6

I have a mail server "example.com" which forwards all emails with recipient "me@example.com" to "me@gmail.com". My mail server runs Postfix and it uses the virtual_alias_maps mechanism to perform the forwarding. I also have SPF records installed for "example.com":

```
v=spf1 a include:aspmx.googlemail.com ~all
```

The problem is, whenever someone delivers mail to "me@example.com", Gmail validates the example.com SPF records against example.com's IP address! I thought it's supposed to validate against the original sender's IP address.

For example, I'm on my laptop on my home Internet connection. I connect to example.com's mail server as follows:

```
$ telnet example.com 25
220 example.com ESMTP Postfix (Debian/GNU)
HELO my-laptop.local
250 example.com
MAIL FROM:<me@gmail.com>
250 2.1.0 Ok
RCPT TO:<me@example.com>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: me@gmail.com
To: me@example.com
Subject: test

test
.
250 2.0.0 Ok: queued as CE5F42200F9
```

Now when I open that mail in Gmail and view its source, I see the following headers:

```
Delivered-To: me@gmail.com
Received: by 10.231.219.195 with SMTP id hv3csp61494ibb;
        Sat, 14 Jul 2012 02:15:58 -0700 (PDT)
Received: by 10.229.135.5 with SMTP id l5mr2360326qct.5.1342257358291;
        Sat, 14 Jul 2012 02:15:58 -0700 (PDT)
Return-Path: <me@gmail.com>
Received: from example.com [EXAMPLE.COM's IP ADDRESS HERE]
        by mx.google.com with ESMTP id u9si4262071qcv.89.2012.07.14.02.15.58;
        Sat, 14 Jul 2012 02:15:58 -0700 (PDT)
Received-SPF: neutral (google.com: [EXAMPLE.COM's IP ADDRESS HERE] is neither permitted nor denied by domain of me@gmail.com) client-ip=[EXAMPLE.COM's IP ADDRESS HERE];
Authentication-Results: mx.google.com; spf=neutral (google.com: [EXAMPLE.COM's IP ADDRESS HERE] is neither permitted nor denied by domain of me@gmail.com) smtp.mail=me@gmail.com
Date: Sat, 14 Jul 2012 02:15:58 -0700 (PDT)
Message-Id: <500138ce.c995e50a.6e4a.ffffd12aSMTPIN_ADDED@mx.google.com>
Received: from my-laptop.local ([LAPTOP's IP ADDRESS HERE])
    by example.com (Postfix) with SMTP id CE5F42200F9
    for <me@example.com>; Sat, 14 Jul 2012 09:15:44 +0000 (UTC)
From: me@gmail.com
To: me@example.com
Subject: test
```

As you can see in Received-SPF and Authentication-Results, the SPF records are being validated against [EXAMPLE.COM's IP ADDRESS] instead of [LAPTOP's IP ADDRESS].

Why does this happen, and how do I fix this problem?

Hongli Lai
  • This is the correct behavior. There's no point in checking the laptop's IP address -- that wouldn't check if the mail was sent through the correct server. (The laptop's IP address tells you nothing about whether its user is authorized to use `@example.com` email addresses.) – David Schwartz Jul 14 '12 at 09:31

1 Answer

10

Google [or anyone else] will validate SPF against the IP address they see connecting to them. In that case it'll be the IP address of your Postfix server; you cannot fix it - it's by design.

By design, SPF has an 'issue' with forwarding unless the message is 'repackaged' and the sender address rewritten to that of the forwarder.

pQd
  • How do I set up SRS in Postfix? After a few Google searches I've only found a bunch of 2008 articles that tell me Postfix doesn't support it. – Hongli Lai Jul 14 '12 at 09:49
  • Sorry, I know only as much as googling for postfix srs returns. – pQd Jul 14 '12 at 09:55
  • There is a guide here: http://blog.phusion.nl/2012/09/10/mail-in-2012-from-an-admins-perspective/ - Although that didn't solve the issue for me – troelskn Aug 20 '13 at 13:55
  • Correction - It did work. See full details here: http://serverfault.com/questions/532298/why-is-google-rejecting-mails-forwarded-from-my-postfix-server – troelskn Aug 20 '13 at 18:46
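
The forwarding behaviour discussed in this thread, as an added example that is not part of the original posts: a small SPF evaluator (only the `a`, `ip4`, `include` and `all` mechanisms) shows why the receiver's verdict depends on the forwarder's IP and the envelope sender's domain, and how an SRS-style rewrite changes the domain being checked. Only the `example.com` SPF record comes from the question; the other records, the IP addresses, the secret and the function names are constructed, and the SRS hash and timestamp encoding is simplified.

```python
import base64, hashlib, hmac, ipaddress, time

# Constructed DNS data. Only the example.com SPF record is from the question;
# the other records and all IP addresses are documentation-range placeholders.
SPF = {
    "example.com": "v=spf1 a include:aspmx.googlemail.com ~all",
    "aspmx.googlemail.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "gmail.com": "v=spf1 ip4:192.0.2.0/24 ?all",
}
A = {"example.com": "203.0.113.10"}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate(domain, ip):
    """Evaluate a subset of SPF (a, ip4, include, all) for one client IP."""
    record = SPF.get(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            hit = True
        elif name == "a":
            hit = A.get(arg or domain) == ip
        elif name == "ip4":
            hit = ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
        elif name == "include":
            hit = evaluate(arg, ip) == "pass"
        else:
            hit = False  # mechanisms outside this subset never match here
        if hit:
            return RESULT[qual]
    return "neutral"

def receiver_check(connecting_ip, envelope_from):
    """A receiver only knows the peer IP of its own SMTP session."""
    return evaluate(envelope_from.rpartition("@")[2], connecting_ip)

def srs_rewrite(envelope_from, forwarder, secret=b"constructed-secret"):
    """Build an SRS0-style sender in the forwarder's domain (simplified encoding)."""
    local, _, domain = envelope_from.rpartition("@")
    stamp = format(int(time.time() // 86400) % 1024, "03x")
    mac = hmac.new(secret, f"{stamp}{domain}{local}".lower().encode(), hashlib.sha1)
    tag = base64.b64encode(mac.digest()).decode()[:4]
    return f"SRS0={tag}={stamp}={domain}={local}@{forwarder}"

FORWARDER_IP = "203.0.113.10"  # stands in for [EXAMPLE.COM's IP ADDRESS HERE]
print(receiver_check(FORWARDER_IP, "me@gmail.com"))                              # neutral
print(receiver_check(FORWARDER_IP, srs_rewrite("me@gmail.com", "example.com")))  # pass
```

The laptop's address never appears as an input to `receiver_check`, which matches the `Received-SPF` header in the question: the final receiver evaluates the forwarder's IP against whatever domain is in the envelope sender at that hop.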