2

I am using Postfix 2.11.3 on Debian 8.0

I configured Postfix to run multiple instances (3), one for each public IP connected to our server in order to balance outgoing traffic depending on the service.

I configured DKIM and SPF for all subdomains (1 subdomain for each IP), but sometimes I receive SPF and DKIM fail from GMail and other providers, and looking at the headers it looks like the receiving mailserver failed to resolve my IP.

Please check the following header for example

Delivered-To: XX@XXXX.com
Received: by 10.28.221.87 with SMTP id u84csp184407wmg;
        Fri, 5 Jun 2015 19:26:17 -0700 (PDT)
X-Received: by 10.52.116.162 with SMTP id jx2mr11374004vdb.80.1433557576885;
        Fri, 05 Jun 2015 19:26:16 -0700 (PDT)
Return-Path: <chris@hello3.much.cheap>
Received: from hello3.much.cheap ([2607:5300:60:6516::])
        by mx.google.com with ESMTP id f2si9741219vdb.2.2015.06.05.19.26.14
        for <XX@XXXX.com>;
        Fri, 05 Jun 2015 19:26:15 -0700 (PDT)
Received-SPF: permerror (google.com: domain of chris@hello3.much.cheap uses a mechanism not recognized by this client. unknown  mechanisms: )) client-ip=2607:5300:60:6516::;
Authentication-Results: mx.google.com;
       spf=permerror (google.com: domain of chris@hello3.much.cheap uses a mechanism not recognized by this client. unknown  mechanisms: )) smtp.mail=chris@hello3.much.cheap;
       dkim=pass header.i=@much.cheap;
       dmarc=pass (p=NONE dis=NONE) header.from=hello3.much.cheap
Message-Id: <55725a47.220a340a.cc4f.ffffada7SMTPIN_ADDED_MISSING@mx.google.com>
Received: from hello3.much.cheap (hello3.much.cheap [167.114.180.233])
    by hello3.much.cheap (Postfix) with ESMTP id 27F7940083
    for <XX@XXXX.com>; Fri,  5 Jun 2015 22:26:10 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=much.cheap; s=hello;
    t=1433557570; bh=z/R8LvudDLyZmOBbw+42+SG7pLmnI+4/+E4YxHqibK4=;
    h=Date:To:From:Subject:From;
    b=tJdvbP1c+me6BwXx4Qayzwvw7GR+OFd/xG+OwCqXz/YNPVhTIS56HxGxRkEvnztTr
     ClouAavusckmwXfQ5GmwjWvzVlcIZc7eT9rkBrAL8Th+2YPXNiw4k36ZDRik9lfICp
     qpvcGIhruOCE4BBQFE31j2qEDTl6qVh2D0jSAbD8=
Received: from [167.114.180.233] by hello3.much.cheap with HTTP; Fri, 05 Jun 2015 22:26:09 -0400
Date: Fri, 5 Jun 2015 22:26:10 -0400
To: XX@XXXX.com
From: Chris <chris@hello3.much.cheap>
Subject: Wonderful trip with family!
Bounces-To: chris@hello3.much.cheap

As you can see, both SPF and DKIM fail because of the wrongly resolved IP: 2607:5300:60:6516::. The strangest thing is that after the SPF and DKIM records, Google can actually see my real IP (Received: from [167.114.180.233] by hello3.much.cheap).

The error is not constant; sometimes it gets the correct IP (167.114.180.233) even in the first header and all checks pass.

Please note I am not behind a firewall/proxy and the related Postfix instance is bound to the correct IP address.

master.cf

67.114.180.233:2533     inet  n       -       n       -       -       smtpd

main.cf

myorigin = hello3.much.cheap
myhostname = hello3.much.cheap
mydomain = hello3.much.cheap
queue_directory = /var/spool/postfix-3
data_directory = /var/lib/postfix-3
multi_instance_group = outgoing
multi_instance_name = postfix-3
inet_interfaces = all
smtp_bind_address = 167.114.180.233
mynetworks = 127.0.0.0/8 167.114.64.22 167.114.180.232/29

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject


milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301
multi_instance_enable = yes

smtp_generic_maps = hash:/etc/postfix-3/generic

sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps =  regexp:/etc/postfix-3/sender_canonical_maps
smtp_header_checks = regexp:/etc/postfix-3/header_check
mime_header_checks = regexp:/etc/postfix-3/header_check
header_checks = regexp:/etc/postfix-3/header_check
strict_mailbox_ownership = no

Any idea?

sysadmin1138

2 Answers

3

This header

Received: from hello3.much.cheap ([2607:5300:60:6516::])
        by mx.google.com with ESMTP id f2si9741219vdb.2.2015.06.05.19.26.14
        for <XX@XXXX.com>;
        Fri, 05 Jun 2015 19:26:15 -0700 (PDT)

indicates that Postfix sent the email to mx.google.com via IPv6. In other cases, Postfix will send email via IPv4.

The SPF checker at mx.google.com will use your IPv6 address to compare against your SPF record:

v=spf1 mx a ptr include:much.cheap ~all

As you can see, the IPv6 record isn't listed in the SPF record, thus Google warns you about failed SPF checks. The server mx.google.com isn't wrong when resolving your IP address. It's your server that sends it over IPv6.

The fix should be adding an IPv6 record to your SPF.


I still don't know why Postfix sends email via IPv6 when you have the parameter

smtp_bind_address = 167.114.180.233

Tailing the mail log at verbose level might reveal the problem, though.

masegaloeh
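The check described in the answer above, as an added example that is not part of the original post: it reads the client-ip the receiver evaluated from a Received-SPF header and tests it against the literal ip4:/ip6: mechanisms of an SPF record. The two records are constructed for illustration (the /64 prefix length is an assumption), the function names are hypothetical, and a, mx, ptr and include are skipped because they need DNS.

```python
import ipaddress
import re

# Constructed sample: the Received-SPF line from the question, comment shortened.
RECEIVED_SPF = ("Received-SPF: permerror (google.com: domain of "
                "chris@hello3.much.cheap ...) client-ip=2607:5300:60:6516::;")

# Constructed records. The IPv4 block is the one in the question's mynetworks;
# the IPv6 /64 prefix length is an assumption.
SPF_V4_ONLY = "v=spf1 ip4:167.114.180.232/29 ~all"
SPF_DUAL = "v=spf1 ip4:167.114.180.232/29 ip6:2607:5300:60:6516::/64 ~all"


def client_ip(header):
    """Return the address the receiving server evaluated SPF against."""
    m = re.search(r"client-ip=([0-9A-Fa-f:.]+)", header)
    if not m:
        raise ValueError("no client-ip field in header")
    return ipaddress.ip_address(m.group(1))


def literal_networks(spf_record):
    """Collect pass-qualified ip4:/ip6: mechanisms; DNS-based ones are skipped."""
    nets = []
    for term in spf_record.split()[1:]:          # drop the v=spf1 tag
        name, _, value = term.lstrip("+").partition(":")
        if name.lower() in ("ip4", "ip6") and value:
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def covered(ip, spf_record):
    """True if ip lies inside a literal network of the same address family."""
    return any(ip.version == net.version and ip in net
               for net in literal_networks(spf_record))


def report(header, spf_record):
    ip = client_ip(header)
    verdict = "authorized" if covered(ip, spf_record) else "not authorized"
    return f"IPv{ip.version} client {ip}: {verdict} by {spf_record!r}"


if __name__ == "__main__":
    for record in (SPF_V4_ONLY, SPF_DUAL):
        print(report(RECEIVED_SPF, record))
```
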
0

It could be related to the DNS precedence rules. The standard is to resolve IPv6 first and then IPv4. You can change this behavior by editing the file /etc/gai.conf. If you want to give priority to IPv4, uncomment the line that says:

#precedence ::ffff:0:0/96 100