Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SPF Authentication Failure for emails received #223

Open
3 tasks done
sg1888 opened this issue Jul 28, 2023 · 0 comments
Open
3 tasks done

SPF Authentication Failure for emails received #223

sg1888 opened this issue Jul 28, 2023 · 0 comments
Labels
kind/bug status/triage

Comments

@sg1888
Copy link

sg1888 commented Jul 28, 2023

Support guidelines

I've found a bug and checked that ...

  • ... the documentation does not mention anything about my problem
  • ... there are no open or closed issues that are related to my problem

Description

I recently installed AnonAddy docker - and love the service. I followed all the guides and got almost everything to work - I'm able to send and receive emails, I have TLS working, and almost everything is great - EXCEPT for a lingering SPF authentication issue that I can't seem to shake.

Whenever an email is sent to an alias email account, the SPF reflects the IP address of the email server for the original sender and NOT the IP address of my AnonAddy server. This causes the SPF to fail.

For example, If a user from Gmail sends an email to my alias myalias@mail.mydomain.com, the received SPF shows a Gmail IP and NOT the the IP of my AnonAddy server. This is causing the emails to get dumped into my junk mail box.

I've tried to modify a bunch of settings to wit's end, and can't figure out how to fix this. Am I doing something wrong?

Here is my configuration. Hoping somebody can guide me to the right direction. I have the a static IP, and my ptr records point to my IP (reverse dns works). I am using mail.myhost.com as a base email domain, as I have a different email server running on the root domain myhost.com.

Base Details

Email Domain: mail.myhost.com
AnonAddy Host: webmail.myhost.com
Server IP: 3.3.3.3 (Example)

I have TLS certs for my domain generated using .acme.sh, and have mapped the cert and key to /certs in the anonaddy container.

DNS Configuration

A Records

  • smtp -> 3.3.3.3

MX Record

  • mail -> smtp.myhost.com

DKIM Record

  • default._domainkey.mail -> v=DKIM1; k=rsa; p=<Something long>

DMARC Record

  • _dmarc.mail -> v=DMARC1; p=reject; sp=none; aspf=r; fo=1:d:s

SPF Record

  • mail -> v=spf1 mx ~all

anonaddy.env Configuration

## General System Config
TZ=America/Los_Angeles
PUID=1000
PGID=1000
MEMORY_LIMIT=256M
UPLOAD_MAX_SIZE=16M
OPCACHE_MEM_SIZE=128
REAL_IP_FROM=0.0.0.0/32
REAL_IP_HEADER=X-Forwarded-For
LOG_IP_VAR=http_x_forwarded_for


## APP Environments
APP_KEY=<redacted>
APP_DEBUG=true
# URL Of AnonAddy Install
APP_URL=https://webmail.myhost.com  # Can be whatever
ANONADDY_RETURN_PATH=bounces@mail.myhost.com
ANONADDY_ADMIN_USERNAME=anonaddy
ANONADDY_ENABLE_REGISTRATION=true
ANONADDY_DOMAIN=mail.myhost.com
#ANONADDY_ALL_DOMAINS=mail.myhost.com
ANONADDY_HOSTNAME=smtp.myhost.com
ANONADDY_DNS_RESOLVER=127.0.0.1
ANONADDY_SECRET=37WYeWU6k00WttSqedDm
ANONADDY_LIMIT=200                             # Number of emails a user can forward and reply per hour
ANONADDY_BANDWIDTH_LIMIT=1048576000            # Monthly bandwidth limit for users in bytes domains to use
ANONADDY_NEW_ALIAS_LIMIT=30                    # Number of new aliases a user can create each hour
ANONADDY_ADDITIONAL_USERNAME_LIMIT=50          # Number of additional usernames a user can add to their account

## RSPAMD Config
RSPAMD_ENABLE=true
RSPAMD_NO_LOCAL_ADDRS=true
RSPAMD_WEB_PASSWORD=oneworld

## Mail Config
MAIL_FROM_NAME=AnonAddy
MAIL_FROM_ADDRESS=anonaddy@mail.myhost.com

## Postfig Configuration
POSTFIX_DEBUG=true
POSTFIX_SMTPD_TLS=true
POSTFIX_SMTP_TLS=true

#Certs
POSTFIX_SMTPD_TLS_CERT_FILE=/certs/fullchain.pem
POSTFIX_SMTPD_TLS_KEY_FILE=/certs/privkey.pem

Anonaddy config in docker-compose.yml

  anonaddy:
    image: anonaddy/anonaddy:latest
    container_name: anonaddy
    depends_on:
      - db
      - redis
    ports:
      - target: 25
        published: 25
        protocol: tcp
    volumes:
      - "./data:/data"
      ## mydomain.com
      - "/etc/mydomains/mydomain.com/fullchain.cer:/certs/fullchain.pem:ro"     # Link to certs created by Acme.sh
      - "/etc/mydomains/mydomain.com/privkey.key:/certs/privkey.pem:ro"     # Link to key for islnt.com created by Acme.sh
    env_file:
      - "./anonaddy.env"
    environment:
      - "DB_HOST=db"
      - "DB_DATABASE=${MYSQL_DATABASE}"
      - "DB_USERNAME=${MYSQL_USER}"
      - "DB_PASSWORD=${MYSQL_PASSWORD}"
      - "REDIS_HOST=redis"
    restart: always

Expected behaviour

I expected the SPF to pass. The emails should be regenerated from AnonAddy, and the SPF should reflect the IP address of the AnonAddy server.

Actual behaviour

The SPF is failing. I ran the headers through MX toolbox, and the SPF authentication fails. The SPF reflects the IP address of the email provider of the sender. SPF alignment looks to be okay, and and DKIM alignment also looks okay.

Steps to reproduce

Described above. Anytime I receive an email sent to my alias, the email SPF authentication fails. The IP address shows the IP of Gmail (or any other provider) rather than my AnonAddy server.

Docker info

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Docker Buildx (Docker Inc., v0.8.2-docker)
  compose: Docker Compose (Docker Inc., v2.6.0)
  scan: Docker Scan (Docker Inc., v0.17.0)

Server:
 Containers: 4
  Running: 4
  Paused: 0
  Stopped: 0
 Images: 4
 Server Version: 20.10.17
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
 runc version: v1.1.2-0-ga916309
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.15.0-78-generic
 Operating System: Ubuntu 22.04 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 3.756GiB
 Name: lnx-docker01
 ID: R6NO:FVB5:TQV3:BO5V:A6QI:DKHL:KORH:JHFX:CYCX:XIAL:VMVR:KGFY
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Docker Compose config

name: anonaddy
services:
  anonaddy:
    container_name: anonaddy
    depends_on:
      db:
        condition: service_started
      redis:
        condition: service_started
    environment:
      ANONADDY_ADDITIONAL_USERNAME_LIMIT: "50"
      ANONADDY_ADMIN_USERNAME: anonaddy
      ANONADDY_BANDWIDTH_LIMIT: "1048576000"
      ANONADDY_DNS_RESOLVER: 127.0.0.1
      ANONADDY_DOMAIN: mail.mydomain.com
      ANONADDY_ENABLE_REGISTRATION: "true"
      ANONADDY_HOSTNAME: smtp.mydomain.com
      ANONADDY_LIMIT: "200"
      ANONADDY_NEW_ALIAS_LIMIT: "30"
      ANONADDY_RETURN_PATH: bounces@mail.mydomain.com
      ANONADDY_SECRET: <redacted>
      APP_DEBUG: "true"
      APP_KEY: <redacted>
      APP_URL: https://webmail.mydomain.com
      DB_DATABASE: anonaddy
      DB_HOST: db
      DB_PASSWORD: anonaddy
      DB_USERNAME: anonaddy
      LOG_IP_VAR: http_x_forwarded_for
      MAIL_FROM_ADDRESS: anonaddy@mail.mydomain.com
      MAIL_FROM_NAME: AnonAddy
      MEMORY_LIMIT: 256M
      OPCACHE_MEM_SIZE: "128"
      PGID: "1000"
      POSTFIX_DEBUG: "true"
      POSTFIX_SMTP_TLS: "true"
      POSTFIX_SMTPD_TLS: "true"
      POSTFIX_SMTPD_TLS_CERT_FILE: /certs/fullchain.pem
      POSTFIX_SMTPD_TLS_KEY_FILE: /certs/privkey.pem
      PUID: "1000"
      REAL_IP_FROM: 0.0.0.0/32
      REAL_IP_HEADER: X-Forwarded-For
      REDIS_HOST: redis
      RSPAMD_ENABLE: "true"
      RSPAMD_WEB_PASSWORD: testing123
      TZ: America/Los_Angeles
      UPLOAD_MAX_SIZE: 16M
    image: anonaddy/anonaddy:latest
    networks:
      default: null
    ports:
    - target: 25
      published: "25"
      protocol: tcp
    restart: always
    volumes:
    - type: bind
      source: /opt/docker/anonaddy/data
      target: /data
      bind:
        create_host_path: true
    - type: bind
      source: /etc/mydomains/mydomain.com/fullchain.cer
      target: /certs/fullchain.pem
      read_only: true
      bind:
        create_host_path: true
    - type: bind
      source: /etc/mydomains/mydomain.com/privkey.key
      target: /certs/privkey.pem
      read_only: true
      bind:
        create_host_path: true
  db:
    command:
    - mysqld
    - --character-set-server=utf8mb4
    - --collation-server=utf8mb4_unicode_ci
    container_name: anonaddy_db
    environment:
      MYSQL_ALLOW_EMPTY_PASSWORD: "yes"
      MYSQL_DATABASE: anonaddy
      MYSQL_PASSWORD: anonaddy
      MYSQL_USER: anonaddy
    image: mariadb:10.5
    networks:
      default: null
    restart: always
    volumes:
    - type: bind
      source: /opt/docker/anonaddy/mariadb
      target: /var/lib/mysql
      bind:
        create_host_path: true
  nginx:
    container_name: anonaddy_nginx
    depends_on:
      anonaddy:
        condition: service_started
    image: nginx:alpine
    networks:
      default: null
    ports:
    - mode: ingress
      target: 80
      published: "80"
      protocol: tcp
    - mode: ingress
      target: 443
      published: "443"
      protocol: tcp
    restart: unless-stopped
    volumes:
    - type: bind
      source: /etc/ssl/dhparam.pem
      target: /etc/ssl/dhparam.pem
      read_only: true
      bind:
        create_host_path: true
    - type: bind
      source: /opt/docker/anonaddy/nginx/sites
      target: /etc/nginx/conf.d
      bind:
        create_host_path: true
    - type: bind
      source: /opt/docker/anonaddy/nginx/logs
      target: /var/log/nginx
      bind:
        create_host_path: true
    - type: bind
      source: /etc/mydomains/mydomain.com/fullchain.cer
      target: /certs/fullchain.pem
      read_only: true
      bind:
        create_host_path: true
    - type: bind
      source: /etc/mydomains/mydomain.com/privkey.key
      target: /certs/privkey.pem
      read_only: true
      bind:
        create_host_path: true
  redis:
    container_name: anonaddy_redis
    image: redis:4.0-alpine
    networks:
      default: null
    restart: always
networks:
  default:
    name: anonaddy_default

Logs

I saw these logs in postfix.  Not sure if they are relevant:

anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: dns_get_answer: type A for NAM10-DM6-obe.outbound.protection.outlook.com
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: generic_checks: name=reject_unknown_helo_hostname status=0
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: >>> END Helo command RESTRICTIONS <<<
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: >>> START Sender address RESTRICTIONS <<<
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: generic_checks: name=permit_mynetworks
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: permit_mynetworks: mail-dm6nam10on2067.outbound.protection.outlook.com 40.107.93.67
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostname: mynetworks: mail-dm6nam10on2067.outbound.protection.outlook.com ~? 127.0.0.0/8
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostaddr: mynetworks: 40.107.93.67 ~? 127.0.0.0/8
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostname: mynetworks: mail-dm6nam10on2067.outbound.protection.outlook.com ~? [::ffff:127.0.0.0]/104
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostaddr: mynetworks: 40.107.93.67 ~? [::ffff:127.0.0.0]/104
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostname: mynetworks: mail-dm6nam10on2067.outbound.protection.outlook.com ~? [::1]/128
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostaddr: mynetworks: 40.107.93.67 ~? [::1]/128
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostname: mynetworks: mail-dm6nam10on2067.outbound.protection.outlook.com ~? 10.0.0.0/8
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostaddr: mynetworks: 40.107.93.67 ~? 10.0.0.0/8
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostname: mynetworks: mail-dm6nam10on2067.outbound.protection.outlook.com ~? 172.16.0.0/12
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostaddr: mynetworks: 40.107.93.67 ~? 172.16.0.0/12
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostname: mynetworks: mail-dm6nam10on2067.outbound.protection.outlook.com ~? 192.168.0.0/16
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_hostaddr: mynetworks: 40.107.93.67 ~? 192.168.0.0/16
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_list_match: mail-dm6nam10on2067.outbound.protection.outlook.com: no match
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: match_list_match: 40.107.93.67: no match
anonaddy  | Jul 28 15:56:32 smtp postfix/smtpd[994]: generic_checks: name=permit_mynetworks status=0

Additional info

No response
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug status/triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sg1888