SMTP proxy SPF checks and backup MX?

I had an extended (24 hour) outage on my home broadband, and several inbound emails ended up bouncing.  I set up a couple of backup MX servers at an outside provider, and tested by bringing down the SMTP proxy, then sending a couple of test emails to my home address.  Waited a few minutes, and brought it back up.  The emails bounced back to my sending email address (at work), with a 550 error.  Looking at the logs, I can see it is complaining that one of the backup MX servers doesn't have permission to send from that domain.  For the moment, I have just disabled the SPF checking in the proxy.  Is there a way to exempt the N backup MX servers from this check?



  • This took a while to figure out, but UTM did exactly what you asked it to do.   Let me work through an example to illustrate the point.

    • A message from sender@fromdomain.com to you@todomain.com is diverted to server1.hostingservice.com, where the message is stored and queued for redelivery.
    • You never configured server1.hostingservice.com as a trusted forwarder in UTM.
    • Your system comes back on line and server1.hostingservice.com begins to empty its queue of saved mail.
    • Your UTM checks to see if server1.hostingservice.com is in the SPF record for sender@fromdomain.com, and it fails.
    • Since you have UTM configured to block messages that fail SPF, the message is blocked.

    Normally, you want any device that is an MX server for you to be configured in the trusted forwarder list.   In this case, the hosting service probably has lots of servers, so it may not have been feasible (or safe) to configure all of their servers as trusted forwarders.   Disabling SPF for the time needed to empty the queue was probably the safest course of action.
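    As an added illustration (not code from this thread, from Sophos, or from UTM itself), the following Python evaluates a minimal SPF policy and shows why the queued message fails when the backup MX connects, and why a trusted-forwarder entry changes the outcome. The SPF record, IP ranges and host names are constructed for the example; only ip4 mechanisms and the all qualifier are handled.

    ```python
    import ipaddress

    # Constructed SPF data (not real DNS): fromdomain.com authorizes only its own
    # outbound relay range. The hosting service's backup MX is not in it.
    SPF_RECORDS = {
        "fromdomain.com": "v=spf1 ip4:203.0.113.0/24 -all",
    }

    # Hypothetical trusted-forwarder list as it would be configured on the UTM:
    # connections from these hosts are accepted without an SPF check on our side.
    TRUSTED_FORWARDERS = ["198.51.100.0/24"]   # the backup MX hosts (constructed)

    def spf_result(sender_domain, connecting_ip, records=SPF_RECORDS):
        """Evaluate the sender domain's SPF record against the connecting IP."""
        record = records.get(sender_domain)
        if record is None:
            return "none"
        ip = ipaddress.ip_address(connecting_ip)
        for term in record.split()[1:]:           # skip the "v=spf1" tag
            qualifier = "+"
            if term[0] in "+-~?":
                qualifier, term = term[0], term[1:]
            if term.startswith("ip4:"):
                matched = ip in ipaddress.ip_network(term[4:], strict=False)
            else:
                matched = term == "all"          # "all" matches every IP
            if matched:
                return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        return "neutral"                         # no mechanism matched

    def accept_message(sender_domain, connecting_ip, trusted=TRUSTED_FORWARDERS):
        """Mirror 'block on SPF fail' with an exemption for trusted forwarders."""
        ip = ipaddress.ip_address(connecting_ip)
        if any(ip in ipaddress.ip_network(net) for net in trusted):
            return "accepted (SPF skipped: trusted forwarder)"
        if spf_result(sender_domain, connecting_ip) == "fail":
            return "rejected 550 (SPF fail)"
        return "accepted"
    ```

    Note that with the exemption in place, mail arriving via the backup MX is no longer checked at all on the UTM side, which is exactly the trade-off mentioned below.
    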

  • Thanks!  Just to be clear, I'm aware this was working as designed.  I was trying to make sure I understood what the alternatives were.  I will add their 4 backup MX servers to the trusted list.  The only downside is that anti-spam checks that are based on the RBL and HELO and such will not be effective for messages delivered via the backups.  I'll have to monitor this and make sure no-one is abusing the MX priorities to circumvent these checks.


  • You also have to worry about messages from other clients of that hosting service.

    I have heard that spammers sometimes send messages to the lowest-priority MX, in hopes that it is the oldest and has the weakest defenses.   It would be interesting to test that theory, by configuring the hosting service servers to not forward anything until you review it.   Will it work as a spam trap?

    Of course, this assumes that your primary MX has sufficient performance so that the primary MX is never busied-out and forcing traffic to the backup.

  • Unfortunately, I have no control over the backup servers - there is a big switch: on or off :)  That said, this is a home/lab/family setup, and the load on the main server is pretty low...

  • Very strange.  Balfson posted about using upstream provider settings instead, but that post is showing as 'under moderation' for some reason.  Anyway, I hadn't been aware of that option.  I made that change and am monitoring...

  • Yeah - I meant to edit that post, but I hit the report as abuse selection - not the first time I've done that and likely not the last!

    UPDATE: My ghost post has been brought back to life above.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, their /24 is now in my upstream host list.  Thanks!