I am sending email from server mercureytech.com using sendmail 8.17.1. Messages sent to my personal server at novatec-inc.com have the warning "(may be forged)". Here is the received email header:
Code:
From mfoley@mercureytech.com Sat Jul 30 01:17:27 2022
Return-Path: <mfoley@mercureytech.com>
Received: from mail.mercureytech.com (rrcs-24-142-169-11.mail.mercureytech.com [24.142.169.11] (may be forged))
by server.novatec-inc.com (8.15.2/8.15.2) with ESMTPS id 26U5HPD5025111
(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
for <mfoley@novatec-inc.com>; Sat, 30 Jul 2022 01:17:25 -0400
Authentication-Results: server.novatec-inc.com;
dkim=pass (1024-bit key) header.d=mercureytech.com header.i=@mercureytech.com header.b=P8d82Z55
Received: from mail.mercureytech.com (localhost [127.0.0.1])
by mail.mercureytech.com (8.17.1/8.15.2) with ESMTP id 26U5HML6001469;
Sat, 30 Jul 2022 01:17:22 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mercureytech.com;
s=mercmail; t=1659158244;
bh=S7MfL3WyNCJJphHLiLR3MF2X25bUYeCPDPgkzirIS/s=;
h=Date:From:To:Subject;
b=P8d82Z556A+QcNDVa/joNGAmFIgseDX525vubAUFTKrcW+ulSBdvd8AWy4fk7Iz5e
b0zEor88Ooig2PUmBiNIhaIl9zuUjqq4crMOr36oT8lFhL9MZoNgYX59VQCfE03Hgg
yXyiWQTbOZmqfOWWHKpszTs1PcDE5X6miomrdaH4=
Received: (from mfoley@localhost)
by mail.mercureytech.com (8.17.1/8.17.1/Submit) id 26U5HMJR001468;
Sat, 30 Jul 2022 01:17:22 -0400
I did a web search for "email may be forged warning" and turned up a number of links. Most of them were irrelevant to your situation, but this one looks like it just might be relevant, as it refers to sendmail specifically.
When sending a HELO string to the SMTP server, HELO is followed by either a literal or a FQDN. If it is followed by a FQDN, then the A and PTR records must match. If they do not, then a warning is returned.
When I connect to the mail server I get:
Code:
$ telnet mercureytech.com 25
Trying 24.142.169.11...
Connected to mercureytech.com.
Escape character is '^]'.
220 mail.mercureytech.com ESMTP Sendmail 8.17.1/8.15.2; Tue, 2 Aug 2022 00:05:50 -0400
A record:
$ host mercureytech.com
mercureytech.com has address 24.142.169.11
mercureytech.com mail is handled by 10 mail.mercureytech.com.
PTR record:
$ host 24.142.169.11
11.169.142.24.in-addr.arpa domain name pointer rrcs-24-142-169-11.mail.mercureytech.com.
Does this mean that the A record and PTR record do not match? I could change the PTR record to just mercureytech.com, but I hesitate to do that as I have to contact the ISP and ask them to change it. I'd like to have relatively high confidence that this is the right thing to do before getting them involved.
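The rule in the earlier reply (PTR name must forward-resolve back to the connecting IP) is a forward-confirmed reverse DNS check, and it is the test behind sendmail's "(may be forged)" annotation: sendmail reverse-resolves the peer's IP, forward-resolves the name it got, and flags the connection when the IP is not among the answers. The following is an added example written for this thread, not sendmail's code and not code from the original poster. It models the check against a constructed DNS table: the A record for mercureytech.com and the PTR for 24.142.169.11 are the ones quoted above; the A records for rrcs-24-142-169-11.mail.mercureytech.com in the two tables are assumptions, one table without such a record and one with it, so both outcomes can be seen.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, modelled on the test
sendmail applies before writing "(may be forged)" into a Received: line.

Added example for the thread; not sendmail code. All DNS data is a
constructed in-memory table, so this runs offline.
"""

# PTR data quoted in the thread: 24.142.169.11 -> rrcs-24-142-169-11...
DNS_PTR = {
    "11.169.142.24.in-addr.arpa": "rrcs-24-142-169-11.mail.mercureytech.com",
}

# Assumed forward data, case 1: the PTR name has no A record at all.
DNS_A_NO_FORWARD = {
    "mercureytech.com": ["24.142.169.11"],  # shown in the thread
}

# Assumed forward data, case 2: the PTR name resolves back to the IP.
DNS_A_CONFIRMED = {
    "mercureytech.com": ["24.142.169.11"],                          # shown
    "rrcs-24-142-169-11.mail.mercureytech.com": ["24.142.169.11"],  # assumed
}


def reverse_name(ip):
    """IPv4 dotted quad -> in-addr.arpa owner name used for the PTR lookup."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def fcrdns(ip, dns_a, dns_ptr):
    """Return (ptr_name, confirmed).

    ptr_name is None when the IP has no PTR. confirmed is True only when
    the PTR name forward-resolves to a set of addresses containing ip.
    Note that the check is on the PTR *name*, not on the HELO name or the
    domain's apex A record, so a correct apex A record alone is not enough.
    """
    ptr_name = dns_ptr.get(reverse_name(ip))
    if ptr_name is None:
        return None, False
    return ptr_name, ip in dns_a.get(ptr_name, [])


def received_from_clause(helo, ip, dns_a, dns_ptr):
    """Build the 'from ...' part of a Received: line in the shape sendmail
    uses: 'from HELO (PTR [ip])', with '(may be forged)' appended when the
    forward confirmation fails, and 'from HELO ([ip])' when there is no PTR.
    """
    ptr_name, confirmed = fcrdns(ip, dns_a, dns_ptr)
    if ptr_name is None:
        return f"from {helo} ([{ip}])"
    flag = "" if confirmed else " (may be forged)"
    return f"from {helo} ({ptr_name} [{ip}]{flag})"


if __name__ == "__main__":
    peer = "24.142.169.11"
    for label, table in (("no forward record", DNS_A_NO_FORWARD),
                         ("forward confirmed", DNS_A_CONFIRMED)):
        print(label + ":")
        print("  " + received_from_clause("mail.mercureytech.com", peer,
                                          table, DNS_PTR))
```

Against live DNS the same check is simply `host rrcs-24-142-169-11.mail.mercureytech.com`; if that answer does not contain 24.142.169.11, the annotation will stay no matter what SPF says. Which name the PTR returns is irrelevant to this check, so the PTR can stay as it is provided that name has a matching A record, or be changed to any other name that does.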
Since you're asking for the rDNS of a mail server, it should point to the FQDN of the mail server.
I.e. if "dig mx mydom.com" points to blah.mydom.com, then the IP should resolve back to blah.mydom.com.
So, these two comments seem to be at odds with each other. Do you/anyone advise that I change my PTR record to be mercureytech.com instead of mail.mercureytech.com?
TenTenths: Thanks for the suggestion. Before trying that I changed my SPF record to:
Code:
v=spf1 ip4:24.142.169.11 +all
That is, I changed "~all" to "+all". When I did that, I stopped getting the "(may be forged)" warning on emails received at my server novatec-inc.com, and Google delivered the message to a recipient at gmail.com! (at first to SPAM, but after marking it not spam subsequent messages went to the inbox).
+ Passes authentication. The server with matching IP address is authorized to send for your domain. Messages are authenticated. This is the default action when the mechanism doesn’t use a qualifier.
~ Softfails authentication. It's unlikely that the server with matching IP address is authorized to send for the domain. The receiving server will typically accept the message but mark it as suspicious.
Can someone explain this to me in simple language? For "Softfails" what "server" and what "matching IP address" is it talking about? The IP in the SPF record is the IP of the sending mail server. How could the IP from the very server sending the message be considered "unauthorized"? I don't get it.
The "all" at the end tells the receiving server what to do with any IP address that doesn't match. In this case having +all says that any IP that doesn't match (as in like EVERY ip online) should pass and be allowed. -all would be reject every non matching ip and ~all means soft fail (may be forged) every non matching ip. Soft-fails should be delivered but with "may be forged", hard fails (-all) should be dropped.
You could try changing your spf to add an "a" which says if the host has an A record in the given domain then it matches.
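To make the qualifier semantics from the reply above concrete, here is an added example (written for this thread, not code from any poster and not a full SPF library): a small evaluator for the `ip4`, `a` and `all` mechanisms with the `+`, `-`, `~` and `?` qualifiers, following the SPF rule that mechanisms are tried left to right, the first match decides, and a missing qualifier means `+`. The DNS table is constructed: the apex A record is the one quoted earlier in the thread, the A record for mail.mercureytech.com is an assumption. Running it shows why the `~all`/`+all` choice never changes the result for 24.142.169.11 itself (it matches `ip4:` first), and what `+all` does for every other address on the internet.

```python
"""Tiny SPF evaluator covering ip4, a and all with qualifiers.

Added example for the thread, not a complete SPF implementation: include,
mx, ptr, exists, redirect and macros are deliberately not handled and
raise ValueError. DNS is a constructed in-memory table.
"""
import ipaddress

# Constructed forward DNS table (not a live lookup).
DNS_A = {
    "mercureytech.com": ["24.142.169.11"],       # shown in the thread
    "mail.mercureytech.com": ["24.142.169.11"],  # assumption
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _split_qualifier(term):
    """'~all' -> ('~', 'all'); 'ip4:1.2.3.4' -> ('+', 'ip4:1.2.3.4')."""
    if term and term[0] in QUALIFIERS:
        return term[0], term[1:]
    return "+", term


def evaluate_spf(record, client_ip, domain, dns_a=DNS_A):
    """Return 'pass', 'fail', 'softfail' or 'neutral' for client_ip
    claiming to send for domain under the given SPF record.

    Mechanisms are tested in order; the first one that matches ends the
    evaluation and its qualifier is the result. If nothing matches and
    there is no 'all', the result is 'neutral'.
    """
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    ip = ipaddress.ip_address(client_ip)
    for term in parts[1:]:
        qualifier, mech = _split_qualifier(term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            # ip4:ADDR with no prefix length is a single host (/32)
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            # 'a' alone means the domain being checked; 'a:host' names another
            target = arg or domain
            matched = str(ip) in dns_a.get(target, [])
        else:
            raise ValueError("mechanism not implemented here: " + name)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    own_server = "24.142.169.11"
    stranger = "203.0.113.5"   # constructed address of some unrelated host
    for rec in ("v=spf1 ip4:24.142.169.11 ~all",
                "v=spf1 ip4:24.142.169.11 +all",
                "v=spf1 ip4:24.142.169.11 -all",
                "v=spf1 a:mail.mercureytech.com -all"):
        print("%-42s own server: %-8s stranger: %s" % (
            rec,
            evaluate_spf(rec, own_server, "mercureytech.com"),
            evaluate_spf(rec, stranger, "mercureytech.com")))
```

The `softfail` text quoted above ("unlikely that the server ... is authorized") describes the result for a non-matching address, not for the address listed in `ip4:`. Because `+all` makes any address on the internet pass for the domain, it is a policy that authorizes everyone, and it does nothing about a reverse-DNS annotation, which is a separate check made on the connecting IP before SPF is even consulted.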
I think a lot of your problems are because there's mismatches between your forward and reverse lookups, try the changes made in posts #6 and #8 and let us know how you get on.
I'm revisiting this question. I'm not getting any happiness. I'm still getting the "may be forged" in the headers regardless of my SPF "+all" or "~all" setting.
Code:
From maillist@mercureytech.com Thu Sep 29 01:05:15 2022
Return-Path: <maillist@mercureytech.com>
Received: from mail.mercureytech.com (rrcs-24-142-169-11.mail.mercureytech.com [24.142.169.11] (may be forged))
:
From: Mark Foley <maillist@mercureytech.com>
None of the comments/suggestions I've found on the Web seem to apply. Some comments say that it has to do with failed rDNS lookup, but the 3rd line shows the domain, IP and rDNS, all correct.
How can I get rid of this "may be forged message"? I'll try any suggestions