Back to Community Threads
1
Email forwarded out of SmarterMail failing SPF
Question asked by Tina Cline - 10/2/2014 at 10:55 AM
Answered
We have made no changes that I am aware of but suddenly all email that is either forwarded out of our SmarterMail system (or forwarded because SmarterMail is the gateway mail server before Exchange) is failing SPF checks.
The SPF checks appear that they are reading the header as the original sender domain, but with our IP address (the IP of the SmarterMail server).  This might not be a new problem, but with increased weight on filters for SPF, it is becoming an large issue now.
 
Example:  Someone@gmail.com (Gmail IP Address)sends an email to our client at SmarterMail@ourSMserver.com  (Our SmarterMail IP Address)
The SmarterMail@ourSMserver.com client has set his account to auto forward to his Yahoo account.
Yahoo is rejecting the message as it says that Someone@gmail.com does not have permission to send from the SmarterMail IP address (SPF Fail)
 
This especially hurts our clients that use our SmarterMail system for SPAM checks before it sends down to their Exchange server.  Even their local Exchange server is seeing the message and comparing the original sender domain with our SM IP address and failing SPF.
Is there some setting we are missing in SmarterMail or the Declude headers to help correct this?
 
Any thoughts are appreciated.
Thanks!

6 Replies

Reply to Thread
1
Bruce Barnes Replied
10/2/2014 at 12:08 PM
Marked As Answer
To resolve this, you need to Enable SRS to REWRITE HEADERS with updated SPF information when forwarding messages.
 
This will ensure that the SPF is picked up for the domain and an additional HEADER line is inserted to enable the SRS
 
"SRS - To enable or disable SRS (the ability for the mail server to re-write the senders email address so that forwarded messages pass SPF checks) for mail, select the appropriate option from the list."
 
To do this, login as the SmarterMail ADMIN and go to SECURITY ===> ANTISPAM ====> OPTIONS and ENABLE SRS
 
Enable SRS to REWRITE HEADERS with updated SPF information when forwarding messages
Enable SRS to REWRITE HEADERS with updated SPF information when forwarding messages
 
For more information on SRS header rewrites, see the section on SRS in the OPEN SPF website, at:
 
 
 
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Tina Cline Replied
10/2/2014 at 12:29 PM
 
I actually read that in your Smartermail AntiSpam document online and did implement it earlier this week, but it still seems to be occurring. I can see the forwarding messages in the spool with gmail or yahoo saying they are temporarily rejecting for high volume of SPAM from our WAN IP address..... Specifically, Yahoo is rejecting a message originally sent from a Yahoo address to our SM client, who in turn forwards to his Yahoo account. Yahoo response is 554 5.7.9 Message not accepted for Policy reasons (usually meaning DKIM, SPF or DMARC issues). If SmarterMail is forwarding the message correctly, it should be looking only at the original Yahoo sender - or am I wrong?
1
Bruce Barnes Replied
10/2/2014 at 12:40 PM
Try sending a message to MAILTEST@UNLOCKTHEINBOX.COM from the e-mail address which is causing the forwarding issue.
 
Login as the SmarterMail admin, impersonate the account, and send a test message.
 
You'll have to stay logged in long enough to wait for the response, but Henry's testing server should help you diagnose any issues you might have with that particular domain or user's account.
 
Remember to uncheck the FORWARD box on the user's account when you do that.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Tina Cline Replied
10/10/2014 at 10:54 AM
Got a new one based on this info.  We started SRS and it seemed to help, but now I have a specific email hoster that is rejecting email with 550 Unable to Relay when SRS is turned on.  I turn it off and they can get the email.
An email is sent to info@ourdomain.com.  The email is set to forward to 4 emails address on 2 different domains outside of SmarterMail.  For 1 domain it makes it.  For the other we get the 550 Unable to Relay bounce.
That makes no sense now!  UGH
1
Bruce Barnes Replied
10/12/2014 at 12:28 PM
What does MAILTEST@UNLOCKTHEINBOX.COM  say about your SPF record?
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Tina Cline Replied
10/13/2014 at 6:32 AM
Bingo - that was the issue. SPF correct now.
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
SPF - In Simple TermsSmarterMail > Antispam and Antivirus
Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management
SmarterMail and Network Address Translation (NAT)SmarterMail > Troubleshooting
DMARC - In Simple TermsSmarterMail > Antispam and Antivirus