Hi,
I'm currently having some issues with internal systems that used to work fine.
I recently upgraded to Mail Gateway 9.1.0 kernel: 7.0.6-2-pve
Now my internal services seem to have trouble sending e-mails:
```
SMTP Error: The following recipients failed: {USER]@{Domain}.de: <{USER]@{Domain}.de>: Recipient address rejected: Rejected by SPF: 192.168.60.120 is not a designated mailserver for noreply%40{DOMAIN}.de (context mfrom, on mail.{DOMAIN}.de)\r\n"}}
```
The SPF reject usually means the service is still submitting mail to PMG on the external SMTP port 25, where SPF checks are applied. Could you please configure the internal service to use PMG as smarthost on the internal SMTP port, default 26 [0], and retest?
If it must use port 25, add `192.168.60.120/32` or the subnet to the SMTP Welcomelist [1] to bypass SPF checks for that internal sender.
Hi, I just stumbled across this because I am currently trying to tweak our mail configuration at my workplace.
Happily for us, we are using split DNS for resolving internal hosts and external hosts. So what we did (because SpamAssassin also does SPF checks during spam evaluation) was implement a different SPF record for internal hosts, so that our PMG would see any internal relaying SMTP servers as designated senders.
The SMTP Welcomelist feature is new, isn't it? Or did I just overlook it every time I was digging through the manual? But good to know that it is there!
In my case it was a DNS / hosts file issue.
I had a hosts file in place pointing the external domain to an internal IP.
That got overwritten by mistake, and therefore it (correctly) enforced SPF.