jquiaios

Reputation: 599

Configure SPF, MX and Postfix for sending email from SMTP relay

After searching for a while and reading a lot of examples, cases and/or answers on Google and Stack Overflow, I didn't find a solution for my problem. I'm more and more confused with the notion of SPF and relay, so I'm asking my question here hoping to receive a proper answer and understand once and for all!

In summary :

My goal is that all the emails of the new website (XXXX[AT]exampleB.com) have to be sent & received using the main server.

Knowing that the main server has to send the emails of exampleB.com, I modified the SPF entry of exampleB.com to allow the main server to send emails for exampleB.com.

The mails are sent OK and I receive the emails OK, but when I look at the original source of the email in Gmail:

Return-Path: <root@FQDN_NEW_SERVER>
Received: from mail.exampleA.com (FQDN_MAIN_SERVER [IP_MAIN_SERVER])
        by mx.google.com with ESMTPS id f64si6392532wma.52.2016.05.20.04.59.06
        for <[email protected]>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 20 May 2016 04:59:06 -0700 (PDT)
Received-SPF: neutral (google.com: IP_MAIN_SERVER is neither permitted nor denied by best guess record for domain of root@FQDN NEW SERVER) client-ip=IP MAIN SERVER;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: IP MAIN SERVER is neither permitted nor denied by best guess record for domain of root@FQDN NEW SERVER) smtp.mailfrom=root@IP MAIN SERVER
Received: from FQDN NEW SERVER (REVERSEDNS_NEW_SERVER [IP_NEW_SERVER])
    by mail.exampleA.com (Postfix) with ESMTPA id 67C8C60421;
    Fri, 20 May 2016 13:59:06 +0200 (CEST)
Received: by FQDN_NEW_SERVER (Postfix, from userid 0)
    id A1949A07AB; Fri, 20 May 2016 13:58:57 +0200 (CEST)

I'm getting more and more confused about which SPF I have to modify, and which MX is pointing to whom...

Edit: It seems that I get a connection timeout when my main server tries to connect to my new server on port 25, but with telnet it seems OK...

Edit2: I know that my DNS and my reverse DNS are not the same... My server is an instance in a public cloud, and I can't change my reverse DNS since it's configured in the virtual router.

Edit3: I have this error in the main server's Postfix logs:

May 20 16:25:40 ns33rgdrg4 postfix/smtpd[2956]: NOQUEUE: reject_warning: RCPT from csikxdqzdqzdqzdqzdqzress.com[IP_NEW_SERV]: 450 4.1.7 <root@FQDN_NEW_SERVER>: Sender address rejected: unverified address: connect to FQDN_NEW_SERV[IP_NEW_SERV]:25: Connection timed out; from=<root@FQDN_NEW_SERV> to=<[email protected]> proto=ESMTP helo=<FQDN_NEW_SERV>

Here is the current configuration of servers :

Server Main

Dovecot + Postfix configured  
Domain : exampleA.com  
DNS :

 - exampleA.com.        MX    mail.exampleA.com
 - mail.exampleA.com    A     IP_MAIN_SERVER
 - exampleA.com.        SPF   "v=spf1 a mx ptr include:spf4.newsletterpartner.net ~all"

New server

Postfix installed, normally with relayhost = mail.exampleA.com

Domain : exampleB.com  
DNS :

 - exampleB.com.        MX    mail.exampleA.com
 - exampleB.com.        SPF   "v=spf1 mx:mail.exampleA.com mx:exampleA.com include:mail.exampleA.com include:exampleA.com ~all"

The MX of my new domain is pointing to the MX of my main server (I don't know if it is the right thing to do).

Here is part of the new server's /etc/postfix/main.cf:

myhostname = FQDN_NEW_SERVER
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +

relayhost = mail.exampleA.com
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =

We can see that the new server has its Postfix relayhost pointing to the MX of my main server.

I don't know if the MX of my new server has to point to itself (knowing that its own Postfix has a relayhost configured), or if it has to be pointed directly to the main server which will send the emails.

NB: I get the error "No SPF records found for mail.exampleA.com" when I check with a website that looks up MX and SPF, but exampleA.com has an MX, not mail.exampleA.com.

It's been driving me crazy for days now... Thanks in advance for your help, guys :)

Regards,
Julien Q.

Upvotes: 1

Views: 5293

Answers (2)

jquiaios

Reputation: 599

OK, I think it is finally solved thanks to you @henry!

In the file /etc/postfix/main.cf, myorigin was /etc/mailname, which was my FQDN.
Since Google was checking, as it says, a "record for domain of root@FQDN_NEW_SERVER", I thought it had to check root@DOMAIN, and not FQDN. Google was also saying "IP_MAIN_SERVER is neither permitted nor denied by best guess", so instead of putting the main server's MX in my new server's SPF, I put the main server IP as IPv4 instead.

I changed myorigin from FQDN_NEW_SERVER to DOMAIN_NEW_SERVER instead, and specified my relayhost's IPv4 in my new server's SPF. After checking with your method AND Gmail, everything seems OK now!

So here is the final configuration of my infrastructure.

Main server, Relay SMTP

Dovecot + Postfix configured  
Domain : exampleA.com  
DNS :

 - exampleA.com.        MX    mail.exampleA.com
 - mail.exampleA.com    A     IP_MAIN_SERVER
 - exampleA.com.        SPF   "v=spf1 a mx ptr include:spf4.newsletterpartner.net ~all"

New server, forwarding emails to the main server

Domain : exampleB.com  
DNS :

 - exampleB.com.        MX    mail.exampleA.com
 - exampleB.com.        SPF   "v=spf1 ip4:IP_MAIN_SERVER -all"

New server /etc/postfix/main.cf

myhostname = FQDN_NEW_SERVER
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#myorigin = /etc/mailname <-- OLD CONF with FQDN_NEW_SERVER in
myorigin = exampleB.com
mydestination =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +

relayhost = mail.exampleA.com
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =

Gmail original sources

Received: from MX_MAIN_SERVER (FQDN_MAIN_SERVER [IP_MAIN_SERVER])
    by mx.google.com with ESMTPS id s5si18916426wme.105.2016.05.16.02.06.09
    for <FROM_EMAIL_ADDRESS>
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Mon, 16 May 2016 02:06:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of RECEIVER_EMAIL_ADDRESS designates IP_MAIN_SERVER as permitted sender) client-ip=IP_MAIN_SERVER;
Authentication-Results: mx.google.com;
   spf=pass (google.com: domain of RECEIVER_EMAIL_ADDRESS designates IP_MAIN_SERVER as permitted sender) smtp.mailfrom=FROM_EMAIL_ADDRESS

Hoping it can help someone other than me.
Thanks again, guys!

Julien Q.

Upvotes: 5
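Added example, not code from the question or either answer: a simplified SPF evaluator in Python (ip4, a, mx, include and all mechanisms; ptr skipped) run over a constructed in-memory DNS table that mirrors the records quoted in this thread, showing that SPF is checked against the Return-Path domain, so root@FQDN_NEW_SERVER with no record yields "none" (which Gmail reports as its "best guess" neutral), while the old exampleB.com record already permitted the main server via mx:exampleA.com. Assumed: 203.0.113.10 and 203.0.113.77 stand in for IP_MAIN_SERVER and IP_NEW_SERVER, new.exampleB.com for FQDN_NEW_SERVER, and the spf4.newsletterpartner.net record is invented.

```python
"""Simplified SPF (RFC 7208) check over a constructed in-memory DNS table."""
import ipaddress

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
IP_MAIN, IP_NEW = "203.0.113.10", "203.0.113.77"  # constructed stand-ins for the thread's placeholders
DNS = {  # constructed; keyed by lower-case name; mirrors the records quoted in the thread
    "examplea.com": {"MX": ["mail.exampleA.com"], "A": [IP_MAIN],
                     "TXT": ["v=spf1 a mx ptr include:spf4.newsletterpartner.net ~all"]},
    "mail.examplea.com": {"A": [IP_MAIN]},
    "spf4.newsletterpartner.net": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},  # invented
    "exampleb.com": {"MX": ["mail.exampleA.com"], "TXT": ["v=spf1 ip4:" + IP_MAIN + " -all"]},
    "new.exampleb.com": {"A": [IP_NEW]},  # FQDN_NEW_SERVER: publishes no SPF record at all
}
OLD_B = "v=spf1 mx:mail.exampleA.com mx:exampleA.com include:mail.exampleA.com include:exampleA.com ~all"

def lookup(dns, name, rtype):
    return dns.get(name.lower(), {}).get(rtype, [])

def ip_in(ip, network):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)

def check_host(dns, ip, domain):
    """SPF result for connecting IP `ip` and the MAIL FROM (Return-Path) domain `domain`."""
    records = [t for t in lookup(dns, domain, "TXT") if t.startswith("v=spf1")]
    if not records:
        return "none"  # no record published: Gmail then falls back to its own 'best guess'
    for term in records[0].split()[1:]:  # mechanisms go left to right, first match wins
        qual, term = (term[0], term[1:]) if term[0] in QUALIFIER else ("+", term)
        mech, _, arg = term.lower().partition(":")
        if mech == "include":  # recursive check; an included domain with no record is a permerror
            sub = check_host(dns, ip, arg)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        elif mech == "ip4":
            matched = ip_in(ip, arg)
        elif mech == "a":
            matched = any(ip_in(ip, a) for a in lookup(dns, arg or domain, "A"))
        elif mech == "mx":  # any A record of any MX host of the target domain
            matched = any(ip_in(ip, a) for h in lookup(dns, arg or domain, "MX")
                          for a in lookup(dns, h, "A"))
        else:  # 'all' always matches; ptr/exists are not implemented here and never match
            matched = mech == "all"
        if matched:
            return QUALIFIER[qual]
    return "neutral"  # reached the end of the record without a match
def check_with_record(record, ip, domain="exampleB.com"):  # evaluate an alternative record
    dns = {k: dict(v) for k, v in DNS.items()}
    dns[domain.lower()]["TXT"] = [record]
    return check_host(dns, ip, domain)
```

An include: of a host that publishes no SPF record (the old record's include:mail.exampleA.com) evaluates to permerror once no earlier mechanism matches, which is another reason to keep the record to a single ip4 or mx term.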

Henry

Reputation: 3013

I think you made a typo; can you please confirm?

 Domain : exampleB.com  
 DNS :

 - exampleB.com.        MX    mail.exampleA.com
 - exampleA.com.        SPF   "v=spf1 mx:mail.exampleA.com mx:exampleA.com include:mail.exampleA.com include:exampleA.com ~all"

At the bottom I think exampleA.com. should read exampleB.com.

And your SPF record should read

"v=spf1 mx ~all"

Since your MX record is mail.exampleA.com, that's all you have to specify in your SPF.

Your timeout issue I think might be related to Dovecot; Dovecot has a long connection time associated with it, 18+ seconds. I'm not a Linux person, so I really can't point you to where to look for timeout settings.

Instead of testing with Gmail, you can test by sending an email to [email protected]; all basic authentication results are displayed (SPF, DKIM, etc.).

Upvotes: 1
