On Tue, 22 Mar 2011, jon1234 wrote:

> > From where do they get that bounce message? From a host internal to your
> > network or from hosts out on the Internet?
>
> The bounce message is only when they send certain domains that are external
> to our network.

Shall I assume you meant to say "send _to_ certain domains"?

> > If that's coming from an internal MTA, I'd suggest that MTA doesn't believe your Exchange server is a legitimate source for mail from your domain. If that's coming from external MTA(s) then others on the public Internet apparently don't believe your public IP address is a legitimate source for mail from your domain. Do you publish SPF information or use Domainkeys? Has your public MTA's internet IP address changed recently?

> AFAIK we aren't using Domainkeys, we use DynDNS.com and a check on our SPF
> records gives
>
> "The TXT records found for your domain are:
> v=spf1 ip4:202.44.190.48/28 ~all
>
> SPF records should also be published in DNS as type SPF records.
>
> No type SPF records found.
>
> Checking to see if there is a valid SPF record.
>
> Found v=spf1 record for afnsecurity.com:
> v=spf1 ip4:202.44.190.48/28 ~all "
>
> The external IP of the exchange server is 202.44.190.49. Could this be the
> cause? If so why would only certain domains be giving the error?

Because not everyone rejects on SPF fail. Additionally, your SPF is set to soft fail, so mail _shouldn't_ be rejected outright on an SPF failure, but may be depending on site policy.

To verify that I understand correctly: your outbound IP address is dynamic? Are you confident that the IP addresses you can be assigned will be covered by 202.44.190.48/28? If you got assigned an IP outside that range your mail would suddenly fail SPF.

One of the problems with SPF is it breaks trivial forwarding. Is it possible that the mail sent to those domains is being forwarded and the forwarder isn't properly handling the necessary modifications to pass SPF?

Do the rejects include enough trace information to show whether the mail is coming into the rejecting MTA from an IP address covered by your SPF range?

Very likely you have two options:

(1) Contact the rejecting sites and ask them why they are rejecting on soft fail (assuming the trace shows an MTA between you and the rejecting MTA), or

(2) stop publishing an SPF record.

As a verification you might consider temporarily suspending your SPF record or changing it to +all and see if the rejects stop.

This isn't related to SA. If SA scoring was causing the reject the MTA would probably say something about the message being spammy. You might get better help on a mailing list dedicated to SPF issues.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The third basic rule of firearms safety:
  Keep your booger hook off the bang switch!
-----------------------------------------------------------------------
 7 days until the M1911 is 100 years old - and still going strong!
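An added example (not code from the thread) that evaluates the ip4/ip6/all mechanisms of the quoted record: it shows that the Exchange server's 202.44.190.49 falls inside 202.44.190.48/28 and passes, while a message relayed through a forwarder outside the /28 gets softfail from the `~all`. The forwarder address 198.51.100.7 is a constructed placeholder; include/a/mx mechanisms need DNS and are deliberately not handled.

```python
import ipaddress

# The record quoted in the thread for afnsecurity.com.
RECORD = "v=spf1 ip4:202.44.190.48/28 ~all"

# SPF qualifier prefixes and the result each one yields on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split an SPF record into (result-on-match, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # unqualified mechanisms mean "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # splits at the first ':' only
        parsed.append((QUALIFIERS[qualifier], name.lower(), arg))
    return parsed


def check_ip(record, client_ip):
    """Return the SPF result the receiving MTA would compute for client_ip.

    Mechanisms are tried left to right; the first match decides. If nothing
    matches (no 'all' term), RFC 7208 says the result is neutral.
    """
    ip = ipaddress.ip_address(client_ip)
    for result, name, arg in parse_record(record):
        if name == "all":
            return result
        if name in ("ip4", "ip6"):
            # A bare address becomes a /32 or /128 network automatically.
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return result
        else:
            raise NotImplementedError(f"mechanism '{name}' needs DNS lookups")
    return "neutral"


def uncovered(record, candidate_ips):
    """List addresses a dynamic pool could hand out that the record does not pass."""
    return [ip for ip in candidate_ips if check_ip(record, ip) != "pass"]


if __name__ == "__main__":
    print("exchange server:", check_ip(RECORD, "202.44.190.49"))   # pass
    print("forwarder (constructed):", check_ip(RECORD, "198.51.100.7"))  # softfail
    print("outside /28:", uncovered(RECORD, ["202.44.190.63", "202.44.190.64"]))
```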
