
Forwarded to devs SPF cannot be checked when local SPF rule provided in Plesk

Kaspar

API expert
Plesk Guru
User name: Rasp

TITLE

SPF cannot be checked when local SPF rule provided in Plesk

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

CentOS 7.8.2003 (Core), Plesk 18.0.27 Update #1

PROBLEM DESCRIPTION

When a local SPF rule is provided in Plesk the SPF check is not performed in some cases because the SPF rule (somehow) becomes invalid. For example the SPF check is not performed (when a local rule is provided) on email messages received from Gmail or any Gsuite domain (with an SPF record configured).

In my case I've set include:spf.antispamcloud.com as a local SPF rule. When an email is received from a Gmail sender the SPF check is not performed. This becomes apparent in the mail header with:
Received-SPF: none (test.hostname.com: no valid SPF record)

In the mail log there are the following entries:
spf[6404]: Starting the spf filter...
spf[6404]: Error code: (31) include: or redirect= caused unlimited recursion
spf[6404]: SPF result: none
spf[6404]: SPF status: PASS

If I understand the documentation correctly the local SPF rule is concatenated to the actual sender's domain. So imagine the SPF rule gets rewritten to v=spf1 redirect=_spf.google.com include:spf.antispamcloud.com. Which, as far as I can tell from the RFC 7208 specification, is a valid syntax. But somehow it seems to fail the SPF check in Plesk.

This becomes somewhat of a (security) issue for domains using Gsuite (at least for those that have a strict SPF record configured). Because in this case the SPF always becomes invalid and as a result an email always passes the SPF check.

STEPS TO REPRODUCE

Set up a local SPF rule that uses the include syntax. Send an email from a Gmail account to a mailbox on the Plesk server.

ACTUAL RESULT

SPF not checked

EXPECTED RESULT

SPF check should not fail as the syntax is valid.

ANY ADDITIONAL INFORMATION



YOUR EXPECTATIONS FROM PLESK SERVICE TEAM


Confirm bug
 
From developer:

Cannot reproduce:
  • I set up Plesk 18.0.27.1 in DO
  • Create a valid domain, subscription and email address [email protected]
  • Set include:spf.antispamcloud.com as local SPF rule
  • Send email from Gmail to [email protected]
  • Check mail log
Mail log does not contain errors:
Jun 10 08:24:43 161-35-195-65 spf[981]: Starting the spf filter...
Jun 10 08:24:43 161-35-195-65 spf[981]: SPF result: pass
Jun 10 08:24:43 161-35-195-65 spf[981]: SPF status: PASS
Jun 10 08:24:43 161-35-195-65 psa-pc-remote[854]: handlers_stderr: PASS
Jun 10 08:24:43 161-35-195-65 psa-pc-remote[854]: PASS during call 'spf' handler
 
Thank you for the response. Unfortunately I am unable to achieve the same results. Just to be sure I just spun up a fresh installation of Plesk with a new VPS instance to test this again. After installation I followed these steps:
  • Set hostname for server
  • Install SSL certificate (Let's Encrypt) for hostname
  • Add domain, subscription, and email address ([email protected])
  • Secured domain with SSL certificate (Let's Encrypt)
  • Set include:spf.antispamcloud.com as local rule in Mail Server Settings
  • Send email from Gmail account to [email protected]
  • Check mail log:
Jun 10 14:46:47 test postfix/smtpd[18242]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Jun 10 14:46:47 test postfix/smtpd[18242]: connect from mail-io1-xd2c.google.com[2607:f8b0:4864:20::d2c]
Jun 10 14:46:48 test postfix/smtpd[18242]: 7831812B32: client=mail-io1-xd2c.google.com[2607:f8b0:4864:20::d2c]
Jun 10 14:46:48 test postfix/cleanup[18257]: 7831812B32: message-id=<CAGRcP3LU6SJOsobh3bD0UpUdsfhOZAuM1ULU+HyB4+zi+Dxvgw@mail.gmail.com>
Jun 10 14:46:48 test spf[18260]: Starting the spf filter...
Jun 10 14:46:48 test spf[18260]: Error code: (31) include: or redirect= caused unlimited recursion
Jun 10 14:46:48 test spf[18260]: SPF result: none
Jun 10 14:46:48 test spf[18260]: SPF status: PASS
Jun 10 14:46:48 test psa-pc-remote[6532]: handlers_stderr: PASS
Jun 10 14:46:48 test psa-pc-remote[6532]: PASS during call 'spf' handler

Jun 10 14:46:48 test check-quota[18262]: Starting the check-quota filter...
Jun 10 14:46:48 test psa-pc-remote[6532]: handlers_stderr: SKIP
Jun 10 14:46:48 test psa-pc-remote[6532]: SKIP during call 'check-quota' handler
Jun 10 14:46:48 test postfix/qmgr[6583]: 7831812B32: from=<[email protected]>, size=2560, nrcpt=1 (queue active)
Jun 10 14:46:48 test postfix-local[18264]: postfix-local: from=[email protected], to=[email protected], dirname=/var/qmail/mailnames
Jun 10 14:46:48 test spamassassin[18265]: Starting the spamassassin filter...
Jun 10 14:46:48 test spamd[7130]: spamd: connection from localhost.localdomain [::1]:37338 to port 783, fd 6
Jun 10 14:46:48 test spamd[7130]: spamd: using default config for [email protected]: /var/qmail/mailnames/test-domain.com/info/.spamassassin/user_prefs
Jun 10 14:46:48 test spamd[7130]: spamd: processing message <CAGRcP3LU6SJOsobh3bD0UpUdsfhOZAuM1ULU+HyB4+zi+Dxvgw@mail.gmail.com> for [email protected]:30
Jun 10 14:46:48 test postfix/smtpd[18242]: disconnect from mail-io1-xd2c.google.com[2607:f8b0:4864:20::d2c] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
Jun 10 14:46:48 test spamd[7130]: spamd: clean message (-0.1/7.0) for [email protected]:30 in 0.2 seconds, 2851 bytes.
Jun 10 14:46:48 test spamd[7130]: spamd: result: . 0 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS scantime=0.2,size=2851,user=[email protected],uid=30,required_score=7.0,rhost=localhost.localdomain,raddr=::1,rport=37338,mid=<CAGRcP3LU6SJOsobh3bD0UpUdsfhOZAuM1ULU+HyB4+zi+Dxvgw@mail.gmail.com>,autolearn=ham autolearn_force=no
Jun 10 14:46:48 test spamd[7126]: prefork: child states: II
Jun 10 14:46:48 test dk_check[18267]: Starting the dk_check filter...
Jun 10 14:46:48 test dk_check[18267]: DKIM verify result: Success
Jun 10 14:46:49 test dmarc[18268]: Starting the dmarc filter...
Jun 10 14:46:49 test dmarc[18268]: Store DKIM result for 'gmail.com' into DMARC library.
Jun 10 14:46:49 test dmarc[18268]: DMARC: PASS message for [email protected]
Jun 10 14:46:49 test dovecot: service=lda, user=[email protected], ip=[]. msgid=<CAGRcP3LU6SJOsobh3bD0UpUdsfhOZAuM1ULU+HyB4+zi+Dxvgw@mail.gmail.com>: saved mail to INBOX
Jun 10 14:46:49 test postfix/pipe[18263]: 7831812B32: to=<[email protected]>, relay=plesk_virtual, delay=0.63, delays=0.2/0.03/0/0.4, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Jun 10 14:46:49 test postfix/qmgr[6583]: 7831812B32: removed

Am I perhaps missing something? Is there a more comprehensive way to test this issue?
 
I suppose that investigation directly on your server is required. Therefore I suggest you contact Plesk Support Team.
 
For future reference: after contacting support this was confirmed to be a bug and logged with ID PPPM-12075.
 
Fixed in Plesk 18.0.31 - Change Log for Plesk Obsidian

Sending an email from a “*@gmail.com” mail address to a mailbox in Plesk no longer results in SPF handler failure if the domain in Plesk has IPv6 configured and the Plesk server has “include:spf.antispamcloud.com” SPF local rule configured. (PPPM-12075)
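
A detection sketch for the symptom shown in the mail logs in this thread, as an added example that is not part of the thread or of Plesk's code: it scans a mail log for spf handler runs that logged an error and still ended with "SPF status: PASS". The sample lines are constructed from the log format quoted above; the function name and the record fields are assumptions.

```python
import re

# Constructed sample, modelled on the spf handler lines quoted in the thread.
SAMPLE_LOG = """\
Jun 10 08:24:43 host spf[981]: Starting the spf filter...
Jun 10 08:24:43 host spf[981]: SPF result: pass
Jun 10 08:24:43 host spf[981]: SPF status: PASS
Jun 10 14:46:48 host spf[18260]: Starting the spf filter...
Jun 10 14:46:48 host spf[18260]: Error code: (31) include: or redirect= caused unlimited recursion
Jun 10 14:46:48 host spf[18260]: SPF result: none
Jun 10 14:46:48 host spf[18260]: SPF status: PASS
Jun 10 14:46:48 host psa-pc-remote[6532]: PASS during call 'spf' handler
"""

# syslog timestamp, hostname, then the spf handler tag with its PID
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ spf\[(?P<pid>\d+)\]: (?P<msg>.*)$")


def find_fail_open(log_text):
    """Return one record per spf run that logged an error yet ended in PASS."""
    runs, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an spf handler line
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("Starting the spf filter"):
            # A new run; this also resets state if the PID was reused.
            runs[pid] = {"ts": m["ts"], "pid": pid, "error": None, "result": None}
            continue
        # Tolerate a run whose start line was lost to log rotation.
        run = runs.setdefault(pid, {"ts": m["ts"], "pid": pid, "error": None, "result": None})
        if msg.startswith("Error code:"):
            run["error"] = msg[len("Error code:"):].strip()
        elif msg.startswith("SPF result:"):
            run["result"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("SPF status:"):
            # The status line closes the run: flag it if an error preceded a PASS.
            if run["error"] and msg.split(":", 1)[1].strip() == "PASS":
                findings.append(run)
            runs.pop(pid, None)
    return findings


if __name__ == "__main__":
    for f in find_fail_open(SAMPLE_LOG):
        print(f"{f['ts']} spf[{f['pid']}] result={f['result']} error={f['error']}")
```

A run with "SPF result: none" and no error line is not flagged, since that is the normal outcome for a sender domain that publishes no SPF record.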
 