Postfix unable to receive email from some senders.


You may run into a problem where Postfix is not receiving messages from a few senders, while mail from everyone else arrives normally. The likely cause is that the SPF checker is enabled in Postfix's main.cf config file and those senders have malformed or incomplete SPF records, so Postfix rejects their messages.

In the main.cf config file, the SPF checker is enabled through the smtpd_recipient_restrictions parameter, using the entry check_policy_service unix:private/spfcheck.

 An example from my /etc/postfix/main.cf:

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/spfcheck

I have two examples that show email being rejected due to malformed/incomplete SPF records.

  • The first is simply a rejection because the correct SPF record is not set.
  • The second involves Outlook Exchange Protection, which has an SPF entry that needs to be added to the sender's SPF record.


Example 1:

john@badsender.com at IP x.x.x.x is not able to send email to person@domain.org address on the server my-server.

Example Log:

  • my-server postfix/smtp[1133]: 77947A4098E: to=<person@domain.org>, relay=mx00.1and1.com[74.x.x.x]:25, delay=2, delays=1/0.01/0.22/0.79, dsn=5.0.0, status=bounced (host mx00.1and1.com[x.x.x.x] said: 550-Requested action not taken: mailbox unavailable 550 invalid DNS MX or A/AAAA resource record (in reply to MAIL FROM command)) 
 
 
First, check that the Postfix SPF check is set up. I ran the following command and got the result shown:
 
my-server# egrep ^smtpd_recipient_restrictions /etc/postfix/main.cf
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/spfcheck
 
 
Make sure the IP the domain is mailing from is listed in, or associated with, the SPF record.
 
my-server# dig domain.com TXT +short
"v=spf1 +a include:spf.serverdata.net ~all" 
 
In this case it isn't, so let's see if the IP is in the SPF record that the include points to.
(I removed portions of the IP addresses as a courtesy to my example.)
 
my-server# dig spf.serverdata.net TXT +short
"v=spf1 ip4:64.x.0.0/18 ip4:162.x.x.0/22 ip4:199.x.x.0/21 ip4:206.x.164.0/22 ip4:162.x.192.0/22 ip4:66.x.34.16/28 ip4:205.x.223.32/28 ip4:185.x.212.0/22 ip4:103.x.140.0/23 ip4:69.x.229.0/24"
 
The IP address from which the original message was sent is not listed in that SPF record.
We should grab the whois information to find out who owns it, and whether they have any specified SPF records:
 
whois x.x.x.x
 
For this example, the IP is part of Intermedia. I then googled 'intermedia spf records'; according to https://kb.intermedia.net/article/1010, the admins of domain.com need to add include:spf.intermedia.net to their SPF record, so it should look like this:
 
v=spf1 +a include:spf.serverdata.net include:spf.intermedia.net ~all 
 
Now the IPs are covered by both of those SPF record groups and can send email to this server.
 
 
 

Example 2:

I ran into a similar problem that I think really needs to be shared.
This message was rejected after going through the sender's mail server and then through Outlook Exchange Protection.
It is rejected because it passes through Outlook's outbound filters and arrives from *.outbound.protection.outlook.com hosts, which are not in the sender's SPF record.
Let's say the sender's domain is bobsfood.com.
 
 

Example log:

  • Sep 8 07:20:11 myserver postfix/smtpd[22056]: connect from mail-BLAH.outbound.protection.outlook.com[x.x.x.x]
 
  • Sep  8 07:20:12 myserver policyd-spf[22333]: Pass; identity=helo; client-ip=x.x.x.x; helo=gcc01-BLAH.outbound.protection.outlook.com; envelope-from=person@bobsfood.com; receiver=me@weasy.net
 
  • Sep  8 07:20:12 myserver policyd-spf[22333]: Softfail; identity=mailfrom; client-ip=x.x.x.x; helo=gcc01-BLAH-obe.outbound.protection.outlook.com; envelope-from=person@bobsfood.com; receiver=me@weasy.net
 
  • Sep  8 07:20:12 myserver postfix/smtpd[22056]: NOQUEUE: reject: RCPT from mail-blah.outbound.protection.outlook.com[x.x.x.x]: 550 5.7.1 <jim@weasy.net>: Recipient address rejected: Message rejected due to: domain owner discourages use of this host. Please see http://www.openspf.net/Why?s=mfrom;id=person@bobsfood.com;ip=x.x.x.x;r=jim@weasy.net; from=<person@bobsfood.com> to=<jim@weasy.net> proto=ESMTP helo=<gcc01-BLAH-obe.outbound.protection.outlook.com>
 
  • Sep  8 07:20:12 myserver postfix/smtpd[22056]: disconnect from mail-blah.outbound.protection.outlook.com[23.103.200.135]
 
 

Current SPF record, which is incomplete and does not allow Outlook to send this mail to my-server:

 
my-server# dig bobsfood.com TXT +short
"v=spf1 a mx ip4:x.x.x.x mx:mail2.bobsfood.com ~all"
 
 You would need to add the spf.protection.outlook.com address to the includes list in the SPF record:
 
The SPF record for bobsfood.com should be updated as follows (note that the IP is the sender's server IP):
 v=spf1 a mx ip4:x.x.x.x include:spf.protection.outlook.com mx:mail2.bobsfood.com ~all
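The include lookups done by hand with dig in both examples can be reproduced offline. The following is an added example, not part of the original post: it evaluates a connecting IP against an SPF record before and after the include is added. The TXT records and addresses are constructed (documentation IP ranges stand in for the redacted ones), and check_spf is a hypothetical helper, not the policy daemon's own code.

```python
import ipaddress

# Constructed TXT records standing in for DNS. The address ranges are
# documentation placeholders (RFC 5737), not the real published records.
BEFORE = {
    "bobsfood.com": "v=spf1 a mx ip4:192.0.2.10 mx:mail2.bobsfood.com ~all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
}
AFTER = dict(BEFORE)
AFTER["bobsfood.com"] = ("v=spf1 a mx ip4:192.0.2.10 "
                         "include:spf.protection.outlook.com mx:mail2.bobsfood.com ~all")
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, records, depth=0):
    """SPF result for ip; handles ip4/ip6, include and all. a/mx need live
    DNS lookups and are treated as non-matching here (assumption)."""
    if depth > 10:  # guard against include loops
        return "permerror"
    record = records.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            if addr in network:
                return RESULTS[qualifier]
        elif name == "include":
            inner = check_spf(ip, arg, records, depth + 1)
            if inner == "pass":  # include matches only on an inner pass
                return RESULTS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # include target missing or broken
    return "neutral"  # nothing matched and there is no "all" term

if __name__ == "__main__":
    relay = "198.51.100.25"  # constructed address of the outbound relay
    print("before:", check_spf(relay, "bobsfood.com", BEFORE))
    print("after: ", check_spf(relay, "bobsfood.com", AFTER))
```

With the constructed records, the relay address gets softfail from the original record, which matches the policyd-spf log line above, and pass once the include is present.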
 
 
 

This article is related in part to my article on how to whitelist ip/hostnames in rbl_override.

http://weasy.net/2016/09/08/how-do-i-whitelist-hostsip-addresses-in-postfix/

 
 

jim has written 83 articles
