Sending between accounts on the same server w/ remote MX - SPF problem

rinkleton

Well-Known Member
Jul 16, 2015
121
6
68
Cleveland
cPanel Access Level
Root Administrator
Ok so this is a very specific issue. 2 accounts on a server. Account a.com is the sender, account b.com the receiver. b.com is set up as a remote MX (google apps) and also has a dedicated IP.

What seems to be happening is when [email protected] sends to [email protected], cPanel tries to deliver locally, which sort of succeeds. b.com sort of accepts it, but then realizes it is configured as a remote so then b.com takes it upon itself to send the email out (from its own dedicated IP). So when the message arrives in google apps account it does an SPF check against the b.com IP but against the SPF record for a.com... which doesn't have b.com's IP listed in it. It obviously fails.

Is it possible to make a.com smart enough to not try and deliver locally when b.com is set as remote?
 

dalem

Well-Known Member
PartnerNOC
Oct 24, 2003
2,983
159
368
SLC
cPanel Access Level
DataCenter Provider
You might want to correct your post as it makes no sense.

1st you say a.com is the sender then later in the post you have [email protected] is the sender, which one is it?
2nd you say b.com is remote then later on in the post you say a.com is remote, which one is it?

That being said, ensure whichever domain is the remote domain is in
/etc/remotedomains
 

rinkleton

As far as solutions go, I tried using the API to collect all dedicated IPs on the server and add them to the SPF record, but it results in a string that is too long. And I would have to do that for every account on the server and keep them all up to date.
 

mtindor

Well-Known Member
Sep 14, 2004
1,530
143
343
inside a catfish
cPanel Access Level
Root Administrator
> Ok so this is a very specific issue. 2 accounts on a server. Account a.com is the sender, account b.com the receiver. b.com is set up as a remote MX (google apps) and also has a dedicated IP.
>
> What seems to be happening is when [email protected] sends to [email protected], cPanel tries to deliver locally, which sort of succeeds. b.com sort of accepts it, but then realizes it is configured as a remote so then b.com takes it upon itself to send the email out (from its own dedicated IP). So when the message arrives in google apps account it does an SPF check against the b.com IP but against the SPF record for a.com... which doesn't have b.com's IP listed in it. It obviously fails.
>
> Is it possible to make a.com smart enough to not try and deliver locally when b.com is set as remote?

If a.com is in /etc/localdomains and b.com is in /etc/remotedomains, then the system really isn't struggling to deliver from a.com local to b.com on Google. You might think so, but it's fairly straightforward.

Just add b.com's dedicated IP address to a.com's SPF record.

If a.com's record looks anything like this:

"v=spf1 +a +mx +ip4:aaa.aaa.aaa.aaa ~all"

- where aaa.aaa.aaa.aaa is the IP address that a.com usually sends mail from

Then just add another +ip4 referencing B's IP address

"v=spf1 +a +mx +ip4:aaa.aaa.aaa.aaa +ip4:bbb.bbb.bbb.bbb ~all"
- where bbb.bbb.bbb.bbb is the dedicated IP address that b.com sends mail through

So any time a.com sends email to b.com and it arrives at Google apps via b.com's dedicated IP, it'll do the SPF check and see that b.com's dedicated IP is an allowed IP address for sending a.com mail.

But I'd really like to understand what is going on.

a. are b.com's MX records pointing to Google mailservers and is b.com in /etc/remotedomains on the server?

OR

b. is b.com's mail being accepted locally and then forwarded to some other email accounts on Google apps [not @b.com] ?

Two different things there.

Depending upon how things are really set up [and it is impossible for us to know based upon the information you've given and the confusing nature of your email in general], just adding the IP address to the SPF may not be the preferred/best method. But it should get the job done in a pinch.

Mike
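The SPF change suggested in the post above, worked through as an added example (not code from the thread or from cPanel): it evaluates only the `ip4`/`ip6`/`all` terms of a record against the connecting IP, and also shows how a long record is carried as several TXT character-strings of at most 255 bytes each. The addresses are constructed stand-ins for aaa.aaa.aaa.aaa and bbb.bbb.bbb.bbb, and the function names are hypothetical.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_ip_result(record, client_ip):
    """Evaluate only the ip4/ip6 and all terms of an SPF record.

    a, mx and include need DNS and are skipped, so this is a partial
    check of the address terms, not a full RFC 7208 evaluation.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() in ("ip4", "ip6") and arg:
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name.lower() == "all":
            return QUALIFIERS[qualifier]
    return "neutral"

def txt_strings(record, limit=255):
    """Split a record into the character-strings of at most 255 bytes
    that one TXT RR carries; receivers join them without adding spaces."""
    data = record.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]

# Constructed sample values (documentation address ranges).
A_IP, B_IP = "192.0.2.10", "198.51.100.20"
BEFORE = f"v=spf1 +a +mx +ip4:{A_IP} ~all"
AFTER = f"v=spf1 +a +mx +ip4:{A_IP} +ip4:{B_IP} ~all"
# 40 constructed dedicated IPs: too long for a single 255-byte string.
MANY = "v=spf1 " + " ".join(f"+ip4:203.0.113.{n}" for n in range(1, 41)) + " ~all"

if __name__ == "__main__":
    print(spf_ip_result(BEFORE, B_IP), spf_ip_result(AFTER, B_IP))
    print([len(s) for s in txt_strings(MANY)])
```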
 

rinkleton

The SPF method won't work for reasons I listed in a subsequent reply.

I too want to get to the bottom of it. The setup is scenario A. b.com is in remote domains and we are using google's mx records for b.com (a.com is configured as a local domain). However looking at the email's headers it shows that google accepted the email from mail.b.com with b.com's dedicated IP. I can't really fathom why this would be happening other than a bug in cpanel or some random setting buried way deep.
 

mtindor

Well, if a website has a dedicated IP address, cPanel can be configured to use that dedicated IP address for outbound email delivery. And I'm guessing it probably is.

Your cPanel is likely either set to automatically configure any static IP websites to send out mail using the static IP, or your server may have been set up manually to have exim use the dedicated ip to send mail.

See: https://documentation.cpanel.net/display/CKB/How+to+Configure+Exim's+Outgoing+IP+Address

Are you using the automatic or manual method?

If you're using manual method, then just revert the process so there are no entries in /etc/mailhelo, /etc/mailips and /etc/mail/ for that particular website (b.com) with the dedicated IP for which mail is being handled at Google.

Mike
 

rinkleton

Yeah, I've configured cpanel to use each account's dedicated IP for sending.... except when sending from a.com it shouldn't be using b.com's dedicated IP right?
 

mtindor

> Yeah, I've configured cpanel to use each account's dedicated IP for sending.... except when sending from a.com it shouldn't be using b.com's dedicated IP right?

I get what you are saying. I agree that it shouldn't. And maybe that should be classified as a bug / unwanted behavior. But I suspect it's not erroneously sending ALL of A's mail out B's static, but rather only mail sent to b.com. Right? If that's the case, with your configuration the way it is, I can understand why exim might be wanting to use b.com's static IP to send email destined for b.com.

Mike
 

rinkleton

That's correct. But I only see it trying to do that if b.com was listed as a localdomain. Interesting tidbit....it still does this even if I turn off sending from each account's dedicated IP.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,270
463
Hello :)

Could you let us know the output from /var/log/exim_mainlog for one of these messages?

Thank you.
 

rinkleton

Thanks for the response.... Ok I have included output from 3 tests along with their respective headers. I've changed domain names and IPs. If you need the unedited version, or don't think it's a security issue, I can post the original.

All emails were sent from IP 11.11.11.11 using SMTP server 00.00.00.00 logging in as account [email protected]. This account exists on the same servers that the tests were sent to.

-----------------------

Code:
Test 1 - to an address on account b.tld.  This account has dedicated IP 44.44.44.44 and uses google for email (setup as remote)

2015-07-22 11:06:13 SMTP connection from [11.11.11.11]:63366 (TCP/IP connection count = 1)
2015-07-22 11:06:14 1ZHvb4-003xrQ-8e <= [email protected] H=rrcs-11-11-11-11.central.biz.rr.com (localhost) [11.11.11.11]:63366 P=esmtpsa X=TLSv1:DHE-RSA-AES256-SHA:256 A=dovecot_login:[email protected] S=8135 T="Test - Email" for [email protected]
2015-07-22 11:06:14 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ZHvb4-003xrQ-8e
2015-07-22 11:06:14 1ZHvb4-003xrQ-8e SMTP connection outbound 1437577574 1ZHvb4-003xrQ-8e a3.tld [email protected]
2015-07-22 11:06:14 SMTP connection from rrcs-11-11-11-11.central.biz.rr.com (localhost) [11.11.11.11]:63366 closed by QUIT
2015-07-22 11:06:15 1ZHvb4-003xrQ-8e => [email protected] R=lookuphost T=remote_smtp H=aspmx.l.google.com [74.125.28.26] X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 C="250 2.0.0 OK 1437577577 a20si1758166ioe.144 - gsmtp"
2015-07-22 11:06:15 1ZHvb4-003xrQ-8e Completed


Delivered-To: [email protected]
Received: by 22.22.22.22 with SMTP id v6csp1893339oaf;
  Wed, 22 Jul 2015 08:06:17 -0700 (PDT)
X-Received: by 33.33.33.33 with SMTP id d71mr5781138ioe.41.1437577577314;
  Wed, 22 Jul 2015 08:06:17 -0700 (PDT)
Return-Path: <[email protected]>
Received: from b.tld (mail.b.tld. [44.44.44.44])
  by mx.google.com with ESMTPS id a20si1758166ioe.144.2015.07.22.08.06.17
  for <[email protected]>
  (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
  Wed, 22 Jul 2015 08:06:17 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate 44.44.44.44 as permitted sender) client-ip=44.44.44.44;
Authentication-Results: mx.google.com;
  spf=softfail (google.com: domain of transitioning [email protected] does not designate 44.44.44.44 as permitted sender) smtp.mail=[email protected]
Date: Wed, 22 Jul 2015 08:06:17 -0700 (PDT)
Message-Id: <[email protected]>
Received: from rrcs-11-11-11-11.central.biz.rr.com ([11.11.11.11]:63366 helo=localhost)
   by s3.a.tld with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
   (Exim 4.82)
   (envelope-from <[email protected]>)
   id 1ZHvb4-003xrQ-8e
   for [email protected]; Wed, 22 Jul 2015 11:06:14 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_979b112cb37c952bb881bd9fb7a9e872"
From: [email protected]
To: [email protected]
Subject: Test - Email
X-Mailer: Test Mailer
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - s3.a.tld
X-AntiAbuse: Original Domain - b.tld
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - a3.tld
X-Get-Message-Sender-Via: s3.a.tld: authenticated_id: [email protected]
-----------------

Code:
Test 2 - to an address on account d.tld.  This account has dedicated IP 88.88.88.88 and uses enom for email (setup as remote)

2015-07-22 11:16:58 SMTP connection from [11.11.11.11]:64016 (TCP/IP connection count = 1)
2015-07-22 11:16:59 1ZHvlT-003yMH-EX <= [email protected] H=rrcs-11-11-11-11.central.biz.rr.com (localhost) [11.11.11.11]:64016 P=esmtpsa X=TLSv1:DHE-RSA-AES256-SHA:256 A=dovecot_login:[email protected] S=8153 T="Test - Email" for [email protected]
2015-07-22 11:16:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ZHvlT-003yMH-EX
2015-07-22 11:16:59 1ZHvlT-003yMH-EX SMTP connection outbound 1437578219 1ZHvlT-003yMH-EX a3.tld [email protected]
2015-07-22 11:17:00 SMTP connection from rrcs-11-11-11-11.central.biz.rr.com (localhost) [11.11.11.11]:64016 closed by QUIT
2015-07-22 11:18:04 1ZHvlT-003yMH-EX mx.mail2.name-services.com [55.55.55.55] Connection timed out
2015-07-22 11:18:04 1ZHvlT-003yMH-EX => [email protected] R=lookuphost T=remote_smtp H=mx.mail2.name-services.com [66.66.66.66] C="250 2.0.0 Ok: queued as C5C6544B031"
2015-07-22 11:18:04 1ZHvlT-003yMH-EX Completed


Return-Path: <[email protected]>
Received: from 77.77.77.77 unverified ([77.77.77.77]) by spsmtp01oc.mail2world.com with Mail2World SMTP Server; Wed, 22 Jul 2015 08:18:42 -0700
Received: from d.tld (unknown [88.88.88.88]) by c1mailgw10.amadis.com (Postfix) with ESMTP id C5C6544B031 for <[email protected]>; Wed, 22 Jul 2015 08:18:05 -0700 (PDT)
Received: from rrcs-11-11-11-11.central.biz.rr.com ([11.11.11.11]:64016 helo=localhost) by s3.a.tld with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.82) (envelope-from <[email protected]>) id 1ZHvlT-003yMH-EX for [email protected]; Wed, 22 Jul 2015 11:16:59 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_87d8b46def4dbee81327f7ffa1a33036"
From: [email protected]
To: [email protected]
Subject: Test - Email
X-Mailer: Test Mailer
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - s3.a.tld
X-AntiAbuse: Original Domain - d.tld
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - a3.tld
X-Get-Message-Sender-Via: s3.a.tld: authenticated_id: [email protected]
X-CTASD-RefID: str=0001.0A010202.55AFB448.00BE,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-CTASD-IP: 88.88.88.88
X-CTASD-Sender: [email protected]
x-ctasd: uncategorized
x-ctasd-vod: uncategorized
x-ctasd-station:
---------------

Code:
Test 3 - to an address on account c.tld.  This account has dedicated IP 99.99.99.99 and uses cpanel for email (setup as automatic) It looks like since this was delivered locally no SPF check was done.

SMTP connection from [11.11.11.11]:63834 (TCP/IP connection count = 1)
2015-07-22 11:13:03 1ZHvhf-003y8L-2Y <= [email protected] H=rrcs-11-11-11-11.central.biz.rr.com (localhost) [11.11.11.11]:63834 P=esmtpsa X=TLSv1:DHE-RSA-AES256-SHA:256 A=dovecot_login:[email protected] S=8147 T="Test - Email" for [email protected]
2015-07-22 11:13:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ZHvhf-003y8L-2Y
2015-07-22 11:13:03 SMTP connection from rrcs-11-11-11-11.central.biz.rr.com (localhost) [11.11.11.11]:63834 closed by QUIT
2015-07-22 11:13:03 1ZHvhf-003y8L-2Y => ryan <[email protected]> R=virtual_user T=virtual_userdelivery
2015-07-22 11:13:03 1ZHvhf-003y8L-2Y Completed


Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 22 Jul 2015 11:13:03 -0400
Received: from rrcs-11-11-11-11.central.biz.rr.com ([11.11.11.11]:63834 helo=localhost)
   by s3.a.tld with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
   (Exim 4.82)
   (envelope-from <[email protected]>)
   id 1ZHvhf-003y8L-2Y
   for [email protected]; Wed, 22 Jul 2015 11:13:03 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_97acbe865ce37cacdcfac1ef5a2c8184"
From: [email protected]
To: [email protected]
Subject: Test - Email
X-Mailer: Test Mailer
 

cPanelMichael

Hello :)

Could you open a support ticket using the link in my signature so we can take a better look at how this email account is configured on your system? You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

cPanelMichael

Hello :)

Internal case FB-171477 is open to address the issue where when the exchange is a remote exchange for a destination domain, and that destination domain is hosted on the server, the mail IP address used is not the sender domain IP address from the /etc/mailips file. You can monitor our change log to see when a resolution has been implemented:

cPanel - Change Logs

Thank you.
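A way to spot the behaviour described in this thread from a delivered message, as an added example (not cPanel's code and not part of the original posts): it compares the `client-ip` the receiver recorded in `Received-SPF` with the `/etc/mailips` entry for the envelope sender's domain. The `domain: ip` line format with `*` as the default entry is assumed, the function names are hypothetical, and the sample file and headers are constructed.

```python
import re

def parse_mailips(text):
    """Parse 'domain: ip' lines; '*' is the server-wide default entry."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            domain, _, ip = line.partition(":")
            table[domain.strip().lower()] = ip.strip()
    return table

def audit_delivery(headers, mailips):
    """Compare the IP the receiver logged with the sender domain's entry."""
    spf = re.search(r"^Received-SPF:\s*(\w+).*?client-ip=([0-9A-Fa-f.:]+)",
                    headers, re.M | re.S | re.I)
    rpath = re.search(r"^Return-Path:\s*<[^@>]*@([^>\s]+)>", headers, re.M | re.I)
    if not spf or not rpath:
        return None  # not enough information in these headers
    sender = rpath.group(1).lower()
    observed = spf.group(2)
    expected = mailips.get(sender, mailips.get("*"))
    # Which configured domains own the address the receiver actually saw?
    owners = sorted(d for d, ip in mailips.items() if ip == observed)
    return {"spf": spf.group(1).lower(), "sender_domain": sender,
            "expected_ip": expected, "observed_ip": observed,
            "observed_ip_owner": owners, "mismatch": observed != expected}

# Constructed /etc/mailips content and received headers (example domains/IPs).
MAILIPS = """*: 192.0.2.1
a.example: 192.0.2.10
b.example: 198.51.100.20
"""
HEADERS = """Return-Path: <user@a.example>
Received: from b.example (mail.b.example. [198.51.100.20])
  by mx.google.com with ESMTPS;
Received-SPF: softfail (google.com: domain of transitioning user@a.example
  does not designate 198.51.100.20 as permitted sender) client-ip=198.51.100.20;
"""

if __name__ == "__main__":
    print(audit_delivery(HEADERS, parse_mailips(MAILIPS)))
```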