Postfix with SPF bouncing email forwarded by gandi SMTP

Tags: postfix, smtp, spf

Description

I have a postfix/spf misconfiguration.

I have a YunoHost handling mydomain.org (DNS and SMTP/IMAP)

I have superdomain.com registered at gandi. I left the MX records pointing at gandi's mail server, and in the superdomain.com admin console I created a mailbox that basically forwards every incoming email to myname.superdomain.com@mydomain.org

And then I received this: http://www.openspf.org/Why?s=mfrom;id=bounce%2Ba6360a.8e06-myname%3Dsuperdomain.com%40slack.com;ip=12.13.14.15;r=10.0.3.1;

This was an invitation to slack for that mailbox (myname@superdomain.com) which was forwarded to myname.superdomain.com@mydomain.org

The log is:

/var/log/mail.log.1:Sep 17 15:58:26 yunaufs postfix/smtpd[24656]: NOQUEUE: reject: RCPT from relay5-d.mail.gandi.net[217.70.183.197]: 550 5.7.1 <myname.superdomain.com@mydomain.org> : Recipient address rejected: Please see http://www.openspf.org/Why?s=mfrom;id=bounce%2Ba6360a.8e06-myname%3Dsuperdomain.com%40slack.com;ip=12.13.14.15;r=10.0.3.1; from=<bounce%2Ba6360a.8e06-myname=superdomain.com@slack.com to=<myname.superdomain.com@mydomain.org> proto=ESMTP helo=<relay5-d.mail.gandi.net>

10.0.3.1 is the YunoHost server (running in an LXC container, with all ports forwarded to that container).

Question

What misconfiguration is it? Do I need to update SPF on my server to let the email through? Or is it a postfix configuration?

Constraints by domain

The only things I can do on superdomain.com are to edit DNS records and to choose which address the email is redirected to. I can't control the way it handles the envelope and forwarding. But I do have full control over the DNS (bind9) and the SMTP/greylisting/spam filter of mydomain.org.

Some ideas I had

I've been using this setup for years now, but once in a while I get errors like this that seem to be edge cases, and I would like to fix it once and for all.
I thought maybe I should just accept all the mail from relay5-d.mail.gandi.net? Or can I limit relaying from these servers to specific domains/emails only?

So if you have any insight on this, please share it. I don't really know postfix, and I don't want to mess it up and then become a spam relay because I loosened security.

Best Answer

It looks like the forwarding server is forwarding with the same envelope sender as the original mail, and therefore the mail arriving at the mydomain.org mail server is arriving with a @slack.com envelope sender.

And slack.com has set up an SPF record that does not include the gandi.net mail servers. Therefore the SPF check on the mydomain.org mail server will fail.

So you will either have to try to enable SRS (Sender Rewriting Scheme) on superdomain.com (this would have changed the envelope sender of the mail to a @superdomain.com address, while still allowing bounces), or set the forward up to send as the myname@superdomain.com address, or as a last resort disable the SPF check on the mydomain.org server (possibly only for mails to the address used to forward on the gandi.net server).

If you change the forward to use a superdomain.com address, you should also add an SPF record for that domain specifying which servers are allowed to send mails for that domain.
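Added example, not code from the question or the answer: a minimal SRS0 rewrite and reverse in Python, showing how a forwarder could turn the @slack.com envelope sender from the log into a @superdomain.com address (so the receiving server's SPF check looks up superdomain.com's record instead of slack.com's) while bounces can still be mapped back to the original sender. The secret key, the day counter values and the 21-day validity window are constructed for the example; the layout SRS0=hash=timestamp=domain=local and the HMAC/base32 encoding follow the SRS0 scheme, and the example also handles an original local part that itself contains "=".

```python
import base64
import hashlib
import hmac

# Constructed secret for the example; a real forwarder uses its own random key.
SRS_SECRET = b"example-secret-not-for-production"
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _timestamp(day: int) -> str:
    # Two base32 characters encoding (days since epoch) mod 1024.
    return BASE32[(day >> 5) & 31] + BASE32[day & 31]


def _hash(secret: bytes, *parts: str) -> str:
    # Truncated HMAC over timestamp + original domain + original local part.
    mac = hmac.new(secret, "".join(parts).lower().encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]


def srs_forward(sender: str, forward_domain: str, day: int,
                secret: bytes = SRS_SECRET) -> str:
    """Rewrite the envelope sender so that it belongs to the forwarding domain."""
    local, domain = sender.rsplit("@", 1)
    ts = _timestamp(day)
    return f"SRS0={_hash(secret, ts, domain, local)}={ts}={domain}={local}@{forward_domain}"


def srs_reverse(address: str, today: int, secret: bytes = SRS_SECRET,
                max_age_days: int = 21) -> str:
    """Check an SRS0 address (hash and age) and recover the original sender."""
    local, _ = address.rsplit("@", 1)
    if not local.startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    # maxsplit=3 keeps any '=' that was part of the original local part.
    h, ts, domain, orig_local = local[5:].split("=", 3)
    if not hmac.compare_digest(h, _hash(secret, ts, domain, orig_local)):
        raise ValueError("bad SRS hash")
    age = (today - ((BASE32.index(ts[0]) << 5) | BASE32.index(ts[1]))) % 1024
    if age > max_age_days:
        raise ValueError("SRS timestamp expired")
    return f"{orig_local}@{domain}"


if __name__ == "__main__":
    # Envelope sender taken from the question's log line; day 20000 is constructed.
    original = "bounce+a6360a.8e06-myname=superdomain.com@slack.com"
    rewritten = srs_forward(original, "superdomain.com", 20000)
    print(rewritten)
    print(srs_reverse(rewritten, 20003))
```

A bounce sent to the rewritten address would be accepted by superdomain.com's mail server, verified with srs_reverse, and relayed to the original sender; an address with a wrong hash or an expired timestamp is refused.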
