Bounced emails from Mail Boxes accounts

sgrayban
Posts: 60
Joined: Wed Jul 12, 2006 9:53 am

Post by sgrayban »

I'm getting bounced emails being sent from my "Mail Boxes" account.
This is the mail system at host mail2.rollernet.us.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<abuse[at]x>: host mta1.borgnet.us[71.32.15.193] said: 550 5.7.1 Rejected due to SPF policy for sender sgrayban[at]rollermail.us (in reply to end of DATA command)
-- Scott
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada
Contact:

Post by RollerNetSupport »

How is it being sent? The SPF record for "rollermail.us" only lists 208.79.240.5 as a permitted sender.
Technical Support support@rollernet.us
Roller Network LLC

Post by sgrayban »

Headers from sent email.....
Received: from mail2.rollernet.us (localhost [127.0.0.1])
    by mail2.rollernet.us (Postfix) with ESMTP id 69F1C304C472
    for <abuse[at]borgnet.us>; Fri, 12 Sep 2008 19:15:44 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mail2.rollernet.us
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=HTML_MESSAGE
    autolearn=disabled version=3.2.5
Received: from smtpauth.rollernet.us (smtpauth.rollernet.us [208.79.240.5])
    (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mail2.rollernet.us (Postfix) with ESMTP
    for <abuse[at]borgnet.us>; Fri, 12 Sep 2008 19:15:44 -0700 (PDT)
Received: from smtpauth.rollernet.us (localhost.localdomain [127.0.0.1])
    by smtpauth.rollernet.us (Postfix) with ESMTP id 8E361594002
    for <abuse[at]borgnet.us>; Fri, 12 Sep 2008 19:15:41 -0700 (PDT)
Received: from borgnet.us (www.borgnet.us [71.32.15.193])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    (Authenticated sender: sgrayban[at]rollermail.us)
    by smtpauth.rollernet.us (Postfix) with ESMTP
    for <abuse[at]borgnet.us>; Fri, 12 Sep 2008 19:15:38 -0700 (PDT)

Looks like "smtpauth.rollernet.us" is throwing out its "localhost" as the real domain with the IP 127.0.0.1. That's what I see when I look at the headers which is what SPF is rejecting on.
-- Scott

Post by sgrayban »

Our complete mail log of this....
Sep 13 02:16:05 borgnet milter-greylist: m8D2Flg8008551: skipping greylist because address 208.79.241.2 is whitelisted, (from=<sgrayban[at]rollermail.us>, rcpt=<abuse[at]borgnet.us>, addr=208.79.241.2)
Sep 13 02:16:05 borgnet sendmail[8551]: m8D2Flg8008551: from=<sgrayban[at]rollermail.us>, size=2430, class=0, nrcpts=1, msgid=<48CB224A.7080105@rollermail.us>, proto=ESMTP, daemon=IPv4, relay=mail2.rollernet.us [208.79.241.2]
Sep 13 02:16:05 borgnet sendmail[8551]: m8D2Flg8008551: Milter add: header: X-Virus-Scanned: ClamAV version 0.94, clamav-milter version 0.94 on borgnet.us
Sep 13 02:16:05 borgnet sendmail[8551]: m8D2Flg8008551: Milter add: header: X-Virus-Status: Clean
Sep 13 02:16:06 borgnet sendmail[8551]: m8D2Flg8008551: Milter insert (1): header: X-SenderID: Sendmail Sender-ID Filter v0.2.14 mta1.borgnet.us m8D2Flg8008551
Sep 13 02:16:06 borgnet sendmail[8551]: m8D2Flg8008551: Milter insert (1): header: Authentication-Results: mta1.borgnet.us from=sgrayban[at]rollermail.us; sender-id=fail (NotPermitted); spf=fail (NotPermitted)
Sep 13 02:16:06 borgnet sendmail[8551]: m8D2Flg8008551: Milter: data, reject=550 5.7.1 Rejected due to SPF policy for sender sgrayban@rollermail.us
Sep 13 02:16:06 borgnet sendmail[8551]: m8D2Flg8008551: to=<abuse[at]borgnet.us>, delay=00:00:01, pri=32430, stat=Rejected due to SPF policy for sender sgrayban[at]rollermail.us
-- Scott

Post by RollerNetSupport »

Technically, SPF only works on direct MTA connections, not on hops further down the line unless your MTA or filter package has the ability to ignore certain layers of headers. In this case, the SPF fail result was most likely because your filter expected to find the IP for mail2.rollernet.us in the SPF record for rollermail.us, but it won't because mail2 is not a designated originating server.

The 127.0.0.1 headers you see when mail passes through our system are the filtering mechanism reconnecting to itself in order to do real-time filtering.
Technical Support support@rollernet.us
Roller Network LLC

Post by sgrayban »

208.79.241.2 should be in your SPF records if you are going to follow RFC properly.
-- Scott

Post by RollerNetSupport »

No, because mail2.rollernet.us is forbidden from originating messages. It is relay-only. If you can point out the section of the RFC that requires this we'll consider it.
Technical Support support@rollernet.us
Roller Network LLC

Post by sgrayban »

SPF specifically asks if any email is to be relayed through another server it *MUST* be included -- see http://old.openspf.org/wizard.html -- and since your mailboxes are considered a relay since you offer that service you must include 208.79.241.2 in the SPF.
-- Scott

Post by RollerNetSupport »

The servers mail/mail2 do not send mail. Send a message to a gmail or yahoo account and check the headers.
Technical Support support@rollernet.us
Roller Network LLC

Post by sgrayban »

RollerNetSupport wrote: "No, because mail2.rollernet.us is forbidden from originating messages. It is relay-only. If you can point out the section of the RFC that requires this we'll consider it."

I just did. SPF requires even RELAY IPs to be included. Originating and relay are not the same.
-- Scott

Post by RollerNetSupport »

The servers mail/mail2 are not relaying for the SMTP AUTH server.
Technical Support support@rollernet.us
Roller Network LLC

Post by RollerNetSupport »

Why are you trying to check SPF on your server when you aren't accepting connections directly? You should not be checking SPF when all mail will appear to be coming from our servers. SPF checks only work properly if you accept directly, not behind a relay. This will cause any SPF check to fail, not just ours.
Technical Support support@rollernet.us
Roller Network LLC

Post by sgrayban »

Not all email is coming from your server -- only certain domains are, like borgnet.us; other domains I have here do not use rollernet.
-- Scott

Post by RollerNetSupport »

Then you can prove this to yourself: send a message from the hosted mail box to another domain. It'll come back as SPF "pass".

There really isn't much we can do; you're doing something that is known to break SPF. If you like, we can send an email from hotmail.com which has SPF records (but in "softfail") and you should see a "softfail" from hotmail. If what you're trying to get us to do is correct, and the relay of a domain should be in that domain's SPF records, how would we get hotmail.com to add our mail servers to their SPF? (The correct answer is we have no business being in hotmail's SPF records.)

The openspf.org website explicitly covers your situation with us handing off mail in the middle and how it won't work:
Processing SPF policies at the border

SPF is designed to work at the border of your network. Some server, which you may not know, is contacting your server. Can you trust it? An SPF policy designates (or not!) that server as an authorized source for email from $domain.

Now consider what happens if you process an SPF policy somewhere else in your network. For example: one host receives all mail and then relays it to a central mail server. Should you process SPF policies on that central mail server, it will see your other host as the source. Chances are this other host is not authorized by someone else's SPF policy!

Example:

user@example.com sends his mail via mailhost.example.com and this host is authorized in example.com's SPF policy (v=spf1 a:mailhost.example.com -all).

Your organization receives mail at mailhost.receiver.example (your MX server). Maybe it looks at example.com's SPF record, finds that mailhost.example.com is authorized, and all is well.

Then the message is relayed to mailcentral.receiver.example; if this server looks at the SPF record again, the sending host will be mailhost.receiver.example which is not authorized!

http://www.openspf.org/FAQ/Common_receiver_mistakes
Technical Support support@rollernet.us
Roller Network LLC
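
Added example, not part of the thread or either poster's code: a Python sketch of why the check on borgnet's server fails against the relay's address and passes once the trusted relay hop is skipped, using the IPs and Received headers quoted above. The SPF record string (including its "-all" qualifier), the trusted-relay list and the function names are assumptions made for illustration; the evaluator handles only ip4: and all.

```python
import ipaddress
import re

# Constructed record: the thread says rollermail.us lists only 208.79.240.5;
# the "-all" qualifier is an assumption consistent with the "fail" result.
SPF_RECORD = "v=spf1 ip4:208.79.240.5 -all"
# Relay the receiver knowingly sits behind (mail2.rollernet.us in the mail log).
TRUSTED_RELAYS = [ipaddress.ip_network("208.79.241.2/32")]
# "from" clauses of the Received headers quoted in the thread, newest first.
RECEIVED = [
    "from mail2.rollernet.us (localhost [127.0.0.1])",
    "from smtpauth.rollernet.us (smtpauth.rollernet.us [208.79.240.5])",
    "from smtpauth.rollernet.us (localhost.localdomain [127.0.0.1])",
    "from borgnet.us (www.borgnet.us [71.32.15.193])",
]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def spf_check(record, ip):
    """Simplified SPF: evaluates ip4: and all only (no DNS, include, a, mx)."""
    addr = ipaddress.ip_address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return results[qual]
        elif mech == "all":
            return results[qual]
    return "neutral"

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in TRUSTED_RELAYS)

def border_ip(connecting_ip, received):
    """IP that SPF should be evaluated against at the real network border."""
    if not is_trusted(connecting_ip):
        return connecting_ip                 # direct delivery: check the peer
    for header in received:                  # walk back through trusted hops
        match = IP_RE.search(header)
        if match and not is_trusted(match.group(1)):
            # First outside address; it was recorded by a trusted relay.
            return match.group(1)
    return None

if __name__ == "__main__":
    print("peer 208.79.241.2:", spf_check(SPF_RECORD, "208.79.241.2"))
    hop = border_ip("208.79.241.2", RECEIVED)
    print("border hop", hop + ":", spf_check(SPF_RECORD, hop))
```

Only headers written by hosts in the trusted list are believed, so the walk stops at the first address outside it.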

Post by sgrayban »

I disagree with your logic and how you are wanting to twist the SPF RFC, but it's your network and I will not use your mailbox service anymore since it's broken.
-- Scott