Forwarded to devs [PES extension] SPF always passes on incoming email when local SPF rule is set

Kaspar

User name: Rasp

TITLE

[PES extension] SPF always passes on incoming email when local SPF rule is set

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

CentOS 7.8.2003, Version 17.8.11 Update #85, Plesk Email Security Extension version 1.0.5-184 (free version)

PROBLEM DESCRIPTION

When the PES extension is installed and a local SPF rule is set in Plesk, all incoming email messages seem to pass the SPF check, even when messages are sent from an unauthorized server/domain with a strict SPF rule.

When looking at the headers of a received email message, there is always the line:

Code:
Received-SPF: pass (example.hostname.com: localhost is always allowed.) client-ip=127.0.0.1; [email protected]; helo=localhost;

All headers from a received message sent from a Gmail account:

Code:
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from localhost (unknown [127.0.0.1])
    by example.hostname.com (Postfix) with ESMTP id 951E1852AB1
    for <[email protected]>; Sat, 9 May 2020 10:02:55 +0000 (UTC)
Authentication-Results: example.hostname.com;
    dkim=pass header.d=gmail.com;
    spf=pass (sender IP is 127.0.0.1) [email protected] smtp.helo=localhost
Received-SPF: pass (example.hostname.com: localhost is always allowed.) client-ip=127.0.0.1; [email protected]; helo=localhost;
X-Spam-Flag: NO
X-Spam-Score: -0.096
X-Spam-Level:
X-Spam-Status: No, score=-0.096 tagged_above=-9999 required=8
    tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
    FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001,
    TVD_SPACE_RATIO=0.001] autolearn=ham autolearn_force=no
Authentication-Results: example.hostname.com (amavisd-new);
    dkim=pass (2048-bit key) header.d=gmail.com
Received: from example.hostname.com ([127.0.0.1])
    by localhost (example.hostname.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id jqjJG-c4FfaU for <[email protected]>;
    Sat, 9 May 2020 12:02:54 +0200 (CEST)
Received: from mail-il1-x130.google.com (mail-il1-x130.google.com [IPv6:2607:f8b0:4864:20::130])
    by example.hostname.com (Postfix) with ESMTPS id 71C5A81BD3D
    for <[email protected]>; Sat, 9 May 2020 12:02:54 +0200 (CEST)
Received-SPF: none (example.hostname.com: no valid SPF record)
Received: by mail-il1-x130.google.com with SMTP id b18so3784340ilf.2
    for <[email protected]>; Sat, 09 May 2020 03:02:54 -0700 (PDT)
X-Received: by 1001:xxx:xxx:: with SMTP id b16mr7111433ilf.297.1589018571852;
    Sat, 09 May 2020 03:02:51 -0700 (PDT)
MIME-Version: 1.0
From: The best server Admin <[email protected]>
Date: Sat, 9 May 2020 12:02:40 +0200
Message-ID: <CAGRcP3+EdyYgoNmicEYtSRod7mAOOC+zwRbuBR89p0Czt3hihA@mail.gmail.com>
Subject: Hello world
To: [email protected]

STEPS TO REPRODUCE

1) Set a local SPF rule (I've set include:spf.antispamcloud.com)
2) Install the Plesk Email Security Extension (free version)
3) Set up a domain and a mailbox (if you do not have one already)
4) Send an email to that mailbox and view the email headers of that message

ACTUAL RESULT

Email messages always pass SPF check

EXPECTED RESULT

PES should adhere to the SPF rules

ANY ADDITIONAL INFORMATION



YOUR EXPECTATIONS FROM PLESK SERVICE TEAM


Confirm bug
 
From developer:

Plesk Email Security does not remove the SPF handler provided by Plesk. You can run the command

plesk sbin mail_handlers_control --list

to see whether the SPF handler is active:

| X | | 10 | all-recipients | spf | global | before-queue |

If there is this entry, then the handler is executed according to the rules set in the Mail Server Settings.

Additionally, I cannot reproduce the header information using my Plesk mail account and a Google Mail account. In both cases the "Received-SPF" header is set properly; in the case of PES, it is added one more time due to the Amavis integration within the mail transport chain.

Without PES:

Received-SPF: pass (mail.example.com: domain of googlemail.com designates 209.85.167.181 as permitted sender) client-ip=209.85.167.181; envelope-from=[email protected]; helo=mail-oi1-f181.google.com;

With PES:

Received-SPF: pass (mail.example.com: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=[email protected]; helo=plesk.code-sprint.de;
[...]
Received-SPF: pass (mail.example.com: domain of googlemail.com designates 209.85.167.179 as permitted sender) client-ip=209.85.167.179; envelope-from=[email protected]; helo=mail-oi1-f179.google.com;
 
Thank you for the explanation. However, I do think there is something not quite working right. I have run some new tests on a VPS with a fresh Plesk install and encountered the same issue. I am only able to reproduce the same results from the developer when no local SPF rules are used.

When I run # plesk sbin mail_handlers_control --list I get:
| X | | 10 | all-recipients | spf | global | before-queue |

The mail header results I get are:

Without PES
No local SPF value specified in Plesk
Received-SPF: pass (test.hostname.com: domain of gmail.com designates 2607:f8b0:4864:20::e34 as permitted sender) client-ip=2607:f8b0:4864:20::e34; envelope-from=[email protected]; helo=mail-vs1-xe34.google.com;

Without PES
Local SPF value specified in Plesk
(include:spf.antispamcloud.com)
Received-SPF: none (test.hostname.com: no valid SPF record)


With PES
No local SPF value specified in Plesk

Received-SPF: pass (test.hostname.com: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=[email protected]; helo=test.hostname.com;
[...]
Received-SPF: pass (test.hostname.com: domain of gmail.com designates 2607:f8b0:4864:20::92c as permitted sender) client-ip=2607:f8b0:4864:20::92c; envelope-from=[email protected]; helo=mail-ua1-x92c.google.com;

With PES
Local SPF value specified in Plesk
(include:spf.antispamcloud.com)
Received-SPF: pass (test.hostname.com: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=[email protected]; helo=test.hostname.com;
[...]
Received-SPF: none (test.hostname.com: no valid SPF record)

So it seems something goes wrong when a local SPF rule is specified. From what I understand from the documentation, the local SPF rule is concatenated to the actual sender's domain. So imagine the SPF rule gets rewritten to v=spf1 redirect=_spf.google.com include:spf.antispamcloud.com, which, as far as I can tell from the RFC 7208 specification, is a valid syntax. But somehow it seems to fail the SPF check in Plesk.
 
Hey Rasp,

just for my understanding:

With PES and your local SPF rule, the email was not handled correctly (like without having PES installed)? Or what exactly is the difference? If Plesk's SPF handler is enabled, it is always applied first, before PES gets the email for the content filter checks.

I compared your header information and don't see a difference in the main entry SPF string (with PES it is the second entry in your example, but chronologically it is the first SPF entry).

Amavis also adds a local SPF header ("localhost is always allowed"), this header is independent of any local SPF rules and is only used for internal communication with the connected filters (SpamAssassin and ClamAV).

Cheers
 
Hi @Viktor Vogel, I have to apologize for any confusion caused. I initially was under the impression that this was a PES related issue. It's not. As you rightfully pointed out the SPF results are actually the same, whether PES is installed or not.

The issue (SPF cannot be checked in some cases when a local rule is set because the rule becomes invalid) seems to be related to the general SPF checking mechanism used in Plesk. I'll open a new bug report for this.
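
The header ordering discussed in this thread (the topmost "localhost is always allowed" entry comes from the Amavis re-injection hop, while the lower Received-SPF header carries the verdict for the external sender) can be checked mechanically. The following Python sketch is an added example, not part of any post in this thread and not Plesk code; the sample message is constructed from the headers quoted above with placeholder example.com addresses, and the function names are hypothetical.

```python
import email
import ipaddress
import re

# Constructed sample modelled on the headers quoted in the thread;
# the example.com addresses are placeholders.
SAMPLE = """\
Return-Path: <sender@example.com>
Received: from localhost (unknown [127.0.0.1])
    by example.hostname.com (Postfix) with ESMTP id 951E1852AB1
    for <user@example.com>; Sat, 9 May 2020 10:02:55 +0000 (UTC)
Received-SPF: pass (example.hostname.com: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=sender@example.com; helo=localhost;
Received: from mail-il1-x130.google.com (mail-il1-x130.google.com [IPv6:2607:f8b0:4864:20::130])
    by example.hostname.com (Postfix) with ESMTPS id 71C5A81BD3D
    for <user@example.com>; Sat, 9 May 2020 12:02:54 +0200 (CEST)
Received-SPF: none (example.hostname.com: no valid SPF record)
Subject: Hello world

body
"""

CLIENT_IP_RE = re.compile(r"client-ip=([0-9A-Fa-f:.]+)")

def is_loopback(ip_text):
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return False

def spf_records(raw_message):
    """Parse every Received-SPF header, topmost (most recent hop) first."""
    msg = email.message_from_string(raw_message)
    records = []
    for value in msg.get_all("Received-SPF", []):
        value = " ".join(value.split())  # unfold continuation lines
        match = CLIENT_IP_RE.search(value)
        ip = match.group(1) if match else None
        records.append({
            "result": value.split(" ", 1)[0].lower(),
            "client_ip": ip,
            # A loopback client-ip means the check ran on a local re-injection hop.
            "internal": ip is not None and is_loopback(ip),
        })
    return records

def effective_spf(raw_message):
    """Result of the topmost Received-SPF header not produced for a loopback hop."""
    for record in spf_records(raw_message):
        if not record["internal"]:
            return record["result"]
    return None

if __name__ == "__main__":
    print("effective SPF result:", effective_spf(SAMPLE))
```

Received-SPF headers further down the message may have been written by upstream servers or by the sender, so only the topmost non-loopback entry, the one added by the receiving MTA, is used here.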
 