SPF checks on Mailscanner

Mon Feb 21 00:11:15 UTC 2022

Sounds like that Mailborder guy really knows what he is doing :)

-
Jerry Benton
www.mailborder.com<http://www.mailborder.com>

On Feb 20, 2022, at 15:45, Pramod Daya via MailScanner <mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>> wrote:

As a follow up, I found a difference in the way that my Mailscanner implementation was behaving, vs a mailborder implementation.   With Mailscanner, the mail was accepted, and then handed over to spamasassin, where the spamassassin rules would trigger and then cause the email to be tagged as spam.  In the case of Mailborder, as soon as the “From:” point in the protocol was reached, the process would stop and the mail got rejected. I was trying to understand why they were behaving differently; but the Spamassassin approach works so I guess I found a solution, and learned a bit more about SPF in the process.  Hopefully this will help someone else.

Here’s the transcript of what happens:

I was running a hand crafted SMTP transaction to test whether SPF tests were being implemented correctly on two different servers. The server I was testing from is not allowed to send mail for this domain (mindspring.co.za<http://mindspring.co.za/>) via either server, i.e. mailmaster.mindspring.co.za<http://mailmaster.mindspring.co.za/>, or mb1.mindspring.co.za<http://mb1.mindspring.co.za/>. In the case of the mailmaster server, the mail is accepted by postfix, even though it fails SPF checks.  For the second server, viz. mb1.mindspring.co.za<http://mb1.mindspring.co.za/>, as soon as I submit the "From", it gets rejected by SPF.    Is this possibly the mb1 servers is using a newer version of SPF or is this a configuration issue ?

I did subsequently find that the SPF checks are working on the first server that seemed to accept the mail (mailmaster.mindspring.co.za<http://mailmaster.mindspring.co.za/>), but it got handed to Spamassassin that then rejected the mail because of SPF.

============ Start of transaction on Server Running Mailscanner ===================
$ telnet mailmaster.mindspring.co.za<http://mailmaster.mindspring.co.za/> 25
Trying 197.155.22.89...
Connected to mailmaster.mindspring.co.za<http://mailmaster.mindspring.co.za/>.
Escape character is '^]'.
220 mailmaster.mindspring.co.za<http://mailmaster.mindspring.co.za/> ESMTP Postfix
ehlo mindspring.co.za<http://mindspring.co.za/>
250-mailmaster.mindspring.co.za<http://250-mailmaster.mindspring.co.za/>
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: user at mindspring.co.za<mailto:user at mindspring.co.za>
250 2.1.0 Ok
rcpt to: user at mindspring.co.za<mailto:user at mindspring.co.za>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: test
1
.
250 2.0.0 Ok: queued as D6A1743AD04A
quit
221 2.0.0 Bye
Connection closed by foreign host.
============ End of transaction on Server Running Mailscanner ===================

============ Start of transaction on Server Running Mailborder ===================
telnet mb1.mindspring.co.za<http://mb1.mindspring.co.za/> 25
Trying 178.79.131.19...
Connected to mb1.mindspring.co.za<http://mb1.mindspring.co.za/>.
Escape character is '^]'.
220 mail.mb1.mindspring.co.za<http://mail.mb1.mindspring.co.za/> ESMTP
ehlo mindspring.co.za<http://mindspring.co.za/>
250-mail.mb1.mindspring.co.za<http://250-mail.mb1.mindspring.co.za/>
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
mail from: user at mindspring.co.za<mailto:user at mindspring.co.za>
250 2.1.0 Ok
rcpt to: user at mindspring.co.za<mailto:user at mindspring.co.za>
550 5.7.23 <user at mindspring.co.za<mailto:user at mindspring.co.za>>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please seehttp://www.openspf.net/Whys=helo;id=mindspring.co.za;ip=88.80.187.207;r=<UNKNOWN<http://www.openspf.net/Whys=helo;id=mindspring.co.za;ip=88.80.187.207;r=%3cUNKNOWN>>
============ End of transaction on Server Running Mailscanner ===================

From: MailScanner <mailscanner-bounces+pramod=mindspring.co.za at lists.mailscanner.info<mailto:mailscanner-bounces+pramod=mindspring.co.za at lists.mailscanner.info>> On Behalf Of Shawn Iverson via MailScanner
Sent: Saturday, 05 February 2022 21:36
To: mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>
Cc: Shawn Iverson <shawniverson at summitgrid.com>
Subject: Re: SPF checks on Mailscanner

Since this is concerning pypolicyd-spf and python-pyspf, unless somehow MailScanner is at play here, I don't think this is a MailScanner issue.  Can you bypass MailScanner and test again?

On 2/5/22 11:13, Pramod Daya via MailScanner wrote:
Hi Folks,

Running MailScanner 5.3.4-3 on Centos 7, I’m using, for SPF checking:

pypolicyd-spf-1.3.2-5.el7.noarch
python-pyspf-2.0.14-13.el7.noarch

Using these policyd-spf.conf settings:

debugLevel = 2
defaultSeedOnly = 1
HELO_reject = SPF_Not_pass
Mail_From_reject = Fail
PermError_reject = False
TempError_Defer = False
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1

Which seems to work fine, as it issues warnings to servers that aren’t authorised to send for domains that don’t have SPF records set up correctly.  However, when I do a command line test from a remote (unauthorised) server to send mail through this server, it happily accepts the mail, even though the unauthorised server is not in the SPF list.  The sending server is not whitelisted, I can’t understand why it doesn’t get rejected by the SPF check.

Some advice or pointers would be greatly appreciated.

Thank you.
___________________________________________________
Pramod Daya (CEO)
M.Sc. Computer Science (U. of Oregon)
Unit 5, Melomed Office Park
Punters Way, Kenilworth
Cape Town, South Africa 7708
www.mindspring.co.za<http://www.mindspring.co.za/>
            <image001.png>
Work:  +27 21 657 1780
Fax:  +27 21 671 7599
  Cell:  +27 83 675 0367
pramod at mindspring.co.za<mailto:pramod at mindspring.co.za>

--
MailScanner mailing list
mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>
http://lists.mailscanner.info/mailman/listinfo/mailscanner

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20220221/47344d26/attachment-0001.html>