http://wiki.qmailtoaster.com/index.php/SPF
On 10/29/2021 10:12 AM, st...@keptprivate.com wrote:
Hi,
I've been dealing with this SPF related problem, for one of my users,
for about a month. I didn't really understand all the particulars
about SPF going into this and I feel like now I do. SPF itself seems
to be in a mid-state between abandoned and falling out of use. Most
information you find online hasn't been updated since before 2015 and
you find many dead links and sites referenced that no longer work.
Take a look at "spf.trusted-forwarder.org" for example... which still
serves up an SPF txt record of "v=spf1 -all" but has no other
information to be found.
I would like to suggest that the qmailtoaster docs be changed to
suggest relaxing the SPF restrictions by suggesting a domain SPF
record ending in "~all" and an spfbehavior file of something less than
3 (the current default).
I have users who use forwarding services and the default settings
caused significant headaches for them by causing delivery issues for
(seemingly) random senders.
Mail was getting through only from other domains with SPF records
ending in "~all". It seems to me that if Google can end their SPF
record with "~all" that it is probably a best practice today. On the
receiving side, spfbehavior of 1 makes sure no emails are rejected.
(This is of greatest importance with automated emails from banks, etc.
where there is no "person" to see and react to a rejected email.)
Of course I understand that this defeats the purpose of SPF, but it
seems SPF is dying and falling from use anyway and has become only one
component of an anti-spam strategy.
At the very least, I hope this email can help others who run into this
problem, and I want to thank others on this list who jumped in to help
when I reached out.
Steve
October 26, 2021 8:29 PM, st...@keptprivate.com wrote:
Setting the spfbehavior file to 1 did resolve the problem!
I can see the SPF fail in the headers of messages that used to be
rejected.
I had tried to whitelist the IPs of the forwarding servers and
expected that would have resolved the problem, but is the SPF
rejection happening before the SpamAssassin whitelist? I still
don't understand why some forwarded messages work and some don't.
It seems like a bug somewhere.
October 22, 2021 11:06 AM, st...@keptprivate.com wrote:
I haven't heard results yet. The strange thing is my server
wasn't rejecting everything from the forwarding service. I
could send emails from google and yahoo accounts and they were
delivered. The headers in those messages indicated SPF and
dkim passed. I tried white listing the alumni mx servers in
Spamassassin and that also didn't help (but I'm not sure where
that falls in the processing order). This user's problems with
the forwarding service seemed to start when I made some
upgrades to my servers, but oddly, the problems weren't just
with this email account. They were getting rejected emails
from another account they have. We've tried to get support
from the email forwarding company, but they have not been able
to provide additional information and maintain that it's a
problem with my server. I really didn't intend to have spf
rejection happening, so it's best that's off now if it is
going to interfere with this type of delivery.
I also didn't intend to leave that email addresses in my
original message. :-( Is there any way to get it edited out? I
sent the messages from my phone and I guess I hadn't scrolled
down all the way. Doh!
Steve
On Oct 22, 2021, 4:58 AM -0700, Angus McIntyre <an...@pobox.com>, wrote:
Hmm, re-reading this, I may have got mixed up and given you slightly
unhelpful advice.
I think the part about changing the value in
'/var/qmail/control/spfbehavior' is still good.
But because 'pobox.com' featured in your bounce message, I assumed that
your user had a POBox address and that the message was being forwarded
from a 'pobox.com' forwarding host.
Re-reading the transcript, I think that might not be the case, and that
you're actually getting mail forwarded from 'alumni.princeton.edu'.
So what's happening is that a message from 'b...@zzz.net' is being sent
to 'blahb...@alumni.princeton.edu', 'blahblah' has their account there
configured to forward to 'blahb...@yourserver.com', and so
'alumni.princeton.edu' is trying to send the message on to
'yourserver.com'.
qmail running on 'yourserver.com' sees that 'alumni.princeton.edu'
doesn't have authorization to send on behalf of 'zzz.net' and rejects
the message as an SPF Fail. 'alumni.princeton.edu' then injects a
failure message with that expired URL referencing POBox's handy-dandy
"why did my message fail SPF?" explanatory page that no longer exists
and bounces the message back to sender.
Sorry for the confusion. Long story short, the issue is still the same:
your server is set to reject on SPF Fail, and if you want to change that
behavior, you can probably do so by editing
'/var/qmail/control/spfbehavior'. But the forwarder involved is
'alumni.princeton.edu' and _they_ are the ones generating an outdated
and misleading error message.
Angus
st...@keptprivate.com wrote on 10/21/21 9:52 PM:
Thanks for looking at the problem and suggesting this.
I'm starting to question my ability to read, because I
swear I read that spfbehavior of 3 was soft-fail
(kicks self)! I'm testing now to see if setting it to
1 fixes it.
Steve
October 21, 2021 2:55 PM, "Angus McIntyre" <an...@pobox.com> wrote:
At the risk of being That Guy who goes "it works fine for me" ... it
works fine for me.
That is to say, I'm a POBox user and a qmailtoaster user, and pobox.com
is able to deliver to my QMT domain without problems. So we know that it
_can_ work.
pobox.com shouldn't be -- AFAIK -- checking SPF at this point. If I
understand correctly what is happening, mail is coming in with an
'alumni.princeton.edu' address in the 'From' line, POBox is passing it
on to _your_ server, and it's at this point that your server is checking
the 'From' line ('alumni.princeton.edu') and the IP address it's getting
mail from (POBox's mailhost) and finding that the POBox mailhost isn't a
permitted sender for 'alumni.princeton.edu'.
So I think it's your host that's telling POBox "You aren't authorized to
send mail for this address, so I'm rejecting it."
Have you checked '/var/qmail/control/spfbehavior' on your server to see
what it's set to? If it's 3 or above, you'll get a rejection on SPF
failures. You might want to drop it to 1 and restart your server.
If that isn't the issue, I'm not quite sure what to suggest. It doesn't
help that the 'why.html' page that POBox reference isn't available. I
might open a ticket with them about that.
Angus
st...@keptprivate.com wrote on 10/21/21 1:38 PM:
PS: In the error message, my server, the receiving domain, is aaa.com
On Oct 21, 2021, 10:25 AM -0700, st...@keptprivate.com, wrote:
Hi,
I have a user who uses a forwarding service.
Some of their emails appear to be failing. I've tried everything I
can think to try, relaxing SPF, white listing the forwarding server
IPs, etc.
Has anyone else run into this? It seems to me that the issue is
between the sending server and the forwarding service. The error
below is all I have to go on. I'm using Qmail-1.03-3.3.1 with
Spamassassin spamdyke etc.
----- The following addresses had permanent fatal errors -----
x...@alumni.yyy.edu
(reason: 550 See http://spf.pobox.com/why.html?sender=b...@zzz.net&ip=140.180.220.103&receiver=mail1.aaa.com (#5.7.1))
----- Transcript of session follows -----
... while talking to mail1.aaa.com.:
DATA
550 See http://spf.pobox.com/why.html?sender=b...@zzz.net&ip=140.180.220.103&receiver=mail1.aaa.com (#5.7.1)
550 5.1.1 x...@alumni.yyy.edu ... User unknown
503 RCPT first (#5.5.1)
Has anyone run into this before who could pass along a clue?
Steve
---------------------------------------------------------------------
To unsubscribe, e-mail:
qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail:
qmailtoaster-list-h...@qmailtoaster.com
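Added example, not part of the original thread and not qmail or qmailtoaster code: a small Python model of the forwarding case discussed above, showing why mail relayed by a forwarder is rejected for sender domains ending in "-all" but delivered for domains ending in "~all" at spfbehavior 3, and why spfbehavior 1 accepts both. The domains, IP addresses and records are constructed samples; the thread only states that 3 or above rejects on SPF fail and that 1 never rejects, so the softfail threshold of 4 is an assumption taken from the qmail SPF patch's usual documentation.

```python
import ipaddress

# Constructed SPF records (sample data, not real DNS answers).
RECORDS = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "relaxed.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
FORWARDER_IP = "203.0.113.25"  # constructed address of the forwarding host

def spf_result(sender_domain, client_ip):
    """Evaluate only the ip4: and all mechanisms, enough for this case."""
    record = RECORDS.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

# Lowest spfbehavior value at which a result is rejected.
# fail >= 3 is from the thread; softfail >= 4 is an assumption (see lead-in).
REJECT_FROM = {"fail": 3, "softfail": 4}

def smtp_decision(result, spfbehavior):
    """Return what the receiving server does with the message."""
    threshold = REJECT_FROM.get(result)
    if threshold is not None and spfbehavior >= threshold:
        return "reject 550"
    return "accept"  # the SPF result is only recorded in the headers

def forwarded(sender_domain, spfbehavior):
    """Message from sender_domain arriving via the forwarder's IP."""
    result = spf_result(sender_domain, FORWARDER_IP)
    return result, smtp_decision(result, spfbehavior)

if __name__ == "__main__":
    for domain in RECORDS:
        for level in (1, 3):
            print(domain, "spfbehavior", level, forwarded(domain, level))
```
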