Resolved SPF always gives PASS

[amystko]

Server operating system version

CentOS Linux 7.9.2009 (Core)

Plesk version and microupdate number

Plesk Obsidian 18.0.49 Update #1

I have Qmail and SPF configured (I guess properly) although SPF always gives: PASS (for apparently spoofed emails).
Any idea why is that? I have no additional rules defined for SPF, it is in default configuration.
NOTE1: I compared results in mailogs published by another users in that forum to mine and I noticed that mine is less verbose
(no direct messages from spf process) and SPF results goes to stderr, but it might be for any reason.
NOTE2: I have spamdyke configured and running, which might influence flow of data, but I cannot trace it, as spf process is hardcoded in plesk.

mail header:
From - Fri Dec 30 19:40:57 2022
X-Account-Key: account8
X-UIDL: UID30781-1553353418
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
X-Mozilla-Keys: artel
Received: (qmail 23003 invoked by uid 30); 30 Dec 2022 19:40:54 +0100
Authentication-Results: serwer.artel.com.pl;
dmarc=none (p=NONE sp=NONE) smtp.from=artel.com.pl header.from=artel.com.pl;
spf=pass (sender IP is (null)) smtp.mailfrom=[email protected] smtp.helo=artel.com.pl
Delivered-To: [email protected]
Received: (qmail 22992 invoked from network); 30 Dec 2022 19:40:53 +0100
Received-SPF: pass (serwer.artel.com.pl: connection is authenticated)
Received: from emkei.cz (89.187.129.26)
by mx.artel.com.pl with ESMTPA; 30 Dec 2022 19:40:53 +0100

mailog entry:
Dec 30 19:40:53 serwer qmail-queue[20628]: 162536: from=<[email protected]> to=<[email protected]>
Dec 30 19:40:53 serwer qmail-queue[20628]: 162536: py-limit-out: stderr: INFO:__main__:No SMTP AUTH and not running in sendmail context (incoming or unrestricted outgoing mail). SKIP message.
Dec 30 19:40:53 serwer qmail-queue[20628]: 162536: py-limit-out: stderr: SKIP
Dec 30 19:40:53 serwer qmail-queue[20628]: 162536: check-quota: stderr: SKIP
Dec 30 19:40:53 serwer qmail-queue[20628]: 162536: spf: stderr: PASS
Dec 30 19:40:54 serwer qmail-local[20638]: 162536: from=<[email protected]> to=<[email protected]>
Dec 30 19:40:54 serwer qmail-local[20638]: 162536: spam: stderr: PASS
Dec 30 19:40:54 serwer qmail-local[20638]: 162536: dk_check: stderr: PASS

 

[Peter Debik]

What is your SPF check setting in your mail configuration?

 

[amystko]

What is your SPF check setting in your mail configuration?

View attachment 22218

Hi, I tried two, with the same result:
Reject mail when SPF resolves to fail
Only create Received-SPF headers, never block

 

[amystko]

Hi, I did more testing and it appeared, that it is a compatibility problem between SPAMDYKE for QMAIL and SPF implemented by PLESK.
SPF just started to work properly (it adds headers with proper values into email) , when I deactivated SPAMDYKE.
Again it is difficult to trace the problem as SPF is not a script but complied soft.

 

[Kaspar]

So you where able to solve the issue by disabling SpamDyke? Note that SpamDyke does not ship with Plesk and isn't supported by Plesk either. From the looks of it, it does not work well with Plesk by default.

 

[amystko]

I cannot imagine to live without SpamDyke For now, I decided to live wihout SFP

I have SQL version of SpamDyke installed since 10years. It comes with a 3rd party plesk panel for SpamDyke logs and filters management which allows me to quickly debug spam problems.

I was thinking to patch SpamDyke to work as a plesk email hook filter but first: it would reduce some of SpamDyke capabilities, second: SpamDyke works as SMTP daemon and its source looks quite complex for me but I have not enough time for investigating.

However, if you can recommend another set of good anti SPAM tools for POSTFIX I would give them a try

 

[dzistemas]

Hi , I tried this:
Reject mail if SPF resolves to "fail" (deny)
SPF always gives pass and dónt reject mail
Example:

Return-Path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
webserver-143-55.grupoinova.es
X-Spam-Level:
X-Spam-Status: No, score=-5.8 required=7.0 tests=BAYES_00,
HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,MIME_HTML_ONLY,
RCVD_IN_DNSWL_HI,RDNS_NONE,SPF_HELO_NONE,SPF_PASS
autolearn=unavailable autolearn_force=no version=3.4.2
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from webserver-143-55.grupoinova.es (localhost.localdomain [127.0.0.1])
by webserver-143-55.grupoinova.es (Postfix) with ESMTP id 635A62B45EF0
for <[email protected]>; Wed, 8 Feb 2023 09:00:05 +0100 (CET)
Authentication-Results: webserver-143-55.grupoinova.es;
dmarc=fail (p=NONE sp=NONE) smtp.from=azfamilyflorist.com header.from=moldtechsl.es;
spf=pass (sender IP is 127.0.0.1) [email protected] smtp.helo=webserver-143-55.grupoinova.es
Received-SPF: pass (webserver-143-55.grupoinova.es: localhost is always allowed.) client-ip=127.0.0.1; [email protected]; helo=webserver-143-55.grupoinova.es;
Received: from webserver-143-55.grupoinova.es ([217.61.143.57])
by webserver-143-55.grupoinova.es (webserver-143-55.grupoinova.es [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id HIIrPyjSxTpz for <[email protected]>;
Wed, 8 Feb 2023 09:00:04 +0100 (CET)
Received: from p3plwbeout16-06.prod.phx3.secureserver.net (p3plsmtp16-06-2.prod.phx3.secureserver.net [173.201.193.64])
by webserver-143-55.grupoinova.es (Postfix) with ESMTPS id 033162B45EEE
for <[email protected]>; Wed, 8 Feb 2023 09:00:01 +0100 (CET)
Received-SPF: pass (webserver-143-55.grupoinova.es: domain of azfamilyflorist.com designates 173.201.193.64 as permitted sender) client-ip=173.201.193.64; [email protected]; helo=p3plwbeout16-06.prod.phx3.secureserver.net;
Received: from p3plgemwbe16-04.prod.phx3.secureserver.net ([173.201.193.25])
by :WBEOUT: with SMTP
id PfN0p6vv9LVjqPfN0pApRe; Wed, 08 Feb 2023 00:59:58 -0700
X-CMAE-Analysis: v=2.4 cv=FvTAQ0nq c=1 sm=1 tr=0 ts=63e3567e
a=nNQjsLeFNlFf8ZEpWh7W3A==:117 a=C1J9Q5C8-2MA:10 a=tJEoxdAfGegA:10
a=IkcTkHD0fZMA:10 a=m04uMKEZRckA:10 a=M51BFTxLslgA:10
a=-hGdK08GpahVcLt5FoUA:9 a=gMX2rfZsLK-g-3Jd:21 a=_W_S_7VecoQA:10
a=QEXdDO2ut3YA:10 a=6GNBm1jHBFyoEnMTZuYf:22
X-SECURESERVER-ACCT: [email protected]
X-SID: PfN0p6vv9LVjq
Received: (qmail 6488 invoked by uid 99); 8 Feb 2023 07:59:58 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 198.57.26.40
User-Agent: Workspace Webmail 6.12.14
Message-Id: <20230208005956.c031a153a55c76a5a7f402c0ae5dfe07.c456458e8b.wbe@email16.godaddy.com>
From: "=?UTF-8?Q?=C3=81ngel=20Cejudo?=" <[email protected]>
X-Sender: [email protected]
Reply-To: "=?UTF-8?Q?=C3=81ngel=20Cejudo?=" <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Pago
Date: Wed, 08 Feb 2023 00:59:56 -0700
Mime-Version: 1.0
X-CMAE-Envelope: MS4xfJ2aQ1cH3ku0DWSXOuJ93C4ZI/QAP/uQCRLfiVX7C6rUP7Ap5gROoBuEfDPv1+YibpEEcdGSfzz71m3Qm7X7oxrZSNnZu1erd7cWxSFKvgFvmVXDSJ/f
rp4qgNd/vBh49LoA0BuS7E9IEDlKnbiVVeQ5xh/qDmcoKM6iEzZ3uB97SnxDdGs9t0I5KcH5+A6zPjKQJiVcpC5DpeaDbW/DLfvUBTYz4tWzNPxNi/EwnxD0
jxiBAqjjX0sHK3Z8IIH+BQ==

 

[scsa20]

The SPF record is only for your outgoing email to tell the other email server what to do if it fails the SPF check, it's not for incoming emails.

 

[dzistemas]

Hi ,
My Plesk should stop it , because in Mail this configuration :
Reject mail when SPF resolves to fail


As you can see with the header of the email that I have attached

 

[Kaspar]

My Plesk should stop it , because in Mail this configuration :
Reject mail when SPF resolves to fail


As you can see with the header of the email that I have attached

If you have selected the option "Reject mail when SPF resolves to fail" mail wil only be rejected by your server if the SPF check fails. The headers you posted clearly indicate that the SPF check passed. So there is noting for the server to reject.

Received-SPF: pass (webserver-143-55.grupoinova.es: domain of azfamilyflorist.com designates 173.201.193.64 as permitted sender) client-ip=173.201.193.64; [email protected]; helo=p3plwbeout16-06.prod.phx3.secureserver.net;

 

[dzistemas]

So it is convenient to always configure plesk with the option :
- Reject mail when SPF don´t resolves "pass" ¿?


With this it will reject all mail that does not pass all verification of the SPF.

 

[Kaspar]

The option "Reject mail when SPF don´t resolves pass" is very strict. It wil reject all emails unless they explicitly "pass" the SPF check. This also includes SPF softfails and neutral emails from domains for which no SPF configured. So be careful when you use this option.

 

[dzistemas]

Hi ,
What is the option best option ¿?

 

[Kaspar]

It depends on what you call "best". The most common option to use is the "Reject mail when SPF resolves to fail (deny)". It will reject mail when SPF fails but accept all other mails. If you want to run a more strict mode then you can also consider using "Reject mail when SPF resolves to softfail". Everything else is to strict for most use cases.