Can't send mails with SNM (Mailserver)

It’s me again with another NixOS mail server problem.

I configured the mail server exactly as described in the documentation.
Receiving emails works fine. The problem is the sending. The mails only seem to go out when sending, but they don’t arrive, and after ~1 day a message comes back saying that the mails cannot be delivered.
The output of journalctl -fu postfix gives the following result:

May 18 19:44:31 nb-main postfix/smtpd[1078575]: connect from[XX.XX.XX.XX]
May 18 19:44:31 nb-main postfix/smtpd[1078575]: Anonymous TLS connection established from[XX.XX.XX.XX]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
May 18 19:44:31 nb-main policyd-spf[1078581]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see;;ip=xx.xx.xx.xx;r=<UNKNOWN>
May 18 19:44:31 nb-main postfix/smtpd[1078575]: NOQUEUE: reject: RCPT from[xx.xx.xx.xx]: 550 5.7.23 <>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see;;ip=xx.xx.xx.xx;r=<UNKNOWN>; from=<> to=<> proto=ESMTP helo=<>
May 18 19:44:31 nb-main postfix/smtpd[1078575]: disconnect from[xx.xx.xx.xx] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1 commands=6/7

(I anonymized the IPs)
As I read it, there is an SPF error in the DNS entries.
I have already tested various SPF entries but none worked. (currently: v=spf1 ip6:xxxx:xxx:xxxx:xxxx:: ~all)

Does anyone have an idea?

So as the message says, this is an SPF issue and not related to NixOS as such.

Without the full SPF record (and therefore domain and the IPs) it’s impossible to say how your SPF record is misconfigured.


Almost one year later, I found this post because I had similar issues. This is NOT a misconfigured SPF record. This is your email client not properly authenticating to the SMTP server, so your SNM sees the message as an incoming one, checks your connection against the sender’s SPF records (YOUR SPF records), and finds that the IP of your Apple device (with the email client) does NOT match the SPF record (which it shouldn’t, as the emails for your account should come from your SNM server, not your client device).

How can you know that this is the case? Well, the “Message rejected” log entry comes from “policyd-spf”, which gets invoked for incoming email to your mailserver, not for outgoing mail.

In my case, I had Thunderbird as an email client, and for some reason, it did not apply some of my SMTP settings right away, but only after I restarted Thunderbird. Then, it properly authenticated to the SNM SMTP-server, and the SNM did not invoke the SPF checks, because it automatically permits all emails via authenticated SMTP connections.

So for everyone finding this thread like me, make sure your email client is authenticating correctly.
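
An added example, not part of the original posts: a Python script that reads Postfix smtpd log lines and, for every session that ended in an SPF rejection, reports from the disconnect counters whether the client had authenticated. The sample lines are constructed, and the function names classify and auth_state are hypothetical; Postfix prints a counter as ok/total when some attempts failed, so auth=1 is one successful AUTH, auth=0/1 is one failed AUTH, and a missing auth counter means the client never tried.

```python
import re

# Constructed sample log in the format shown above (documentation addresses).
SAMPLE_LOG = """\
May 18 19:44:31 mx policyd-spf[900]: 550 5.7.23 Message rejected due to: SPF fail - not authorized
May 18 19:44:31 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.7.23 <bob@example.org>: Recipient address rejected: Message rejected due to: SPF fail - not authorized; from=<alice@example.com> to=<bob@example.org> proto=ESMTP helo=<laptop>
May 18 19:44:31 mx postfix/smtpd[101]: disconnect from unknown[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
May 18 19:50:02 mx postfix/smtpd[102]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.7.23 <bob@example.org>: Recipient address rejected: Message rejected due to: SPF fail - not authorized; from=<alice@example.com> to=<bob@example.org> proto=ESMTP helo=<laptop>
May 18 19:50:02 mx postfix/smtpd[102]: disconnect from unknown[198.51.100.7] ehlo=2 starttls=1 auth=0/1 mail=1 rcpt=0/1 quit=1 commands=5/7
May 18 19:55:40 mx postfix/smtpd[103]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.7.23 <bob@example.org>: Recipient address rejected: Message rejected due to: SPF fail - not authorized; from=<alice@example.com> to=<bob@example.org> proto=ESMTP helo=<laptop>
May 18 19:55:40 mx postfix/smtpd[103]: disconnect from unknown[203.0.113.5] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1 commands=6/7
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")     # smtpd PID and message
COUNTER = re.compile(r"\b(\w+)=(\d+)(?:/(\d+))?")        # name=ok or name=ok/total


def auth_state(disconnect_msg):
    """Read the auth counter from a 'disconnect from ...' summary line."""
    for name, ok, _total in COUNTER.findall(disconnect_msg):
        if name == "auth":
            return "authenticated" if int(ok) > 0 else "auth-failed"
    return "no-auth"                                     # AUTH was never attempted


def classify(log_text):
    """Return (client, auth state) for each session that hit an SPF reject."""
    rejected = {}        # smtpd PID -> client of the session still open
    results = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue                                     # e.g. policyd-spf lines
        pid, msg = m.groups()
        if msg.startswith("NOQUEUE: reject:") and "SPF fail" in msg:
            rejected[pid] = re.search(r"from (\S+):", msg).group(1)
        elif msg.startswith("disconnect from") and pid in rejected:
            # PIDs are reused across sessions, so close the record here.
            results.append((rejected.pop(pid), auth_state(msg)))
    return results


if __name__ == "__main__":
    for client, state in classify(SAMPLE_LOG):
        print(f"{client}: SPF reject, session was {state}")
```

A no-auth or auth-failed result matches the client-side cause described in the reply above; an authenticated result points back at the SPF record instead.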

Sorry for the late answer. In my case it was a wrong SPF entry.
