SPF check does not work

BrUz

New Member
Jul 7, 2022
Hello!

I am testing at the external port from a non-existing domain, and domains with wrong SPF are delivered.

Also tested from several different external IP addresses, and they are not whitelisted.

PMG: 7.1-1
Use SPF = Yes

Code:
Aug 09 23:04:20 s postfix/postscreen[4401]: CONNECT from [XXX.XXX.XXX.XXX]:33830 to [10.11.11.26]:25
Aug 09 23:04:20 s postfix/postscreen[4401]: PASS OLD [XXX.XXX.XXX.XXX]:33830
Aug 09 23:04:20 s postfix/smtpd[4402]: connect from unknown[XXX.XXX.XXX.XXX]
Aug 09 23:04:20 s postfix/smtpd[4402]: 562D7680543: client=unknown[XXX.XXX.XXX.XXX]
Aug 09 23:04:20 s postfix/cleanup[4408]: 562D7680543: message-id=<b9f731918f872e08d999ab129f293dbe@aaaaaaaabbbbb.com>
Aug 09 23:04:20 s postfix/qmgr[4156]: 562D7680543: from=<*hidden@hidden*>, size=985, nrcpt=1 (queue active)
Aug 09 23:04:20 s postfix/smtpd[4402]: disconnect from unknown[XXX.XXX.XXX.XXX] ehlo=1 mail=1 rcpt=1 data=1 rset=1 quit=1 commands=6
Aug 09 23:04:20 s pmg-smtp-filter[819]: 2022/08/09-23:04:20 CONNECT TCP Peer: "[127.0.0.1]:32788" Local: "[127.0.0.1]:10024"
Aug 09 23:04:20 s pmg-smtp-filter[819]: 68054562F2CBD46907C: new mail message-id=<b9f731918f872e08d999ab129f293dbe@aaaaaaaabbbbb.com>
Aug 09 23:04:20 s pmg-smtp-filter[819]: 68054562F2CBD46907C: SA score=0/5 time=0.476 bayes=undefined autolearn=ham autolearn_force=no hits=DKIM_ADSP_NXDOMAIN(0.8),FSL_HELO_NON_FQDN_1(0.001),HELO_NO_DOMAIN(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_LAZY_DOMAIN_SECURITY(1),NO_DNS_FOR_FROM(0.379),RCVD_IN_DNSWL_HI(-5),RDNS_NONE(1.274),SPF_NONE(0.001),T_SCC_BODY_TEXT_LINE(-0.01)
Aug 09 23:04:20 s postfix/smtpd[4413]: connect from localhost.localdomain[127.0.0.1]
Aug 09 23:04:20 s postfix/smtpd[4413]: E6C086806AC: client=localhost.localdomain[127.0.0.1], orig_client=unknown[XXX.XXX.XXX.XXX]
Aug 09 23:04:20 s postfix/cleanup[4408]: E6C086806AC: message-id=<b9f731918f872e08d999ab129f293dbe@aaaaaaaabbbbb.com>
Aug 09 23:04:20 s postfix/qmgr[4156]: E6C086806AC: from=<*hidden@hidden*>, size=1982, nrcpt=1 (queue active)
Aug 09 23:04:20 s pmg-smtp-filter[819]: 68054562F2CBD46907C: accept mail to <*hidden@hidden*> (E6C086806AC) (rule: default-accept)
Aug 09 23:04:20 s postfix/smtpd[4413]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Aug 09 23:04:20 s pmg-smtp-filter[819]: 68054562F2CBD46907C: processing time: 0.52 seconds (0.476, 0.015, 0)
Aug 09 23:04:20 s postfix/lmtp[4409]: 562D7680543: to=<*hidden@hidden*>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.64, delays=0.09/0.02/0/0.52, dsn=2.5.0, status=sent (250 2.5.0 OK (68054562F2CBD46907C))
Aug 09 23:04:20 s postfix/qmgr[4156]: 562D7680543: removed
Aug 09 23:04:21 s postfix/smtp[4414]: Untrusted TLS connection established to *hidden*[*hidden*]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug 09 23:04:21 s postfix/smtp[4414]: E6C086806AC: to=<*hidden@hidden*>, relay=*hidden*[*hidden*]:25, delay=0.33, delays=0.01/0.02/0.03/0.27, dsn=2.6.0, status=sent (250 2.6.0 <b9f731918f872e08d999ab129f293dbe@aaaaaaaabbbbb.com> [InternalId=294720655851527, Hostname=*hidden*] Queued mail for delivery)
Aug 09 23:04:21 s postfix/qmgr[4156]: E6C086806AC: removed
 
Not sure where the issue lies - also not able to verify it since you masked all relevant information (sending domain name, sending IP address).

Based on the SpamAssassin hits it seems the domain you tried to send from does not have any SPF record - and such mails should not be (and are not) blocked.

I hope this helps!
 
Thanks for the reply! This is very strange.
I had to mask everything. Anyway, it has nothing to say about which sender address I use as everything gets through.
Changes in sender IP do not make a difference as I have tested from several different ones.
If I send from a domain with an invalid SPF, it also gets through.

Basically looks like SPF is not doing anything.
 
I had to mask everything. Anyway, it has nothing to say about which sender address I use as everything gets through.
In my experience this is how SPF works - mails only get blocked if the sending domain publishes an SPF record which contains a hard-fail somewhere (usually a final '-all') - everything else is accepted - although SpamAssassin might assign points to it ...
Additionally, SPF in practice is not working too well (misconfigured records, mailing lists, etc.), so most implementations do not block mails outright.
See also:
https://en.wikipedia.org/wiki/Sender_Policy_Framework

I hope this explains it!
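The two replies above read the SPF outcome from the SpamAssassin hits in the `pmg-smtp-filter` line and distinguish "no record" from a hard fail. The following is an added example, not part of the original posts and not PMG's own code, that extracts that information from such a line. The function names are hypothetical, the first sample line is copied from the thread's log, and the second is constructed (including its score) for contrast.

```python
import re

# LOG[0]: copied from the log in the thread. LOG[1]: constructed for contrast
# (a message whose sender domain hard-fails SPF; id and scores are made up).
LOG = [
    'Aug 09 23:04:20 s pmg-smtp-filter[819]: 68054562F2CBD46907C: SA score=0/5 '
    'time=0.476 bayes=undefined autolearn=ham autolearn_force=no '
    'hits=DKIM_ADSP_NXDOMAIN(0.8),FSL_HELO_NON_FQDN_1(0.001),HELO_NO_DOMAIN(0.001),'
    'HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_LAZY_DOMAIN_SECURITY(1),'
    'NO_DNS_FOR_FROM(0.379),RCVD_IN_DNSWL_HI(-5),RDNS_NONE(1.274),SPF_NONE(0.001),'
    'T_SCC_BODY_TEXT_LINE(-0.01)',
    'Aug 09 23:10:00 s pmg-smtp-filter[819]: 0000000000000000000: SA score=1/5 '
    'time=0.400 bayes=undefined autolearn=no autolearn_force=no '
    'hits=HTML_MESSAGE(0.001),SPF_FAIL(0.9)',
]

SA_RE = re.compile(r'pmg-smtp-filter\[\d+\]: (\w+): '
                   r'SA score=(-?[\d.]+)/(-?[\d.]+) .*?hits=(\S+)')
HIT_RE = re.compile(r'([A-Z0-9_]+)\((-?\d+(?:\.\d+)?)\)')

# SpamAssassin rule names for the MAIL FROM SPF result (HELO variants ignored).
SPF_RULES = {'SPF_PASS': 'pass', 'SPF_NONE': 'none', 'SPF_NEUTRAL': 'neutral',
             'SPF_SOFTFAIL': 'softfail', 'SPF_FAIL': 'fail'}

def parse_sa_line(line):
    """Return message id, reported score, per-rule hits and SPF result, or None."""
    m = SA_RE.search(line)
    if not m:
        return None
    hits = {name: float(score) for name, score in HIT_RE.findall(m.group(4))}
    spf = next((SPF_RULES[h] for h in hits if h in SPF_RULES), 'not evaluated')
    return {'msg_id': m.group(1), 'reported': float(m.group(2)),
            'required': float(m.group(3)), 'hits': hits, 'spf': spf,
            'hit_sum': round(sum(hits.values()), 3)}

def report(line):
    """One-line summary: SPF result, whether it is a hard fail, lowest-scoring hit."""
    r = parse_sa_line(line)
    low = min(r['hits'], key=r['hits'].get)
    return (f"{r['msg_id']}: spf={r['spf']} hard_fail={r['spf'] == 'fail'} "
            f"hit_sum={r['hit_sum']} lowest={low}({r['hits'][low]})")

if __name__ == '__main__':
    for entry in LOG:
        print(report(entry))
```

For the line from the thread this reports `spf=none`, which is the "no SPF record" case from the first reply and not a hard fail.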
 
Even with domains that have a final -all in their SPF, I can spoof using SMTP Test Tool for Windows. PMG completely ignores the SPF and delivers all e-mails.
 
