Forwarded to devs SPF cannot be checked when local SPF rule provided in Plesk

[Kaspar]

User name: Rasp

TITLE

SPF cannot be checked when local SPF rule provided in Plesk

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

CentOS 7.8.2003 (Core), Plesk 18.0.27 Update #1

PROBLEM DESCRIPTION

When a local SPF rule is provided in Plesk the SPF checked is not performed in some cases because the SPF rule (somehow) becomes invalid. For example the SPF check is not performed (when a local rule is provided) on email messages received from Gmail or any Gsuite domain (with a SPF record configured).

In my case I've set include:spf.antispamcloud.com as a local SPF rule. When an email is received from an Gmail sender the SPF check is not performed. This becomes apparent in the mail header with:

Received-SPF: none (test.hostname.com: no valid SPF record)

In the mail log there are the following entries:

spf[6404]: Starting the spf filter...
spf[6404]: Error code: (31) include: or redirect= caused unlimited recursion
spf[6404]: SPF result: none
spf[6404]: SPF status: PASS

If I understand the documentation correctly the local SPF rule is concatenated to the actual senders domain. So imagine the SPF rule gets rewritten to v=spf1 redirect=_spf.google.com include:spf.antispamcloud.com. Which, as far as I can tell from the rfc7208 specification is a valid syntax. But some how it seems to fail the SPF check in Plesk.

This becomes some what of a (security) issue for domains using Gsuite (at least for those that have an strict SPF record configured). Because in this case the SPF always becomes invalid and as a result an email always passes the SPF check.

STEPS TO REPRODUCE

Setup a local SPF rule that uses the include syntax. Send a email from an Gmail account to a mailbox on the Plesk server.

ACTUAL RESULT

SPF not checked

EXPECTED RESULT

SPF check should not fail as the syntax is valid.

ANY ADDITIONAL INFORMATION



YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug

 

[IgorG]

From developer:

Cannot reproduce:

• I setup up Plesk 18.0.27.1 in DO
• Create a valid domain, subscription and email address [email protected]
• Set *_include:spf.antispamcloud.com _*as local SPF rule
• Send email from mail Gmail to [email protected]
• Check mail log

Mail log does not contain errors:

Jun 10 08:24:43 161-35-195-65 spf[981]: Starting the spf filter...
Jun 10 08:24:43 161-35-195-65 spf[981]: SPF result: pass
Jun 10 08:24:43 161-35-195-65 spf[981]: SPF status: PASS
Jun 10 08:24:43 161-35-195-65 psa-pc-remote[854]: handlers_stderr: PASS
Jun 10 08:24:43 161-35-195-65 psa-pc-remote[854]: PASS during call 'spf' handler

 

[Kaspar]

Thank you for the response. Unfortunately I am unable to achieve the same results. Just to be sure I just spun up an fresh installation of Plesk with a new VPS instance to test this again. After installation I followed these steps:

• Set hostname for server
• Install SSL certificate (let's encrypt) for hostname
• Add domain, subscription, and email address ([email protected])
• Secured domain with SSL certificate (let's encrypt)
• Set include:spf.antispamcloud.com as local rule in Mail Server Settings
• Send email from Gmail account to [email protected]
• Check mail log:

Jun 10 14:46:47 test postfix/smtpd[18242]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Jun 10 14:46:47 test postfix/smtpd[18242]: connect from mail-io1-xd2c.google.com[2607:f8b0:4864:20::d2c]
Jun 10 14:46:48 test postfix/smtpd[18242]: 7831812B32: client=mail-io1-xd2c.google.com[2607:f8b0:4864:20::d2c]
Jun 10 14:46:48 test postfix/cleanup[18257]: 7831812B32: message-id=<CAGRcP3LU6SJOsobh3bD0UpUdsfhOZAuM1ULU+HyB4+zi+Dxvgw@mail.gmail.com>
Jun 10 14:46:48 test spf[18260]: Starting the spf filter...
Jun 10 14:46:48 test spf[18260]: Error code: (31) include: or redirect= caused unlimited recursion
Jun 10 14:46:48 test spf[18260]: SPF result: none
Jun 10 14:46:48 test spf[18260]: SPF status: PASS
Jun 10 14:46:48 test psa-pc-remote[6532]: handlers_stderr: PASS
Jun 10 14:46:48 test psa-pc-remote[6532]: PASS during call 'spf' handler
Jun 10 14:46:48 test check-quota[18262]: Starting the check-quota filter...
Jun 10 14:46:48 test psa-pc-remote[6532]: handlers_stderr: SKIP
Jun 10 14:46:48 test psa-pc-remote[6532]: SKIP during call 'check-quota' handler
Jun 10 14:46:48 test postfix/qmgr[6583]: 7831812B32: from=<[email protected]>, size=2560, nrcpt=1 (queue active)
Jun 10 14:46:48 test postfix-local[18264]: postfix-local: from=[email protected], to=[email protected], dirname=/var/qmail/mailnames
Jun 10 14:46:48 test spamassassin[18265]: Starting the spamassassin filter...
Jun 10 14:46:48 test spamd[7130]: spamd: connection from localhost.localdomain [::1]:37338 to port 783, fd 6
Jun 10 14:46:48 test spamd[7130]: spamd: using default config for [email protected]: /var/qmail/mailnames/test-domain.com/info/.spamassassin/user_prefs
Jun 10 14:46:48 test spamd[7130]: spamd: processing message <CAGRcP3LU6SJOsobh3bD0UpUdsfhOZAuM1ULU+HyB4+zi+Dxvgw@mail.gmail.com> for [email protected]:30
Jun 10 14:46:48 test postfix/smtpd[18242]: disconnect from mail-io1-xd2c.google.com[2607:f8b0:4864:20::d2c] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
Jun 10 14:46:48 test spamd[7130]: spamd: clean message (-0.1/7.0) for [email protected]:30 in 0.2 seconds, 2851 bytes.
Jun 10 14:46:48 test spamd[7130]: spamd: result: . 0 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS scantime=0.2,size=2851,user=[email protected],uid=30,required_score=7.0,rhost=localhost.localdomain,raddr=::1,rport=37338,mid=<CAGRcP3LU6SJOsobh3bD0UpUdsfhOZAuM1ULU+HyB4+zi+Dxvgw@mail.gmail.com>,autolearn=ham autolearn_force=no
Jun 10 14:46:48 test spamd[7126]: prefork: child states: II
Jun 10 14:46:48 test dk_check[18267]: Starting the dk_check filter...
Jun 10 14:46:48 test dk_check[18267]: DKIM verify result: Success
Jun 10 14:46:49 test dmarc[18268]: Starting the dmarc filter...
Jun 10 14:46:49 test dmarc[18268]: Store DKIM result for 'gmail.com' into DMARC library.
Jun 10 14:46:49 test dmarc[18268]: DMARC: PASS message for [email protected]
Jun 10 14:46:49 test dovecot: service=lda, user=[email protected], ip=[]. msgid=<CAGRcP3LU6SJOsobh3bD0UpUdsfhOZAuM1ULU+HyB4+zi+Dxvgw@mail.gmail.com>: saved mail to INBOX
Jun 10 14:46:49 test postfix/pipe[18263]: 7831812B32: to=<[email protected]>, relay=plesk_virtual, delay=0.63, delays=0.2/0.03/0/0.4, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Jun 10 14:46:49 test postfix/qmgr[6583]: 7831812B32: removed

Am I perhaps missing something? Is there a more comprehensive way the test this issue?

 

[IgorG]

I suppose that investigation directly on your server is required. Therefore I suggest you contact Plesk Support Team.

 

[Kaspar]

For future reference: after contacting support this was confirmed to be a bug and logged with ID PPPM-12075.

 

[IgorG]

Fixed in Plesk 18.0.31 - Change Log for Plesk Obsidian

Sending an email from a “*@gmail.com” mail address to a mailbox in Plesk no longer results in SPF handler failure if the domain in Plesk has IPv6 configured and the Plesk server has “include:spf.antispamcloud.com” SPF local rule configured. (PPPM-12075)