Cloudron SPF record does not permit IP
-
Hi.
I just found the following from an E-Mail I sent from my cloudron managed server to another E-Mail-Server where I own an Email account:
Received-SPF: SoftFail (mail.jascha.wtf: domain of jascha.wtf does not designate 84.57.85.124 as permitted sender) receiver=mail.jascha.wtf; identity=mailfrom; client-ip=84.57.85.124 helo=[10.0.0.10]; envelope-from=<jascha@jascha.wtf>The IP shown is my IP at home. I send Emails via Thunderbird. In my understanding the sending Ip should not be the IP of me at home but the one from the mailserver, right?
Did I do something wrong? Or is it a problem with the cloudron Mailserver?
@jaschaezra said in Cloudron SPF record does not permit IP:
The IP shown is my IP at home. I send Emails via Thunderbird. In my understanding the sending Ip should not be the IP of me at home but the one from the mailserver, right?
That's correct. I wonder how it can even have the IP of your home server. This shouldn't be anywhere. Do you think you can send a test mail to test@cloudron.io , so I can look at the headers?
-
@jaschaezra said in Cloudron SPF record does not permit IP:
The IP shown is my IP at home. I send Emails via Thunderbird. In my understanding the sending Ip should not be the IP of me at home but the one from the mailserver, right?
That's correct. I wonder how it can even have the IP of your home server. This shouldn't be anywhere. Do you think you can send a test mail to test@cloudron.io , so I can look at the headers?
@girish I have the same experience as @jaschaezra on my Cloudron Instance.
-
@jaschaezra said in Cloudron SPF record does not permit IP:
The IP shown is my IP at home. I send Emails via Thunderbird. In my understanding the sending Ip should not be the IP of me at home but the one from the mailserver, right?
That's correct. I wonder how it can even have the IP of your home server. This shouldn't be anywhere. Do you think you can send a test mail to test@cloudron.io , so I can look at the headers?
@girish done
sent from jascha@jascha.wtf, topic is the URL of this thread -
@jaschaezra said in Cloudron SPF record does not permit IP:
The IP shown is my IP at home. I send Emails via Thunderbird. In my understanding the sending Ip should not be the IP of me at home but the one from the mailserver, right?
That's correct. I wonder how it can even have the IP of your home server. This shouldn't be anywhere. Do you think you can send a test mail to test@cloudron.io , so I can look at the headers?
@girish said in Cloudron SPF record does not permit IP:
I wonder how it can even have the IP of your home server.
It is not the IP of my server, this is the IP of my DSL at home.
-
@girish said in Cloudron SPF record does not permit IP:
I wonder how it can even have the IP of your home server.
It is not the IP of my server, this is the IP of my DSL at home.
-
@girish an news on this one?
-
@girish I do not want to bother you but any news on this?
-
@girish sorry but I have to ask: any update on this?
@jaschaezra
I checked with myself. I confirm the problem with revealing the IP address of the home connection when sending emails from client mail -Thunderbird, K9 (Android), Gmail (iOS). It will probably be the same with other apps. When sending via webmail "Roundcube" the IP address of the home connection does not appear. -
@jaschaezra
I checked with myself. I confirm the problem with revealing the IP address of the home connection when sending emails from client mail -Thunderbird, K9 (Android), Gmail (iOS). It will probably be the same with other apps. When sending via webmail "Roundcube" the IP address of the home connection does not appear.@matix131997 this is correct as that is how the envelope is generated.
In some cases, very useful to use Snappy Mail or other client in Cloudron to avoid source IP issues.
-
@jaschaezra @matix131997 I could reproduce this one. Looks like Haraka outbound is adding that header. Note that this is not a problem for mail delivery as such, but it's not nice that the mail client IP is revealed for no reason. Looking into a fix.
-
@jaschaezra @matix131997 I could reproduce this one. Looks like Haraka outbound is adding that header. Note that this is not a problem for mail delivery as such, but it's not nice that the mail client IP is revealed for no reason. Looking into a fix.
-
@jaschaezra @matix131997 I could reproduce this one. Looks like Haraka outbound is adding that header. Note that this is not a problem for mail delivery as such, but it's not nice that the mail client IP is revealed for no reason. Looking into a fix.
@girish said in Cloudron SPF record does not permit IP:
@jaschaezra @matix131997 I could reproduce this one. Looks like Haraka outbound is adding that header. Note that this is not a problem for mail delivery as such, but it's not nice that the mail client IP is revealed for no reason. Looking into a fix.
And it gives a SPF-Soft-Fail which can at worst lead to being rejected.
-
@girish said in Cloudron SPF record does not permit IP:
@jaschaezra @matix131997 I could reproduce this one. Looks like Haraka outbound is adding that header. Note that this is not a problem for mail delivery as such, but it's not nice that the mail client IP is revealed for no reason. Looking into a fix.
And it gives a SPF-Soft-Fail which can at worst lead to being rejected.
@jaschaezra The receiving mailserver should be checking the the SPF record of the sending SMTP server, not the client, so you shouldn't get a (Soft)fail. Is the server IP not showing in the headers at all?
How often does the IP address of your home DSL connection change? Not a solution but at least a workaround would be to temporarily add that IP to the SPF record.
-
@jaschaezra The receiving mailserver should be checking the the SPF record of the sending SMTP server, not the client, so you shouldn't get a (Soft)fail. Is the server IP not showing in the headers at all?
How often does the IP address of your home DSL connection change? Not a solution but at least a workaround would be to temporarily add that IP to the SPF record.
@ccfu
This is a strange case. As you can see from Haraka screen shot, when sending from client mail it assigns an address, just for the forum I included via VPN as the address "SMTP"
-
@girish said in Cloudron SPF record does not permit IP:
@jaschaezra @matix131997 I could reproduce this one. Looks like Haraka outbound is adding that header. Note that this is not a problem for mail delivery as such, but it's not nice that the mail client IP is revealed for no reason. Looking into a fix.
And it gives a SPF-Soft-Fail which can at worst lead to being rejected.
@jaschaezra It shouldn't affect mail delivery, afaik. As @ccfu said, the check is carried out by the receiving mail server and as such the added meta headers have no effect. But it's not desired to add the Client IP, that I agree. You can check this by sending mails to https://www.mail-tester.com/
-
@ccfu
This is a strange case. As you can see from Haraka screen shot, when sending from client mail it assigns an address, just for the forum I included via VPN as the address "SMTP"
@matix131997
Interesting. I still can't get my head around why the recipient mailserver is incorrectly evaluating the client IP and not the server IP in the SPF record though. The mail is not being sent to the recipient by the client but by the SMTP server. -
@jaschaezra It shouldn't affect mail delivery, afaik. As @ccfu said, the check is carried out by the receiving mail server and as such the added meta headers have no effect. But it's not desired to add the Client IP, that I agree. You can check this by sending mails to https://www.mail-tester.com/
-
@girish This is the result:
@matix131997 Yup, so the SPF is valid. The email header is only the results of Haraka/Cloudron mail server. This is not considered by the destination server.
-
G girish marked this topic as a question on
-
I have the exact same problem --- only since updating Cloudron to v7.4.1 from v7.3.6.
So, this has clearly been introduced by v7.4.x.SPF is more important than @staff are making out above.
Fundamentally, the point is that the SENDING Haraka/Cloudron is guilty of injecting the wrong header SPF details into OUTGOING emails.
This needs a rapid solution, as domain and server reputation is at stake!
-
I have the exact same problem --- only since updating Cloudron to v7.4.1 from v7.3.6.
So, this has clearly been introduced by v7.4.x.SPF is more important than @staff are making out above.
Fundamentally, the point is that the SENDING Haraka/Cloudron is guilty of injecting the wrong header SPF details into OUTGOING emails.
This needs a rapid solution, as domain and server reputation is at stake!
Nobody seems to be suggesting that SPF is not important but the SPF details are not injected by Cloudron or Haraka at all. These details are set in the domain's DNS records and can be checked by the receiving SMTP server when processing incoming email.
If a receiving mailserver is checking the wrong headers then it is misconfigured. Alternatively, the SPF record may be incorrect.
