
SPF never fails -> never rejects

AndreZ
I have a domain that has a correct SPF record in TXT. (v=spf1 ip4:*myip* -all)
This is proven to be correct due to several tests with
http://www.kitterman.com/spf/validate.html
as well as
spfquery from the command line

But when an email with an invalid sender is received, it is treated as neutral:
Received-SPF: neutral (*snap*: *snap2* is neither permitted nor denied by domain of *snap3*) client-ip=*snap2*; envelope-from=rz@*snap3*; helo=blubtest;

*snap3* is the domain with the correct SPF record.

If I test it with spfquery it returns a fail to me.

So I sniffed my network connection and saw that my server does not only check the TXT record of *snap3* when an email is received. There is also a DNS packet right after the *snap3* DNS TXT request, to spf.trusted-forwarder.org, which results in "?all".
=> that overrides my '-all' and everything is neutral, right? (Or not? If I test -all ?all this online tester still fails :\)

Why does it check spf.trusted-forwarder.org? And isn't it useless to provide a '?all' SPF record?

In plesk there is this server-wide local spf rules field. I have blanked it out
=> same issue.
I entered include:trusted-forwarder.org to see if that matters. Yes: now I have 3 DNS TXT requests for each email. First *snap3*, then trusted-forwarder.org and finally spf.trusted-forwarder.org.

I have searched all /etc/* files for the word 'spf.trusted-forwarder.org'
=> no match

There is nothing in PRODUCT_ROOT_D either.

Is there any place where this behavior is configured? Or has this something to do with that bool 'trusted' parameter of the Perl SPF::Query?

Currently I am really frustrated. At the moment I'm running
root@host:/ # grep -r -i trusted-forwarder.org * > result.txt
in a screen session.
Maybe there is nothing new to report tomorrow. ^^

I have Plesk 9.2.3 running. I have a SpamAssassin license.
I switched from Postfix to QMail due to the well-known "queue file write error" Plesk bug.
I switched as advised with the plesk script.

I think there are more people out there having the same issue:
http://forum.parallels.com/showthread.php?t=92236
http://forum.parallels.com/showthread.php?t=88381

No responses there yet. I try it here with some more information.
 
We have already submitted a bug regarding this problem. Try applying the patched versions of SPF from the attachment. There are versions only for CentOS 5 x32 and x64.
Try it and please update the thread with results.
 

Attachments: patches.zip (489.3 KB)
well nice, thanks!

There is something good to report. My server does not send 3 DNS requests anymore. It does not request the TXT record of spf.trusted-forwarder.org. That's good.

But I have still neutral results.
I'm not sure if I patched my system correctly. Is there a plesk-script or something?

I'm sending test E-Mails from my home machine with a little PHP script which directly connects to 25.

Another idea:
Does Plesk configure whitelist_from_spf? I have *@*snap3* configured in the whitelist in Plesk. But I cannot find any 'whitelist_from_spf' entries, so it only belongs to 'whitelist_from' for SpamAssassin, right?
In /etc/mail/spamassassin/local.cf there is only 'whitelist_from' defined.
X-Spam-Status header contains 'SPF_NEUTRAL'.

Thank you for your help
 
If no local rule is defined, SPF will set neutral status for all non-valid records regardless of the DNS rule, because the library works like this:

return DONE( SPF_RESULT_NEUTRAL, SPF_REASON_DEFAULT, SPF_E_SUCCESS );

1) Stop all mail services
/usr/local/psa/admin/sbin/mailmng --stop-service
2) unpack archive

3) Forcibly install RPM :

rpm -Uvh --force spf2-1.2.5-09120816.i386.rpm

4) Backup original handler:

mv /usr/local/psa/handlers/hooks/spf{,__backup}

5) replace it with fixed one:

cp spf /usr/local/psa/handlers/hooks/spf
chown root:popuser /usr/local/psa/handlers/hooks/spf
chmod 550 /usr/local/psa/handlers/hooks/spf

6) Start mail services:

/usr/local/psa/admin/sbin/mailmng --start-service

7) move and symlink /etc/psa-spf to /etc/psa/spf

8) Change in PP GUI SPF guess to:
v=spf1 +mx -all

And remove SPF Include records.

Set SPF local policy to
v=spf1 -all

All should work then.
 
Perfect! It works!

"554 mail server permanently rejected message (#5.3.0)" Yeah! :D

Thank you very much. Very nice support.
 
Well, it did not work as perfectly as I thought it would. I noticed it some minutes later, but I had no time to post the new behavior.

When I set everything as you said, then everything was rejected. It still does not care about the SPF records of sender domains.
When I set SPF guess to ?all, everything is neutral. It is guessing all the time.

But there is a log difference:
When the domain has no SPF record:
Jan 20 17:43:15 *snap* spf filter[867]: Starting spf filter...
Jan 20 17:43:15 *snap* spf filter[867]: Error code: (2) Could not find a valid SPF record
Jan 20 17:43:15 *snap* spf filter[867]: Failed to query MAIL-FROM: No DNS data for 'web.de'.
Jan 20 17:43:15 *snap* spf filter[867]: SPF result: neutral
Jan 20 17:43:15 *snap* spf filter[867]: SPF status: PASS

When there is a SPF record:
Jan 20 17:42:48 *snap* spf filter[815]: Starting spf filter...
Jan 20 17:42:48 *snap* spf filter[815]: SPF result: neutral
Jan 20 17:42:48 *snap* spf filter[815]: SPF status: PASS

Received-SPF: neutral (h1630608: 79.205.82.165 is neither permitted nor denied by domain of gft.eu)
This is not true!

Unfortunately, your patch only fixes it partly.

File contents:
/etc/psa-spf/spfbehavior 3
/etc/psa-spf/spfguess v=spf1 +mx ?all
/etc/psa-spf/spfrules v=spf1 -all

I set spfguess by plesk panel back to "v=spf1 +mx ?all" because with "-all" every email fails.
 
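The spf filter log lines quoted in the posts above (and in the later post with the "unlimited recursion" error) are easiest to triage when each filter run is collapsed into one record keyed by PID. The following parser is an added example, not part of the original thread or of Plesk; the log sample is constructed after the quoted lines (hostnames and domains replaced), and the anomaly rules are this example's own assumptions: a "fail" result that does not end in REJECT, a run that reports "Could not find a valid SPF record" (code 2) but a "neutral" rather than "none" result, and the include:/redirect= recursion error (code 31).

```python
import re
from collections import OrderedDict

# Constructed sample log, modelled on the Plesk "spf filter" lines quoted in this thread.
SAMPLE_LOG = """\
Jan 20 17:43:15 host spf filter[867]: Starting spf filter...
Jan 20 17:43:15 host spf filter[867]: Error code: (2) Could not find a valid SPF record
Jan 20 17:43:15 host spf filter[867]: Failed to query MAIL-FROM: No DNS data for 'example.net'.
Jan 20 17:43:15 host spf filter[867]: SPF result: neutral
Jan 20 17:43:15 host spf filter[867]: SPF status: PASS
Jan 20 17:42:48 host spf filter[815]: Starting spf filter...
Jan 20 17:42:48 host spf filter[815]: SPF result: fail
Jan 20 17:42:48 host spf filter[815]: SPF status: PASS
May 31 21:40:57 host spf filter[21226]: Starting spf filter...
May 31 21:40:57 host spf filter[21226]: Error code: (31) include: or redirect= caused unlimited recursion
May 31 21:40:57 host spf filter[21226]: SPF result: fail
May 31 21:40:57 host spf filter[21226]: SPF status: REJECT
"""

LINE_RE = re.compile(r"spf filter\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ERR_RE = re.compile(r"Error code: \((?P<code>\d+)\) (?P<text>.*)")

NO_RECORD = 2        # "Could not find a valid SPF record"
RECURSION = 31       # "include: or redirect= caused unlimited recursion"


def parse_spf_log(text):
    """Group spf filter lines by PID into {pid: {'errors': [...], 'result': ..., 'status': ...}}."""
    runs = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        run = runs.setdefault(m.group("pid"), {"errors": [], "result": None, "status": None})
        msg = m.group("msg")
        err = ERR_RE.match(msg)
        if err:
            run["errors"].append(int(err.group("code")))
        elif msg.startswith("SPF result: "):
            run["result"] = msg.split(": ", 1)[1].strip()
        elif msg.startswith("SPF status: "):
            run["status"] = msg.split(": ", 1)[1].strip()
    return runs


def find_anomalies(runs):
    """Return (pid, reason) pairs for runs whose verdict looks inconsistent (assumed rules)."""
    findings = []
    for pid, run in runs.items():
        if run["result"] == "fail" and run["status"] != "REJECT":
            findings.append((pid, "fail result was not rejected"))
        if NO_RECORD in run["errors"] and run["result"] == "neutral":
            findings.append((pid, "no SPF record reported as neutral instead of none"))
        if RECURSION in run["errors"]:
            findings.append((pid, "include:/redirect= recursion: the record chain is broken"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_anomalies(parse_spf_log(SAMPLE_LOG)):
        print(pid, reason)
```

Feed it `grep 'spf filter' /usr/local/psa/var/log/maillog` (or wherever the host logs the before-queue handlers) instead of the constructed sample to get the same per-message summary for real traffic.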
Right, the patch really only fixes it partly. The bug is still under the developers' investigation.
I have requested a patch for CentOS 4. I will update the thread when I receive it.
 
Patch for CentOS 4 32-bit in the attachment.
 

Attachments: spf.zip (21.6 KB)
I have requested a patch for openSUSE 11.0 64-bit too. I will update the thread when I receive it.
 
Patch for openSUSE 11.0 64-bit in the attachment.
 

Attachments: patches.zip (120.4 KB)
Unfortunately this patch does not work either, as far as I tested it today.

Received-SPF: neutral (*hostnamesnap*: *ipsnap* is neither permitted nor denied by domain of *domainsnap*) cli....

When I test this combination with /usr/bin/spfquery I get a FAIL.

I have
v=spf1 -all
as local policy.

How does the spf binary in hooks directory know the sender IP? There are no IP-parameters given or accepted. It would be nice to know the way to investigate the issue further.

Does it work for you jahsh420?
 
OK, found the IP. After studying the handler documentation I programmed my own dirty handler. Works nicely so far :)

It's not configurable by Plesk, but who cares. It works the way I want it to.

But I hope to get an official working patch.
 
Hello,
I have CentOS 64-bit and Plesk 9.5.4.

I tried this but I have a problem. Please help me to resolve this.

May 31 21:40:57 ns before-queue[21220]: Processing handlers...
May 31 21:40:57 ns before-queue[21220]: hook_dir = '/usr/local/psa/handlers/before-queue'
May 31 21:40:57 ns before-queue[21220]: call_handlers: call executable = '/usr/local/psa/handlers/info/05-grey-WpVf0x/executable'
May 31 21:40:57 ns greylisting filter[21225]: Starting greylisting filter...
May 31 21:40:57 ns greylisting filter[21225]: Timeout finished
May 31 21:40:57 ns before-queue[21220]: handlers_stderr: SKIP
May 31 21:40:57 ns before-queue[21220]: call_handlers: SKIP during call '/usr/local/psa/handlers/info/05-grey-WpVf0x/executable' handler
May 31 21:40:57 ns before-queue[21220]: call_handlers: call executable = '/usr/local/psa/handlers/info/10-spf-qBIG8L/executable'
May 31 21:40:57 ns spf filter[21226]: Starting spf filter...
May 31 21:40:57 ns spf filter[21226]: Error code: (31) include: or redirect= caused unlimited recursion
May 31 21:40:57 ns spf filter[21226]: SPF result: fail
May 31 21:40:57 ns spf filter[21226]: SPF status: REJECT
May 31 21:40:57 ns before-queue[21220]: handlers_stderr: REJECT
May 31 21:40:57 ns before-queue[21220]: call_handlers: REJECT during call '/usr/local/psa/handlers/info/10-spf-qBIG8L/executable' handler
May 31 21:40:57 ns before-queue[21220]: call_handlers: stop call handlers from dir '/usr/local/psa/handlers/before-queue/global'
...

May 31 21:40:57 ns before-queue[21227]: Processing handlers...
May 31 21:40:57 ns before-queue[21227]: hook_dir = '/usr/local/psa/handlers/before-queue'
May 31 21:40:57 ns before-queue[21227]: call_handlers: call executable = '/usr/local/psa/handlers/info/05-grey-WpVf0x/executable'
May 31 21:40:57 ns greylisting filter[21229]: Starting greylisting filter...
May 31 21:40:57 ns greylisting filter[21229]: Bounce message. SKIP
May 31 21:40:57 ns before-queue[21227]: handlers_stderr: SKIP
May 31 21:40:57 ns before-queue[21227]: call_handlers: SKIP during call '/usr/local/psa/handlers/info/05-grey-WpVf0x/executable' handler
May 31 21:40:57 ns before-queue[21227]: call_handlers: call executable = '/usr/local/psa/handlers/info/10-spf-qBIG8L/executable'
May 31 21:40:57 ns spf filter[21230]: Starting spf filter...
May 31 21:40:58 ns spf filter[21230]: Error code: (31) include: or redirect= caused unlimited recursion
May 31 21:40:58 ns spf filter[21230]: Error code: (2) Could not find a valid SPF record
May 31 21:40:58 ns spf filter[21230]: Failed to query MAIL-FROM: No DNS data for 'host.testdomain.com'.
May 31 21:40:58 ns spf filter[21230]: SPF result: none
May 31 21:40:58 ns spf filter[21230]: SPF status: PASS
May 31 21:40:58 ns before-queue[21227]: handlers_stderr: PASS
May 31 21:40:58 ns before-queue[21227]: call_handlers: PASS during call '/usr/local/psa/handlers/info/10-spf-qBIG8L/executable' handler



and I receive this message in my inbox:


This is the mail system at host host.testdomain.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<[email protected]>: host mail.testdomain.com[IP_ADDRESS] said: 554
mail server permanently rejected message (in reply to end of DATA command)


Best Regards
 
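To make the behaviour argued over in this thread concrete (a sender IP not listed in a "v=spf1 ip4:... -all" record must evaluate to fail, not neutral; a domain with no record evaluates to none unless a guess record is substituted; and an include: loop must end in a permerror rather than unlimited recursion), here is a minimal SPF evaluator written for this page. It is an added example, not libspf2, Plesk's spf handler or spfquery. It runs offline against a constructed stub DNS zone, and the two Plesk-style knobs are modelled as assumptions: the guess record stands in only for a missing sender record, and the local policy's mechanisms are tried just before the sender record's final "all", with the local policy's own trailing "all" ignored so it can only add matches.

```python
"""Minimal SPF evaluator (added illustration; not libspf2, Plesk or spfquery).
Supports ip4:, mx:, include:, redirect= and 'all' with qualifiers, plus the
RFC 7208 budget of ten DNS-querying terms.  'guess' and 'local_policy' are
modelled as assumptions, see the lead-in."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stub zone (RFC 5737 documentation addresses), stand-in for DNS.
STUB_DNS = {
    ("txt", "good.example"): ["v=spf1 ip4:198.51.100.10 -all"],
    ("mx", "norecord.example"): ["mail.norecord.example"],
    ("a", "mail.norecord.example"): ["203.0.113.25"],
    ("txt", "loop-a.example"): ["v=spf1 include:loop-b.example -all"],
    ("txt", "loop-b.example"): ["v=spf1 include:loop-a.example -all"],
}


class PermError(Exception):
    """Unrecoverable evaluation error, reported as 'permerror'."""


def lookup(rrtype, name):
    return STUB_DNS.get((rrtype, name.lower()), [])


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if it has none."""
    recs = [r for r in lookup("txt", domain) if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(recs) > 1:
        raise PermError("multiple SPF records for " + domain)
    return recs[0] if recs else None


class Evaluator:
    MAX_DNS_TERMS = 10  # RFC 7208 section 4.6.4: mx/include/redirect budget

    def __init__(self, client_ip, guess=None, local_policy=None):
        self.ip = ipaddress.ip_address(client_ip)
        self.guess = guess                # assumption: used only when the sender has no record
        self.local_policy = local_policy  # assumption: tried just before the sender's final 'all'
        self.dns_terms = 0

    def _count(self):
        self.dns_terms += 1
        if self.dns_terms > self.MAX_DNS_TERMS:
            raise PermError("DNS lookup limit exceeded (include:/redirect= loop?)")

    def check_host(self, domain):
        """Verdict for a MAIL FROM domain: none, pass, fail, softfail, neutral or permerror."""
        try:
            record = spf_record(domain)
            if record is None:
                if self.guess is None:
                    return "none"     # RFC 7208: no record means 'none', not 'neutral'
                record = self.guess
            return self._evaluate(domain, record, use_local=True)
        except (PermError, ValueError):
            return "permerror"

    @staticmethod
    def _without_all(record):
        return " ".join(t for t in record.split() if t.lstrip("+-~?").lower() != "all")

    def _matches(self, domain, name, arg):
        if name == "ip4":
            return self.ip in ipaddress.ip_network(arg, strict=False)
        if name == "mx":
            self._count()
            return any(str(self.ip) in lookup("a", mx) for mx in lookup("mx", arg or domain))
        if name == "include":
            self._count()
            inner = spf_record(arg)
            if inner is None:
                raise PermError("include: target %s has no SPF record" % arg)
            return self._evaluate(arg, inner, use_local=False) == "pass"
        raise PermError("unsupported mechanism " + name)

    def _evaluate(self, domain, record, use_local):
        redirect = None
        for term in record.split()[1:]:
            if term.lower().startswith("redirect="):
                redirect = term.split("=", 1)[1]
                continue
            qual = "+"
            if term[0] in QUALIFIERS:
                qual, term = term[0], term[1:]
            name, _, arg = term.partition(":")
            name = name.lower()
            if name == "all":
                if use_local and self.local_policy:
                    verdict = self._evaluate(domain, self._without_all(self.local_policy), False)
                    if verdict != "neutral":
                        return verdict   # an explicit local match overrides the final 'all'
                return QUALIFIERS[qual]  # otherwise the sender's own 'all' decides
            if self._matches(domain, name, arg):
                return QUALIFIERS[qual]
        if redirect:
            self._count()
            target = spf_record(redirect)
            if target is None:
                raise PermError("redirect= target %s has no SPF record" % redirect)
            return self._evaluate(redirect, target, use_local)
        return "neutral"  # nothing matched and no 'all': RFC 7208 default


if __name__ == "__main__":
    print(Evaluator("203.0.113.99").check_host("good.example"))     # fail
    print(Evaluator("203.0.113.99").check_host("loop-a.example"))   # permerror
```

With this model, a guess of "v=spf1 +mx -all" fails every sender that has no record and whose MX does not match, which is the "everything was rejected" outcome reported above, while "v=spf1 +mx ?all" makes those senders neutral; neither setting changes the verdict for a sender that does publish "-all", which stays fail when the IP is not listed.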