Sendmail relaying failing SPF check

[kjpetrie]

I have a client who uses a tiscali mailbox and forward e-mails sent to him at his domain to his mailbox using sendmail. It seems Tiscali, along with other providers are now rejecting mail which fails SPF, which means SPF-friendly forwarding must be used.

How do I set up sendmail to forward with the necessary rewriting?

Here is a log entry showing the rejection taking place:

Mar 22 17:18:26 mailin milter-greylist: x2MHIP6k048903: Sender IP 143.126.211.20 and address <aaaa@bbbb> are SPF-compliant, bypassing greylist
Mar 22 17:18:26 mailin sm-mta[48903]: x2MHIP6k048903: from=<aaaa@bbbb>, size=2595, class=0, nrcpts=1, msgid=<38aaa8dd-bce6-632e-30cf-0ff6e33fae8c@bbbb>, bodytype=8BITMIME, proto=ESMTP, daemon=IPv4, relay=lares.culture.fr [143.126.211.20]
Mar 22 17:18:26 mailin sm-mta[48903]: x2MHIP6k048903: Milter add: header: X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.2 (mail.myserver [127.0.1.3]); Fri, 22 Mar 2019 17:18:26 +0000 (GMT)
Mar 22 17:18:26 mailin sm-mta[48905]: STARTTLS=client, relay=mx.tiscali.co.uk., version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Mar 22 17:18:28 mailin sm-mta[48905]: x2MHIP6k048903: to=<xxxx@yyyy>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=32595, relay=mx.tiscali.co.uk. [62.24.139.42], dsn=5.0.0, stat=Service unavailable

 

[SirDice]

You're not forwarding, you're relaying.

 

[kjpetrie]

Thanks. I've changed the title to reflect that. I'm afraid I'm not an expert on SMTP terminology, so I probably don't really grasp the difference between forwarding and relaying. I do know that in order to deliver mail to the correct recipient in another domain I now need to use the Sender Rewriting Scheme in case the recipient MTA checks SPF.

I've not been able to find much online information on the subject. Perhaps there is somewhere to look but search engines don't seem very good these days at finding technical information, being more configured to push products instead.

I know I need to set this up, but can find no documentation on how to configure sendmail to do it.

 

[obsigna]

In the case of the SMTP client (i.e. the sender) you don’t need to install anything. You would need to store the SPF information in the DNS record of the domain of the e-mail address which you want the peer to accept.

For example my mail domain is @obsigna.com, and it’s DNS record got:
host -tTXT obsigna.com
obsigna.com descriptive text "v=spf1 a:projectstore.net include:_spf.strato.com -all"

This asks the receivers to allow e-mails from @obsigna.com via the outgoing SMTP servers projectstore.net and strato.com.

That said, I am not yet convinced, that your problem is SPF related.

 

[usdmatt]

So do emails to their domain come into Sendmail, then get forwarded to Tiscali?

If so then Tiscali will by default see emails coming from your Sendmail server, but with the original sender's email address. If the original sender has an SPF record, then it's unlikely it lists your Sendmail server as a valid source for their domain.

This is where SPF can get a bit ugly. The standard fix for this is something called SRS -

1. Email comes into your server from sender @ domain1.com.
   If domain1.com has SPF, then the SPF record should list the server this message came from.
2. Before forwarding, you change the envelope sender address to something like srs0=domain1.com=sender @ domain2.com
   (The address actually gets a bit more complicated than this but there are milters for it)
3. You then forward the email on to the new recipient.
   They see the email coming from your server, which probably isn't listed in the SPF record for domain1.com, but should be listed for domain2.com
4. (Bonus step). If the email ends up getting returned for any reason, it bounces back to the SRS address above which delivers it back to domain2.com. This should point back to the Sendmail server, at which point the SRS milter should pull out the original sender (this is why the original sender is part of the SRS address), and send the bounce back on to sender @ domain1.com.

Even then it doesn't really work that well which is probably why major hosts like gmail & outlook.com still have a soft fail (~all) in their SPF records.

Of course the error you're getting from Tiscali is just "service unavailable", which as mentioned doesn't necessary mean an SPF issue. This is a fairly generic error. The ideal would be to find out from Tiscali why their server returned that error, but I suspect that's a non-starter.

 

[kjpetrie]

Yes, I know, but as the bounce message says:

----- The following addresses had permanent fatal errors -----
<xxxx@yyyy>
(reason: 552 5.2.0 7NoIhgAw8NrGQ SPF Check Failed (TT603))

----- Transcript of session follows -----
... while talking to mx.tiscali.co.uk.:
>>> DATA
<<< 552 5.2.0 7NoIhgAw8NrGQ SPF Check Failed (TT603)
554 5.0.0 Service unavailable

I think it's safe to assume that the service is unavailable for the given reason.

I know I need SRS. What I'm asking is how to set sendmail up to use it.

 

[usdmatt]

Hmm, well searching for Sendmail SRS doesn't seem to bring up much...

No help whatsoever, but one of the reasons I decided to move to Postfix (which I'm very happy with) was that there seemed to be far more guides and help online for it. On top of that, stuff like srs/tls/filtering/auth is just a damn sight easier in the first place.

 

[pos]

SRS works. It has to rewrite in the mail header.... There are a few tools to help. But it is not recommended. Find other solutions. Like SirDice said.. you are relaying so the mail is send on to the target with the original sender, but from a new IP. That breaks SPF.

An MTA do relay
An MUA do forward

If you have a decent web mail, set up a forward in it to the new mailbox. Then if will be sent on with the from adress from the forwarding mailbox and therefor wont break SPF anymore.

 

[kjpetrie]

Thank you for clarifying the terminology. However, I'm not using webmail or providing it. My customer just wants to receive mail sent to his domain at his Tiscali mailbox. My server is the MX for the domain.
I therefore need a means of relaying it to him.
If there's a better way than SRS I'd be interested to know it. Otherwise, I need to get sendmail to use SRS.

Given that sendmail is the native MTA in FreeBSD I'm a little surprised no one here seems to know how to do that.

Or are you saying an MTA can't rewrite headers?

 

[pos]

SRS need rewriting of the mail if relaying to go around the SPF record check. But you could always add the relaying mail server to the sender domains SPF record. Then it should work with no modification.

 

[usdmatt]

SRS need rewriting of the mail if relaying to go around the SPF record check. But you could always add the relaying mail server to the sender domains SPF record. Then it should work with no modification.

I briefly considered that option until realising that the sender domain is going to be any and every domain that sends an email to the customer.

 

[pos]

I briefly considered that option until realising that the sender domain is going to be any and every domain that sends an email to the customer.

usdmatt Yes You are correct. I did not read the earlier post good enough heeh.
kjpetrie So the reasonable options are...
- SRS rewriting at the relaying party, i.e you - https://www.libsrs2.org/srs/srs.pdf
- Use a MUA forward (for example in a webmail or so. Then there will be a new sender. email..)
- At Tiscali web account (if there is such), look to see if there is a POP fetch or similar to get from other mailbox directly
- Change MX to Tiscali mail server directly (probably not what you want here as you hold the service)