
So I set up ASSP and it seems to work because I'm getting mail. Yay.

But it's performing some strange SPF checks. Some domains can't send me mail, and receive an error message back.

In it is a link that says:

skerit@mydomain.be received a message from static.1.1.1.1.clients.your-server.de (1.1.1.1) from a mail server claiming to be original.oserver.be

The 1.1.1.1 IP is, in this example, the IP address of the server ASSP is running on. So it does the SPF check after it forwards the mail, or something like it.

Has anyone seen this before?

Here's some more config info on postfix & assp:

postfix -n output:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination =
myhostname = original.oserver.be
mynetworks = all
myorigin = /etc/mailname
policy-spf_time_limit = 3600s
procmail_destination_recipient_limit = 1
readme_directory = no
recipient_delimiter = +
smtp_sasl_mechanism_filter = plain, login
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policy-spf
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policy-spf
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 1012000000
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 5000
virtual_transport = procmail
virtual_uid_maps = static:5000

Here's ASSP maillog:

Nov-26-14 14:53:09 m1-09989-06885 [Worker_1] 188.93.97.14 <skerit@external.be> info: found message size announcement: 1.94 kByte
Nov-26-14 14:53:09 m1-09989-06885 [Worker_1] 188.93.97.14 <skerit@external.be> to: skerit@oserver.be [SMTP Error] 550 5.7.1 <skerit@oserver.be>: Recipient address rejected: Message rejected due to: domain owner discourages use of this host. Please see http://www.openspf.net/Why
Jelle De Loecker

1 Answer


I'm sorry: mea culpa.

Postfix ALSO still had an SPF policy in place, and since ASSP added a new address it failed. The policy has been removed and everything is working fine.

Jelle De Loecker