
We have a strange situation:

  • we receive an email with ESMTP headers in it
  • our server accepts it, it's fine
  • we import that mail in Gmail like any other emails from our boxes
  • Gmail makes an SPF check, which fails
  • Gmail uses our server IP address and mail sender domain to make that check (sic!)

We also have a similar problem with mails between local boxes (but there Gmail uses our server domain and the client's IP): Failed SPF for email imported to Gmail because of client IP instead of server's in message when sent through SMTP from one local box to another

Example:

Received-SPF: fail (google.com: domain of example@msit.gov.pl does not designate 188.40.153.39 as permitted sender) client-ip=188.40.153.39;
Authentication-Results: mx.google.com;
   spf=fail (google.com: domain of example@msit.gov.pl does not designate 188.40.153.39 as permitted sender) smtp.mail=example@msit.gov.pl

  • 188.40.153.39 is our VPS IP
  • example@msit.gov.pl is sender
  • example@webvizarts.com is receiver

More headers:

Delivered-To: example@gmail.com
Received: by 10.194.168.164 with SMTP id zx4csp522020wjb;
    Thu, 19 Feb 2015 06:26:04 -0800 (PST)
X-Received: by 10.180.219.66 with SMTP id pm2mr10333511wic.91.1424355964017;
    Thu, 19 Feb 2015 06:26:04 -0800 (PST)
Return-Path: <example@msit.gov.pl>
Received: from server.webvizarts.com  (server.webvizarts.com . [188.40.153.39])
    by mx.google.com with ESMTPS id ge6si41332059wjd.24.2015.02.19.06.26.03
    for <example@gmail.com>
    (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Thu, 19 Feb 2015 06:26:04 -0800 (PST)
Received-SPF: fail (google.com: domain of example@msit.gov.pl does not designate 188.40.153.39 as permitted sender) client-ip=188.40.153.39;
Authentication-Results: mx.google.com;
   spf=fail (google.com: domain of example@msit.gov.pl does not designate 188.40.153.39 as permitted sender) smtp.mail=example@msit.gov.pl
Received: from mx.msit.gov.pl ([77.252.152.34])
    by server.webvizarts.com  with esmtp (Exim 4.83)
    (envelope-from <example@msit.gov.pl>)
    id 1YOS3G-0003eP-T2
    for example@webvizarts.com; Thu, 19 Feb 2015 15:26:03 +0100
Received: from msit.gov.pl (unknown [192.168.10.30])
    by mx.msit.gov.pl (Postfix) with ESMTPS id 5BE2F3B64
    for <example@webvizarts.com>; Thu, 19 Feb 2015 15:24:48 +0100 (CET)
Received: from EX3.sport.local (192.168.10.30) by EX3.sport.local
 (192.168.10.30) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Thu, 19 Feb
 2015 15:22:45 +0100
Received: from EX3.sport.local ([fe80::b8ed:df29:c87:77d2]) by EX3.sport.local
 ([fe80::b8ed:df29:c87:77d2%15]) with mapi id 15.00.1044.021; Thu, 19 Feb 2015
 15:22:45 +0100
From: John Smith <example@msit.gov.pl>
To: Christopher Smith <example@webvizarts.com>
Subject: Re: Some sensitive subject
Thread-Topic: Some sensitive subject
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.168.0.102]

The title, mailbox names and people's names are obscured.

We have dovecot+exim on a Debian-based VPS.

We are looking for a solution to avoid that. Is the implementation on Gmail's side flawed, or can we do something about it?

Edit: according to the comment, it's forwarding mistakenly taken as importing.

Zbyszek
  • Maybe you should rethink your setup. You don't *import* the mailboxes on Gmail, your mailserver forwards them. You should either modify the envelope-from to a valid one (→ [Sender Rewriting Scheme](https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme), [postfix-srsd](https://github.com/roehling/postsrsd)) or import them via POP or IMAP. Or just host them yourself? And what's your goal anyway? – sebix Feb 20 '15 at 13:13
  • OK, looks like you are right - in this case it's forwarding, not importing. Changing the setup to importing instead of forwarding (or configuring proper forwarding) should be the right way to go. Add this as an answer and I will accept. – Zbyszek Feb 20 '15 at 13:24
  • possible duplicate of [Failed SPF for email imported to Gmail because of client IP instead of server's in message when sent through SMTP from one local box to another](http://serverfault.com/questions/669584/failed-spf-for-email-imported-to-gmail-because-of-client-ip-instead-of-servers) –  Feb 22 '15 at 17:37
  • Not a duplicate in my opinion. Here it's a mail from an external box. There it's between 2 local boxes. Here Gmail uses our server IP (misconfigured forwarding) for the SPF check of the sender's mail. There, during POP3 import, Gmail uses the client's IP instead of our server's for the SPF check. A solution for this one was found; for that one there are some workarounds now. – Zbyszek Feb 22 '15 at 17:48

1 Answer

5

[...]
we import that mail in Gmail like any other emails from our boxes
[...]

That's wrong, as the mail headers tell us something different:

Received: from server.webvizarts.com  (server.webvizarts.com . [188.40.153.39])
    by mx.google.com with ESMTPS id ge6si41332059wjd.24.2015.02.19.06.26.03
    for <example@gmail.com>
    (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Thu, 19 Feb 2015 06:26:04 -0800 (PST)

The emails are forwarded by server.webvizarts.com to mx.google.com for example@gmail.com. Apparently without setting the envelope-from:

Authentication-Results: mx.google.com;
   spf=fail (google.com: domain of example@msit.gov.pl does not designate 188.40.153.39 as permitted sender) smtp.mail=example@msit.gov.pl

Evidently the envelope's from is still example@msit.gov.pl.

I can think of three options you have here:

  1. Rewrite the envelope-from using the Sender Rewriting Scheme, for example with postfix-srsd.
  2. Before sending/relaying, authenticate at Gmail.
  3. Push the email to Gmail's IMAP/POP3 mailboxes from your server, or let Gmail pull them from your server (I don't know which is easier).
sebix
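
Added example (not part of the question or answer above, and not code from Exim, Gmail or postsrsd): a Python check that recognises the situation the answer describes from the quoted headers, followed by an SRS0-style envelope rewrite. The header sample is abridged from this page; the secret, the day number and the forwarder domain `webvizarts.com` are assumptions, and the rewrite is a simplified sketch of the SRS0 layout rather than a byte-compatible implementation.

```python
import base64, hashlib, hmac, re
from email import message_from_string

# Abridged copy of the headers quoted on this page (constructed sample input).
RAW = """\
Return-Path: <example@msit.gov.pl>
Received: from server.webvizarts.com (server.webvizarts.com. [188.40.153.39])
    by mx.google.com with ESMTPS id ge6si41332059wjd.24.2015.02.19.06.26.03
    for <example@gmail.com>; Thu, 19 Feb 2015 06:26:04 -0800 (PST)
Received: from mx.msit.gov.pl ([77.252.152.34])
    by server.webvizarts.com with esmtp (Exim 4.83)
    (envelope-from <example@msit.gov.pl>)
    id 1YOS3G-0003eP-T2
    for example@webvizarts.com; Thu, 19 Feb 2015 15:26:03 +0100

(body omitted)
"""

def forwarded_unrewritten(raw):
    """True if the host that handed the mail to the final MX had itself received
    it with the same envelope sender, i.e. it forwarded without rewriting."""
    msg = message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    sender = (msg["Return-Path"] or "").strip("<> ")
    relay = re.search(r"from (\S+)", hops[0]) if hops else None
    for hop in hops[1:]:
        by = re.search(r"\bby (\S+)", hop)
        env = re.search(r"envelope-from <([^>]+)>", hop)
        if relay and by and env and by.group(1) == relay.group(1) \
                and env.group(1).lower() == sender.lower():
            return True
    return False

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def srs0(sender, forwarder_domain, secret, day):
    """SRS0-style rewrite: SRS0=<hash>=<timestamp>=<orig-domain>=<local>@<forwarder>.
    Simplified sketch; not guaranteed byte-compatible with any SRS daemon."""
    local, domain = sender.rsplit("@", 1)
    d = day % 1024                        # days since epoch, 10 bits
    ts = B32[d >> 5] + B32[d & 31]        # two base32 characters
    mac = hmac.new(secret, f"{ts}{domain}{local}".lower().encode(), hashlib.sha1)
    tag = base64.b64encode(mac.digest()).decode()[:4]
    return f"SRS0={tag}={ts}={domain}={local}@{forwarder_domain}"

if __name__ == "__main__":
    print(forwarded_unrewritten(RAW))
    # "placeholder-secret" and day 16485 (2015-02-19) are constructed values.
    print(srs0("example@msit.gov.pl", "webvizarts.com", b"placeholder-secret", 16485))
```

With the rewritten address as envelope sender, the receiving side evaluates SPF for the forwarder's domain, so that domain's SPF record has to list the forwarding host's IP.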