Hans Ekbrand
2011-Jan-04 19:59 UTC
[Pkg-exim4-users] activating SPF check on incoming mail
Hi list,

I have recently installed exim4-daemon-heavy and sa-exim with a few
anti-spam measures. I have documented the steps taken here:

http://code.cjb.net/mail-server.html

Spamassassin and greylistd both work as expected, but SPF verification
does not seem to work.

2011-01-04 15:22:56 H=178-33-110-173.kimsufi.com (gtei.net) [178.33.110.173] F=<rosanneb.b at gmail.com> temporarily rejected RCPT <hans at sociologi.cjb.net>: greylisted.
...
2011-01-04 17:30:31 1Pa9mJ-00077o-0G SA: Debug: SAEximRunCond expand returned: '1'
2011-01-04 17:30:31 1Pa9mJ-00077o-0G SA: Debug: check succeeded, running spamc
2011-01-04 17:30:33 1Pa9mJ-00077o-0G SA: Action: scanned but message isn't spam: score=4.8 required=5.0 (scanned in 2/2 secs | Message-Id: 76649590.20110104083008 at gmail.com). From <rosanneb.b at gmail.com> (host=178-33-110-173.kimsufi.com [178.33.110.173]) for hans at sociologi.cjb.net
2011-01-04 17:30:33 1Pa9mJ-00077o-0G <= rosanneb.b at gmail.com H=178-33-110-173.kimsufi.com (novembre) [178.33.110.173] P=smtp S=1322 id=76649590.20110104083008 at gmail.com
2011-01-04 17:30:34 1Pa9mJ-00077o-0G => |/usr/bin/procmail <hans at sociologi.cjb.net> R=userforward T=address_pipe
2011-01-04 17:30:34 1Pa9mJ-00077o-0G Completed

I thought this mail would fail a SPF check, since the IP 178.33.110.173
is not from gmail/google (I assume).

But there is nothing in the exim logs about any SPF check being done.
The mail has two SPF related mail headers, but I guess they could be
forged.

Received: from 178-33-110-173.kimsufi.com ([178.33.110.173] helo=novembre)
    by sociologi.cjb.net with smtp (Exim 4.69)
    (envelope-from <rosanneb.b at gmail.com>)
    id 1Pa9mJ-00077o-0G
    for hans at sociologi.cjb.net; Tue, 04 Jan 2011 17:30:33 +0100
From: Rosanne Bentley <rosanneb.b at gmail.com>
To: Hans <hans at sociologi.cjb.net>
Date: Tue, 4 Jan 2011 08:30:08 +0100
Reply-To: Rosanne Bentley <rosanneb.b at gmail.com>
Message-ID: <76649590.20110104083008 at gmail.com>
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Received-SPF: neutral
X-SPF-Guess: neutral
X-SA-Exim-Connect-IP: 178.33.110.173
X-SA-Exim-Mail-From: rosanneb.b at gmail.com
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on sociologi.cjb.net
X-Spam-Level: ****
X-Spam-Status: No, score=4.8 required=5.0 tests=DATE_IN_PAST_06_12,
    RDNS_DYNAMIC,SPF_NEUTRAL,TVD_RCVD_IP autolearn=no version=3.2.5
Subject: web_site_eval
X-SA-Exim-Version: 4.2.1 (built Wed, 25 Jun 2008 17:14:11 +0000)
X-SA-Exim-Scanned: Yes (on sociologi.cjb.net)

I configured SPF with the following file:

# cat /etc/exim4/conf.d/main/00_local_options
CHECK_RCPT_REVERSE_DNS = yes
CHECK_RCPT_SPF = yes
smtp_max_synprot_errors = 10

libmail-spf-query-perl is installed:

# dpkg -l libmail-spf-query-perl
||/ Name                    Version      Description
+++-=======================-============-============================================================
ii  libmail-spf-query-perl  1:1.999.1-3  query SPF (Sender Policy Framework) to validate mail senders

How do you know that exim does SPF verification?

--
Note that I use Debian version 5.0.7
Linux spelmaskinen 2.6.26-2-686 #1 SMP Thu Sep 16 19:35:51 UTC 2010 i686 GNU/Linux
Andreas Metzler
2011-Jan-05 18:22 UTC
[Pkg-exim4-users] activating SPF check on incoming mail
Hans Ekbrand <hans at sociologi.cjb.net> wrote:
> I have recently installed exim4-daemon-heavy and sa-exim with a few
> anti-spam measures. I have documented the steps taken here:
> http://code.cjb.net/mail-server.html
> Spamassassin and greylistd both work as expected, but SPF verification
> does not seem to work.
[...]
> I thought this mail would fail a SPF check, since the IP 178.33.110.173
> is not from gmail/google (I assume).

It is not, but google's SPF records say "neutral".

ametzler at argenau:~$ host -t txt gmail.com
gmail.com descriptive text "v=spf1 redirect=_spf.google.com"
ametzler at argenau:~$ host -t txt _spf.google.com
_spf.google.com descriptive text "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"

http://www.openspf.org/SPF_Record_Syntax
"Neutral
The SPF record specifies explicitly that nothing can be said about validity.
Intended action: accept"

(LENNY)ametzler at argenau:~$ spfquery.mail-spf-query-perl --ip 178.33.110.173 --mail-from rosanneb.b at gmail.com --helo novembre ; echo $?
neutral
Please see http://www.openspf.org/why.html?sender=rosanneb.b%40gmail.com&ip=178.33.110.173&receiver=spfquery
spfquery: 178.33.110.173 is neither permitted nor denied by domain of rosanneb.b at gmail.com
Received-SPF: neutral (spfquery: 178.33.110.173 is neither permitted nor denied by domain of rosanneb.b at gmail.com) client-ip=178.33.110.173; envelope-from=rosanneb.b at gmail.com; helo=novembre;
3

> But there is nothing in the exim logs about any SPF check being done.
> The mail has two SPF related mail headers, but I guess they could be
> forged.

They are added by the rcpt acl.

[...]
> How do you know that exim does SPF verification?

Try a domain with a restrictive policy, add log statements to the ACL.

cu andreas
--
`What a good friend you are to him, Dr. Maturin.
His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
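
Why the record quoted in the reply above yields "neutral" for 178.33.110.173, and what a restrictive policy would yield instead, as an added example that is not part of the original thread. The function name evaluate_spf is hypothetical, only the ip4/ip6 and all mechanisms are handled, and the "-all" variant of the record is constructed for comparison.

```python
import ipaddress

# Record for _spf.google.com exactly as quoted in the thread (2011 snapshot);
# gmail.com's "redirect=_spf.google.com" is treated as already followed.
GOOGLE_SPF_2011 = (
    "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 "
    "ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 "
    "ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 "
    "ip4:173.194.0.0/16 ?all"
)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate an SPF record left to right against client_ip.

    Hypothetical helper: supports ip4/ip6 and all only. Terms that need DNS
    (a, mx, include, redirect, ...) raise ValueError instead of being guessed.
    Returns (result, matching_term).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", None
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier, mech = "+", term          # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":                    # matches every sender
            return QUALIFIERS[qualifier], term
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier], term
            continue
        raise ValueError(f"term needs DNS, not handled here: {term}")
    return "neutral", None                   # nothing matched: neutral


if __name__ == "__main__":
    sender_ip = "178.33.110.173"             # connecting host from the thread
    strict = GOOGLE_SPF_2011.replace("?all", "-all")  # constructed variant
    for label, rec in (("as published", GOOGLE_SPF_2011), ("with -all", strict)):
        print(label, evaluate_spf(rec, sender_ip))
```

The first match wins, so an address outside every ip4 range falls through to the final all term and its qualifier alone decides between neutral and fail.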