Mail bounced after forward although SPF rules confirm sending rights

  • I'm referring to post https://i-mscp.net/index.php/Thread/13074-SRS-Plugin/
    But this case seems a bit different. In addition to the SRS subject I'm currently watching a special issue in the case of mail forwarding.


    Setup is as follows:


    • 2 virtual servers, each with its own IP and some domains as clients.
    • Identical configurations on every machine.
    • OS: Debian Jessie, updated
    • i-MSCP: latest stable 1.4.7, any configuration left to defaults
    • MTA_SERVER => 'postfix',
    • PO_SERVER => 'dovecot',
    • SPF Plugin 1.2.0


    A few IMAP accounts, some mail forwarders as well as a catchall are set on some domains.


    Following is the process that happens.


    1. One domain's WordPress sends information to the admin
    [email protected] -> [email protected]
    i.e. from VM1 to VM2
    Result of mail transfer: OK so far.


    2. Recipient server SSS.info has set a forward on wpadmin02
    Tries to proceed with forwarding
    "[email protected]" -> [email protected]
    i.e. from VM2 back to VM1
    where only by chance DDD.net is located again on VM1.
    Rejected.


    Part of mail message is:


    Code
    This is the mail system at host VM2.DDD.net.

    I'm sorry to have to inform you that your message could not
    be delivered to one or more recipients. It's attached below.

    For further assistance, please send mail to postmaster.

    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.

                       The mail system

    <[email protected]> (expanded from <[email protected]>): host VM1.DDD.net[IP VM1] said: 550 5.7.1 <[email protected]>: Recipient address rejected: Please see http://www.openspf.net/Why?s=mfrom;id=webmaster%40BBB.org;ip=IP VM2;r=VM1.DDD.net (in reply to RCPT TO command)


    3. The whole message is submitted to [email protected] as bounced mail.
    This is what I received.


    Analyzing:


    Now the curious fact, whether related to SRS or not, and in contrast to bounced mails from providers like gmx.net or web.de:


    The SPF TXT entries of all mentioned domains are as follows:


    "v=spf1 ip4:[IP address or net range of VM1] ip4:[IP address or net range of VM2] +a +mx ~all"


    That means any domain is allowed to send from each VM.
    The correct configuration is confirmed by the SPF website.



    Code
    DDD.net rejected a message that claimed an envelope sender address of [email protected].
    VM1.DDD.net received a message from VM2.DDD.net (IP...) that claimed an envelope sender address of [email protected].
    The domain BBB.org has authorized VM2.DDD.net (IP...) to send mail on its behalf, so the message should have been accepted. It is impossible for us to say why it was rejected.


    Current possible solutions:

    • I could create IMAP accounts for some purposes. Here: for the WP admin contact.
    • Trying to avoid forwarding generally, as, concerning the SRS problems, this is a growing reason for bounced mails as SPF gets implemented more widely.
    • One may think that the reason is not related to forwarding in general but to forwarding as the result of a catchall. I'm forwarding several catchalls to one general catchall address, which works fine so far. Maybe I have to recreate catchall addresses for each domain separately again.

    This post is intended foremost as a report and I myself will keep an eye on that. Looking for other solutions. As of today I didn't find any.
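Added example, not code from the thread or from i-MSCP: a toy SPF evaluator over constructed DNS data that replays step 2 above. It checks the forwarded message (connecting IP = VM2) once against the original sender's record and once against an SRS-rewritten envelope sender, so the difference between the thread's permissive record and a provider-style record that lists only its own servers becomes visible. IP addresses are documentation ranges, host names mirror the thread's placeholders, and the SRS address form is simplified.

```python
import ipaddress

# Constructed DNS data for the thread's placeholder hosts; not real records.
VM1_IP, VM2_IP = "192.0.2.10", "198.51.100.20"   # RFC 5737 documentation ranges
DNS = {
    # Record shape from the thread: both VMs listed, plus +a +mx ~all.
    "BBB.org":  {"spf": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 +a +mx ~all",
                 "a": [VM1_IP], "mx": ["VM1.DDD.net"]},
    "SSS.info": {"spf": "v=spf1 ip4:198.51.100.20 +a +mx ~all",
                 "a": [VM2_IP], "mx": ["VM2.DDD.net"]},
    # Provider-style record that authorizes only the provider's own servers.
    "provider.example": {"spf": "v=spf1 ip4:203.0.113.0/24 -all", "a": [], "mx": []},
    "VM1.DDD.net": {"a": [VM1_IP]}, "VM2.DDD.net": {"a": [VM2_IP]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, mail_from):
    """Evaluate the ip4, a, mx and all mechanisms of the MAIL FROM domain's record."""
    domain = mail_from.rsplit("@", 1)[1]
    record = DNS.get(domain, {}).get("spf")
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qual]
        name, _, arg = mech.partition(":")
        if name == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if name == "a" and client_ip in DNS[domain]["a"]:
            return QUALIFIERS[qual]
        if name == "mx" and any(client_ip in DNS[mx]["a"] for mx in DNS[domain]["mx"]):
            return QUALIFIERS[qual]
    return "neutral"                          # no mechanism matched, no "all" term

def srs_rewrite(mail_from, forwarder_domain):
    """Simplified SRS0 form: the forwarder takes over the envelope sender.
    HHHH/TT stand in for the real hash and timestamp fields (placeholder)."""
    local, domain = mail_from.split("@")
    return f"SRS0=HHHH=TT={domain}={local}@{forwarder_domain}"

def forwarding_scenario(original_sender):
    """Step 2 of the thread: VM2 (SSS.info) forwards to VM1, which checks SPF.
    Returns the result with the original MAIL FROM and with an SRS rewrite."""
    without_srs = check_spf(VM2_IP, original_sender)
    with_srs = check_spf(VM2_IP, srs_rewrite(original_sender, "SSS.info"))
    return without_srs, with_srs
```

With the thread's record the forwarder's IP is authorized either way; with the provider-style record the same forward fails until the envelope sender is rewritten to the forwarder's domain.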

  • This "will follow..." was a bit too enthusiastic. Sorry for that. To investigate this behaviour I have to wait for an occurrence of this problem and examine three mail server logs. Something I currently have no time to do. Postponed into some future.


    Meanwhile I read this blogpost: https://www.heinlein-support.d…n-mail-rejects-durch-spf/


    This encouraged me to, at first, uninstall all SPF plugins, clear my DNS entries and stay with only DKIM and DMARC. If even I on my own server can't ensure an overall working environment of SPF, I can't expect this from other admins. Only mailings between my own servers were affected, not to think of bounced mails from other persons, which mostly remain unknown to me.


    A small niche for DNS entries remains. E.g. if there is an only internally used subdomain where I don't want outgoing mail under any circumstances, I could add a "... -all". Also on a virtual server where no domain at all is affected by any of these SPF problems, such as mail forwarding, this may be activated.


    What's next?
    I will wait for some time and watch incoming mails. Are there any which could have been bounced because of SPF usage? Are my own mails resent more and more often? Will other spam measures keep their number small enough? If this works, I will stay with this configuration.


    Hopefully my decision and the reasons to come to that one (part of my best practice) may help some of you :)