Re: Trouble with SPF plugin
>> On Thu, 19 Nov 2015 11:05:28 -0700 Jonathan Hilgeman wrote:
>>> I just recently noticed that I hadn't enabled the SPF plugin, so I did
>>> that and ran a quick test to test an SPF failure.
>>>
>>> However, in the resulting email, I get an SPF_HELO_PASS result and no
>>> other SPF_ test results.

does your MTA put sender address to Return-Path or other header?
SPF is applied on mail envelope from: (not header From:) and it must appear in headers for SA to check.
SPF_HELO_* checks use helo string from Received: header.

> On 19.11.2015 at 20:26, RW wrote:
>> Did the envelope from address contain a domain with an SPF record? For
>> some reason the SPF_NONE result is turned-off, so you won't see results
>> for domains that don't have a policy

On 19.11.15 20:30, Reindl Harald wrote:
> [root@mail-gw:~]$ cat maillog | grep SPF_NONE | grep "Nov 19" | wc -l
> 837

grep SPF_NONE maillog| grep -c "Nov 19"

would do the same job, just FYI ;-)

> [root@mail-gw:~]$ sa-score.sh SPF_NONE
> /usr/share/spamassassin
> score SPF_NONE 0
> /var/lib/spamassassin/3.004001/updates_spamassassin_org
> score SPF_NONE 0
> /etc/mail/spamassassin/local-*.cf
> score SPF_NONE 0.05

this confirms it: it's turned off (score 0) for some reason, just you have turned it on :-)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Your mouse has moved. Windows NT will now restart for changes to take effect. [OK]
Re: Trouble with SPF plugin
Hi Bill,

I realized after I hit send that I didn't include any setup / configuration, but didn't want to spam the list right out of the gate. I think I have a good idea of the problem, but am looking for the source of it.

NOTE: I updated SA about an hour ago to see if it would fix anything (it didn't, but I understand why)

First, my setup:
SpamAssassin: 3.4.1
SMTP: Qmail 1.06 (Life with qmail setup) + Vpopmail
Enabled Plugins in init.pre: Relay-Country, Hashcash, SPF

Now, incoming mails go through an intermediate script that logs the raw message, and then processes it with spamc/spamd. I grabbed one of the raw messages and debugged it with the spamassassin client (raw message is stored in qmailfilter_4tKFKK):

spamassassin -D < qmailfilter_4tKFKK 2>&1 | grep -i "spf"

In the output, I see:

Nov 19 14:21:10.748 [22787] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks
Nov 19 14:21:10.748 [22787] dbg: spf: cannot get Envelope-From, cannot use SPF

So I re-checked the debug output and looked for the envelope-from processing:

spamassassin -D < qmailfilter_4tKFKK 2>&1 | grep -i "envelope-from"

Output:

Nov 19 14:32:46.179 [23285] dbg: message: Return-Path header found after 1 or more Received lines, cannot trust envelope-from
Nov 19 14:32:46.338 [23285] dbg: message: Return-Path header found after 1 or more Received lines, cannot trust envelope-from
Nov 19 14:32:46.631 [23285] dbg: spf: cannot get Envelope-From, cannot use SPF
Nov 19 14:32:46.941 [23285] dbg: message: Return-Path header found after 1 or more Received lines, cannot trust envelope-from

So I checked the mail files and sure enough, "Return-Path:" is at the end of the mail headers.

At this point, I'm assuming it's a problem due to the intermediate script or somewhere before that. Perhaps a script is moving the header (it -shouldn't- but you never know), or the header is getting written late in the game. The message goes through about 3 layers of different delivery filters, so it's time to check those for culprits.

Thursday, November 19, 2015, 12:33:24 PM, you wrote:

> On 19 Nov 2015, at 13:05, Jonathan Hilgeman wrote:
>> I just recently noticed that I hadn't enabled the SPF plugin, so I did
>> that and ran a quick test to test an SPF failure.
>>
>> However, in the resulting email, I get an SPF_HELO_PASS result and no
>> other SPF_ test results.
>>
>> Did the plugin only run the HELO test and not check the actual IP
>> against the SPF record? If so, that seems like a very
>> easily-faked and inaccurate test.
>>
>> Assuming that is true, is there a good way to force the main SPF tests
>> to run instead of only checking the HELO values?

> That's not normal SA SPF checking behavior, but since you didn't provide
> a single piece of data about your test or config it is hard to nail down
> a certain explanation for why you got the result you got.

> In general, it is important to understand what SPF tests and what it
> does not test and what the possible results are. The primary SPF test is
> of the envelope sender address, NOT an address extracted from the
> "From:" header or anything else in the message data. If the domain part
> of the envelope sender has no SPF record in DNS, there is no SPF test of
> that domain possible, so there can be no result. Such a message might
> have a HELO name that does have a SPF record, so that would be testable.

> You can test for missing SPF records by giving a non-zero score to the
> SPF_NONE rule, since any rules scored at 0 are skipped entirely.
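A quick way to check a logged raw message for the condition named in the debug output above (a Return-Path header appearing after one or more Received lines), as an added example that is not part of the original thread and is not SpamAssassin's own code. The sample headers and the function names are constructed for illustration.

```python
import re

# Constructed sample: headers as a delivery filter might leave them, with
# Return-Path written after the Received lines (all values are made up).
SAMPLE_BAD = (
    "Received: (qmail 4242 invoked by uid 89); 19 Nov 2015 21:21:09 -0000\n"
    "Received: from mail.example.net (HELO mail.example.net) (192.0.2.10)\n"
    "  by mx.example.org with SMTP; 19 Nov 2015 21:21:08 -0000\n"
    "From: Alice <alice@example.net>\n"
    "Subject: test\n"
    "Return-Path: <bounce@example.net>\n"
    "\n"
    "body\n"
)

def header_fields(raw):
    """Yield (name, value) for each header field in order, unfolding continuations."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    unfolded = re.sub(r"\r?\n[ \t]+", " ", head)
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            yield name.strip().lower(), value.strip()

def envelope_from_report(raw):
    """Report where the first Return-Path sits relative to the Received lines.

    'usable' is True only when Return-Path comes before every Received line,
    i.e. the situation the debug message complains about does not apply.
    """
    received_seen = 0
    for name, value in header_fields(raw):
        if name == "received":
            received_seen += 1
        elif name == "return-path":
            return {
                "return_path": value.strip("<>"),
                "received_before": received_seen,
                "usable": received_seen == 0,
            }
    # No Return-Path at all: nothing to take the envelope sender from.
    return {"return_path": None, "received_before": received_seen, "usable": False}

if __name__ == "__main__":
    print(envelope_from_report(SAMPLE_BAD))
```

Running it against the file saved at each filter layer shows which layer first leaves Return-Path below a Received line.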
Re: Trouble with SPF plugin
On 19 Nov 2015, at 13:05, Jonathan Hilgeman wrote:

> I just recently noticed that I hadn't enabled the SPF plugin, so I did
> that and ran a quick test to test an SPF failure.
>
> However, in the resulting email, I get an SPF_HELO_PASS result and no
> other SPF_ test results.
>
> Did the plugin only run the HELO test and not check the actual IP
> against the SPF record? If so, that seems like a very
> easily-faked and inaccurate test.
>
> Assuming that is true, is there a good way to force the main SPF tests
> to run instead of only checking the HELO values?

That's not normal SA SPF checking behavior, but since you didn't provide a single piece of data about your test or config it is hard to nail down a certain explanation for why you got the result you got.

In general, it is important to understand what SPF tests and what it does not test and what the possible results are. The primary SPF test is of the envelope sender address, NOT an address extracted from the "From:" header or anything else in the message data. If the domain part of the envelope sender has no SPF record in DNS, there is no SPF test of that domain possible, so there can be no result. Such a message might have a HELO name that does have a SPF record, so that would be testable.

You can test for missing SPF records by giving a non-zero score to the SPF_NONE rule, since any rules scored at 0 are skipped entirely.
Re: Trouble with SPF plugin
On 19.11.2015 at 20:26, RW wrote:

> On Thu, 19 Nov 2015 11:05:28 -0700 Jonathan Hilgeman wrote:
>> I just recently noticed that I hadn't enabled the SPF plugin, so I did
>> that and ran a quick test to test an SPF failure.
>>
>> However, in the resulting email, I get an SPF_HELO_PASS result and no
>> other SPF_ test results.
>
> Did the envelope from address contain a domain with an SPF record? For
> some reason the SPF_NONE result is turned-off, so you won't see results
> for domains that don't have a policy

[root@mail-gw:~]$ cat maillog | grep SPF_NONE | grep "Nov 19" | wc -l
837

[root@mail-gw:~]$ sa-score.sh SPF_NONE
/usr/share/spamassassin
score SPF_NONE 0
/var/lib/spamassassin/3.004001/updates_spamassassin_org
score SPF_NONE 0
/etc/mail/spamassassin/local-*.cf
score SPF_NONE 0.05
Re: Trouble with SPF plugin
On Thu, 19 Nov 2015 11:05:28 -0700 Jonathan Hilgeman wrote:

> I just recently noticed that I hadn't enabled the SPF plugin, so I did
> that and ran a quick test to test an SPF failure.
>
> However, in the resulting email, I get an SPF_HELO_PASS result and no
> other SPF_ test results.

Did the envelope from address contain a domain with an SPF record? For some reason the SPF_NONE result is turned-off, so you won't see results for domains that don't have a policy.

> Did the plugin only run the HELO test and not check the actual IP
> against the SPF record? If so, that seems like a very
> easily-faked and inaccurate test.

The HELO is used in place of the sender domain, not the IP address.
Trouble with SPF plugin
I just recently noticed that I hadn't enabled the SPF plugin, so I did that and ran a quick test to test an SPF failure.

However, in the resulting email, I get an SPF_HELO_PASS result and no other SPF_ test results.

Did the plugin only run the HELO test and not check the actual IP against the SPF record? If so, that seems like a very easily-faked and inaccurate test.

Assuming that is true, is there a good way to force the main SPF tests to run instead of only checking the HELO values?