[SOLVED] Small SPF problem when filtering outgoing spam

bougatoyta

Hi,

I have a PMG that is used as SMTP for a Zimbra server. Logically, as only the PMG delivers mail to the outside, I've put only the PMG address in the SPF configuration.

But when PMG does the outgoing spam filtering, I get an SPF fail because the mail server is not in SPF.

All of this is logical when you know the way SPF works, but in this case I should not put the mail server in SPF because it is not used outside of the LAN.

The outside mail traffic being: zimbra server -> PMG -> Internet

Any idea on how I can disable or tune PMG properly to not tag the SPF issue in this case?

Regards
 
> But when PMG does the outgoing spam filtering, I get a SPF fail because the mail server is not in SPF.

Please show the logs for such a mail - since that helps to get a better picture of where the 'fail' happens
Else on a hunch - make sure your zimbra is configured to relay to the internal port (defaults to 26) of your PMG and not the external one.

I hope this helps!
 
Here is a log of one mail
Code:
Oct 12 10:13:27 localhost postfix/smtpd[1670152]: connect from zimbra-server[zimbra-IP]
Oct 12 10:13:27 localhost postfix/smtpd[1670152]: Anonymous TLS connection established from zimbra-server[zimbra-IP]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Oct 12 10:13:27 localhost postfix/smtpd[1670152]: 6BA4414E6: client=zimbra-server[zimbra-IP]
Oct 12 10:13:27 localhost postfix/cleanup[1670062]: 6BA4414E6: message-id=<14EBBACD-C4D7-4AAE-9FF0-2E3B4DB95ECA@domain.com>
Oct 12 10:13:27 localhost postfix/qmgr[729892]: 6BA4414E6: from=<user@domain.com>, size=184104, nrcpt=1 (queue active)
Oct 12 10:13:27 localhost postfix/smtpd[1670152]: disconnect from zimbra-server[zimbra-IP] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Oct 12 10:13:27 localhost pmg-smtp-filter[1670344]: 14F8634677276F928: new mail message-id=<14EBBACD-C4D7-4AAE-9FF0-2E3B4DB95ECA@domain.com>#012
Oct 12 10:13:28 localhost pmg-smtp-filter[1670344]: 14F8634677276F928: SA score=0/5 time=1.086 bayes=undefined autolearn=disabled hits=HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_SOFTFAIL(0.972)
Oct 12 10:13:28 localhost postfix/smtpd[1669119]: connect from localhost[127.0.0.1]
Oct 12 10:13:28 localhost postfix/smtpd[1669119]: 9035D1525: client=localhost[127.0.0.1], orig_client=zimbra-server[zimbra-IP]
Oct 12 10:13:28 localhost postfix/cleanup[1669716]: 9035D1525: message-id=<14EBBACD-C4D7-4AAE-9FF0-2E3B4DB95ECA@domain.com>
Oct 12 10:13:28 localhost postfix/qmgr[729892]: 9035D1525: from=<user@domain.com>, size=184333, nrcpt=1 (queue active)
Oct 12 10:13:28 localhost postfix/smtpd[1669119]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Oct 12 10:13:28 localhost pmg-smtp-filter[1670344]: 14F8634677276F928: accept mail to <receiver@domain.org> (9035D1525) (rule: default-accept)
Oct 12 10:13:28 localhost pmg-smtp-filter[1670344]: 14F8634677276F928: processing time: 1.147 seconds (1.086, 0.013, 0)
Oct 12 10:13:28 localhost postfix/lmtp[1669115]: 6BA4414E6: to=<receiver@domain.org>, relay=127.0.0.1[127.0.0.1]:10023, delay=1.2, delays=0.01/0/0/1.2, dsn=2.5.0, status=sent (250 2.5.0 OK (14F8634677276F928))
Oct 12 10:13:28 localhost postfix/qmgr[729892]: 6BA4414E6: removed
Oct 12 10:13:28 localhost postfix/smtp[1670097]: Untrusted TLS connection established to receiver-Server[receiver-IP]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 12 10:13:30 localhost postfix/smtp[1670097]: 9035D1525: to=<receiver@domain.org>, relay=receiver-Server[receiver-IP]:25, delay=1.7, delays=0.02/0/0.24/1.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B912D354)
Oct 12 10:13:30 localhost postfix/qmgr[729892]: 9035D1525: removed

You can see the line here:

Oct 12 10:13:28 localhost pmg-smtp-filter[1670344]: 14F8634677276F928: SA score=0/5 time=1.086 bayes=undefined autolearn=disabled hits=HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_SOFTFAIL(0.972)

The softfail happened because I did not set zimbra-IP in the SPF.

Regards
 
> Oct 12 10:13:28 localhost pmg-smtp-filter[1670344]: 14F8634677276F928: SA score=0/5 time=1.086 bayes=undefined autolearn=disabled hits=HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_SOFTFAIL(0.972)

Thanks for the logs - ok - so you're referring to the SpamAssassin hits - you have 2 options:
* ignore the issue - usually the SPF fails do not add too many points from SpamAssassin so it's unlikely that a mail will get quarantined due to this issue (if yes you can consider adapting the rule that caused the quarantine)
* setup a dedicated DNS-Server, which masks the public SPF record for your internal domains

I hope this helps!
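
To check the first option against your own logs, this added example (not from the thread or from Proxmox) parses pmg-smtp-filter summary lines in the format shown above and reports whether the SPF_* hits were what pushed a mail over a threshold. The function name, the threshold handling and the second sample line (with its EXAMPLE_RULE_A hit) are assumptions constructed for illustration.

```python
import re

# SpamAssassin summary line as logged by pmg-smtp-filter in the thread above.
SA_LINE = re.compile(
    r"pmg-smtp-filter\[\d+\]: (?P<id>[0-9A-F]+): "
    r"SA score=-?\d+(?:\.\d+)?/(?P<limit>\d+(?:\.\d+)?) .*?hits=(?P<hits>\S+)"
)
HIT = re.compile(r"([A-Z0-9_]+)\((-?\d+(?:\.\d+)?)\)")

def spf_impact(lines, threshold=None):
    """Return one dict per SA summary line with the SPF share of the score.

    threshold: score at which your rule acts (assumption: when None, the
    value logged after the slash in "score=N/M" is used).
    """
    results = []
    for line in lines:
        m = SA_LINE.search(line)
        if not m:
            continue  # not a SpamAssassin summary line
        hits = {name: float(pts) for name, pts in HIT.findall(m["hits"])}
        total = sum(hits.values())
        spf = sum(pts for name, pts in hits.items() if name.startswith("SPF_"))
        limit = float(m["limit"]) if threshold is None else threshold
        results.append({
            "id": m["id"],
            "total": round(total, 3),
            "spf": round(spf, 3),
            # True only if the mail reaches the limit and would not without SPF hits.
            "spf_decisive": total >= limit > total - spf,
        })
    return results

# First line is from the thread; the other two are constructed for the example.
SAMPLE = [
    "Oct 12 10:13:28 localhost pmg-smtp-filter[1670344]: 14F8634677276F928: SA score=0/5 time=1.086 bayes=undefined autolearn=disabled hits=HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_SOFTFAIL(0.972)",
    "Oct 12 10:14:02 localhost pmg-smtp-filter[1670344]: 0000000000000AAAA: SA score=5/5 time=0.900 bayes=undefined autolearn=disabled hits=EXAMPLE_RULE_A(4.2),HTML_MESSAGE(0.001),SPF_SOFTFAIL(0.972)",
    "Oct 12 10:14:02 localhost postfix/qmgr[729892]: 6BA4414E6: removed",
]

if __name__ == "__main__":
    for row in spf_impact(SAMPLE):
        print(row)
```

Mails flagged `spf_decisive` are the ones where the quarantine rule would need adapting, as the first option suggests.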
 
> Thanks for the logs - ok - so you're referring to the SpamAssassin hits - you have 2 options:
> * ignore the issue - usually the SPF fails do not add too many points from SpamAssassin so it's unlikely that a mail will get quarantined due to this issue (if yes you can consider adapting the rule that caused the quarantine)
> * setup a dedicated DNS-Server, which masks the public SPF record for your internal domains
>
> I hope this helps!

Thanks for the answer. I'm going to use the first option, as this PMG filters 400 domains, so I don't want to mess with DNS, and since only the zimbra server is allowed to relay, it's pretty safe for now. I might rethink all this later.
 