Re: started getting 550 #5.7.1 SPF unauthorized mail

Wed, 26 Oct 2022 03:29:01 -0700 

On 25/08/2022 04:41, li...@sbt.net.au wrote:

I have a simple 'mail list' where an alias 'ct...@sbt.net.au' sends email
to several recipients, that's been in use since long time.

today noticed one of these addresses started bouncing with '5.7.1 SPF
unauthorized mail' since just today:

what am I doing wrong ?

worked:

Aug 23 09:27:25 geko postfix/smtp[12957]: Untrusted TLS connection
established to asav.tpg.com.au[27.32.32.10]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 23 09:27:27 geko postfix/smtp[12957]: 3119E21C52F:
to=<g...@tpg.com.au>, relay=asav.tpg.com.au[27.32.32.10]:25, delay=1.9,
delays=0.03/0/0.73/1.2, dsn=2.0.0, status=sent (250 ok:  Message 199653922
accepted)

no longer:

Aug 25 09:22:29 geko postfix/smtp[19538]: Untrusted TLS connection
established to asav.tpg.com.au[27.32.32.10]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Aug 25 09:22:30 geko postfix/smtp[19538]: 61DA820053B:
to=<g...@tpg.com.au>, relay=asav.tpg.com.au[27.32.32.10]:25, delay=1.9,
delays=0.08/0.02/0.74/1, dsn=5.0.0, status=bounced (host
asav.tpg.com.au[27.32.32.10] said: 550 #5.7.1 SPF unauthorized mail is
prohibited. (in reply to DATA command))

Aug 25 09:39:17 geko postfix/smtp[26188]: Untrusted TLS connection
established to asav.tpg.com.au[27.32.32.10]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Aug 25 09:39:18 geko postfix/smtp[26188]: 5C7FE2004D9:
to=<g...@tpg.com.au>, relay=asav.tpg.com.au[27.32.32.10]:25, delay=0.64,
delays=0.05/0.01/0.26/0.33, dsn=5.0.0, status=bounced (host
asav.tpg.com.au[27.32.32.10] said: 550 #5.7.1 SPF unauthorized mail is
prohibited. (in reply to DATA command))

looking at the log is see:

# grep 4678220053B  /var/log/maillog

Aug 25 09:38:55 geko postfix/smtpd[21733]: 4678220053B:
client=mail-me3aus01on2049.outbound.protection.outlook.com[40.107.108.49]
Aug 25 09:38:55 geko postfix/cleanup[26173]: 4678220053B:
message-id=<sy6pr01mb8444a26323ea227ec9bf1407f4...@sy6pr01mb8444.ausprd01.prod.outlook.com>
Aug 25 09:38:56 geko opendkim[930]: 4678220053B: failed to parse
authentication-results: header field
Aug 25 09:38:56 geko opendkim[930]: 4678220053B: DKIM verification successful
Aug 25 09:38:56 geko opendmarc[908]: 4678220053B ignoring
Authentication-Results at 1 from geko.sbt.net.au
Aug 25 09:38:56 geko opendmarc[908]: 4678220053B: SPF(mailfrom):
tld.com.au pass
Aug 25 09:38:56 geko opendmarc[908]: 4678220053B: tld.com.au none
Aug 25 09:38:56 geko postfix/qmgr[23312]: 4678220053B:
from=<b...@tld.com.au>, size=629054, nrcpt=8 (queue active)

Aug 25 09:39:17 geko amavis[23896]: (23896-16) Passed CLEAN
{RelayedOpenRelay}, [40.107.108.49]:3695 [40.107.108.49] <b...@tld.com.au>
-> <g...@tpg.com.au>, Queue-ID: 4678220053B, Message-ID:
<sy6pr01mb8444a26323ea227ec9bf1407f4...@sy6pr01mb8444.ausprd01.prod.outlook.com>,
mail_id: ecrv8dP6h0oa, Hits: -1.712, size: 629477, queued_as: 5C7FE2004D9,
4939 ms

Aug 25 09:39:17 geko postfix/smtp[26175]: 4678220053B:
to=<g...@tpg.com.au>, orig_to=<ct...@sbt.net.au>,
relay=127.0.0.1[127.0.0.1]:10024, delay=22, delays=1.2/16/0.01/4.9,
dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250
2.0.0 Ok: queued as 5C7FE2004D9)

Aug 25 09:44:04 geko postfix/qmgr[23312]: 4678220053B: removed
#


# grep 5C7FE2004D9  /var/log/maillog

Aug 25 09:39:17 geko postfix/smtpd[26177]: 5C7FE2004D9:
client=localhost[127.0.0.1]
Aug 25 09:39:17 geko postfix/cleanup[26173]: 5C7FE2004D9:
message-id=<sy6pr01mb8444a26323ea227ec9bf1407f4...@sy6pr01mb8444.ausprd01.prod.outlook.com>
Aug 25 09:39:17 geko postfix/qmgr[23312]: 5C7FE2004D9:
from=<b...@tld.com.au>, size=629970, nrcpt=1 (queue active)
Aug 25 09:39:17 geko amavis[23896]: (23896-16) Passed CLEAN
{RelayedOpenRelay}, [40.107.108.49]:3695 [40.107.108.49] <b...@tld.com.au>
-> <g...@tpg.com.au>, Queue-ID: 4678220053B, Message-ID:
<sy6pr01mb8444a26323ea227ec9bf1407f4...@sy6pr01mb8444.ausprd01.prod.outlook.com>,
mail_id: ecrv8dP6h0oa, Hits: -1.712, size: 629477, queued_as: 5C7FE2004D9,
4939 ms
Aug 25 09:39:17 geko postfix/smtp[26175]: 4678220053B:
to=<g...@tpg.com.au>, orig_to=<ct...@sbt.net.au>,
relay=127.0.0.1[127.0.0.1]:10024, delay=22, delays=1.2/16/0.01/4.9,
dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250
2.0.0 Ok: queued as 5C7FE2004D9)
Aug 25 09:39:18 geko postfix/smtp[26188]: 5C7FE2004D9:
to=<g...@tpg.com.au>, relay=asav.tpg.com.au[27.32.32.10]:25, delay=0.64,
delays=0.05/0.01/0.26/0.33, dsn=5.0.0, status=bounced (host
asav.tpg.com.au[27.32.32.10] said: 550 #5.7.1 SPF unauthorized mail is
prohibited. (in reply to DATA command))
Aug 25 09:39:18 geko postfix/bounce[26219]: 5C7FE2004D9: sender
non-delivery notification: 0C96B21C52C
Aug 25 09:39:18 geko postfix/qmgr[23312]: 5C7FE2004D9: removed


mail_version = 3.7.2
SPF works by checking the SPF record for the domain specified in the mail *envelope*. If the IP from which the email has been received does not meet the SPF record criteria, it is an SPF fail. My impression is that a number of email providers (including Gmail) have become much stickier about refusing emails that fail SPF testing of late, and it seems that tpg.com.au is one of them.
When you relay an incoming mail out to your mailing list subscribers you are retaining the original mail return address in the header, but the mail is coming from your IP, not the original sender's. For this sender it will result in an SPF failure because their SPF record (tld.com.au) at the time of writing is 'v=spf1 include:spf.protection.outlook.com -all'.
A workaround is to use postsrsd which rewrites the envelope sender without changing the header From: address.

Reply via email to