Koozali.org: home of the SME Server

SPF fail for a supplier

Offline Drifting

SPF fail for a supplier
« on: July 11, 2017, 10:57:20 PM »
Hi, excuse any typos, trying to write this on an iPhone.

Home server for some reason does not like email from our estate agent.
See here:-
fail:
   asupplier.com: Sender is not authorized by default to use
   'email@asupplier.com' in 'mfrom' identity (mechanism '-all'
matched)
   (in reply to end of DATA command)

Thought I had turned off all SPF? Confused as to why it is being rejected?
Not possible to remote in and look, so any suggestions on the above welcome.

Paul
Infamy, Infamy, they all have it in for me!

Offline Daniel B.

Re: SPF fail for a supplier
« Reply #1 on: July 12, 2017, 02:00:33 PM »
Well, that's because your supplier asked for this email to be rejected. To be more complete, they have published an SPF policy in their public DNS zone (we could check the exact policy if you gave the real domain name, but here we can't). Anyway, this policy lists the servers allowed to emit emails using their domain as sender. The policy also says to reject any email which is not coming from one of the allowed servers (this is what the -all is for). Looks like you are receiving an email from a server which is not allowed, so your SME is correctly rejecting it.
It's the end of the world!!! :lol:

Offline Drifting

Re: SPF fail for a supplier
« Reply #2 on: July 12, 2017, 02:20:05 PM »
Hi, thanks for the reply. I was trying to protect the innocent. :-) And I thought for a moment that perhaps I had done something wrong on the SME server. I really must get round to having a read up on SPF and SME on this matter. Not really had a lot of time darting round the country of late.
The company in question is hawksfordjames.com

Paul.
Infamy, Infamy, they all have it in for me!

Offline Jean-Philippe Pialasse

Re: SPF fail for a supplier
« Reply #3 on: July 12, 2017, 07:04:02 PM »
At the moment I am writing these lines: No valid SPF record found of either type TXT or type SPF.

So either they have been warned and removed them or we bark at trees ;)

Anyway, the most frequent issue with an SPF record set as -all is a user trying to send the email through their ISP SMTP server instead of their MX (0 hawksfordjames.com) or any A or CNAME valid in their DNS.

They can work around this by adding the domain of their provider to the list of accepted senders, or by configuring their client phone / laptop to send it through their correct SMTP service.

Offline Daniel B.

Re: SPF fail for a supplier
« Reply #4 on: July 12, 2017, 07:06:13 PM »
Well, the domain hawksfordjames.com doesn't exist, so there's a typo somewhere ;-)
It's the end of the world!!! :lol:

Offline JohnG

Re: SPF fail for a supplier
« Reply #5 on: July 12, 2017, 08:07:47 PM »
I'm presuming it's hawkesfordjames.com. The current ip for mail.hawkesfordjames.com seems to fall within the correct range that's in the spf.

Offline Drifting

Re: SPF fail for a supplier
« Reply #6 on: July 12, 2017, 09:07:57 PM »
Yes, my typo.

Infamy, Infamy, they all have it in for me!

Offline Daniel B.

Re: SPF fail for a supplier
« Reply #7 on: July 13, 2017, 08:36:31 AM »
So, here's the SPF entry of this domain:
Code:
v=spf1 a mx mx:mail.hawkesfordjames.com ip4:212.113.198.192/26 ip6:2a01:5400:1:2::/64 -all

Which means only those IPs/networks are allowed to send emails in their name:
  • 212.113.198.220
  • 212.113.198.216
  • 212.113.198.192/26
  • 2a01:5400:1:2::/64 (this one doesn't concern you as SME has no IPv6 support yet)

You can check in qpsmtpd logs from where you received the email, but most likely from a different IP.
It's the end of the world!!! :lol:

Offline Drifting

Re: SPF fail for a supplier
« Reply #8 on: July 13, 2017, 04:24:11 PM »
Thank you Daniel for the help with this one. As soon as I am back home and off this iPhone I will check it out.

Paul.
Infamy, Infamy, they all have it in for me!