SPF softfail is not rejected
Issue description
(First of all, thanks again for this awesome project and feel free to close if that's expected behavior or I've missed a configuration option)
There is a new service which uses address verification: https://reacher.email/
Checking the logs I saw the following:

```
Jul 02 09:31:38 myhostname postfix/smtpd[546036]: connect from ec2-3-231-223-125.compute-1.amazonaws.com[3.231.223.125]
Jul 02 09:31:39 myhostname policyd-spf[546042]: prepend Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=3.231.223.125; helo=gmail.com; envelope-from=reacher.email@gmail.com; receiver=<UNKNOWN>
Jul 02 09:31:39 myhostname postfix/smtpd[546036]: NOQUEUE: reject: RCPT from ec2-3-231-223-125.compute-1.amazonaws.com[3.231.223.125]: 550 5.1.1 <411ht82pEn9nuNg@mydomain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<reacher.email@gmail.com> to=<411ht82pEn9nuNg@mydomain.com> proto=ESMTP helo=<gmail.com>
Jul 02 09:31:39 myhostname postfix/smtpd[546036]: NOQUEUE: reject: RCPT from ec2-3-231-223-125.compute-1.amazonaws.com[3.231.223.125]: 550 5.1.1 <invalidtest@mydomain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<reacher.email@gmail.com> to=<invalidtest@mydomain.com> proto=ESMTP helo=<gmail.com>
Jul 02 09:31:39 myhostname postfix/smtpd[546036]: disconnect from ec2-3-231-223-125.compute-1.amazonaws.com[3.231.223.125] ehlo=1 mail=1 rcpt=0/2 quit=1 commands=3/5
```
The second line indicates that this fails the SPF check.
What I expected to happen:
Shouldn't this be blocked directly, since it is basically spoofing the gmail.com domain while coming from an AWS network?
What happened:
Process continued.
Technical details
- system: `"x86_64-linux"`
- host os: `Linux 5.4.100, NixOS, 21.05.1252.e9148dc1c30 (Okapi)`
- multi-user?: `yes`
- sandbox: `yes`
- version: `nix-env (Nix) 2.3.12`
- channels(root): `"nixos-21.05.1252.e9148dc1c30"`
- nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
SNM release branch name and Commit ID
Branch 21.05 (I don't know the exact commit, but I upgraded the system recently)
Relevant part of the config to reproduce:
```nix
mailserver = {
  enable = true;
  fqdn = "redacted";
  domains = [ redacted ];
  mailDirectory = "/shared/mail";
  certificateDirectory = "/shared/mail/certificates";
  dkimKeyDirectory = "/shared/.mail_dkim_keys";
  certificateScheme = 3;
  loginAccounts = {
    "${secrets.mailAccount}" = {
      hashedPassword = secrets.mailAccountPass;
    };
  };
  extraVirtualAliases = secrets.mailVirtualAliases;
  enableImap = true;
  enablePop3 = true;
  enableImapSsl = true;
  enablePop3Ssl = true;
  enableManageSieve = true;
  virusScanning = false;
  localDnsResolver = false;
  mailboxes = {
    Trash = {
...
```
journald log: the relevant part is provided above.
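As an added illustration (not code from this issue or from SNM), the following Python parses policyd-spf journald lines like the ones above and shows which SPF results would be rejected under python-policyd-spf's `Mail_From_reject` setting, which is assumed from that tool's documentation to default to `Fail`, so a `Softfail` only gets a prepended `Received-SPF` header. The second, passing log line is constructed for contrast; the first is taken from the report.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: first line copied from the issue, second line made up
# (documentation IP 198.51.100.7) to show a passing result for contrast.
SAMPLE_LOG = """\
Jul 02 09:31:39 myhostname policyd-spf[546042]: prepend Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=3.231.223.125; helo=gmail.com; envelope-from=reacher.email@gmail.com; receiver=<UNKNOWN>
Jul 02 09:40:00 myhostname policyd-spf[546099]: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=198.51.100.7; helo=mail.example.net; envelope-from=alice@example.net; receiver=<UNKNOWN>
"""

# Matches the "prepend Received-SPF: <result> (<scope>) ..." lines that
# policyd-spf logs; smtpd lines do not carry this prefix and are skipped.
SPF_RE = re.compile(
    r"policyd-spf\[\d+\]: prepend Received-SPF: (?P<result>\w+) \((?P<scope>\w+)\)"
    r".*?client-ip=(?P<ip>[0-9a-fA-F.:]+);.*?helo=(?P<helo>[^;]+);"
    r".*?envelope-from=(?P<from>[^;]+);"
)


@dataclass
class SpfEvent:
    result: str        # Pass, Softfail, Fail, Neutral, None, ...
    scope: str         # mailfrom or helo
    client_ip: str
    helo: str
    envelope_from: str


def parse_spf_events(log: str) -> list[SpfEvent]:
    """Extract one SpfEvent per policyd-spf 'prepend Received-SPF' line."""
    return [
        SpfEvent(m["result"], m["scope"], m["ip"], m["helo"], m["from"])
        for m in (SPF_RE.search(line) for line in log.splitlines()) if m
    ]


def spf_action(event: SpfEvent, mail_from_reject: str = "Fail") -> str:
    """Assumed Mail_From_reject semantics: 'Fail' rejects only hard fails,
    'Softfail' rejects both Fail and Softfail, 'None' never rejects. Any
    result not in the reject set only gets the Received-SPF header prepended."""
    reject_set = {"Fail": {"Fail"}, "Softfail": {"Fail", "Softfail"}, "None": set()}
    return "reject" if event.result in reject_set[mail_from_reject] else "prepend"


if __name__ == "__main__":
    for ev in parse_spf_events(SAMPLE_LOG):
        print(f"{ev.client_ip:>15} {ev.envelope_from:<28} {ev.result:<8} "
              f"default={spf_action(ev)} strict={spf_action(ev, 'Softfail')}")
```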