Default atMail configuration conflicts with SPF handler

Discussion in 'Plesk 9.x for Linux Issues, Fixes, How-To' started by JDKilmer, Oct 31, 2010.

  1. JDKilmer

    JDKilmer Guest

    Plesk/Linux v9.5.2

    We're setting up a new server this weekend, and with a fresh install of Plesk, discovered that there's a configuration discrepancy between the atMail webmail service and the SPF checking mechanism in Plesk. (This is actually a much broader problem with how Plesk resolves SPF failures, as I'll detail below, but atMail is the only "out of the box" feature that seems to be affected.)

    Specifically, users cannot send mail from atMail while SPF checking with any rejection level is enabled, even if SPF is set to the most permissive reject behavior: Reject mail when SPF resolves to "fail". Users always receive a "554 mail server permanently rejected message" response when trying to send through the webmail interface. The postfix mail log shows the following sequence:

    The SPF records themselves ARE set up correctly for the domains. After wrestling with this for a few hours, I believe I've found the cause, and a workaround. This is testable/provable by using telnet to manually process an SMTP transaction.

    atMail is configured in /var/www/atmail/libs/PEAR/Net/SMTP.php to set $localhost = 'localhost', which is the value that it uses when doing an EHLO with the SMTP server. However, with SPF enabled, any host that EHLOs as localhost is _REJECTED_ by the Plesk SPF processor regardless of the sender address. If you EHLO with the actual local host name (e.g. 'my.host.com'), the SPF check passes. Changing that $localhost value in the SMTP.php file to the machine's real hostname causes mail to begin sending properly from atMail.

    I haven't been able to find any documentation on how the SPF handler (/usr/local/psa/handlers/hooks/spf) actually resolves SPF records, so I don't know _why_ this is failing. But this is testable, in that if you issue an SMTP transaction by telnetting to localhost port 25, and EHLO as 'localhost', any mail send operation for a Plesk-hosted domain sender will fail during the SPF check (examples at bottom of this post). It's almost certainly not an SPF rules-related issue, as adding "ip4:" to the SPF local rules or the sending domain's SPF record does not have any effect on the behavior.

    The workaround mentioned will make things work temporarily, but I expect that this will start failing again the next time that atMail is updated. This will also fail for any other local mail-sending daemons that EHLO as 'localhost'. So a fix from Plesk would be helpful!

    If anyone else has encountered this, and has suggestions for fixing it on the SPF-side instead of the atMail-side, I'd appreciate it!

    SMTP fails with 'EHLO localhost':
    Same SMTP transaction _succeeds_ with 'EHLO my.hostname.com'
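
The comparison the post describes doing by hand over telnet, scripted with Python's smtplib as an added example (not part of the original post, and not Plesk or atMail code): it runs the same transaction once per EHLO name and reports the stage and reply at which the server first refuses. The sender, recipient and real hostname are supplied by the operator, and a probe that the server accepts is delivered as a real message.

```python
import smtplib
import sys


def probe(helo_name, sender, rcpt, host="localhost", port=25):
    """Run one SMTP transaction announcing helo_name in EHLO.

    Returns (stage, code, text) for the first reply >= 400, or for the
    final reply to DATA when every stage is accepted.
    """
    # Constructed test message; if the server accepts it, it is delivered.
    msg = f"From: {sender}\r\nTo: {rcpt}\r\nSubject: EHLO probe\r\n\r\nprobe\r\n"
    with smtplib.SMTP(host, port, local_hostname=helo_name, timeout=10) as s:
        stages = (("EHLO", s.ehlo),
                  ("MAIL", lambda: s.mail(sender)),
                  ("RCPT", lambda: s.rcpt(rcpt)),
                  ("DATA", lambda: s.data(msg)))
        for stage, step in stages:
            try:
                code, text = step()
            except smtplib.SMTPResponseException as exc:
                code, text = exc.smtp_code, exc.smtp_error
            if code >= 400:
                break
    if isinstance(text, bytes):
        text = text.decode(errors="replace")
    return stage, code, text


def compare(helo_names, sender, rcpt, host="localhost", port=25):
    """Probe once per EHLO name; map each name to its (stage, code, text)."""
    results = {}
    for name in helo_names:
        try:
            results[name] = probe(name, sender, rcpt, host, port)
        except OSError as exc:  # refused connection, timeout, dropped session
            results[name] = ("CONNECT", 0, str(exc))
    return results


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("usage: ehlo_probe.py SENDER RCPT REAL_HOSTNAME")
    else:
        sender, rcpt, real_name = sys.argv[1:4]
        found = compare(["localhost", real_name], sender, rcpt)
        for name, (stage, code, text) in found.items():
            print(f"EHLO {name:<24} -> {stage} {code} {text}")
```

Run it on the mail server itself, so the connection arrives from the loopback address as atMail's does.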