SPF Problem with Admin Mails

Discussion in 'Installation/Configuration' started by Sicor DevTeam, Mar 12, 2019.

  1. Sicor DevTeam

    Sicor DevTeam New Member

    As far as i know ISPConfig sends admin mails with the admin email address in the FROM Header. Let's assume it's [email protected] example.com.
    If there's an SPF and DMARC Record for example.com that prevents sending mails from non authorized IPs, then the mail would not be deliviered. You would have to add every server ip to the SPF Record in order to allow sending mails, which would be a bad workaround (?).

    Is there a way to configure the sender email-adress of the admin mails to something like [email protected] hostname.com ?
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    That is a common practice, you just create an spf record for the hosting service which covers all the server ip's (or hostnames), then include that in spf records of customer domains.

    Try: System > Main Config > Mail > Administrator's e-mail
  3. Sicor DevTeam

    Sicor DevTeam New Member

    This would imply that every server would be allowed to send from our companies main mail domain, which we definitely don't want to allow. Just a single website has to be breached to be allowed to send fake mails from our main domain.

    The problem is, that I need to use a different sender and reciepient adress. (The setting sets both addresses)
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Yes, but the alternative is to add specific server ip's to the SPF record, which I believe was one aspect of your complaint/issue in your original post?
    Yes, though for most hosting setups that's about a non-issue, as spam sent from compromised sites usually has a sender address from the website domain itself, which typically is already in the SPF record. You may have stricter requirements in your environment, but most do not (as attested by _spf.google.com, spf.protection.outlook.com, etc).
    Curious, I didn't realize it would use a different sender/recipient if you don't specify an address there. You could put in a feature request, but I don't believe it's possible to do what you want in ISPConfig right now. You might be able to work around it at the postfix level and re-write the sender address (see http://www.postfix.org/postconf.5.html#sender_canonical_maps).
  5. Sicor DevTeam

    Sicor DevTeam New Member

    You pointed me to the right direction. First I tried to use sender_canonical_maps, which were working fine. But I would have to modify every postfix main.cf ..

    Then I had a look in our /etc/aliases, where all root mails are forwarded to a single mail account. The crucial line was
    "root: [email protected]".

    If you set the Admin Mail address to just "root", then postfix sends the mail from [email protected] to our mail account [email protected]. This should be the perfect solution for our case, without changing any SPF/Dmarc Policies or whitelisting the server :)

    Thank you for your input ;)
    Jesse Norell likes this.

Share This Page