SPF not working

General eFa discussion
Post Reply
Woger
Posts: 67
Joined: 15 Mar 2017 10:54

SPF not working

Post by Woger »

Hi,
I noticed that all my incoming mails for all domains (about 100) have the same SPF score by spamassassin:
0.01 T_SPF_HELO_PERMERROR SPF: test of HELO record failed (permerror)
0.01 T_SPF_PERMERROR SPF: test of record failed (permerror)
I have setup a domain with a SPF record for fail but still got the same score.
Does anybody know how to check what is going wrong?

Thanks,
Roger
thewomble
Posts: 50
Joined: 17 Jan 2017 12:52

Re: SPF not working

Post by thewomble »

Check your SPF record is correct

https://vamsoft.com/support/tools/spf-syntax-validator

Have you an example of the one of the domains?
Woger
Posts: 67
Joined: 15 Mar 2017 10:54

Re: SPF not working

Post by Woger »

Yep,
That was it. I changed the domainname for its IP address but forgot to change the a: to ip4: :?
However the score for SPF fail is 0. Can I just put :
score SPF_FAIL 0 0 0 3.50
score SPF_SOFTFAIL 0 0 0 1.50
score SPF_HELO_FAIL 0 0 0 1.00
score SPF_HELO_SOFTFAIL 0 0 0 0.50
In local.cf to overrule the default score?
Thanks,
Roger
Woger
Posts: 67
Joined: 15 Mar 2017 10:54

Re: SPF not working

Post by Woger »

To answer my own question. Yes it does :)

Thanks Thewomble
hiandras
Posts: 22
Joined: 25 Jul 2017 08:59

Re: SPF not working

Post by hiandras »

Hi,

Does SPF check work for you?

It does not seems to work for me at all.
I tried to add score SPF lines to local.cf also, restarted mailscanner,
but when a mail arrives from an IP, which is not in the SPF record of the sender domain
and it has SPF_FAIL set (also checked on vmasoft.com) the mail still goes through
and do not get any point for SPF.

Regards,
Andras
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: SPF not working

Post by pdwalker »

If you get a failed spf check, what do you want the system to do exactly? Increase the spam score, or drop it all together?

What is your SPF record setting? In particular the "all" setting, is it:
+all
-all
~all
or ?all
hiandras
Posts: 22
Joined: 25 Jul 2017 08:59

Re: SPF not working

Post by hiandras »

I just figured it out.

You need to put this at the end of
/etc/mail/spamassassin/local.cf file:

ifplugin Mail::SpamAssassin::Plugin::SPF

score SPF_FAIL 0 0 0 9.50
score SPF_SOFTFAIL 0 0 0 7.50
score SPF_HELO_FAIL 0 0 0 1.00
score SPF_HELO_SOFTFAIL 0 0 0 0.50

endif # Mail::SpamAssassin::Plugin::SPF

(Points are to your liking.)

Regards, Andras
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: SPF not working

Post by pdwalker »

Nicely done. I didn't think that ifplugin command was necessary, but apparently it is.
heronimus
Posts: 24
Joined: 11 Sep 2015 10:19
Location: Netherlands

Re: SPF not working

Post by heronimus »

hiandras wrote: 19 Sep 2017 14:04 I just figured it out.

You need to put this at the end of
/etc/mail/spamassassin/local.cf file:

ifplugin Mail::SpamAssassin::Plugin::SPF

score SPF_FAIL 0 0 0 9.50
score SPF_SOFTFAIL 0 0 0 7.50
score SPF_HELO_FAIL 0 0 0 1.00
score SPF_HELO_SOFTFAIL 0 0 0 0.50

endif # Mail::SpamAssassin::Plugin::SPF

(Points are to your liking.)

Regards, Andras
I tried this in my configuration file, but still gets the following points:

0.73 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)
0.67 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

the ifplugin line differs from the example (I added SPF at the end)
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit::SPF
User avatar
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: SPF not working

Post by shawniverson »

Umm " Mail::SpamAssassin::Plugin::Shortcircuit::SPF" is not a plugin

Mail::SpamAssassin::Plugin::Shortcircuit is a plugin, and
Mail::SpamAssassin::Plugin::SPF is a plugin

I think you need to put in your own ifplugin block here and leave Shortcircuit alone.
Woger
Posts: 67
Joined: 15 Mar 2017 10:54

Re: SPF not working

Post by Woger »

I tried adding the above settings to local.cf but when I receive an email from gmail I got this info:
0.01 T_SPF_HELO_TEMPERROR SPF: test of HELO record failed (temperror)
0.01 T_SPF_TEMPERROR SPF: test of record failed (temperror)

I get this info on every email I receive. Seems SPF is not working for some reason.

So what I set up earlier isn't working anymore :(
Could this be a DNS problem? The server is on a local network.
Woger
Posts: 67
Joined: 15 Mar 2017 10:54

Re: SPF not working

Post by Woger »

Ok,
I tried it on a existing nonspam email:
spamassassin -D < /var/spool/MailScanner/quarantine/20171106/nonspam/527E9C00CF.AE751 2>&1 | grep -i spf

and got this:

Nov 6 18:06:40.550 [14269] dbg: spf: checking to see if the message has a Received-SPF header that we can use
Nov 6 18:06:40.574 [14269] dbg: spf: using Mail::SPF for SPF checks
Nov 6 18:06:40.575 [14269] dbg: spf: checking HELO (helo=spring-chicken-bk.twitter.com, ip=199.16.156.176)
Nov 6 18:06:40.577 [14269] dbg: spf: query for /199.16.156.176/spring-chicken-bk.twitter.com: result: temperror, comment: , text: 'REFUSED' error on DNS 'TXT' lookup of 'spring-chicken-bk.twitter.com'
Nov 6 18:06:40.619 [14269] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks
Nov 6 18:06:40.619 [14269] dbg: spf: cannot get Envelope-From, cannot use SPF
Nov 6 18:06:40.622 [14269] dbg: rules: ran eval rule T_SPF_HELO_TEMPERROR ======> got hit (1)
Nov 6 18:06:40.624 [14269] dbg: spf: def_spf_whitelist_from: already checked spf and didn't get pass, skipping whitelist check
Nov 6 18:06:40.626 [14269] dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check

seems that a dns lookup failed. Not sure why. I tried a few other mails and they all get "refused"
Woger
Posts: 67
Joined: 15 Mar 2017 10:54

Re: SPF not working

Post by Woger »

Ok, after changing my primary nameserver on the EFA server to another nameserver it started working again:

spamassassin -D < /var/spool/MailScanner/quarantine/20171106/nonspam/527E9C00CF.AE751 2>&1 | grep -i spf
Nov 6 18:18:37.451 [17813] dbg: spf: checking to see if the message has a Received-SPF header that we can use
Nov 6 18:18:37.471 [17813] dbg: spf: using Mail::SPF for SPF checks
Nov 6 18:18:37.471 [17813] dbg: spf: checking HELO (helo=spring-chicken-bk.twitter.com, ip=199.16.156.176)
Nov 6 18:18:37.478 [17813] dbg: spf: query for /199.16.156.176/spring-chicken-bk.twitter.com: result: none, comment: , text: No applicable sender policy available
Nov 6 18:18:37.537 [17813] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks
Nov 6 18:18:37.537 [17813] dbg: spf: cannot get Envelope-From, cannot use SPF
Nov 6 18:18:37.541 [17813] dbg: spf: def_spf_whitelist_from: already checked spf and didn't get pass, skipping whitelist check
Nov 6 18:18:37.543 [17813] dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check

:P
Post Reply