
SMTP proxy SPF checks and backup MX?

I had an extended (24 hour outage) on my home broadband, and several inbound emails ended up bouncing.  I set up a couple of backup MX servers at an outside provider, and tested by bringing down the SMTP proxy, then sending a couple of test emails to my home address.  Waited a few minutes, and brought it back up.  The emails bounced back to my sending email address (at work), with a 550 error.  Looking at the logs, I can see it is complaining that one of the backup MX servers doesn't have permission to send from that domain.  For the moment, I have just disabled the SPF checking in the proxy.  Is there a way to exempt the N backup MX servers from this check?



  • This took a while to figure out, but UTM did exactly what you asked it to do.   Let me work through an example to illustrate the point.

    • A message from sender@fromdomain.com to you@todomain.com is diverted to server1.hostingservice.com, where the message is stored and queued for redelivery.
    • You never configured sender1.hostingservice.com as a trusted forwarder in UTM.
    • Your system comes back on line and server1.hostingservice.com begins to empty its queue of saved mail.
    • Your UTM checks to see if server1.hostingservice.com is in the SPF record for sender@fromdomain.com, and it fails.
    • Since you have UTM configured to block messages that fail SPF, the message is blocked.

    Normally, you want any device that is an MX server for you to be configured in the trusted forwarder list.   In this case, the hosting service probably has lots of servers, so it may not have been feasible (or safe) to configure all of their servers as trusted forwarders.   Disabling SPF for the time needed to empty the queue was probably the safest course of action.
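    The sequence in Doug's example can be walked through in code. The following Python model is an added illustration, not part of this thread or of Sophos UTM: a minimal SPF evaluator (only ip4/ip6 mechanisms and `all`, no DNS, no include/redirect), fed with constructed SPF records and host addresses, plus a proxy decision function that skips the SPF check for hosts in a trusted-forwarder set (which stands in for either the UTM Exception or the Upstream Hosts list). It shows why the queued redelivery from server1.hostingservice.com fails SPF for sender@fromdomain.com, and why listing the backup MX as a trusted forwarder makes the same message pass.

```python
"""Model of SPF evaluation at an inbound SMTP proxy with a backup MX in the path.

All records, hostnames and addresses below are constructed sample data
(documentation ranges), not real DNS data.
"""
import ipaddress

# Constructed SPF records keyed by sender domain (what the proxy would look up in DNS).
SPF_RECORDS = {
    "fromdomain.com": "v=spf1 ip4:192.0.2.0/28 -all",
}

# Constructed addresses: the sender's own MTA and the hosting service's backup MX.
HOSTS = {
    "mail.fromdomain.com": "192.0.2.10",        # inside the sender's SPF range
    "server1.hostingservice.com": "198.51.100.25",  # backup MX, not in the SPF record
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Return the SPF result for client_ip against a record.

    Supports only ip4/ip6 and all; any mechanism that would need a DNS
    lookup (a, mx, include, exists, redirect) yields 'permerror' here.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # Membership test returns False across address families.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        else:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    # No mechanism matched and no explicit 'all' term.
    return "neutral"


def smtp_proxy_decision(sender: str, client_host: str,
                        trusted_forwarders: set, block_on_fail: bool = True):
    """Decide what the proxy does with a message from client_host.

    Hosts in trusted_forwarders (the backup MX servers) are not SPF-checked,
    because the sender domain's SPF record will never list them. Otherwise a
    hard 'fail' is rejected when block_on_fail is set, as in the thread.
    Returns (action, reason).
    """
    if client_host in trusted_forwarders:
        return ("accept", "spf-skipped-trusted-forwarder")
    domain = sender.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    result = evaluate_spf(record, HOSTS[client_host]) if record else "none"
    if result == "fail" and block_on_fail:
        return ("reject-550", result)
    return ("accept", result)


if __name__ == "__main__":
    sender = "sender@fromdomain.com"
    # Direct delivery while the home link is up: SPF passes.
    print("direct:", smtp_proxy_decision(sender, "mail.fromdomain.com", set()))
    # Queued redelivery from the backup MX with no trusted forwarder configured.
    print("backup MX, no exception:",
          smtp_proxy_decision(sender, "server1.hostingservice.com", set()))
    # Same redelivery once the backup MX is listed as a trusted forwarder.
    print("backup MX, trusted:",
          smtp_proxy_decision(sender, "server1.hostingservice.com",
                              {"server1.hostingservice.com"}))
```

    The third call is the configuration the later replies recommend: the check is skipped for the known backup MX hosts only, so SPF enforcement stays in place for every other connecting host.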

  • Just to make sure I have this right: in the SMTP config, I add an exception called 'Backup MX servers', and click the following checkboxes: 'RBL checks / RDNS/Helo checks / Greylisting / BATV / SPF check'.  I then add a new network group containing the names of the hosting service's 3 backup MX servers.  Correct?

  • In Doug's post above, he commented, "You never configured sender1.hostingservice.com as a trusted forwarder in UTM."  Rather than create the Exception, why not start with ‘Upstream Hosts/Networks’ on the ‘Relaying’ tab - you can always add Exceptions if you see messages being blocked.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA