Simple-NixOS-Mailserver: Message rejected due to: SPF fail - not authorized

Hey there,
today we set up the nixos-mailserver following the setup guide.
Incoming e-mail is working fine, though when we try to send mail, we get an error that looks like:

Sending of the message failed.
An error occurred while sending mail. The mail server responded:
<ausfahrt@riseup.net>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=polygon@gaykitty.lol;ip=188.74.37.44;r=riseup.net.
Please check the message recipient "[REDACTED]" and try again.

the spf record looks like this:
gaykitty.lol descriptive text "v=spf1 a:mail.gaykitty.lol -all"

Maybe someone has experienced this before or has an idea what’s going wrong here?
Would be happy about any pointers towards having a functional mailserver.

Thanks in advance :slight_smile:

Yeah, seems like an SPF-related issue… I checked with nslookup locally and online, and using this tool to debug SPF issues, and I don't see any obvious mistake in how you configured them (also according to this doc):

However, the error message seems to mention the ip address 188.74.37.44: are you using this IP to send the email? If so no surprise it is failing as only 157.90.31.4 is allowed to send email from that domain right now.

Also, I’m thinking, DNS records take time to propagate and refresh, once you refresh your records you might need to wait some time to see it refreshed.

Ah, uhm, 157.90.31.4 is the IP of the server running the mail server. The other is the IP we tried to send the mail from, yeah. The DNS records were actually created a while ago when I also attempted setting up the mailserver.

And how do you send the email? Is it via Thunderbird or the like? I never configured an SMTP server, but I would expect your email to get the IP from the SMTP server, no? (there is maybe an option for that?)

Actually, I'm thinking: is this error sent back from riseup.net in a separate email, or do you get this error directly when you send the email? I just discovered the option mailserver.policydSPFExtraConfig, which says:

Extra configuration options for policyd-spf. This can be used
to among other things skip SPF checking for some IP addresses.

So maybe your server is performing an SPF check before even sending the email? What do you see in the journalctl -e logs when you send an email? I'm also curious to see what happens if you write:

mailserver.policydSPFExtraConfig = ''
  skip_addresses = 0.0.0.0/32
'';

EDIT

I can see here a line /^X-Originating-IP:/ IGNORE that seems to drop the IP of the client sending the email… so it seems likely that you actually get this error even before sending the email, and the above config might solve the issue (but as I told you, I'm not an expert when it comes to emails).

Hey, thanks for your reply. Could’ve thought of checking the logs, but there was a lot of other stuff going on. Never really fiddled with mailservers either.
Yeah, we tried sending the mail via Thunderbird and got this error before the mail was even sent. In the server logs there's a warning about some system hostname of our ISP not matching our public IP, so even with setting this SPF policy the host is not authorized to send mail because of this mismatch? (We actually have no clue how SPF works.)
The log looks like this:

Jan 13 22:23:51 rosa-luxemburg postfix/smtpd[1391569]: warning: hostname customer.fra-0.netz.goetel.net does not resolve to address 188.74.37.44: Name or service not known
Jan 13 22:23:51 rosa-luxemburg postfix/smtpd[1391569]: connect from unknown[188.74.37.44]
Jan 13 22:23:51 rosa-luxemburg rspamd[2808685]: <5af151>; proxy; proxy_accept_socket: accepted milter connection from /run/rspamd/rspamd-milter.sock port 0
Jan 13 22:23:51 rosa-luxemburg postfix/smtpd[1391569]: Anonymous TLS connection established from unknown[188.74.37.44]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256
Jan 13 22:23:52 rosa-luxemburg policyd-spf[1391577]: : 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=polygon@gaykitty.lol;ip=188.74.37.44;r=riseup.net
Jan 13 22:23:52 rosa-luxemburg postfix/smtpd[1391569]: NOQUEUE: reject: RCPT from unknown[188.74.37.44]: 550 5.7.23 <[some email]>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=polygon@gaykitty.lol;ip=188.74.37.44;r=riseup.net; from=<polygon@gaykitty.lol> to=<[some email]> proto=ESMTP helo=<[192.168.4.20]>
Jan 13 22:23:53 rosa-luxemburg kernel: refused connection: IN=enp1s0 OUT= MAC=96:00:02:c4:67:0c:d2:74:7f:6e:37:e3:08:00 SRC=162.216.18.241 DST=157.90.31.4 LEN=44 TOS=0x00 PREC=0x00 TTL=238 ID=54321 PROTO=TCP SPT=42849 DPT=25060 WINDOW=65535 RES=0x00 SYN URGP=0

Ok thanks. So what happens if you include the code I provided above? (Just fixed)

it actually did not change anything at all :confused:

Hum… I’m running out of ideas, so maybe wait for someone better qualified. I asked a question here SPF: how to cleanly allow thunderbird mail client (#274) · Issues · simple-nixos-mailserver / nixos-mailserver · GitLab but got no answer so far.

You might be able to solve your issue in a dirty way by using ~all or +all instead of -all, but I would be afraid that servers would consider the emails as spam more easily, and it would maybe allow anyone to send emails with your name… (maybe enable DKIM & DMARC as specified in the doc to limit this issue?) but in any case it might be worth changing temporarily to see what happens.

You might be able to solve your issue in a dirty way by using ~all or +all instead of -all

I'm not sure it's that dirty: a lot of big mail providers seem to use ~all to only mark mails instead of failing them. (They also seem to allow failing messages to pass instead of respecting SPF.)

Ah, uhm, 157.90.31.4 is the IP of the server running the mail server. The other is the IP we tried to send the mail from, yeah. The DNS records were actually created a while ago when I also attempted setting up the mailserver.

Does this IP still appear in error messages? Since your DNS record for mail.gaykitty.lol has propagated, it shouldn't :thinking:

You could also try to directly put your IP instead of the domain: v=spf1 ip4:157.90.31.4 -all or v=spf1 ip4:157.90.31.4 ~all
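To make the behaviour of the records discussed in this thread concrete, here is a small SPF evaluator I added (not code from the thread or from nixos-mailserver). It covers the `a:`, `ip4:` and `all` terms with the `+`, `~` and `-` qualifiers; DNS is replaced by a constructed table (`FAKE_DNS_A`) holding the 157.90.31.4 answer for mail.gaykitty.lol quoted above, so it runs offline, and `check_spf` is my own name.

```python
"""Minimal SPF evaluator for the records discussed in this thread.

Supports the mechanisms that appear on the page: 'a:<host>', 'ip4:<addr>[/len]'
and the 'all' terminator with '+', '~', '-' and '?' qualifiers. DNS is replaced
by a constructed lookup table so the example runs offline; the 157.90.31.4
answer for mail.gaykitty.lol is taken from the thread, not from a live query.
"""
import ipaddress

# Constructed stand-in for DNS A lookups (values from the thread, not live DNS).
FAKE_DNS_A = {"mail.gaykitty.lol": ["157.90.31.4"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def resolve_a(host):
    """Look up A records in the constructed table (empty list if unknown)."""
    return FAKE_DNS_A.get(host, [])


def check_spf(record, client_ip, domain="gaykitty.lol"):
    """Return the SPF result for client_ip: pass, fail, softfail, neutral or none."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # 'all' always matches
        if name == "a":
            host = arg or domain
            matched = any(ipaddress.ip_address(a) == ip for a in resolve_a(host))
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError(f"unsupported mechanism: {name}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' present (RFC 7208 default)
```

Running it with the client IP from the error (188.74.37.44) against `v=spf1 a:mail.gaykitty.lol -all` gives `fail`, which is exactly what policyd-spf reported; the same IP against the `~all` variant gives `softfail`, matching the Received-SPF: Softfail header quoted later in the thread.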

Isn't it an issue on the receiver SMTP server?

As the policydSPF config is for mail received by gaykitty.lol and not for mail received by riseup.net, it can't solve the issue, can it?

It is hard to tell: my understanding was that the gaykitty server will receive the email via SMTP and forward it to the destination, acting as an MTA server, again using SMTP. Since the SPF logs are present in the gaykitty server, I was expecting the error to occur at step one, but I'm not sure. You might be right actually, since ausfahrt@riseup appears at the beginning of the line. But then I don't understand why riseup sees the IP of the Thunderbird client instead of the IP of gaykitty.

But when a server acts as an MTA, like here, the server first needs to receive the email before forwarding it, so shouldn't this setting apply here as well?

But shouldn't the gaykitty server replace the IP of the sender with its own IP? If not, I don't really get the point of SPF if all messages are flagged as spam anyway ^^'

But shouldn't the gaykitty server replace the IP of the sender with its own IP? If not, I don't really get the point of SPF if all messages are flagged as spam anyway ^^'

Oh, sorry, I misunderstood. I thought that the gaykitty.lol server was first deployed with one IP, then with another.

@dasPolygon is it possible to share your mailserver configuration?
Have you tried with another mail client (to see if the Thunderbird config leads to this issue)?

Hey, I've had corona so I've not really been able to catch up.
You can find the config module here: config module for polygon's mailserver · GitHub

@tobiasBora @koalp it works after we set the flag in the txt record to ~all.
Thank you for helping with troubleshooting this :sweat_smile:

Though it seems to be quite dirty indeed, looking at the headers of the mail:

Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=188.74.37.39; helo=[192.168.4.20]; envelope-from=polygon@gaykitty.lol; receiver=riseup.net 

[...]

Received: from [192.168.4.20] (unknown [188.74.37.39])
	by mail.gaykitty.lol (Postfix) with ESMTPSA id 1D80123F2ED
	for <ausfahrt@riseup.net>; Mon, 12 Feb 2024 17:30:49 +0100 (CET)