1

Topic: sender-ip for outgoing relay

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Deployed with iRedMail Easy or the downloadable installer: Installer
- Linux/BSD distribution name and version: debian7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes, with Pro
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

We are using the "Sender dependent relay host" setting for several accounts, which worked fine. But now we are facing a problem with the sender-ip.
When the email is sent by an external client (authentication works fine), the SPF check on the relay server fails, because it checks the IP of the external client and not the IP of the iRedMail server.

Is this supposed to be so, or can I change this behavior?

Best regards
Frank


2

Re: sender-ip for outgoing relay

On the relay server, its MTA should support SRS (Sender Rewrite Scheme):
https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme

If iRedMail is the relay server, you can enable it by following this tutorial:
https://docs.iredmail.org/srs.html

3

Re: sender-ip for outgoing relay

Thank you for the information - I had a look at SRS, but I am not sure if this helps me - or if I missed the point.
Let me describe the exact scenario:

I have a user in iRedMail with the outgoing relay set to smtp-relay.gmail.com.
If this user sends an email by webmail, everything is fine. Google accepts the email and sends it out.

But when the user sends the mail by an external client (Thunderbird), Google refuses the email because of SPF fail: wrong client-ip (the client has no fixed IP address, so I cannot add it to the SPF record).

The point I do not understand:
If the email is not relayed, SPF always checks the IP of the iRedMail server (no matter if I use webmail or an external client).
But with relay, SPF checks the IP of the external client. I was thinking that after successful authentication the sender IP would always be the IP of the iRedMail server.

4

Re: sender-ip for outgoing relay

- Is your Thunderbird configured to use SMTP authentication to send email? If yes, it should be same as sending from webmail.

- Could you please send one more testing email with Thunderbird again, and show us full original log in Postfix log file (/var/log/maillog)? We need this for troubleshooting. You're free to replace your own domain name by something like "example.com" to hide sensitive info.

5

Re: sender-ip for outgoing relay

Yes, Thunderbird uses Authentication - we do not allow SMTP without auth.

Here is the requested log:

May 10 17:00:04 mail postfix/smtpd[26566]: connect from pXXX.dip0.t-ipconnect.de[80.XXX.22.XXX]
May 10 17:00:05 mail postfix/smtpd[26566]: 7514D6002B1: client=pXXX.dip0.t-ipconnect.de[80.XXX.22.XXX], sasl_method=PLAIN, sasl_username=fax@inside.de
May 10 17:00:05 mail postfix/cleanup[16011]: 7514D6002B1: message-id=<ef1a4dda-eb42-8844-4132-9d53b1534b0b@inside.de>
May 10 17:00:05 mail postfix/qmgr[22069]: 7514D6002B1: from=<fax@inside.de>, size=680, nrcpt=1 (queue active)
May 10 17:00:05 mail postfix/smtpd[26566]: disconnect from pXXX.dip0.t-ipconnect.de[80.XXX.22.XXX]
May 10 17:00:06 mail postfix/smtpd[16131]: 9388A600659: client=localhost[127.0.0.1]
May 10 17:00:06 mail postfix/cleanup[16011]: 9388A600659: message-id=<ef1a4dda-eb42-8844-4132-9d53b1534b0b@inside.de>
May 10 17:00:06 mail postfix/smtpd[16131]: disconnect from localhost[127.0.0.1]
May 10 17:00:06 mail postfix/qmgr[22069]: 9388A600659: from=<fax@inside.de>, size=1167, nrcpt=1 (queue active)
May 10 17:00:06 mail amavis[23430]: (23430-12) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [80.XXX.22.XXX]:50360 [80.XXX.22.XXX] <fax@inside.de> -> <email@outside.de>, Queue-ID: 7514D6002B1, Message-ID: <ef1a4dda-eb42-8844-4132-9d53b1534b0b@inside.de>, mail_id: Hk1vRW3M6nbE, Hits: -11.899, size: 680, queued_as: 9388A600659, 1002 ms
May 10 17:00:06 mail postfix/smtp[25754]: 7514D6002B1: to=<email@outside.de>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.3, delays=0.22/0/0/1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9388A600659)
May 10 17:00:06 mail postfix/qmgr[22069]: 7514D6002B1: removed
May 10 17:00:06 mail postfix/smtp[25782]: 9388A600659: to=<email@outside.de>, relay=smtp-relay.gmail.com[64.233.167.28]:25, delay=0.34, delays=0.06/0/0.13/0.14, dsn=2.0.0, status=sent (250 2.0.0 OK  1557500406 d17sm62202wmb.34 - gsmtp)
May 10 17:00:06 mail postfix/qmgr[22069]: 9388A600659: removed

6

Re: sender-ip for outgoing relay

If email is sent via smtp auth, the relay server (Gmail in this case) should consider the mail server as the client IP.

frank.daeuble wrote:

But when the user sends the mail by an external client (Thunderbird), Google refuses the email because of SPF fail: wrong client-ip (the client has no fixed IP address, so I cannot add it to the SPF record).

What's the full original error message returned by Gmail?

7

Re: sender-ip for outgoing relay

Unfortunately there is no detailed error message, it says only:

Message rejected. See https://support.google.com/mail/answer/69585 for more information.

I got the info about the wrong sender IP from a message sent to another account, where it was delivered. I got the following header data:

Authentication-Results: mx.google.com;
       spf=fail (google.com: domain of user@sender.tld does not designate 46.XX.63.XXX as permitted sender) smtp.mailfrom=user@sender.tld
Received-SPF: fail (google.com: domain of user@sender.tld does not designate 46.XX.63.XXX as permitted sender) client-ip=46.XX.63.XXX;
Return-Path: <user@sender.tld>
Delivered-To: account@recipient.tld
Received: from localhost (localhost [127.0.0.1]) by iredmail.server (Postfix) with ESMTP id 7E574600628 for <account@recipient.tld>; Mon,
  6 May 2019 16:26:08 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at iredmail.server
Received: from iredmail.server ([127.0.0.1]) by localhost (host.platzhirsche.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id HaE1am8mHOOr for <account@recipient.tld>; Mon,
  6 May 2019 16:26:07 +0200 (CEST)
Received: from Compaq (p2xx.dip0.t-ipconnect.de [46.XX.63.XXX]) by iredmail.server (Postfix) with ESMTPSA id C7831600319 for <account@recipient.tld>; Mon,
  6 May 2019 16:26:06 +0200 (CEST)
From: <user@sender.tld>
To: <account@recipient.tld>

So maybe it is not the Google relay blocking the email, but the recipient mail server?
I was hoping that I can adjust something, but now I think Google changed their relay handling.
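
Added example, not part of the original thread or of iRedMail's code: this Python script maps the address in Received-SPF to the hop in the Received chain that recorded it, and reports whether that hop was an authenticated submission. The sample message is constructed from the headers quoted above, with example.* names and 203.0.113.45 standing in for the masked values.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the post above;
# hostnames and the documentation-range IP are placeholders, not real values.
SAMPLE = """\
Authentication-Results: mx.example.net;
       spf=fail (example.net: domain of user@sender.example does not designate 203.0.113.45 as permitted sender) smtp.mailfrom=user@sender.example
Received-SPF: fail (example.net: domain of user@sender.example does not designate 203.0.113.45 as permitted sender) client-ip=203.0.113.45;
Received: from localhost (localhost [127.0.0.1]) by mail.sender.example (Postfix) with ESMTP id 7E574600628 for <account@recipient.example>; Mon, 6 May 2019 16:26:08 +0200 (CEST)
Received: from mail.sender.example ([127.0.0.1]) by localhost (amavisd-new, port 10026) with ESMTP id HaE1am8mHOOr for <account@recipient.example>; Mon, 6 May 2019 16:26:07 +0200 (CEST)
Received: from Compaq (dyn.isp.example [203.0.113.45]) by mail.sender.example (Postfix) with ESMTPSA id C7831600319 for <account@recipient.example>; Mon, 6 May 2019 16:26:06 +0200 (CEST)
From: <user@sender.example>
To: <account@recipient.example>

test body
"""

# RFC 3848 "with" keywords that indicate SMTP AUTH was used on that hop.
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA"}
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\[\]]*)\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\S+)")

def hops(msg):
    """Parse Received headers in header order (newest hop first)."""
    parsed = []
    for raw in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(raw.split()))  # unfold whitespace
        if m:
            parsed.append(m.groupdict())
    return parsed

def spf_hop(raw_message):
    """Find which Received hop carries the IP that the SPF check evaluated."""
    msg = message_from_string(raw_message)
    spf = " ".join((msg.get("Received-SPF") or "").split())
    m = re.match(r"(?P<result>\w+).*?client-ip=(?P<ip>[^;\s]+)", spf)
    if not m:
        return None
    found = {"spf_result": m["result"].lower(), "client_ip": m["ip"], "hop_index": None}
    for idx, hop in enumerate(hops(msg)):
        if hop["ip"] == m["ip"]:
            found.update(hop_index=idx, by=hop["by"], protocol=hop["proto"],
                         authenticated=hop["proto"].upper() in AUTH_PROTOCOLS)
            break
    return found

if __name__ == "__main__":
    print(spf_hop(SAMPLE))
```

On this sample the SPF-evaluated address belongs to the oldest hop, the ESMTPSA submission from the mail client, rather than to either loopback hop on the mail server.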

8

Re: sender-ip for outgoing relay

If no error message from Google, we cannot help troubleshoot in this case.