
Hello Folks!

I am in trouble and hope you can help!

I have been using my VPS (ubuntu 14.04) with exim4/dovecot for years now without problems. One common use is to receive mail from a gmx.de address (to an alias on my domain) and let it be distributed by the alias setting to some web.de addresses and also to addresses on my domain.

The way it should be is: ORIGIN -> ALIAS@MYDOMAIN -> (DEST1, DEST2,...)

Since yesterday, this "alias forwarding" does not work anymore. This is the typical exim log:

2016-05-25 18:12:59 1b5bQZ-0000KU-Kl <= ORIGIN@gmx.de H=mout.gmx.net [212.227.15.18] P=esmtp S=51309 id=ID@mail.gmx.com
2016-05-25 18:12:59 1b5bQZ-0000KU-Kl ** DEST1@web.de <ALIAS@MYDOMAIN.de> R=dnslookup T=remote_smtp: SMTP error from remote mail server after MAIL FROM:<ORIGIN@gmx.de> SIZE=53021: host mx-ha03.web.de [212.227.15.17]: 550-Requested action not taken: mailbox unavailable 550-Reject due to SPF policy. 550-The originating IP of the message is not permitted by the domain owner.
2016-05-25 18:12:59 1b5bQZ-0000KU-Kl ** DEST2@web.de <ALIAS@MYDOMAIN.de> R=dnslookup T=remote_smtp: SMTP error from remote mail server after MAIL FROM:<ORIGIN@gmx.de> SIZE=53021: host mx-ha03.web.de [212.227.15.17]: 550-Requested action not taken: mailbox unavailable 550-Reject due to SPF policy. 550-The originating IP of the message is not permitted by the domain owner.
2016-05-25 18:12:59 1b5bQZ-0000KU-Kl ** DEST3@web.de <ALIAS@MYDOMAIN.de> R=dnslookup T=remote_smtp: SMTP error from remote mail server after MAIL FROM:<ORIGIN@gmx.de> SIZE=53021: host mx-ha03.web.de [212.227.15.17]: 550-Requested action not taken: mailbox unavailable 550-Reject due to SPF policy. 550-The originating IP of the message is not permitted by the domain owner.
2016-05-25 18:13:00 1b5bQZ-0000Kl-Ud <= <> R=1b5bQZ-0000KU-Kl U=Debian-exim P=local S=53469
2016-05-25 18:13:00 1b5bQZ-0000KU-Kl Completed

The same happens if I test it with a web.de address as ORIGIN, whereas a gmail address or one from MYDOMAIN work just fine as ORIGIN.

The important point is that it seems to be only a problem with the aliasing. I can send mails from e.g. web.de to ADDRESS@MYDOMAIN and vice versa.

My MX points to the right spot (obviously, because it used to work for a long time now) and I have checked that my IP and DOMAIN are not in the spamhouse of web.de/gmx.de.

Any suggestions are highly welcome!!

Best, Bb

user6384786

3 Answers


GMX seems to have switched to strict SPF checking just yesterday (2016-05-25), and this breaks e-mail forwarding. This is a long-standing problem with SPF, I don't know whether GMX realizes that they are rejecting a huge number of legitimate e-mails by this stupid decision.

  • I also just realized that GMX enabled the strict checking on 2016-05-25. I got it back working with the SRS configuration by @Holger Schinzel – Dennis May 27 '16 at 17:08
  • As I can't comment on the post by L.Gleim below, I'll do it here. I'd agree that SPF is able to eliminate spam with spoofed sender addresses, but it is by far not the only or most effective thing to eliminate spam. Greylisting, blocking unauthenticated access from dynamic IPs, DNS-based blocklists work much better, especially since a sizable portion of spam does not have spoofed sender (and is therefore immune against SPF). In addition, when monitored well and complemented by proper whitelisting, those have a pretty low false positive rate. – Hans-Martin Mosner May 28 '16 at 16:55
  • This is official now: http://www.heise.de/newsticker/meldung/United-Internet-verschaerft-Spam-Bekaempfung-3225281.html – Dennis Jun 02 '16 at 13:54

As pointed out by Hans-Martin, SPF breaks email forwarding, as explained here. This is however not at all a stupid decision, as it is basically the only thing able to effectively eliminate spam.

Fixing this requires that you configure SRS (Sender Rewriting Scheme).

To quote from the postsrsd README:

Imagine your server receives a mail from alice@example.com that is to be forwarded. If example.com uses the Sender Policy Framework to indicate that all legit mails originate from their server, your forwarded mail might be bounced, because you have no permission to send on behalf of example.com. The solution is that you map the address to your own domain, e.g. SRS0+xxxx=yy=example.com=alice@yourdomain.org (forward SRS). If the mail is bounced later and a notification arrives, you can extract the original address from the rewritten one (reverse SRS) and return the notification to the sender. You might notice that the reverse SRS can be abused to turn your server into an open relay. For this reason, xxxx and yy are a cryptographic signature and a time stamp. If the signature does not match, the address is forged and the mail can be discarded.

Setting up postsrsd on Debian 8 (should be very much the same on Ubuntu):

# Dependencies.
sudo apt-get install unzip cmake

# Download and extract source code from GitHub.
cd /tmp
curl -L -o postsrsd.zip https://github.com/roehling/postsrsd/archive/master.zip
unzip postsrsd.zip

# Build and install.
cd postsrsd-master
cmake -DCMAKE_INSTALL_PREFIX=/usr
make
sudo make install

# Start services
sudo systemctl enable postsrsd
sudo systemctl start postsrsd

# Reconfigure Postfix
sudo postconf -e "sender_canonical_maps = tcp:127.0.0.1:10001"
sudo postconf -e "sender_canonical_classes = envelope_sender"
sudo postconf -e "recipient_canonical_maps = tcp:127.0.0.1:10002"
sudo postconf -e "recipient_canonical_classes = envelope_recipient,header_recipient"
sudo postfix reload
L. Gleim
  • Hi and thank you for the detailed answer! If I understand correctly, this solution will work with postfix only. Is there a way to do with exim or do I have to switch over to postfix? – user6384786 May 27 '16 at 09:31
  • For exim check out https://github.com/Exim/exim/wiki/SRS or https://www.assembla.com/wiki/show/file_sender/Configuring_SRS_with_Exim_%28Debian_and_Ubuntu%29 – L. Gleim May 29 '16 at 07:44
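To make the mechanics behind the two answers above concrete, here is an added example (not code from the question, the answers, or postsrsd): a minimal SPF evaluation as the receiving MX performs it, plus forward and reverse SRS in the SRS0 layout the README quote describes. It shows why the forwarder's IP fails the originating domain's SPF check when the envelope sender is left untouched, why the same message passes once the sender is rewritten into the forwarder's own domain, and how the signature and timestamp in the rewritten address let the reverse path refuse forged and stale addresses instead of acting as an open relay. Everything here is constructed: the SPF records are not the real gmx.de or mydomain.de records, 203.0.113.10 stands for the forwarding VPS, the secret is a placeholder, and the SPF evaluator only understands ip4/ip6 mechanisms and `all`. The hash and timestamp encoding follow the SRS draft conventions (HMAC-SHA1 truncated to four base64 characters, two base32 characters for the day number mod 1024) but are an assumption about postsrsd's exact wire format, not a copy of it.

```python
import base64
import hashlib
import hmac
import ipaddress
import time
from typing import Optional, Tuple

# Constructed SPF records for the demo, NOT the real gmx.de / mydomain.de records.
# 212.227.15.0/24 stands in for the originating domain's own MTAs, 203.0.113.10 for the VPS.
SPF_RECORDS = {
    "gmx.de": "v=spf1 ip4:212.227.15.0/24 -all",
    "mydomain.de": "v=spf1 ip4:203.0.113.10 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(mail_from: str, client_ip: str) -> str:
    """Minimal SPF evaluation (only ip4/ip6 mechanisms and 'all'; no a/mx/include/redirect).
    The receiving MX checks the IP that connected to it against the record of the
    envelope sender's domain, which is why a forwarder is judged, not the original sender."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term.split(":", 1)[1], strict=False)
        else:
            continue  # unsupported mechanism in this toy evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


# SRS0 layout: SRS0=<hash>=<timestamp>=<original domain>=<original local>@<forwarder>
SRS_SECRET = b"constructed-demo-secret-replace-me"  # placeholder, never use in production
SRS_MAX_AGE_DAYS = 21
SRS_BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _srs_day(now: Optional[float]) -> int:
    return int((time.time() if now is None else now) // 86400)


def _srs_timestamp(day: int) -> str:
    # two base32 chars encode the day number mod 1024
    return SRS_BASE32[(day >> 5) & 31] + SRS_BASE32[day & 31]


def _srs_hash(secret: bytes, timestamp: str, domain: str, local: str) -> str:
    # HMAC-SHA1 over the lower-cased fields, truncated to 4 base64 chars
    mac = hmac.new(secret, (timestamp + domain + local).lower().encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]


def srs_forward(sender: str, forwarder: str, secret: bytes = SRS_SECRET,
                now: Optional[float] = None) -> str:
    """Forward SRS: move the envelope sender into the forwarder's own domain."""
    local, domain = sender.rsplit("@", 1)
    ts = _srs_timestamp(_srs_day(now))
    return f"SRS0={_srs_hash(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder}"


def srs_reverse(address: str, secret: bytes = SRS_SECRET,
                now: Optional[float] = None) -> Optional[str]:
    """Reverse SRS for bounces: recover the original sender, or None when the address is
    not SRS0, carries a bad signature (forged) or is older than SRS_MAX_AGE_DAYS (stale).
    Refusing those is what stops the bounce path from being an open relay."""
    parts = address.rsplit("@", 1)[0].split("=", 4)
    if len(parts) != 5 or parts[0] != "SRS0":
        return None
    _, h, ts, domain, orig_local = parts
    if len(ts) != 2 or any(c not in SRS_BASE32 for c in ts):
        return None
    expected = _srs_hash(secret, ts, domain, orig_local)
    if not hmac.compare_digest(h.encode(), expected.encode()):
        return None
    ts_day = (SRS_BASE32.index(ts[0]) << 5) | SRS_BASE32.index(ts[1])
    if (_srs_day(now) - ts_day) % 1024 > SRS_MAX_AGE_DAYS:
        return None
    return f"{orig_local}@{domain}"


def forwarding_outcome(origin: str, forwarder: str, forwarder_ip: str,
                       use_srs: bool, now: Optional[float] = None) -> Tuple[str, str]:
    """What the final MX sees when the forwarder relays a mail from `origin`:
    the MAIL FROM address and the SPF result for the forwarder's IP."""
    mail_from = srs_forward(origin, forwarder, now=now) if use_srs else origin
    return mail_from, spf_check(mail_from, forwarder_ip)


if __name__ == "__main__":
    now = 1464192779.0  # 2016-05-25, the day of the log in the question
    for use_srs in (False, True):
        mf, res = forwarding_outcome("origin@gmx.de", "mydomain.de", "203.0.113.10", use_srs, now)
        print(f"SRS {'on ' if use_srs else 'off'}: MAIL FROM:<{mf}> -> SPF {res}")
    mf, _ = forwarding_outcome("origin@gmx.de", "mydomain.de", "203.0.113.10", True, now)
    print("bounce to", mf, "is returned to", srs_reverse(mf, now=now))
```

Without rewriting, the VPS presents `MAIL FROM:<origin@gmx.de>` from an IP that gmx.de's `-all` policy does not list, which is exactly the 550 in the question's log; with SRS the sender domain is mydomain.de, whose record lists the VPS. Note that SRS only repairs the envelope sender; a strict DMARC policy on the originating domain can still reject forwarded mail on header alignment, which is outside what this example models.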

It seems GMX switched on strict SPF checking recently, which causes forwarded mails to fail. You'll see something like this in the mail.log:

 to=<mailaddress@gmx.de>, orig_to=<mailaddress@mydomain.com>, relay=mx00.emig.gmx.net[212.227.15.9]:25, delay=0.15, delays=0/0.02/0.12/0.01, dsn=5.0.0, status=bounced (host mx00.emig.gmx.net[212.227.15.9] said: 550-Requested action not taken: mailbox unavailable 550-Reject due to SPF policy. 550-The originating IP of the message is not permitted by the domain owner. 550 For explanation visit http://postmaster.gmx.com/en/error-messages?ip=127.0.0.10&c=spf (in reply to MAIL FROM command))

Like L. Gleim pointed out, SRS and installing postsrsd is the solution.

There is a PPA for Ubuntu available as well, so on Ubuntu the installation can be done with

sudo add-apt-repository ppa:roehling/latest
sudo apt-get update
sudo apt-get install postsrsd

sudo postconf -e "sender_canonical_maps = tcp:127.0.0.1:10001"
sudo postconf -e "sender_canonical_classes = envelope_sender"
sudo postconf -e "recipient_canonical_maps = tcp:127.0.0.1:10002"
sudo postconf -e "recipient_canonical_classes = envelope_recipient,header_recipient"
sudo postfix reload

This made forwarding mails to GMX possible again for me.