On 11/17/2017 2:34 PM, Gao wrote:
> Hi,
>
> I just built a postfix mail server (mail.mytestmx.com) with
> PostfixAdmin, SPF and DKIM, etc. It works very well. Now I try to
> use the new built server as the backup mail server of another server
> (zeta.othermx.com), so I add a backup domain in PostfixAdmin and
> setup DNS accordingly. Later there is an email came with destination
> to b...@othermx.com, the relay attempt got rejected at
> zeta.othermx.com because of SPF.
>
> So what is the solution here? Should I add the mail.mytestmx.com to
> zeta.othermx.com's SPF record and make it trust it? If so are there
> any risk?

Remember that SPF is for checking the sender, not the recipient, so the SPF is complaining about the emails.aircanada.com sender address. Adjusting your own SPF record won't help this particular problem.

Add a whitelist entry for the backup MX IP to your postfix main.cf before the spf policy check, or even better, before any checks. For a table with a single entry, the inline map type is great; if you need to whitelist more than a handful of IPs, then a hash: or cdb: map is probably cleaner.

Your whitelist entry should be near the top of your restrictions list, typically just after reject_unauth_destination. Something like:

    # main.cf
    ...
    smtpd_recipient_restrictions =
      permit_mynetworks
      reject_unauth_destination
      check_client_access inline:{192.0.2.33=OK}
      ... other restrictions ...
      check_policy_service ... spf check

If you need more detailed help, please show your "postconf -n" output.

  -- Noel Jones
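
Added example, not part of the original message and not Postfix code: a simplified Python model of first-match restriction evaluation, showing why mail relayed by the backup MX fails the SPF check at the primary and why a client whitelist placed after reject_unauth_destination but before the SPF check lets it through without allowing relaying to other domains. The sender domain, SPF networks and sessions are constructed; 192.0.2.33 is the placeholder IP from the main.cf snippet above, and permit_mynetworks is left out of the model.

```python
import ipaddress

# Constructed sample data, not real DNS records.
SPF_NETWORKS = {"sender.example": ["198.51.100.0/24"]}  # sender domain -> authorized nets
LOCAL_DOMAINS = {"othermx.com"}        # domains the primary MX accepts mail for
BACKUP_MX_IP = "192.0.2.33"            # the address whitelisted in the main.cf snippet

def reject_unauth_destination(s):
    return "DUNNO" if s["rcpt"].rsplit("@", 1)[1] in LOCAL_DOMAINS else "REJECT"

def check_client_access(s):
    return "OK" if s["client_ip"] == BACKUP_MX_IP else "DUNNO"

def spf_policy(s):
    """Simplified SPF: test the client IP against the envelope sender's domain."""
    nets = SPF_NETWORKS.get(s["mail_from"].rsplit("@", 1)[1])
    if nets is None:
        return "DUNNO"                 # no SPF record published: no opinion
    ip = ipaddress.ip_address(s["client_ip"])
    if any(ip in ipaddress.ip_network(n) for n in nets):
        return "DUNNO"                 # pass: let later restrictions decide
    return "REJECT"                    # models a hard fail (-all)

def evaluate(restrictions, s):
    """Walk the list in order; the first OK or REJECT ends evaluation."""
    for check in restrictions:
        verdict = check(s)
        if verdict != "DUNNO":
            return verdict, check.__name__
    return "OK", "end of list"

WITHOUT_WHITELIST = [reject_unauth_destination, spf_policy]
WITH_WHITELIST = [reject_unauth_destination, check_client_access, spf_policy]

# Constructed sessions as seen by the primary MX.
relayed = {"client_ip": BACKUP_MX_IP, "mail_from": "news@sender.example",
           "rcpt": "user@othermx.com"}        # backup MX forwarding third-party mail
direct_unlisted = {"client_ip": "203.0.113.9", "mail_from": "news@sender.example",
                   "rcpt": "user@othermx.com"}  # unlisted host, SPF still applies
off_domain = {"client_ip": BACKUP_MX_IP, "mail_from": "news@sender.example",
              "rcpt": "user@elsewhere.example"}  # whitelisted IP, non-local recipient

if __name__ == "__main__":
    for name, s in [("relayed", relayed), ("direct_unlisted", direct_unlisted),
                    ("off_domain", off_domain)]:
        print(name, evaluate(WITHOUT_WHITELIST, s), evaluate(WITH_WHITELIST, s))
```

The whitelist skips every later check for that client, so SPF and other sender checks on relayed mail then depend on what the backup MX itself enforces.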