Mail Forwarding and SPF
Today, a year and a half after we started hard filtering on SPF, a new problem: our mail server was rejecting genuine email from us because we had an SPF record.
"How?!" you ask.
Well thereby hangs a tale. My dad has a BT Internet account for his broadband but we host his domain and email address, forwarding email for him to his BT Internet mailbox. This works fine ... well, until his PC starts to die under the weight of cruft that has ended up on there due to a combination of dubious people and his innocence of the dangers of the Internet. It was while looking into this that I discovered that he was reading his email via POP so it only existed on his PC.
Luckily my nephew, who's a lot closer to Dad geographically than me, managed to recover his PC without any loss of data but in the meantime I decided it was time to start hosting his email on our server and switch him to IMAP to access it so that it stays there.
Now although 99% of his email goes to the email address we set up for him he still needs to read email to his @btinternet.com email address, rare though that is (I suspect it's pretty much 100% from BT now) so I told BT via their control panel to forward email to his real email address.
Super. That should work then ...
No. What happened was that I mailed his @btinternet.com email address, it was forwarded by BT back to our server for delivery, and we bounced it as it failed SPF. Our SPF record says we only send email from our servers and here was an email where the envelope said it was from me but the originating SMTP server was BT.
This is a known issue and is discussed in the SPF FAQ where it says that:
(the forwarder) [so BT in this case] will have to switch from forwarding, where the envelope sender is preserved, to remailing, where the envelope sender is changed.
but notes that:
If your forwarding runs through a commercial service like pobox.com, you shouldn't have to do anything. They have to change with the times, and perform the above rewriting automatically for you.
Weeell, sadly not in the case of BT. I did have an online chat with one of their guys. The only suggestion he had was to do it client side "from outlook".
Luckily there is a solution. It's not very elegant but it does work: you whitelist BT's SMTP server in SPF checking. It's easy to do. You simply edit /etc/postfix-policyd-spf-python/policyd-spf.conf and add BT's IP address to the Whitelist config option.
The biggest catch to this is that it relies on an IP address (18.104.22.168, it seems) to identify BT's server. I'm worried that they might have more than one. It also might change in future ... to IPv6 maybe.
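To make the failure and the two fixes concrete, here is an added Python model (not the post's code and not the policyd-spf implementation) of the sequence described above: a direct delivery passes SPF, the same envelope sender arriving from the forwarder's IP fails, an IP whitelist makes the policy daemon skip the check, and "remailing" (an SRS-style rewrite of the envelope sender into the forwarder's domain) lets the message pass against the forwarder's own record instead. The domains, IPs and SPF records are constructed for the example; the evaluator only understands ip4: mechanisms and the all qualifier, and the SRS address shape is simplified.

```python
"""Toy model of why mail forwarding breaks SPF and how the two fixes behave.

Added illustration, not the blog post's own code and not the policyd-spf
implementation. All domains, IPs and SPF records are constructed examples.
"""
import ipaddress

# Constructed "DNS": domain -> SPF TXT record.
SPF_RECORDS = {
    # Our domain: only our own mail server may send for it.
    "example.org": "v=spf1 ip4:203.0.113.10 -all",
    # The forwarder (BT in the post): its own outbound range.
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(envelope_sender, client_ip):
    """Evaluate the envelope sender's SPF record against the connecting IP.

    Handles only 'ip4:' mechanisms and 'all'; returns 'none' if no record.
    """
    domain = envelope_sender.rsplit("@", 1)[-1]
    record = SPF_RECORDS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return RESULT_FOR_QUALIFIER[qualifier]
        elif term == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


def policy_action(envelope_sender, client_ip, whitelist=()):
    """Mimic a Postfix SPF policy daemon with an IP whitelist.

    A whitelisted client IP skips the SPF check entirely (this is what the
    Whitelist option in the post achieves); otherwise a hard 'fail' rejects.
    """
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(w, strict=False) for w in whitelist):
        return "DUNNO (whitelisted client)"
    result = check_spf(envelope_sender, client_ip)
    return "REJECT" if result == "fail" else f"DUNNO ({result})"


def srs_rewrite(envelope_sender, forwarder_domain):
    """Remail instead of forward: rewrite the envelope sender into the
    forwarder's domain so SPF is checked against the forwarder's record.

    Simplified SRS-like shape; real SRS adds a hash and timestamp so the
    forwarder can verify bounces before relaying them back.
    """
    local, domain = envelope_sender.split("@", 1)
    return f"SRS0={domain}={local}@{forwarder_domain}"


if __name__ == "__main__":
    me = "me@example.org"
    # Direct delivery from our own server: passes.
    print("direct   :", check_spf(me, "203.0.113.10"))
    # Same envelope sender, but arriving from the forwarder: fails, so rejected.
    print("forwarded:", policy_action(me, "198.51.100.5"))
    # Fix 1 from the post: whitelist the forwarder's IP in the policy daemon.
    print("whitelist:", policy_action(me, "198.51.100.5", whitelist=["198.51.100.5"]))
    # Fix 2 from the SPF FAQ: the forwarder remails with a rewritten sender.
    print("remailed :", check_spf(srs_rewrite(me, "forwarder.example"), "198.51.100.5"))
```

The model also shows the trade-off the post hints at: the whitelist skips SPF for every message that IP relays, whichever domain it claims to be from, so it is only as trustworthy as the forwarder behind that address, and it silently stops working if the forwarder's address changes. Remailing keeps SPF checking intact but depends on the forwarder doing the rewrite.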
Tags: family, internet, linux, spam. Written 10/04/18.