SPF checks not working from all servers

Asked by Pramod

Good day,

On CentOS 7, I’m using, for SPF checking:

pypolicyd-spf-1.3.2-5.el7.noarch
python-pyspf-2.0.14-13.el7.noarch

Using these policyd-spf.conf settings:

debugLevel = 2
defaultSeedOnly = 1
HELO_reject = SPF_Not_pass
Mail_From_reject = Fail
PermError_reject = False
TempError_Defer = False
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1

Which seems to work fine, as it issues warnings to servers that aren’t authorised to send for domains that don’t have SPF records set up correctly. However, when I do a command line test from a remote (unauthorised) server to send mail through this server, it happily accepts the mail, even though the unauthorised server is not in the SPF list. The sending server is not in the list of allowed IP addresses. I can’t understand why it doesn’t get rejected by the SPF check.

Any advice would be deeply appreciated. Thank you.

Question information

Language: English
Status: Answered
For: SPF Engine
roman ross (romanross6) said:
#1

I think that is just a server error. If you want a solution, ask a professional person about this, or just wait for some time and it will work.

Scott Kitterman (kitterman) said :
#3

It depends on the exact SPF record for the domain in question. If an IP address doesn't match anything in the SPF record, then the SPF result is based on the all mechanism at the end. If the record ends in -all, that means it should be SPF fail and be rejected based on your configuration. If it ends in some other value, like ?all, then the result is not fail and should not be rejected. Rejecting on anything other than fail is not recommended.
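
Added example, not part of the thread and not pypolicyd-spf or pyspf code: a small offline evaluator showing how the qualifier on the trailing all mechanism decides the SPF result, and how that result maps to an action under the Mail_From_reject = Fail setting from the question. The records and addresses are constructed documentation values, only ip4, ip6 and all are evaluated (other mechanisms need DNS), and policy_action is a simplified model of that one setting.

```python
import ipaddress

# SPF qualifier -> result (RFC 7208); "+" is implied when no qualifier is given.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "Softfail", "?": "Neutral"}


def spf_result(record, client_ip):
    """Evaluate the ip4, ip6 and all mechanisms of one SPF record, left to right."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"  # not an SPF record
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            # "all" always matches, so its qualifier is the result for any
            # client that matched nothing earlier in the record.
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "PermError"  # malformed address in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # Mechanisms that need DNS (a, mx, include, ...) are skipped here.
    return "Neutral"  # nothing matched and the record has no "all"


def policy_action(result):
    """Simplified model of Mail_From_reject = Fail: reject only on Fail."""
    return "reject" if result == "Fail" else "accept"


def demo():
    """Same unauthorised client, three constructed records differing in 'all'."""
    client = "198.51.100.7"  # constructed; not inside 192.0.2.0/24
    records = ["v=spf1 ip4:192.0.2.0/24 -all",
               "v=spf1 ip4:192.0.2.0/24 ~all",
               "v=spf1 ip4:192.0.2.0/24 ?all"]
    return [(r, spf_result(r, client), policy_action(spf_result(r, client)))
            for r in records]
```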

Pramod (pramod) said :
#4

Thanks for taking the time to reply, but it wasn't quite what I was asking. I was running a hand-crafted SMTP transaction to test whether SPF tests were being implemented correctly on two different servers. The server I was testing from is not allowed to send mail for this domain (mindspring.co.za) via either server, i.e. mailmaster.mindspring.co.za or mb1.mindspring.co.za. In the case of the mailmaster server, the mail is accepted by Postfix, even though it fails SPF checks. For the second server, viz. mb1.mindspring.co.za, as soon as I submit the "From", it gets rejected by SPF. Is it possibly that the mb1 server is using a newer version of SPF, or is this a configuration issue?

I did subsequently find that the SPF checks are working on the first server that seemed to accept the mail (mailmaster.mindspring.co.za), but it got handed to SpamAssassin, which then rejected the mail because of SPF.

$ telnet mailmaster.mindspring.co.za 25
Trying 197.155.22.89...
Connected to mailmaster.mindspring.co.za.
Escape character is '^]'.
220 mailmaster.mindspring.co.za ESMTP Postfix
ehlo mindspring.co.za
250-mailmaster.mindspring.co.za
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: <email address hidden>
250 2.1.0 Ok
rcpt to: <email address hidden>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: test
1.
.
250 2.0.0 Ok: queued as D6A1743AD04A
quit
221 2.0.0 Bye
Connection closed by foreign host.

*********************************************************
 telnet mb1.mindspring.co.za 25
Trying 178.79.131.19...
Connected to mb1.mindspring.co.za.
Escape character is '^]'.
220 mail.mb1.mindspring.co.za ESMTP
ehlo mindspring.co.za
250-mail.mb1.mindspring.co.za
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
mail from: <email address hidden>
250 2.1.0 Ok
rcpt to: <email address hidden>
550 5.7.23 <email address hidden>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=helo;id=mindspring.co.za;ip=88.80.187.207;r=<UNKNOWN>
