
This has me rather confused. I've checked my dns, postfix configurations etc...and it all seems fine. And, it works. I can send to gmail etc... and my spf, dkim and dmarc records all pass.

The issue is this:

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, permit_auth_destination, 
reject_unauth_destination, check_policy_service unix:private/policyd-spf

works fine. Because policyd-spf doesn't check any emails from my domain. But let's say I want it to check all emails so I set it up as:

smtpd_recipient_restrictions = reject_unauth_destination, check_policy_service unix:private/policyd-spf

that's when I get the spf fail - not authorized issue. But...if I set it up as:

smtpd_recipient_restrictions = reject_unauth_destination

Postfix has no problems sending emails from my domain and sending to gmail etc...works as expected.

I read through https://www.rfc-editor.org/rfc/rfc7208.html trying to figure it out, and thought maybe it was the HELO, as when I send using Outlook the HELO defaults to my account name. So in /etc/postfix-policyd-spf-python/policyd-spf.conf I added HELO_reject = No_Check as per https://manpages.debian.org/testing/postfix-policyd-spf-python/policyd-spf.conf.5.en.html, and that didn't fix it. My MX record is:

@               IN  MX        10      mail.example.com.

My spf record is:

@                IN        TXT   ( "v=spf1 ip4:255.255.255.255 -all" )

And in postfix main.cf I have:

smtpd_banner = $mydomain ESMTP (Ubuntu)
mydomain = example.com
myhostname = mail.example.com
myorigin = $mydomain

because the machine name is just "example".

Maybe I'm just missing the obvious here?

Here's what the log says:

policyd-spf[2599481]: Config: {'debugLevel': 5, 'HELO_reject': 'No_Check', 'Mail_From_reject': 'Fail', 'PermError_reject': 'False', 'TempError_Defer': 'False', 'skip_addresses': '127.0>
policyd-spf[2599481]: Cached data for this instance: []
policyd-spf[2599481]: skip_addresses enabled.
policyd-spf[2599481]: _get_resultcodes: scope: mfrom, Reject_Not_Pass_Domains: None, helo_policy: No_Check, mfrom_policy: Fail
policyd-spf[2599481]: Scope mfrom unused results: ['Pass', 'None', 'Neutral', 'Softfail', 'Temperror', 'Permerror']
policyd-spf[2599481]: mfrom policy true results: actions: {'defer': [], 'reject': ['Fail'], 'prepend': ['Pass', 'None', 'Neutral', 'Softfail', 'Temperror', 'Permerror']} local {'local_>
policyd-spf[2599481]: spfcheck: pyspf result: "['Fail', 'SPF fail - not authorized', 'mailfrom']"
policyd-spf[2599481]: Fail; identity=mailfrom; client-ip=10.0.0.1; helo=accountname; envelope-from=hostmaster@example.com; receiver=<UNKNOWN>
policyd-spf[2599481]: Action: None: Text: None Reject action: 550 5.7.23

Is it rejecting it because my IP differs from that of the server? Which would make sense in a way. But if that is the case, then is it even possible to check the SPF record for mail from your domain when one of your users sends an email? Because if a user (as I'm sure almost everyone does) connects to the mail server from their home IP, which will obviously be a different one than the mail server has, the SPF check looks up the domain, gets the IPs of the authorized servers, and then compares those to your IP, which fails? A weird edge case I'm sure.

Jason White

1 Answer


As you can see from the logs, your mail is seen by policyd as originating from private IP address 10.0.0.1.

Obviously, this address fails the SPF check for domain example.com (or whatever the real domain is).

This is as expected.

What is the point of SPF? On your server, you use it to check authorisation of incoming mail. The client IP must be authorised to send mail for the envelope sender domain.

It does not make sense to check SPF for outgoing mail. Mail submitted on your server usually originates from a local or private IP address, which would never pass the SPF check for your domain.

glts
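To make the answer concrete, and to show why the questioner's first restriction order (permit_sasl_authenticated ahead of check_policy_service) behaves differently from the second, here is an added example that is not code from the question, the answer, or the policyd-spf project. It is a small offline model of the two pieces involved: an SPF evaluator for the ip4/all subset of RFC 7208, and a policy decision in the shape of the Postfix policy delegation protocol that exempts SASL-authenticated submissions before it ever consults SPF. The SPF record, the authorized server address 203.0.113.10 and the three sample requests are constructed; the client address 10.0.0.1, the HELO name and the envelope sender are taken from the log in the question.

```python
import ipaddress

# Constructed SPF zone data, mirroring the shape of the record in the question
# (the real authorized server IP is replaced with a documentation address).
SPF_RECORDS = {"example.com": "v=spf1 ip4:203.0.113.10 -all"}

QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "Softfail", "?": "Neutral"}


def evaluate_spf(domain, client_ip, records=SPF_RECORDS):
    """Evaluate an SPF record for client_ip. Offline subset of RFC 7208:
    ip4/ip6 mechanisms and 'all'; mechanisms that need DNS (include, a, mx,
    exists) are reported as Permerror rather than looked up."""
    record = records.get(domain.lower())
    if record is None:
        return "None"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "Permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
        else:
            return "Permerror"
    return "Neutral"  # RFC 7208 section 4.7: no mechanism matched


def parse_policy_request(raw):
    """Parse one request in the Postfix policy delegation protocol:
    'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line.strip():
            break
        name, _, value = line.partition("=")
        attrs[name.strip()] = value.strip()
    return attrs


def policy_action(attrs, trusted_networks=("127.0.0.0/8",)):
    """Return the 'action=' value for one request. Authenticated submissions
    and clients in trusted networks are exempt (the job permit_sasl_authenticated
    and permit_mynetworks do in Postfix); every other client has the MAIL FROM
    domain checked against its connecting address."""
    if attrs.get("sasl_username"):
        return "DUNNO"
    client = attrs.get("client_address", "")
    try:
        client_ip = ipaddress.ip_address(client)
    except ValueError:
        return "DUNNO"
    if any(client_ip in ipaddress.ip_network(net) for net in trusted_networks):
        return "DUNNO"
    sender = attrs.get("sender", "")
    domain = sender.rpartition("@")[2] if "@" in sender else attrs.get("helo_name", "")
    result = evaluate_spf(domain, client)
    if result == "Fail":
        return "550 5.7.23 SPF fail - not authorized"
    return f"PREPEND Received-SPF: {result} (client-ip={client}; envelope-from={sender})"


# Constructed requests modelled on the log in the question: a user on a home
# address submitting mail for example.com, with and without SASL authentication,
# and an inbound connection from the one address the record authorizes.
SUBMISSION_AUTHENTICATED = (
    "request=smtpd_access_policy\n"
    "client_address=10.0.0.1\n"
    "helo_name=accountname\n"
    "sender=hostmaster@example.com\n"
    "sasl_username=hostmaster\n"
    "\n"
)
SUBMISSION_UNAUTHENTICATED = SUBMISSION_AUTHENTICATED.replace("sasl_username=hostmaster\n", "")
INBOUND_FROM_AUTHORIZED_HOST = SUBMISSION_UNAUTHENTICATED.replace(
    "client_address=10.0.0.1", "client_address=203.0.113.10"
)

if __name__ == "__main__":
    for label, raw in [
        ("authenticated submission from 10.0.0.1", SUBMISSION_AUTHENTICATED),
        ("unauthenticated client 10.0.0.1", SUBMISSION_UNAUTHENTICATED),
        ("inbound from authorized 203.0.113.10", INBOUND_FROM_AUTHORIZED_HOST),
    ]:
        print(f"{label}: action={policy_action(parse_policy_request(raw))}")
```

The second request reproduces the situation in the log: with no exemption ahead of the SPF check, a home address that is not in the domain's record reaches the `-all` mechanism and gets the 550 5.7.23 rejection. The first request is the same submission once authentication is taken into account, which is what the original restriction order achieves by listing permit_sasl_authenticated and permit_mynetworks before check_policy_service. The third shows the case SPF is actually for: an unauthenticated remote host whose address the domain owner has published.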