
Thread: Remote SPF validation issue: internal forward e-mail with SRS + dedicated domain IPs

  1. #1 (Join Date: Oct 2006, Posts: 48)

    Remote SPF validation issue: internal forward e-mail with SRS + dedicated domain IPs

    My exim.conf version is 4.5.12 from August 15, 2018. My exim.variables.conf.custom contains:

    Code:
    ignore_bounce_errors_after=1d
    timeout_frozen_after=5d
    hostlist relay_hosts=localhost
    domainlist relay_domains=lsearch;/etc/virtual/domains : localhost
    tls_verify_certificates = ${if exists {/etc/exim/$received_ip_address.cacert} {/etc/exim/$received_ip_address.cacert}}
    tls_certificate = ${if exists {/etc/exim/$received_ip_address.cert} {/etc/exim/$received_ip_address.cert} {/etc/exim.cert}}
    tls_privatekey = ${if exists {/etc/exim/$received_ip_address.key} {/etc/exim/$received_ip_address.key} {/etc/exim.key}}
    log_selector = \
      +incoming_interface \
      +delivery_size \
      +sender_on_delivery \
      +received_recipients \
      +received_sender \
      +smtp_confirmation \
      +subject \
      +smtp_incomplete_transaction \
      -dnslist_defer \
      -host_lookup_failed \
      -queue_run \
      -rejected_header \
      -retry_defer \
      -skip_delivery \
      +arguments
    (domainlist relay_domains and log_selector are manually commented out in exim.conf .)

    I have easy spam fighter in place but I don't think it matters.

    Setup

    My server #server# has a main shared IP address #A#.

    Let's say I have two users:

    #john#, who owns the domain example.com with a Let's Encrypt SSL certificate. This user is set up with a single, dedicated IP address, #B#.
    #jane#, who owns the domain example.net with a Let's Encrypt SSL certificate. This user is set up with a single, dedicated IP address, #C#.

    The variables custom settings above are symbolic links that point towards the correct certificate for example.com and example.net. This is all working fine.

    The following DNS records are in place - I believe these are the defaults and I didn't change anything in the past and then forgot about it (they are analogous for both users):

    Code:
    example.com.	TXT	"v=spf1 a mx ip4:#A# ~all"
    example.com.	MX	10 mail
    mail	A	#B#
    smtp	A	#B#

    #john# has created a forwarder john@example.com which points at example@gmail.com .
    #jane# has her own e-mail address, jane@example.net.

    Problem

    The owner of jane@example.net wants to send an e-mail to john@example.com . Jane's e-mail client connects to smtp.example.net on IP address #C#, no problem so far. Here's a real log of one such interaction:

    Code:
    2019-01-24 14:44:25 1gmgEz-0003DU-HZ <= jane@example.net H=([100.99.61.173]) [...] I=[#C#]:587 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=plain:jane@example.net S=10930 id=31F97EF0-B5C7-4A0E-AA6C-E4CF9FDE2A9E@example.net T="Re: Test" from <jane@example.net> for jane@example.net john@example.com
    2019-01-24 14:44:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gmgEz-0003DU-HZ
    2019-01-24 14:44:25 cwd=/tmp 4 args: /usr/sbin/exim -oMr spam-scanned -bS
    2019-01-24 14:44:25 1gmgEz-0003Dc-Na <= jane@example.net U=mail P=spam-scanned S=11344 id=31F97EF0-B5C7-4A0E-AA6C-E4CF9FDE2A9E@example.net T="Re: Test" from <jane@example.net> for jane@example.net john@example.com
    2019-01-24 14:44:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gmgEz-0003Dc-Na
    2019-01-24 14:44:25 1gmgEz-0003Dc-Na => jane <jane@example.net> F=<jane@example.net> R=virtual_user T=dovecot_lmtp_udp S=11697 C="250 2.0.0 <jane@example.net> hRSJOEnPSVyrIgAA7QZeHQ Saved"
    2019-01-24 14:44:26 1gmgEz-0003Dc-Na => example@gmail.com <john@example.com> F=<jane@example.net> SRS=<SRS0=gCk9iK=QA=example.net=jane@example.com> R=lookuphost T=remote_smtp S=12411 H=gmail-smtp-in.l.google.com [173.194.76.26] I=[#C#] X=TLSv1.2:ECDHE-RSA-CHACHA20-POLY1305:256 CV=yes C="250 2.0.0 OK 1548341066 s13si70195169wrv.406 - gsmtp"
    2019-01-24 14:44:26 1gmgEz-0003Dc-Na Completed
    2019-01-24 14:44:26 1gmgEz-0003DU-HZ => jane <jane@example.net> F=<jane@example.net> R=spamcheck_director T=spamcheck S=11284
    2019-01-24 14:44:26 1gmgEz-0003DU-HZ -> john <john@example.com> F=<jane@example.net> R=spamcheck_director T=spamcheck S=11284
    2019-01-24 14:44:26 1gmgEz-0003DU-HZ Completed

    Exim is identifying itself to Gmail as SRS0=gCk9iK=QA=example.net=jane@example.com . So what does Gmail have to say about that?

    Received-SPF: softfail (google.com: domain of transitioning srs0=gck9ik=qa=example.net=jane@example.com does not designate #C# as permitted sender) client-ip=#C#;

    Gmail is right - only #B# and #A# can send on behalf of example.com, as seen above. Is there any way to fix this without extensive manual setup for every user? (I have several more with this setup.)
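    To make the failure above concrete, here is an added example (not code from the thread or from DirectAdmin): a minimal SPF evaluator run over a constructed DNS table modelled on the records quoted in the post. The IP addresses stand in for the #A#, #B#, #C# placeholders, and it assumes example.com's apex A record points at #B# like mail/smtp do, with example.net set up analogously on #C#.

```python
import ipaddress

IP_A, IP_B, IP_C = "192.0.2.1", "192.0.2.2", "192.0.2.3"  # constructed stand-ins for #A#, #B#, #C#

# Constructed DNS table modelled on the thread's records (assumption: the apex A record
# of example.com points at #B# like mail/smtp; example.net is analogous with #C#).
DNS = {
    ("example.com", "TXT"): [f"v=spf1 a mx ip4:{IP_A} ~all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("example.com", "A"): [IP_B],
    ("mail.example.com", "A"): [IP_B],
    ("example.net", "TXT"): [f"v=spf1 a mx ip4:{IP_A} ~all"],
    ("example.net", "MX"): ["mail.example.net"],
    ("example.net", "A"): [IP_C],
    ("mail.example.net", "A"): [IP_C],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def sender_domain(envelope_from):
    """SPF tests the domain right of '@' in MAIL FROM. SRS moves the original sender
    into the local part, so after forwarding the forwarder's own domain is tested."""
    return envelope_from.rsplit("@", 1)[1].lower()

def mechanism_matches(mech, domain, ip):
    """Match the mechanisms used in the thread's record: a, mx, ip4 and all."""
    if mech == "all":
        return True
    if mech == "a":
        return any(ip == ipaddress.ip_address(h) for h in DNS.get((domain, "A"), []))
    if mech == "mx":
        return any(ip == ipaddress.ip_address(h)
                   for mx in DNS.get((domain, "MX"), []) for h in DNS.get((mx, "A"), []))
    if mech.startswith("ip4:"):
        return ip in ipaddress.ip_network(mech[4:], strict=False)
    raise ValueError(f"unsupported mechanism: {mech}")

def check_spf(client_ip, envelope_from):
    """Return the SPF result (pass/fail/softfail/neutral/none) for one connection."""
    domain = sender_domain(envelope_from)
    ip = ipaddress.ip_address(client_ip)
    spf = [t for t in DNS.get((domain, "TXT"), []) if t.startswith("v=spf1 ")]
    if not spf:
        return "none"
    for term in spf[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        if mechanism_matches(mech, domain, ip):
            return RESULT[qualifier]
    return "neutral"  # record ended without an 'all' term

if __name__ == "__main__":
    # With SRS the forwarded message claims example.com but leaves from Jane's IP #C#.
    print(check_spf(IP_C, "SRS0=gCk9iK=QA=example.net=jane@example.com"))  # softfail
    # Without SRS the envelope sender stays jane@example.net, and #C# is its A/MX host.
    print(check_spf(IP_C, "jane@example.net"))  # pass
```

    The same evaluator shows why the direct case works: #B# and #A# pass for example.com, and any other address hits the ~all softfail that Gmail reported.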

  2. #2 (Join Date: Apr 2005, Location: GMT +7.00, Posts: 12,729)
    Hello,

    Disable SRS (globally), or use Sieve rules with Dovecot to redirect emails (per user).

  3. #3 (Join Date: Oct 2006, Posts: 48)
    What is disabling SRS supposed to accomplish? Either SPF checks fail and DMARC fails, or if there is no DMARC the spam score gets ridiculously worse and security is compromised for the recipient; in either case, the outcome is undesirable. Sieve doesn't seem to be compatible with the premise of "without extensive manual setup for every user".

    Is there a real exim solution that could be implemented in DirectAdmin to fix this for everyone? A way to change the outgoing IP address for the forwarder call? Perhaps a way to tell it to perform the forwarding through an external connection to the same instance of exim?

  4. #4 (Join Date: Apr 2005, Location: GMT +7.00, Posts: 12,729)
    We had to disable SRS on one of a customer's servers for forwarders to work in a case where the original sender uses DKIM to sign an email:

    - sender with DKIM -> DA server (forwarder) -> destination server

    In your case, with SRS disabled, the outgoing IP (at least I'd expect it to) should match the one allowed in SPF.
