Accept Emails from an Upstream SMTP Server

MarkLFT

We scan all incoming emails on an upstream mailing service. We need to be able to whitelist the IP address of that service.

Currently emails from that server are bounced in the DA server, with the message:

SMTP error from remote mail server after RCPT TO:<name@localdomain>: 550-SPF: <ipaddress> is not allowed to send mail from <senderdomain>

The upstream server is defined as an mx record for the local domain, with the spf record including the mx key.

But as the sender domain is not the local domain, the spf record has no effect.
 
> with the spf record including the mx key.

What do you mean included in the MX key? The MX and SPF are separate records.

However, it seems it sends mail not from hostname but from ip, if I read your error line correctly. In that case the ip should be included in the SPF record.
And if the mail is resent by your server, then your server's ip should be included.
 
> What do you mean included in the MX key? The MX and SPF are separate records.

I mean the DNS text record for the spf includes the value mx, so by default it will know about all defined mx servers.
But as I wrote, it is complaining that the upstream MX server is not authorised to send on behalf of the remote domain, not our domain. For example, we are receiving emails on our domain, abc.com. We are receiving an email from a person on domain 123.com, the upstream SMTP Server is on address x.x.x.x, our DA SMTP is on IP address z.z.z.z.
The error message is saying that x.x.x.x is not authorised to send emails on behalf of domain 123.com, which is correct, it is not. Which is why I need to whitelist the IP address of the upstream SMTP server, so we can receive emails from all domains.
 
Something must be wrong somewhere, because an uplink SMTP should not check whether it itself is allowed to send mail, unless it also has an instant forward present to an external domain or something. Very strange things.

> I mean the DNS text record for the spf includes the value mx,

Yes, but mostly this is with A MX or something like that, in the SPF record.
The SPF is complaining about the ip address, not about the domain, which is why I suggested to add the ip address.

Anyway, since it's a bit of a complex situation I can't be of help to figure out where exactly it's going wrong with masked stuff.

You should be able to whitelist things in the /etc/virtual directory in any of these files:
whitelist_domains
whitelist_from
whitelist_hosts
whitelist_hosts_ip
whitelist_senders

I suggest you try whitelist_hosts_ip and whitelist_domains (or more as you see fit).
And of course restart exim afterwards.
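
An added example (not from the thread, and not Exim or DirectAdmin code): a simplified Python model of the SPF check discussed above, showing why the local domain's `mx` mechanism does not help when the envelope sender is another domain, and what an IP whitelist changes. The domains, addresses and the `rcpt_decision` policy are constructed stand-ins for the thread's abc.com, 123.com and x.x.x.x.

```python
import ipaddress

# Constructed DNS data. abc.example / 123.example stand in for the thread's
# abc.com / 123.com; 192.0.2.10 stands in for the upstream relay x.x.x.x.
DNS = {
    "spf": {
        "abc.example": "v=spf1 mx -all",
        "123.example": "v=spf1 ip4:198.51.100.0/24 -all",
    },
    "mx": {"abc.example": ["192.0.2.10"], "123.example": ["198.51.100.5"]},
}

def spf_result(client_ip, sender_domain, dns=DNS):
    """Evaluate a small SPF subset (ip4, mx, all) for the envelope sender's domain."""
    record = dns["spf"].get(sender_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            hit = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech == "mx":
            # "mx" refers to the MX hosts of the domain being checked (the sender's)
            hit = client_ip in dns["mx"].get(sender_domain, [])
        elif mech == "all":
            hit = True
        else:
            continue  # mechanisms outside this subset are ignored in the model
        if hit:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def rcpt_decision(client_ip, sender_domain, trusted_relays=()):
    """Hypothetical RCPT-time policy: skip SPF for listed relay IPs, else reject on fail."""
    if any(ipaddress.ip_address(client_ip) in ipaddress.ip_network(net, strict=False)
           for net in trusted_relays):
        return "accept (relay whitelisted, SPF skipped)"
    result = spf_result(client_ip, sender_domain)
    return "reject 550 SPF" if result == "fail" else f"accept (spf={result})"
```

Skipping SPF for the relay moves sender authentication to the upstream service, so the whitelist should hold only that service's addresses.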
 