1 (edited by awkpavo 2017-05-13 02:03:03)

Topic: SPF check failing with incorrect hostname

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.6
- Linux/BSD distribution name and version: Ubuntu 16.04 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Related log if you're reporting an issue: see below
====

I tested a domain with a incorrect SPF record (wrong hostname) and put the policy on fail (-all). I tested sending mail via Sendgrid to the iRedmail server which only forwards. The mail passed and was delivered. It didn't check for the incorrect SPF of the sending domain. Sendgrid is by default on the whitelist of sending domains, but also from other severs it passes like sending via Sparkpost which is not on the whitelist.

Here is the log:

May 11 21:17:43 mx postfix/smtpd[32606]: connect from o1.7nn.fshared.sendgrid.net[167.89.55.00]
May 11 21:17:44 mx postfix/smtpd[32606]: Anonymous TLS connection established from o1.7nn.fshared.sendgrid.net[167.89.55.00]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May 11 21:17:45 mx postfix/smtpd[32606]: 9052460434: client=o1.7nn.fshared.sendgrid.net[167.89.55.00]
May 11 21:17:45 mx postsrsd[32611]: srs_forward: <bounces+1429439-4b8a-admin=sendinguser.com@sendgrid.net> rewritten as <SRS0=vNsa=4R=sendgrid.net=bounces+1429439-4b8a-admin=sendinguser.com@forwarder.com>
May 11 21:17:46 mx postfix/cleanup[32610]: 9052460434: message-id=<CAPa9m5FWjUHLSona_kuP7ROour-B7cVKDqmWvsqCdSa0T_7Aqw@mail.gmail.com>
May 11 21:17:46 mx postfix/qmgr[1610]: 9052460434: from=<srs0=vnsa=4r=sendgrid.net=bounces+1429439-4b8a-admin=sendinguser.com@forwarder.com>, size=2236, nrcpt=1 (queue active)
May 11 21:17:47 mx postfix/10025/smtpd[32616]: connect from localhost[127.0.0.1]
May 11 21:17:47 mx postfix/10025/smtpd[32616]: 434166045B: client=localhost[127.0.0.1]
May 11 21:17:47 mx postfix/cleanup[32610]: 434166045B: message-id=<CAPa9m5FWjUHLSona_kuP7ROour-B7cVKDqmWvsqCdSa0T_7Aqw@mail.gmail.com>
May 11 21:17:47 mx postfix/qmgr[1610]: 434166045B: from=<srs0=vnsa=4r=sendgrid.net=bounces+1429439-4b8a-admin=sendinguser.com@forwarder.com>, size=2410, nrcpt=1 (queue active)
May 11 21:17:47 mx postfix/10025/smtpd[32616]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 11 21:17:47 mx amavis[32363]: (32363-01) Passed CLEAN {RelayedInbound}, [167.89.55.00]:15812 [209.85.161.180] <srs0=vnsa=4r=sendgrid.net=bounces+1429439-4b8a-admin=sendinguser.com@forwarder.com> -> <mymailbox@gmail.com>, Queue-ID: 9052460434, Message-ID: <CAPa9m5FWjUHLSona_kuP7ROour-B7cVKDqmWvsqCdSa0T_7Aqw@mail.gmail.com>, mail_id: i-wmdByn93lR, Hits: 1.454, size: 2236, queued_as: 434166045B, dkim_sd=smtpapi:sendgrid.net, 1004 ms, Tests: [DKIM_SIGNED=0.1,DKIM_VALID=-0.1,HEADER_FROM_DIFFERENT_DOMAINS=0.001,HTML_MESSAGE=0.001,RCVD_IN_MSPIKE_H3=-0.01,RCVD_IN_MSPIKE_WL=-0.01,RCVD_IN_SORBS_SPAM=0.5,SPF_SOFTFAIL=0.972]
May 11 21:17:47 mx postfix/smtp-amavis/smtp[32613]: 9052460434: to=<mymailbox@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2, delays=1/0.02/0.01/1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 434166045B)
May 11 21:17:47 mx postfix/qmgr[1610]: 9052460434: removed
May 11 21:17:47 mx postfix/smtp[32617]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[173.194.69.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May 11 21:17:47 mx postfix/smtp[32617]: 434166045B: to=<mymailbox@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.69.27]:25, delay=0.25, delays=0.01/0.01/0.06/0.18, dsn=2.0.0, status=sent (250 2.0.0 OK 1494530267 h7si1000018ede.138 - gsmtp)
May 11 21:17:47 mx postfix/qmgr[1610]: 434166045B: removed
May 11 21:17:48 mx postfix/smtpd[32606]: disconnect from o1.7nn.fshared.sendgrid.net[167.89.55.00] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7

My assumption
It looks to me like it's not checking the SPF at all before the SRS rewrite (= needed to forward e-mail to other servers). So after the rewrite and forward, the destination mail server only checks the SPF of the forward server itself. Which checks out and passes it.

Any clue why the SPF check is failing to pick up the incorrect SPF and doesn't drop the message? This would mean every SMTP relay can send mail without being properly checking the original 'from' domain.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: SPF check failing with incorrect hostname

SPF check happens after-queue, not BEFORE-queue. And Amavisd shows you the spf check result and score:

SPF_SOFTFAIL=0.972

3

Re: SPF check failing with incorrect hostname

The SPF check should fail, as the SPF record for the sending domain is not on SOFTFAIL. The record states -all, so it may not softfail.

Can the config be changed to do it before queueing? I think it impacts the SPF score when the SRS rewrite hasn't been done yet and the original SPF from the sending domain is properly checked. After means that the SRS rewrite has been done, so the SPF from the forward server is checked. It could explain the low SPF SOFTFAIL score.

4

Re: SPF check failing with incorrect hostname

awkpavo wrote:

Can the config be changed to do it before queueing?

I'm afraid that you have to setup other SPF software for before-queue checking.