected by the mail server, error follows:
sendemail[13866]: WARNING => Received:    554 5.7.1 <unknown[x.y.w.z]>: Client host rejected: Access denied
srv23 sendemail[13866]: ERROR => Exiting. No recipients were accepted for delivery by the mail server.

From a Linux server I try to send a message through the iRedMail server, configured as in the link and ZhangHuangbin's suggestion (for the SPF problem), having added the Linux server IP x.y.w.z to iredapd and main.cf, but iRedMail refuses to send.
Any ideas?

Thank you



ZhangHuangbin wrote:
ralph wrote:

I finally worked around the issue by moving permit_mynetworks above the iredapd service in smtpd_recipient_restrictions in postfix main.cf and adding the relay server to mynetworks in main.cf.

You should list the IP in 2 files:

- Postfix /etc/postfix/main.cf, parameter "mynetworks =".
- iRedAPD /opt/iredapd/settings.py, parameter "MYNETWORKS =" (warning: its value is a Python list).

I believe this solution should fix Stefano's issue too.

Moving "permit_mynetworks" above iredapd in main.cf will bypass iRedAPD services; this way you get no outbound throttling/whitelist/blacklists/etc.

9

Re: whitelist spf check by ip

I need the original Postfix log on iRedMail server for troubleshooting.

10

Re: whitelist spf check by ip

Hi,

Here is the log:
Sep 16 18:50:26 mail postfix/submission/smtpd[8892]: connect from unknown[x.y.w.z]
Sep 16 18:50:26 mail postfix/submission/smtpd[8892]: Anonymous TLS connection established from unknown[x.y.w.z]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 16 18:50:27 mail postfix/submission/smtpd[8892]: NOQUEUE: reject: RCPT from unknown[x.y.w.z]: 554 5.7.1 <unknown[x.y.w.z]>: Client host rejected: Access denied; from=<SOMENAME@myiredmaildomain> to=<SOMENAME@gmail.com> proto=ESMTP helo=<srv23>
Sep 16 18:50:27 mail postfix/submission/smtpd[8892]: lost connection after RCPT from unknown[x.y.w.z]
Sep 16 18:50:27 mail postfix/submission/smtpd[8892]: disconnect from unknown[x.y.w.z] ehlo=2 starttls=1 mail=1 rcpt=0/1 commands=4/5

In /etc/postfix/main.cf the sending IP x.y.w.z is listed in mynetworks.
The same IP is also listed in /opt/iredapd/libs/default_settings.py -> MYNETWORKS = ['x.y.w.z']

I've used the Linux CLI sendemail for testing:
sendemail -f SOMENAME@myiredmaildomain -t SOMENAMEo@gmail.com -u "test" -m "test" -s mail.myiredmaildomai:587

Thank you


ZhangHuangbin wrote:

I need the original Postfix log on iRedMail server for troubleshooting.
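An added example (not code from this thread or from iRedMail) that turns a Postfix smtpd log excerpt like the one posted above into per-session facts a troubleshooter wants at a glance: which service rejected (submission vs. port-25 smtpd), the client IP, the reject reason, and whether the client ever issued AUTH, which Postfix reveals through the command counters on the disconnect line. The log lines are constructed after the posted ones, with placeholder addresses and names.

```python
import re

# Constructed log excerpt modelled on the lines posted above; IPs, names and
# addresses are placeholders, not data from any real server.
SAMPLE_LOG = """\
Sep 16 18:50:26 mail postfix/submission/smtpd[8892]: connect from unknown[203.0.113.5]
Sep 16 18:50:26 mail postfix/submission/smtpd[8892]: Anonymous TLS connection established from unknown[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 16 18:50:27 mail postfix/submission/smtpd[8892]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <unknown[203.0.113.5]>: Client host rejected: Access denied; from=<user@example.org> to=<someone@example.net> proto=ESMTP helo=<srv23>
Sep 16 18:50:27 mail postfix/submission/smtpd[8892]: lost connection after RCPT from unknown[203.0.113.5]
Sep 16 18:50:27 mail postfix/submission/smtpd[8892]: disconnect from unknown[203.0.113.5] ehlo=2 starttls=1 mail=1 rcpt=0/1 commands=4/5
Sep 16 18:51:00 mail postfix/smtpd[9001]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.9]: 554 5.7.1 <someone@example.net>: Recipient address rejected: Access denied; from=<a@example.org> to=<someone@example.net> proto=ESMTP helo=<mail.example.org>
"""

REJECT_RE = re.compile(
    r"postfix/(?:(?P<service>[\w-]+)/)?smtpd\[(?P<pid>\d+)\]: NOQUEUE: reject: "
    r"(?P<stage>\w+) from (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3} \d\.\d\.\d) .*?: (?P<reason>[^;]+); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
DISCONNECT_RE = re.compile(
    r"smtpd\[(?P<pid>\d+)\]: disconnect from (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\] (?P<counters>.*)$"
)


def parse_rejects(log_text):
    """Extract structured fields from every NOQUEUE reject line."""
    rejects = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            fields = m.groupdict()
            fields["service"] = fields["service"] or "smtp"  # port-25 smtpd logs without a service name
            rejects.append(fields)
    return rejects


def session_summary(log_text):
    """Group rejects and the disconnect counters by smtpd pid.

    Postfix's disconnect line lists the SMTP commands the client issued; if no
    'auth=' counter appears, the client never sent AUTH during that session.
    """
    sessions = {}

    def new_session(ip, service):
        return {"ip": ip, "service": service, "rejects": [], "commands": {}, "auth_attempted": False}

    for r in parse_rejects(log_text):
        s = sessions.setdefault(r["pid"], new_session(r["ip"], r["service"]))
        s["rejects"].append(r["reason"])
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if m:
            s = sessions.setdefault(m["pid"], new_session(m["ip"], None))
            for token in m["counters"].split():
                name, _, count = token.partition("=")
                s["commands"][name] = count
            s["auth_attempted"] = "auth" in s["commands"]
    return sessions


if __name__ == "__main__":
    for pid, s in session_summary(SAMPLE_LOG).items():
        print(pid, s["service"], s["ip"], "auth attempted:", s["auth_attempted"], s["rejects"])
```

Read over a real /var/log/mail.log, the summary for pid 8892 shows a submission-port client that negotiated TLS but never sent AUTH and was rejected at RCPT, which is the same information ZhangHuangbin draws from the raw lines in the next post.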

11

Re: whitelist spf check by ip

sistemi-methislab wrote:

sendemail -f SOMENAME@myiredmaildomain -t SOMENAMEo@gmail.com -u "test" -m "test" -s mail.myiredmaildomai:587

You must send email with smtp authentication.

I suggest you send from the real sender server you want to test, it will be easier.

12

Re: whitelist spf check by ip

Hi ZhangHuangbin,
my need is to send without authentication from some IP addresses, so I've followed your instructions as reported in my previous posts for IP x.y.w.z to be able to send without authentication.
Why is the sendemail program not the right way to test my configuration? It could be in a bash script or some other scenario, and there would be the need to send without authentication.
Please help me
Thank you
Stefano

ZhangHuangbin wrote:
sistemi-methislab wrote:

sendemail -f SOMENAME@myiredmaildomain -t SOMENAMEo@gmail.com -u "test" -m "test" -s mail.myiredmaildomai:587

You must send email with smtp authentication.

I suggest you send from the real sender server you want to test, it will be easier.