• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Too many Received-SPF headers

Ian1

New Pleskian
I maintain a server with a few domains. The server runs Plesk and Mailman. There are about 50 mailing lists with number of subscribers ranging from a couple people to a few hundred people. All work fine.

There is an additional list with around 2500 subscribers. Messages sent to this list are being received with nearly 500 identical "Received-SPF: pass" lines. Besides seeming odd, it's particularly problematic as some domains are bouncing the emails because the header is too large.

This behavior started after I upgraded from Plesk 11.x to 12.x.

The SPF lines look like this:
Received-SPF: pass (SERVER-HOSTNAME-HERE: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=BOUNCE-LIST-ADDRESS-HERE; helo=SERVER-HOSTNAME-HERE;

Where SERVER-HOSTNAME-HERE is our hostname and BOUNCE-LIST-ADDRESS-HERE is the list's bounce address.

For what it's worth the server hostname and the domain of the list do not match.

This issue seems to be tied to the number of subscribers. We made a new list with a few subscribers and messages looked fine. We added the 2500 subscribers to the new list and then we saw the plentiful Received-SPF: pass entries.

Any ideas?? Thanks!
 
I just upgraded to 12.x also, and now the large lists on the server are being rejected for headers being over 32K.
I finally saw this when joining the list myself to see why so many recipient servers are rejecting the mail.
I see hundreds of these:

Received-Spf: pass (server.mydomain.net: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=[email protected]; helo=mail.mydomain.net;

and there's one towards the end with:

Domainkey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=clientdomain.com; b=RYN97cdOiqBdkm17GknWv0IMwOmsBHoK+eRaAjYey1vg6+jke2Z35Z1CFBIs/ZvrSslcc1X3kSzu/5SvHzuZVS1nB7zEPDBdr7jZ/Y3ViFccqDWNQbbFjpW9/7tVrFRssMv55gCMNnDwmgqK8WfU1vMkHwfdsuDnIkmB4OtAfqP9w=; h=Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SP F:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF :Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received-SPF:Received:Received:Received-SPF:Received:Received:Received:Received:MIME-Version:X-Received:Received:Date:Message-ID:From:To:Content-Type:Subject:X-BeenThere:X-Mailman-Version:precedence:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:Sender:Errors-To;

Has anyone solved this?
 
Hi,

had the same problem with debian/plesk. I did a ugly fix on postfix.

Edit file /etc/postfix/main.cf to add the lines :
smtp_header_checks = regexp:/etc/postfix/header_checks
header_checks = regexp:/etc/postfix/header_checks
Then make a file /etc/postfix/header_checks with :
/^Received-SPF: pass.*/ IGNORE

This will strip "good" SPF headers on incoming and outgoing emails.

Regards,
Laurent.
 
I had disabled SPF and domainkeys, but I like your method better. But I'm more explicit to IGNORE the ones generated by mailman looking for localhost and client-ip.
 
I don't like that suggestion from the mailing list as it reduces the chunk size, which also increases the CPU and storage requirements. There's thousands of members on the list and they send hundreds per day already. This would make the server work much harder. This is something stupid that Parallels must have changed with the update since it was fine before. I rather just strip the "pass" headers from localhost.
 
Back
Top