Can someone help me decipher this?

[nightfall_sg]

When I send a test mail to port25.com using a normal mail account from my server everything works.

When I send a test mail from a mail account that use Postini's filtering service I am unable to receive the reply from port25.com and I noticed this in the exim_mainlog.

Could anyone help tell me what is happening here? Is my server preventing the delivery due to some SPF error?

Thank you.

2012-05-02 05:57:45 H=exprod7mx206.postini.com (psmtp.com) [64.18.2.46]:54362 F=<[email protected]> rejected RCPT <[email protected]>: SPF: 64.18.2.46 is not allowed to send mail from verifier.port25.com
2012-05-02 05:57:46 H=exprod7mx206.postini.com (psmtp.com) [64.18.2.46]:54362 Warning: "Detected session with all messages failed"
2012-05-02 05:57:47 H=exprod7mx206.postini.com (psmtp.com) [64.18.2.46]:54362 Warning: "Increment slow_fail_block Ratelimit - exprod7mx206.postini.com (psmtp.com) [64.18.2.46]:54362 because of all messages failed"

 

[mtindor]

In WHM --> Service Configuration --> Exim Configuration Manager do you have the following enabled?

Reject SPF Failures

I ask because when a piece of mail is sent from port25.com and comes into Postini, your server then does an SPF lookup on verifier.port25.com to see if the sending server [Postini / 64.18.2.46] is allowed to send mail with an @verifier.port25.com FROM address.

Normally, verifier.port25.com would connect directly to your mailserver when sending the response. Your server would do a check against the verifier.port25.com SPF record and would pass the message because it was sent to your server from the IP address of verifier.port25.com.

But when you are using Postini, the response from verifier.port25.com passes through Postini and it is Postini who is actually connecting to your server and delivering a message claiming to be from @verifier.port25.com. Your server then compares the SPF record for verifier.port25.com with the Postini IP address of 64.18.2.46, and SPF fails -- thus the message is rejected.

verifier.port25.com SPF record: "v=spf1 a ald-verifier.port25.com -all"

Notice that SPF record says that the only valid hosts who send mail from verifier.port25.com are the IP addresses associated with verifier.port25.com (96.244.219.19) and old-verifier.port25.com (an A-record doesn't currently exist for it). 96.244.219.19 != 64.18.2.46, so SPF fails when Postini relays that mail to you from Port25 and your mail server does the SPF check --- but, when verifier.port25.com connects directly to your server [no Postini], SPF passes and you get the message.

Realistically, if you have customers using Postini, do you really want your server to have to perform additional filter checks [when in 99.9999% of the cases Postini will already have done a better job and all you will be doing is using up resources needlessly] ?

At any rate, I think you have Reject SPF Failures enabled. Disable it, Save the Tweak Settings. Then try a retest and see what happens.

Mike

 

[nightfall_sg]

Mike ! Thanks man! You are absolutely correct! Everything works after I disabled that feature and restarted.

Thanks!

 

[mtindor]

You're welcome. It was just a [somewhat educated] guess, but I'm glad it worked out to be the right answer.

Mike