I recently set up the Docker-Mailserver for our company (v. 12.1.0). It's working well so far, except for one thing: We receive automated emails from a customer's Redmine system. These emails are not sent via the customer's official mail server, so the SPF check for incoming mails fails. Outlook appointments from the same customer are also rejected. I need a way to set up a whitelist for these emails. But it is currently not clear to me whether the SPF check is performed by Postfix or by Rspamd. Can anyone tell me how to set up such a whitelist?

In main.cf I can find the following setting:

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated

I set up a postfix-policyd-spf.conf which contains the following (anonymized domains and IPs):

debugLevel = 1
defaultSeedOnly = 1
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
Whitelist = 172.28.0.0/16,x.y.187.36/32

Domain_Whitelist = mailxxxxxxx.com,xx.yyyyyyyy.outlook.com,some.others.com

The domain whitelist contains the domains of the mail servers which send these mails to our recipients. I have the answer to one of these mails:

550 5.7.23 The message was rejected because of Sender Policy Framework violation -> 550 5.7.1 rejected by DMARC policy for mycustomer.de

Rejected from: ourdomain.de

Sent from: xxxxxx.erprdyy.prod.outlook.com

What can I do to receive those mails? Thanks in advance for any insights.

MM

  • It's DMARC that's failing. You would need an exception for that, probably in the OpenDMARC configuration. But those are things that should really be addressed on the sender's side. Commented Oct 10, 2023 at 10:12
  • @EsaJokinen: Thanks for your answer. The DMARC record of the customer is v=DMARC1; p=reject; pct=100; fo=1; ri=3600; rua=mailto:[email protected]; ruf=mailto:[email protected]; There is not much they can alter. They follow a company-wide rule. The company's IT thinks that they get more mail security for incoming mails with their rules and doesn't understand that their rules also affect outgoing mail, since our mail server is checking the rules as well. Their SPF is v=spf1 ip4:x.y.187.36/32 include:mail*******.com include:***somemoreincludes -all
    – mmytx
    Commented Oct 10, 2023 at 13:05
  • The DMARC policy is fine, but the test fails because there's no passing & aligned SPF or DKIM. They should either add this source to their SPF record if it's aligned, or start DKIM signing these messages. Commented Oct 10, 2023 at 21:21
  • @EsaJokinen: As far as the Outlook appointments are concerned, MS says they should add include:spf.protection.outlook.com to their SPF. That's what they did, but it doesn't work anyway.
    – mmytx
    Commented Oct 11, 2023 at 13:08
  • This is the source in the Microsoft Documentation which says that they must include spf.protection.outlook.com
    – mmytx
    Commented Oct 11, 2023 at 13:14
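
The "passing & aligned SPF or DKIM" rule from the comments above, as an added example that is not part of the original thread: a simplified DMARC alignment evaluation run against the customer's policy tags. The sender host relay.example.net and the three test cases are constructed, the last-two-labels organizational domain is an assumption standing in for a Public Suffix List lookup, and pct is ignored.

```python
"""DMARC alignment check (added example; simplified, not a full RFC 7489 verifier)."""

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Assumption: last two labels stand in for the Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' requires an exact match, 'r' (default) the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(record, from_domain, spf, dkim):
    """spf: (result, MAIL FROM domain); dkim: list of (result, d= domain).
    Returns (DMARC result, policy the receiver is asked to apply)."""
    tags = parse_dmarc(record)
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim) for r, d in dkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")

# Policy tags from the record quoted in the comments; report addresses omitted.
RECORD = "v=DMARC1; p=reject; pct=100; fo=1; ri=3600"
FROM = "mycustomer.de"

# Constructed cases; relay.example.net is a hypothetical third-party sender.
CASES = {
    "spf_fail_no_dkim": (("fail", "mycustomer.de"), []),
    "spf_pass_unaligned": (("pass", "relay.example.net"), [("pass", "relay.example.net")]),
    "dkim_aligned": (("fail", "mycustomer.de"), [("pass", "mail.mycustomer.de")]),
}

def run_cases():
    return {name: evaluate(RECORD, FROM, spf, dkim) for name, (spf, dkim) in CASES.items()}

if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(name, outcome)
```

Only the third case passes: an SPF pass for a domain that does not match the From: domain does not satisfy DMARC, while one aligned DKIM signature does, even with SPF failing.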
