1

Topic: CHECK_SPF_IF_LOGIN_MISMATCH = True

============ REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: Ubuntu 18.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I have a web server which sends mail as an e-mail user on a domain hosted by my iRedMail server. This works well, unless the e-mail recipient is also on the iRedMail server. In this case, it fails with this message in maillog and iredapd.log:

REJECT SMTP AUTH is required for users under this sender domain

Searched through the forums on how to allow this specific case and found this setting to add to /opt/iredapd/settings.py:

CHECK_SPF_IF_LOGIN_MISMATCH = True

If my understanding is correct, this should cause iredapd to accept e-mail from senders hosted on the local server but sent by another server allowed by the SPF record (in this case, the "a" record matches).

It works with ipv4, but seems to be failing with ipv6 for me. I get this in iredapd.log:

INFO [SPF] IP <removed ipv6 address> is NOT listed in DNS SPF record of domain removed-domain.com, treated as disallowed server.

Looks like I can alter the SPF record to include the ipv6 address to make this work, but shouldn't it match without doing that?

http://www.openspf.org/SPF_Record_Syntax wrote:

All the A records for domain are tested. If the client IP is found among them, this mechanism matches. If the connection is made over IPv6, then an AAAA lookup is performed instead.

Thanks for your help,
ralph


2

Re: CHECK_SPF_IF_LOGIN_MISMATCH = True

Is this IP listed in SPF record?

3

Re: CHECK_SPF_IF_LOGIN_MISMATCH = True

Not specifically.

SPF record is

v=spf1 a mx ~all

The server getting the SPF fail is in the A and AAAA record.

ipv6:
maillog:

Sep  8 19:37:28 server1 postfix/smtpd[26679]: NOQUEUE: reject: RCPT from server2[<removed ipv6 address>]: 554 5.7.1 <email@server2.com>: Recipient address rejected: SMTP AUTH is required for users under this sender domain; from=<email@server2.com> to=<email@server2.com> proto=ESMTP helo=<server1.com>

iredapd.log:

2018-09-08 19:37:28 INFO [SPF] IP <removed ipv6 address> is NOT listed in DNS SPF record of domain server2.com, treated as disallowed server.
2018-09-08 19:37:28 INFO [<removed ipv6 address>] RCPT, email@server2.com -> email@server2.com, REJECT SMTP AUTH is required for users under this sender domain [sasl_username=, sender=email@server2.com, client_name=server1.com, reverse_client_name=server1.com, helo=server1.com, encryption_protocol=, process_time=0.1260s]

When the connection happens over ipv4, the mail goes through as expected.

Is iredapd checking the aaaa record when the connection happens over ipv6? I know I could add the ipv6 address manually to the SPF record, but since it works with ipv4 it just feels like something else is wrong.

For now I have added the ipv6 address to mynetworks in postfix main.cf and moved permit_mynetworks above iredapd policy service in smtpd_recipient_restrictions. I would much rather be able to "whitelist" the ipv6 address properly in iredapd.

Thanks,
ralph

4

Re: CHECK_SPF_IF_LOGIN_MISMATCH = True

- What's your real domain name?
- What's the output of command "dig -t a <domain>"?

Ideally, the "dig -t a <domain>" command should return both A and CNAME, no need to query CNAME separately. That means current iRedAPD code should get the AAAA/CNAME IP addresses too.

5

Re: CHECK_SPF_IF_LOGIN_MISMATCH = True

When I query with dig -t a domain.com, I get only the ipv4 record.
When I query with dig -t aaaa domain.com, I get only the ipv6 record.

I was able to fix this problem, however, by specifying the server's ipv4 and ipv6 addresses in the MYNETWORKS variable in settings.py. I did not have the "MYNETWORKS" variable in all caps, which is why it didn't work the first time I tried this.

Thanks,
ralph
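As an added example, not part of this thread and not iRedAPD's own plugin code, the following Python models the two things discussed above: how the "a" and "mx" mechanisms of an SPF record such as "v=spf1 a mx ~all" are evaluated for an IPv4 client (compare against A records) versus an IPv6 client (compare against AAAA records, RFC 7208), and how a MYNETWORKS-style trusted-client bypass sits in front of that SPF check. All DNS data is a constructed in-memory zone (hypothetical domain server2.example, documentation addresses), so it runs offline; an "A-only" resolver reproduces the works-on-IPv4-but-not-IPv6 symptom. The decision function is a hypothetical reconstruction of the behaviour the posts describe; "DUNNO" is the Postfix policy action meaning "no opinion".

```python
"""Added example, not iRedAPD code: SPF a/mx matching for IPv4 vs IPv6 clients,
with a MYNETWORKS-style bypass in front of it. DNS answers come from a
constructed in-memory zone so the module runs offline."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone (hypothetical names, RFC 5737/3849 documentation addresses).
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("server2.example", "TXT"): ["v=spf1 a mx ~all"],
    ("server2.example", "A"): ["192.0.2.10"],
    ("server2.example", "AAAA"): ["2001:db8::10"],
    ("server2.example", "MX"): ["mail.server2.example"],
    ("mail.server2.example", "A"): ["192.0.2.25"],
    ("mail.server2.example", "AAAA"): ["2001:db8::25"],
}
Resolver = Callable[[str, str], List[str]]

def fake_resolve(name: str, rrtype: str) -> List[str]:
    return FAKE_ZONE.get((name.lower(), rrtype.upper()), [])

def a_only_resolve(name: str, rrtype: str) -> List[str]:
    """Resolver that never answers AAAA queries: reproduces the
    'passes over IPv4, fails over IPv6' symptom from the thread."""
    return [] if rrtype.upper() == "AAAA" else fake_resolve(name, rrtype)

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _split_cidr(term: str) -> Tuple[str, int, int]:
    """Split 'a', 'a/24', 'a//64' or 'a/24//64' into (mechanism, v4 len, v6 len)."""
    mech, _, rest = term.partition("/")
    v4, v6 = 32, 128
    if rest.startswith("/"):                       # a//64
        v6 = int(rest[1:])
    elif rest:                                     # a/24 or a/24//64
        p4, _, p6 = rest.partition("//")
        v4 = int(p4)
        if p6:
            v6 = int(p6)
    return mech, v4, v6

def _client_in(client, addrs: List[str], prefix: int) -> bool:
    """True if the client lies inside any returned address masked to prefix."""
    for addr in addrs:
        try:
            net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        except ValueError:
            continue
        if client in net:                          # False on v4/v6 mismatch
            return True
    return False

def spf_check(client_ip: str, domain: str,
              resolve: Resolver = fake_resolve) -> Tuple[str, Optional[str]]:
    """Evaluate a, mx, ip4, ip6 and all terms of the domain's SPF record.
    Returns (result, matched term). An IPv4 client is compared against A
    records, an IPv6 client against AAAA records (RFC 7208, sections 5.3/5.4)."""
    client = ipaddress.ip_address(client_ip)
    rrtype = "A" if client.version == 4 else "AAAA"
    records = [t for t in resolve(domain, "TXT") if t.lower().startswith("v=spf1 ")]
    if not records:
        return "none", None
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        low = term.lower()
        if low.startswith(("ip4:", "ip6:")):
            matched = client in ipaddress.ip_network(term[4:], strict=False)
        else:
            mech, v4, v6 = _split_cidr(low)
            name, _, target = mech.partition(":")
            target = target or domain
            prefix = v4 if client.version == 4 else v6
            if name == "all":
                matched = True
            elif name == "a":
                matched = _client_in(client, resolve(target, rrtype), prefix)
            elif name == "mx":
                matched = any(_client_in(client, resolve(mx, rrtype), prefix)
                              for mx in resolve(target, "MX"))
            else:
                continue                           # include/exists/ptr not modelled
        if matched:
            return QUALIFIER_RESULT[qualifier], term
    return "neutral", None

# Constructed trusted networks, mirroring the MYNETWORKS fix in the last post.
MYNETWORKS = ["192.0.2.10", "2001:db8::10"]
REJECT_MSG = "REJECT SMTP AUTH is required for users under this sender domain"

def policy(client_ip: str, sender_domain: str, sasl_username: str = "",
           check_spf_if_login_mismatch: bool = True,
           mynetworks: Optional[List[str]] = None,
           resolve: Resolver = fake_resolve) -> str:
    """Hypothetical decision for a sender in a locally hosted domain, modelled
    on the thread's description (not iRedAPD's plugin). 'DUNNO' = no opinion."""
    nets = MYNETWORKS if mynetworks is None else mynetworks
    client = ipaddress.ip_address(client_ip)
    if sasl_username:
        return "DUNNO"                             # authenticated submission
    if any(client in ipaddress.ip_network(n, strict=False) for n in nets):
        return "DUNNO"                             # trusted client network
    if check_spf_if_login_mismatch and spf_check(client_ip, sender_domain, resolve)[0] == "pass":
        return "DUNNO"                             # SPF a/mx authorised this host
    return REJECT_MSG

if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8::10"):
        print(ip, "full resolver:", spf_check(ip, "server2.example"),
              "| A-only resolver:", spf_check(ip, "server2.example", a_only_resolve))
```

Running the module shows the IPv6 client passing on the "a" term with the full resolver and falling through to "~all" (softfail) with the A-only resolver, which is the log line the thread reports; the MYNETWORKS entry then makes the policy accept the host without consulting SPF at all.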