5.6.8-B2431 SPF Check Failures
When I receive e-mails from the tax authorities, the messages are marked as spam because the SPF record would not be correct.
Information from their site of the tax authorities:
The Sender Policy Framework (SPF) records for the domains have fixed IP addresses and host names. We use different macros in the SPF records. These macros are in accordance with RFC 7208. In chapter 7 of RFC you will find more information about the use of macros. With these adjustments, the Tax and Customs Administration follows the e-mail standards of the Standardization Forum.
The current SPF record for the mentioned domains looks like this: v = spf1 exists: _i.% {i} ._ h.% {h} ._ o.% {o} ._ spf.xxxx –all
This value contains 3 macros. These macros request the following data from the sending mail server:
% {i}: The IP address or the SMTP address from which the mail comes.
% {h}: HELO / EHLO of the domain from which the mail comes.
% {o}: The domain or field "MAIL FROM" or the "HELO" identity
Anyone have any idea what I can do about this? The messages really come from the tax authorities if you check the ip addresses. Something is really going wrong with the spf record detection
Re: 5.6.8-B2431 SPF Check Failures
If you're sure it's not spam, you could whitelist the addresses.
Re: 5.6.8-B2431 SPF Check Failures
Yes, I’m absolutely sure it is no spam
DKIM, IP-address and content are all correct. Only SPF not according to hmail.

Re: 5.6.8-B2431 SPF Check Failures
Out of curiosity, what does the SPF check at mxtoolbox say? (I have actually never come across anyone using macros like that yet, so I am curious.)
___________________________________________________________end of the line
Re: 5.6.8-B2431 SPF Check Failures
Same here. Not sure how that would even work. Does an instantly updateable dns record even exist? It gets changed every time an email is sent? I don't get it.
Re: 5.6.8-B2431 SPF Check Failures
The current SPF record for the mentioned domains looks like this: v = spf1 exists: _i.% {i} ._ h.% {h} ._ o.% {o} ._ spf.xxxx –all
This will fail as there can only be spaces between "spf1 exists:" and "xxxx -all"
Like this ... v=spf1 exists:_i.%{i}._h.%{h}._o.%{o}._spf.mydomain.tld -all
SørenR.
Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.
Re: 5.6.8-B2431 SPF Check Failures
mxtoolbox indicates that everything is correct
Re: 5.6.8-B2431 SPF Check Failures
Did you have to add it to your DNS to test it with mxtoolbox?
I used this ... https://vamsoft.com/support/tools/spf-policy-tester select the "advanced" tab.
The translated line should be: v=spf1 exists:_i.123.123.123.123._h.mail.mydomain.tld._o.mydomain.tld._spf.mydomain.tld -all
SørenR.
Re: 5.6.8-B2431 SPF Check Failures
The result of this test is also good:
TEST SUMMARY
The evaluation completed in 508 ms, with 0 error and 0 warning.
Result: SPF pass
Re: 5.6.8-B2431 SPF Check Failures
Something really goes wrong in hmail spf control when using a macro for the spf record. I have transferred a domain name to exchange server (office365). And the emails that come in there from the tax authorities pass the spf test well. And messages from the same server of the tax authorities servers that are sent to another domain on the hmail server do not pass the spf test.
Hope this can be fixed in a future version of hmail.
Re: 5.6.8-B2431 SPF Check Failures
Greta wrote: ↑2020-10-15 10:58
Something really goes wrong in hmail spf control when using a macro for the spf record. I have transferred a domain name to exchange server (office365). And the emails that come in there from the tax authorities pass the spf test well. And messages from the same server of the tax authorities servers that are sent to another domain on the hmail server do not pass the spf test.
Hope this can be fixed in a future version of hmail.

hMailServer as standard is using a modified (by Martin) SPF library originally written by Roger Moser. http://www.pamho.net/source/
My compilation of 5.6.8 is using the unmodified SPF library so if you have a source domain using macros in SPF you can send me an email...

SørenR.
Re: 5.6.8-B2431 SPF Check Failures
Thanks, I sent you a pm
Re: 5.6.8-B2431 SPF Check Failures
It seems hms do not pass the HELO/EHLO domain to the SPFVerify routine.
I will need to spend some time on this as I'm not a full-time programmer so I need to dust off some old 'C' skills

SørenR.
Re: 5.6.8-B2431 SPF Check Failures
I will need to figure out how to test the changes...
I found that my inhouse DNS do not accept "_" in hostname...

SørenR.
Re: 5.6.8-B2431 SPF Check Failures
@Greta
SorenRR and myself have done some test with such SPF record and SorenRR made a fix for it, included in this build
Now mail from the tax authorities does pass the SPF test

CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
Re: 5.6.8-B2431 SPF Check Failures
FYI:
v=spf1 exists:_i.%{i}._h.%{h}._o.%{o}._spf.testdomain.com -all
1. with existing A-record that matches _i.xxx.xxx.xxx.xxx ._h.mail.testdomain.nl._o.testdomain.com._spf.testdomain.com
"DEBUG" 8220 "2020-10-19 22:47:57.177" "Spam test: SpamTestSPF xxx.xxx.xxx.xxx ruud@testdomain.com mail.testdomain.nl"
"DEBUG" 8220 "2020-10-19 22:47:57.177" "Spam test: SpamTestSPF, Result: Pass"
"DEBUG" 8220 "2020-10-19 22:47:57.177" "Spam test: SpamTestSPF, Score: 0"
2. without A-record (NXDOMAIN)
"DEBUG" 4588 "2020-10-19 23:56:29.059" "Spam test: SpamTestSPF xxx.xxx.xxx.xxx ruud@testdomain.com mail.testdomain.nl"
"DEBUG" 4588 "2020-10-19 23:56:29.059" "Spam test: SpamTestSPF, Result: Fail"
"DEBUG" 4588 "2020-10-19 23:56:29.059" "Spam test: SpamTestSPF, Score: 1"
Note: the italic printed DEBUG line is not included in .27,
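How a receiver evaluates the record tested above, as an added example (not hMailServer or RMSPF code): it expands the RFC 7208 section 7 macros, including transformers and IPv6 addresses that the thread does not exercise, and evaluates `exists` against a stand-in zone. The IP 192.0.2.25, the zone content, the function names and the empty-string HELO used to model a checker that never receives the HELO name are assumptions.

```python
import ipaddress
import re
from urllib.parse import quote

# Record from the test above; the IP, names and zone content are constructed.
RECORD = "v=spf1 exists:_i.%{i}._h.%{h}._o.%{o}._spf.testdomain.com -all"
ZONE_A_RECORDS = {
    "_i.192.0.2.25._h.mail.testdomain.nl._o.testdomain.com._spf.testdomain.com",
}

MACRO = re.compile(r"%(?:\{([A-Za-z])(\d*)(r?)([-.+,/_=]*)\}|(.?))", re.S)
LITERALS = {"%": "%", "_": " ", "-": "%20"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def expand_macros(spec, ip, helo, sender, domain):
    """Expand RFC 7208 section 7 macros (letters s, l, o, d, i, h, v) in a domain-spec."""
    addr = ipaddress.ip_address(ip)
    if "@" not in sender:
        sender = "postmaster@" + sender
    local, _, sender_domain = sender.rpartition("@")
    values = {
        "s": sender,
        "l": local or "postmaster",
        "o": sender_domain,
        "d": domain,
        "h": helo,
        # IPv4 is the dotted quad; IPv6 becomes one label per hex nibble.
        "i": str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", "")),
        "v": "in-addr" if addr.version == 4 else "ip6",
    }

    def substitute(match):
        letter, digits, reverse, delimiters, literal = match.groups()
        if letter is None:
            if literal in LITERALS:          # %%, %_ and %-
                return LITERALS[literal]
            raise ValueError("malformed macro in %r" % spec)
        if letter.lower() not in values:
            raise ValueError("macro letter %r is outside this example" % letter)
        # Split on the listed delimiters (default "."), then reverse / truncate.
        parts = re.split("[" + re.escape(delimiters or ".") + "]", values[letter.lower()])
        if reverse:
            parts.reverse()
        if digits:
            if int(digits) == 0:
                raise ValueError("digit transformer must be non-zero")
            parts = parts[-int(digits):]     # keep the right-most N labels
        text = ".".join(parts)
        return quote(text, safe="") if letter.isupper() else text

    return MACRO.sub(substitute, spec)


def check_host(record, ip, helo, sender, has_a_record):
    """Evaluate a record limited to 'exists' and 'all'; returns (result, names queried)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", []
    domain = sender.rpartition("@")[2]
    queried = []
    for term in terms[1:]:
        qualifier, mechanism = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, argument = mechanism.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier], queried
        if name.lower() != "exists":
            raise ValueError("mechanism %r is outside this example" % name)
        target = expand_macros(argument, ip, helo, sender, domain)
        queried.append(target)
        if has_a_record(target):             # any A record means the mechanism matches
            return QUALIFIERS[qualifier], queried
    return "neutral", queried


def in_zone(name):
    """Stand-in for a DNS A lookup against the constructed zone."""
    return name.lower().rstrip(".") in ZONE_A_RECORDS


if __name__ == "__main__":
    # Second run models a checker that is never handed the HELO name.
    for helo in ("mail.testdomain.nl", ""):
        result, names = check_host(RECORD, "192.0.2.25", helo, "ruud@testdomain.com", in_zone)
        print("HELO=%r -> %s (queried %s)" % (helo, result, names[0]))
```

With an empty `%{h}` the queried name no longer matches the published A record, so the message falls through to `-all`.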
Re: 5.6.8-B2431 SPF Check Failures
Sorry guys, I now have version 5.6.8-B2505 running. But unfortunately still get SPF Check Failures with this domain. 
Just enabled debug to see why and what's happening.

Re: 5.6.8-B2431 SPF Check Failures
Same domain or a different domain?
SørenR.
Re: 5.6.8-B2431 SPF Check Failures
5.6.8-B2505 or 5.6.8-B2505.27?
Re: 5.6.8-B2431 SPF Check Failures
Hmm...
RvdH is using the RMSPF library version 1.10. I am using version 1.12 ...
Want to try my version of 5.6.8 ?
I've attached RMSPF 1.12 for RvdH

Attachments: RMSPF.rar (24.08 KiB)
SørenR.
Re: 5.6.8-B2431 SPF Check Failures
I already have it. I examined the changelog and came to the conclusion it's not worth upgrading; no functionality related to macro usage was added, so I decided to stick with 1.10.
Also, it is unrelated to the problem.
Re: 5.6.8-B2431 SPF Check Failures
Where can I find that. HMail admin status give me 5.6.8-B2505. And hMailServer.exe properties give a file version 1.0.0.1
Ok, then it doesn't matter which version I install. Then they should both be the same.
Re: 5.6.8-B2431 SPF Check Failures
Ah, OK...my suspicion was right it seems

It seems you only did step 1
- You first have to install the latest artifact (5.6.8-B2505)
- Stop the hmailserver service
- Then copy and overwrite files in this archive in hmailserver '/bin' directory (5.6.8-B2505.27)
Many of these fixes are in the Alpha 5.7 64-bit branch nowadays but were/are not backported to 5.6.x releases
The github source of my build is located here:
https://github.com/RvdHout/hmailserver/tree/5.6.8
Re: 5.6.8-B2431 SPF Check Failures
Ah clearly. I now have version .27 running 
But if a new version is published on the download page of hmailserver.com, will these bug fixes also be included?

Re: 5.6.8-B2431 SPF Check Failures
Nope, unfortunately not. Like I said, the author of hMailServer (Martin) chose not to backport them to 5.6.x and only committed them to the 5.7 branch.
So you always need to check this page after a new version in the 5.6.x branch is published.
Drop me a PM with a test e-mail address of yours and I will send you a mail from a domain with a similar SPF record to test.
Re: 5.6.8-B2431 SPF Check Failures
Clearly. Thanks for quickly fixing the software.
The emails now arrive without an SPF error
Re: 5.6.8-B2431 SPF Check Failures
Sorry for kicking up this thread again. It now seems that nothing is rejected on SPF anymore. Spam emails in the name of a bank now come through where the SPF should give a failure.

Re: 5.6.8-B2431 SPF Check Failures
I just compared "Blocked by SPF" in my logs with the logs of SpamAssassin (SPF_FAIL)... They match 100%.
SørenR.
- jimimaseye
- Moderator
- Posts: 8917
- Joined: 2011-09-08 17:48
Re: 5.6.8-B2431 SPF Check Failures
You sure the bank has their spf records set up correctly (ie, to reject)?
[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
Re: 5.6.8-B2431 SPF Check Failures
jimimaseye wrote: ↑2020-11-09 22:07
You sure the bank has their spf records set up correctly (ie, to reject)?
[Entered by mobile. Excuse my spelling.]

The poster said in name of a bank, not from the (official) domain of that bank... so sure, it can pass the SPF check as long as that (fake) domain has a valid SPF
@Greta
That's exactly the reason why (most) banks rely on DMARC, eg: SPF + DKIM + alignment and not SPF alone
Re: 5.6.8-B2431 SPF Check Failures
hMailServer only care about the - (minus) Qualifier.
+ for a PASS result. This can be omitted; e.g., +mx is the same as mx.
? for a NEUTRAL result interpreted like NONE (no policy).
~ (tilde) for SOFTFAIL, a debugging aid between NEUTRAL and FAIL. Typically, messages that return a SOFTFAIL are accepted but tagged.
- (minus) for FAIL, the mail should be rejected (see below).
https://en.wikipedia.org/wiki/Sender_Po ... Qualifiers
Perhaps we should consider including the ~ (tilde) with its own score ???
SørenR.
- jimimaseye
Re: 5.6.8-B2431 SPF Check Failures
But SPF checking takes the 'claimed' domain name of the bank, checks the banks official dns spf records to see what ip addresses can send for that domain and sees that this email has been sent from an ip address that is not allowed to send in the name of the bank. Therefore, it will fail IF the bank has -all.
That is of course assuming the imitated domain is an exact match of the bank and not with some slight amendment (or even completely different) i.e fake (as you say).
Re: 5.6.8-B2431 SPF Check Failures
Yes Please
ALSO
I'd like to fail anyone who uses +all
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: 5.6.8-B2431 SPF Check Failures
The bank uses -all, so this one shouldn't get through anyway. See below the header of the message.
Code:
Received: from 216-198-73-40.client.cypresscom.net (216-198-73-40.client.cypresscom.net [216.198.73.40])
by hmailserver
; Mon, 9 Nov 2020 15:15:40 +0100
Return-Path: klantinfo@rabobank.nl
MIME-Version: 1.0
From: "Rabobank" <klantinfo@rabobank.nl>
Reply-To: klantinfo@rabobank.nl
To: xxxx@xxxxxxx.xx
Subject: Uw vernieuwde AVG richtlijn
Content-Type: multipart/related; boundary="jj=_vyVoh28JpGElF7pBG61ct8SoNKbJMQ"
X-Mailer: Smart_Send_3_1_6
Date: Mon, 9 Nov 2020 15:12:41 +0100
Message-ID: <2524244376344971919@WIN-4N5LJLCGCJ1>
X-Original-To: scimodel@protonmail.ch
Authentication-Results: mail12i.protonmail.ch; dmarc=none (p=none dis=none) header.from=dr.com
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mail.com; s=dbd5af2cbaf7; t=1570670139; bh=lsscw/sPBhEOz5Mx+hWEYf2ikvZGbg/B4sFPjwPQfDk=; h=X-UI-Sender-Class:From:To:Subject:Date:References; b=R5iolzTQaGO9vgdI2KjP92uUuH7JHbfDpNcEVg3gKF8+QH/1jrRTqJzxE2u34OJPs scOnrm1/w7gqfiadCQNsZrwBAsdOqYOY8xntzbsdJ9/zZ+nNNzC0XbtSx5AXWlHI6I frdpMPzsqWAOMs0rzuLbDuk9FUJXxCtPdr8LiHqs=
X-Ui-Sender-Class: 214d933f-fd2f-45c7-a636-f5d79ae31a79
Importance: normal
Sensitivity: Normal
References: <548964862.12249.1570668712252@veco4583.oracle.rabobank.nl>
X-Ui-Message-Type: mail
X-Provags-Id: V03:K1:ql6ML+5G+6ewiflCwFKCe4b404kEAHHNNo0OBsWeKeSdLoAS7oFMU4US1SJzfuZlDUvta DN4pmx/KSYC+k2xclqyQfvvU0hDzIj1OWkhTPeUdgcOMbnX0k1kKmqgS+3jV3xYSMe5tsGfRx1VP VRM3/MiGuE7I400Xi7ISE/hJ+s7P8sAGozcv7OFxTcHVzlTH/m7zOyuqeY8wa2V/K5oO6YO3eEXP 2aqOXXT12SMYbVZRW/OKJgUq57T9zO0Omrf9zJbD+Gap9jo6SOPvr0NYUKA6jMyfswJS1yqFVQv0 Zs=
X-Ui-Out-Filterresults: notjunk:1;V03:K0:XwtDL170zRE=:pjZdmAt0xyoHfg6LE21Afr R0038jEb/JzAGmx3dS6yhHc7O9eQleKJrvs5fhH5MO1NYYHBW+MwuTtXsDtlXlH0VGQCz5Q0l ej3y1ry43sV+qF217QDVBD9HL2aC3xn8sijJfBTxC57ce+MzaLKTWo+NOlXNuWiaXgg9SZ9Xl jl75W5+oZVo1KLDo0U0I75F4PETBoVNWFWkRVQebFuv4SoObFzfcTsVDoPwoMaXHnBj4J87dQ eL3c8klrK78DR/VpIcQQEGkZ3MAQUmvHp1mkOTPAmAXqxbDu8XHfjr4BlILK/sB6xDLT4EfBa TEpJwWa+sXSzqP6JZKsOtSmHkV3Hd0+xfqUx51qMwzvJE3rHSYxSpBZwYOyJTWgNKRp3EY3U0 oElS7sv7v78r17fGvoK2AeTm4wr19oPJwCdInuQYPVC0TXIY4Z2BhR/MNn7rS1jo14LzLs6LF CQBWDb/pzoI1dZzg6yhQd/LaKJUHeSf0QnzyAV6VhSWshakrqMI6h3oMZlfFniGcg/Ia38iFA 8sLIxOANkjkhNOJWAqRSvzrBQVV1xyQGh66FlP1hNXA7r7UjHwTHJ4eUxG85/3+58A9WSxDIC +FO5dDr9J9PYVCUKpUiR5I2cfRTuQuFG3Z8YedMBqdGwz4RvCDSXcJO/Z4jBrXOQUkTBPGA7T LeK2OgJhR17Sc3MDyCvI4PupzoQCCGaY0aaqsk3wD8B0C7MbRIptdsT9LSCVIYXw76pCowHvI 6Zko+uP2P4EXFO1c1bVsV1gudpPlKzEr6mrjIFNPp4JqFKsLOQoR/Gd7D5w=
X-Spam-Status: No, score=0.1 required=4.0 tests=DKIM_SIGNED,DKIM_VALID, FREEMAIL_FROM,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_NONE,SPF_PASS, T_KAM_HTML_FONT_INVALID,T_REMOTE_IMAGE autolearn=no autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on maili.protonmail.ch
X-Pm-Origin: external
X-Pm-Content-Encryption: on-delivery
X-Pm-Transfer-Encryption: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
In-Reply-To: <2524244376344971919@WIN-4N5LJLCGCJ1>
- jimimaseye
Re: 5.6.8-B2431 SPF Check Failures
Those headers do not show the 'envelope from' (only the header 'from') and it also shows that spamassassin has also passed the spf check. Therefore it's likely to NOT be incoming as rabobank.nl.
Therefore SPF checking is consistent and working and it's likely a situation as Rvhd described:
The poster said in name of a bank, not from the (official) domain of that bank... so sure, it can pass the SPF check as long as that (fake)domain has a valid SPF
There's nothing wrong with your spf checking.
Re: 5.6.8-B2431 SPF Check Failures
My analysis on the message-id is that it is a spamming VM or computer.
No company leaves windows default name of servers and clients.
Code:
Message-ID: <2524244376344971919@WIN-4N5LJLCGCJ1>
HMS 5.6.8 B2534.28 on Windows Server 2019 Core VM.
HMS 5.6.8 B2534.28 on Windows Server 2016 Core VM.
HMS 5.6.7 B2425.16 on Windows Server 2012 R2 Core VM.
Re: 5.6.8-B2431 SPF Check Failures
The header part of spamassassin does not come from my server. I don't use spamassassin. In addition, as I see it, the message comes from IP address 216.198.73.40 with the FROM sender klantinfo@rabobank.nl. And this combination IP and domain name is wrong. SPF should trigger on that I think.
Re: 5.6.8-B2431 SPF Check Failures
jimimaseye wrote: ↑2020-11-10 01:36
But SPF checking takes the 'claimed' domain name of the bank, checks the banks official dns spf records to see what ip addresses can send for that domain and sees that this email has been sent from an ip address that is not allowed to send in the name of the bank. Therefore, it will fail IF the bank has -all.
That is of course assuming the imitated domain is an exact match of the bank and not with some slight amendment (or even completely different) i.e fake (as you say).
[Entered by mobile. Excuse my spelling.]

I see no problem with it... as it seems this particular message is a forwarded (spam) message (X-Original-To: scimodel@protonmail.ch), so the SPF check would use SMTPFromAddress scimodel@protonmail.ch or header.from=dr.com and not *@rabobank.nl
protonmail.ch -> 216.198.73.40 -> SoftFail (SoftFail passes hmailserver SPF check, as it should)
dr.com -> 216.198.73.40 -> Fail
@Greta
If you think you can defeat spam with only SPF checking you are very, very wrong!
For adequate spam checking you really need to think about including SpamAssassin
Re: 5.6.8-B2431 SPF Check Failures
I have a DMARC setting covering my SPF and DKIM so about 2-3 times a week I get this from Google - apparently no one else uses the DMARC reporting.. "mydomain.tld" is a substitute for my domain.
Code:
v=DMARC1; p=quarantine; rua=mailto:root@mydomain.tld; adkim=s; aspf=s;
Code:
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<report_metadata>
<org_name>google.com</org_name>
<email>noreply-dmarc-support@google.com</email>
<extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
<report_id>719510582100019190</report_id>
<date_range>
<begin>1604534400</begin>
<end>1604620799</end>
</date_range>
</report_metadata>
<policy_published>
<domain>mydomain.tld</domain>
<adkim>s</adkim>
<aspf>s</aspf>
<p>quarantine</p>
<sp>quarantine</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>145.131.17.165</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>quarantine</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mydomain.tld</header_from>
</identifiers>
<auth_results>
<spf>
<domain>ixlce9cc--------------.145-131-17-165.static.awcloud.nl</domain>
<result>none</result>
</spf>
</auth_results>
</record>
</feedback>
SørenR.
Re: 5.6.8-B2431 SPF Check Failures
I am not using SpamAssassin but other software. But I think a little differently about the SPF checking than you do. You look at the X-Original-To: and I at the From: which I think is also the right way. But anyway if it works as you indicate then indeed it works. Then sorry for the misunderstanding
Re: 5.6.8-B2431 SPF Check Failures
Greta wrote: ↑2020-11-10 16:53
I am not using SpamAssassin but other software. But I think a little differently about the SPF checking than you do. You look at the X-Original-To: and I at the From: which I think is also the right way. But anyway if it works as you indicate then indeed it works. Then sorry for the misunderstanding

The mail address to use when checking SPF is the MAIL FROM: from the SMTPD log. All other addresses are standard headers that can (and will) be faked!
The "From:" header is like a FedEx van pulling up outside your house and the delivery guy is wearing a UPS uniform. Which company is delivering your letter?
A: "From:" ~ UPS
B: "MAIL FROM:" ~ FedEx
?
SørenR.
- jimimaseye
Re: 5.6.8-B2431 SPF Check Failures
News flash! Your "other software" is using spamassassin.
Greta wrote: ↑2020-11-10 08:22
X-Ui-Message-Type: mail
X-Spam-Status: No, score=0.1 required=4.0 tests=DKIM_SIGNED,DKIM_VALID, FREEMAIL_FROM,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_NONE,SPF_PASS, T_KAM_HTML_FONT_INVALID,T_REMOTE_IMAGE autolearn=no autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on maili.protonmail.ch
Re: 5.6.8-B2431 SPF Check Failures
jimimaseye wrote: ↑2020-11-10 17:41
News flash! Your "other software" is using spamassassin.
Greta wrote: ↑2020-11-10 08:22
X-Ui-Message-Type: mail
X-Spam-Status: No, score=0.1 required=4.0 tests=DKIM_SIGNED,DKIM_VALID, FREEMAIL_FROM,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_NONE,SPF_PASS, T_KAM_HTML_FONT_INVALID,T_REMOTE_IMAGE autolearn=no autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on maili.protonmail.ch

I think that is an external server mentioned in X-Original-To: scimodel@protonmail.ch, that forwards the spam....

ProtonMail
Secure Email
Based in Switzerland

Secure? Secure my ass... fix your SPF so it can't be abused
Re: 5.6.8-B2431 SPF Check Failures
@SorenR
Okay, you indicate that the From in the header does not have to be the real From. That could be, but it seems to me that a mail server should not allow this. I'll turn on the logging so I can check this next time. Because if this is really the case I have to see if I can find a script or something else that checks this.
@jimimaseye
As I have already mentioned, that part of the header is not coming from my server. My server is absolutely NOT running SpamAssassin!
- jimimaseye
Re: 5.6.8-B2431 SPF Check Failures
@jimimaseye
As I have already mention that part of the header is not coming from my server

Yep. See that now.
Re: 5.6.8-B2431 SPF Check Failures
I just checked the log because it occurred to me that logging was still on.
It turns out that the From address what is on the header is indeed the same as in the log (at least in this situation). And in my opinion this should give an SPF error. If hmailserver checks the from address. But I'm not sure about that.
Code:
"SMTPD" 24492 15912 "2020-11-09 15:15:39.247" "216.198.73.40" "SENT: 220 hmailserver"
"SMTPD" 25172 15912 "2020-11-09 15:15:39.356" "216.198.73.40" "RECEIVED: EHLO 216-198-73-40.client.cypresscom.net"
"SMTPD" 25172 15912 "2020-11-09 15:15:39.357" "216.198.73.40" "SENT: 250-hmailserver [nl]250-SIZE[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 24492 15912 "2020-11-09 15:15:39.498" "216.198.73.40" "RECEIVED: MAIL FROM: <klantinfo@rabobank.nl>"
"SMTPD" 24492 15912 "2020-11-09 15:15:39.556" "216.198.73.40" "SENT: 250 OK"
"SMTPD" 6684 15912 "2020-11-09 15:15:39.708" "216.198.73.40" "RECEIVED: RCPT TO: <xxxx@xxxxxxx.xx>"
"SMTPD" 6684 15912 "2020-11-09 15:15:39.762" "216.198.73.40" "SENT: 250 OK"
"SMTPD" 6684 15912 "2020-11-09 15:15:39.870" "216.198.73.40" "RECEIVED: DATA"
"SMTPD" 6684 15912 "2020-11-09 15:15:39.880" "216.198.73.40" "SENT: 354 OK, send."
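Which identities from an SMTP session feed an SPF check, as an added example (not hMailServer code): it pulls the client IP, EHLO name and MAIL FROM out of SMTPD log lines like the ones above and compares the SPF domain with the header From domain, the strict alignment that `aspf=s` asks for. The second log, the second header set and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# SMTPD lines copied from the log posted above (recipient already masked there).
PAGE_LOG = r'''
"SMTPD" 24492 15912 "2020-11-09 15:15:39.247" "216.198.73.40" "SENT: 220 hmailserver"
"SMTPD" 25172 15912 "2020-11-09 15:15:39.356" "216.198.73.40" "RECEIVED: EHLO 216-198-73-40.client.cypresscom.net"
"SMTPD" 24492 15912 "2020-11-09 15:15:39.498" "216.198.73.40" "RECEIVED: MAIL FROM: <klantinfo@rabobank.nl>"
"SMTPD" 6684 15912 "2020-11-09 15:15:39.708" "216.198.73.40" "RECEIVED: RCPT TO: <xxxx@xxxxxxx.xx>"
'''
# Constructed sessions: a bounce with a null sender, and a mailer using its own domain.
CONSTRUCTED_LOG = r'''
"SMTPD" 100 20001 "2020-11-10 10:00:00.000" "192.0.2.10" "RECEIVED: EHLO mx.example.net"
"SMTPD" 100 20001 "2020-11-10 10:00:00.100" "192.0.2.10" "RECEIVED: MAIL FROM: <>"
"SMTPD" 101 20002 "2020-11-10 10:05:00.000" "192.0.2.20" "RECEIVED: HELO mailer.example.org"
"SMTPD" 101 20002 "2020-11-10 10:05:00.100" "192.0.2.20" "RECEIVED: MAIL FROM: <news@mailer.example.org> SIZE=2048"
'''
PAGE_HEADERS = 'Return-Path: klantinfo@rabobank.nl\nFrom: "Rabobank" <klantinfo@rabobank.nl>\n\n'
CONSTRUCTED_HEADERS = 'From: "Bank" <service@bank.example>\nSubject: constructed\n\n'

# Fields: type, thread id, session id, timestamp, remote IP, message text.
LOG_LINE = re.compile(r'^"SMTPD"\s+\d+\s+(\d+)\s+"[^"]*"\s+"([^"]*)"\s+"(.*)"\s*$')
HELO = re.compile(r"^RECEIVED: (?:EHLO|HELO)\s+(\S+)", re.I)
MAIL_FROM = re.compile(r"^RECEIVED: MAIL FROM:\s*<([^>]*)>", re.I)


def spf_inputs(log_text):
    """Return {session_id: {ip, helo, mail_from, spf_identity}} from SMTPD log lines."""
    sessions = {}
    for line in log_text.splitlines():
        match = LOG_LINE.match(line.strip())
        if not match:
            continue
        session_id, ip, text = match.groups()
        session = sessions.setdefault(session_id, {"ip": ip, "helo": None, "mail_from": None})
        helo = HELO.match(text)
        sender = MAIL_FROM.match(text)
        if helo:
            session["helo"] = helo.group(1).lower()
        elif sender:
            session["mail_from"] = sender.group(1).lower()
    for session in sessions.values():
        if session["mail_from"] is None:
            session["spf_identity"] = None              # no MAIL FROM in this session
        elif session["mail_from"] == "":
            # RFC 7208 section 2.4: a null reverse-path is checked as postmaster@<HELO>.
            session["spf_identity"] = "postmaster@%s" % (session["helo"] or "unknown")
        else:
            session["spf_identity"] = session["mail_from"]
    return sessions


def compare_identities(session, raw_headers):
    """Compare the domain SPF evaluates with the domain the user sees in From:."""
    header_from = parseaddr(message_from_string(raw_headers).get("From", ""))[1]
    spf_domain = (session["spf_identity"] or "").rpartition("@")[2]
    from_domain = header_from.rpartition("@")[2].lower()
    return {
        "spf_domain": spf_domain,
        "header_from_domain": from_domain,
        # Strict alignment only; relaxed alignment needs the Public Suffix List.
        "strict_aligned": bool(spf_domain) and spf_domain == from_domain,
    }


if __name__ == "__main__":
    page = spf_inputs(PAGE_LOG)["15912"]
    print(page, compare_identities(page, PAGE_HEADERS))
    for sid, session in spf_inputs(CONSTRUCTED_LOG).items():
        print(sid, session, compare_identities(session, CONSTRUCTED_HEADERS))
```

In the constructed session 20002 an SPF pass would only vouch for mailer.example.org, while the reader sees bank.example in From:, which is the gap alignment checks close.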
Re: 5.6.8-B2431 SPF Check Failures
Hmm...
https://www.kitterman.com/spf/validate.html
Code:
Mail sent from this IP address: 216.198.73.40
Mail from (Sender): klantinfo@rabobank.nl
Mail checked using this SPF policy: v=spf1 include:spf-a.rabobank.nl include:spf-b.rabobank.nl include:spf-c.rabobank.nl include:spf.protection.outlook.com ip4:145.72.121.0/26 ip4:74.118.216.0/21 ip4:85.119.16.0/21 -all
Results - FAIL Message may be rejected
SørenR.
Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.
- jimimaseye
- Moderator
- Posts: 8917
- Joined: 2011-09-08 17:48
Re: 5.6.8-B2431 SPF Check Failures
To be clear: can you run this and post the results: https://www.hmailserver.com/forum/viewt ... 20&t=30914
[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
Re: 5.6.8-B2431 SPF Check Failures
Still doesn't say anything, does it? From there is still not the EnvelopeFrom
SorenR wrote: ↑2020-11-10 21:09
> Hmm...
> https://www.kitterman.com/spf/validate.html
> Code:
> Mail sent from this IP address: 216.198.73.40
> Mail from (Sender): klantinfo@rabobank.nl
> Mail checked using this SPF policy: v=spf1 include:spf-a.rabobank.nl include:spf-b.rabobank.nl include:spf-c.rabobank.nl include:spf.protection.outlook.com ip4:145.72.121.0/26 ip4:74.118.216.0/21 ip4:85.119.16.0/21 -all
> Results - FAIL Message may be rejected
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
Re: 5.6.8-B2431 SPF Check Failures
Envelope-From ... "RECEIVED: MAIL FROM: <klantinfo@rabobank.nl>"
RvdH wrote: ↑2020-11-11 00:19
> Still doesn't say anything, does it? From there is still not the EnvelopeFrom
> SorenR wrote: ↑2020-11-10 21:09
> > Hmm...
> > https://www.kitterman.com/spf/validate.html
> > Code:
> > Mail sent from this IP address: 216.198.73.40
> > Mail from (Sender): klantinfo@rabobank.nl
> > Mail checked using this SPF policy: v=spf1 include:spf-a.rabobank.nl include:spf-b.rabobank.nl include:spf-c.rabobank.nl include:spf.protection.outlook.com ip4:145.72.121.0/26 ip4:74.118.216.0/21 ip4:85.119.16.0/21 -all
> > Results - FAIL Message may be rejected
Code:
"SMTPD" 24492 15912 "2020-11-09 15:15:39.247" "216.198.73.40" "SENT: 220 hmailserver"
"SMTPD" 25172 15912 "2020-11-09 15:15:39.356" "216.198.73.40" "RECEIVED: EHLO 216-198-73-40.client.cypresscom.net"
"SMTPD" 25172 15912 "2020-11-09 15:15:39.357" "216.198.73.40" "SENT: 250-hmailserver [nl]250-SIZE[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 24492 15912 "2020-11-09 15:15:39.498" "216.198.73.40" "RECEIVED: MAIL FROM: <klantinfo@rabobank.nl>"
"SMTPD" 24492 15912 "2020-11-09 15:15:39.556" "216.198.73.40" "SENT: 250 OK"
"SMTPD" 6684 15912 "2020-11-09 15:15:39.708" "216.198.73.40" "RECEIVED: RCPT TO: <xxxx@xxxxxxx.xx>"
"SMTPD" 6684 15912 "2020-11-09 15:15:39.762" "216.198.73.40" "SENT: 250 OK"
"SMTPD" 6684 15912 "2020-11-09 15:15:39.870" "216.198.73.40" "RECEIVED: DATA"
"SMTPD" 6684 15912 "2020-11-09 15:15:39.880" "216.198.73.40" "SENT: 354 OK, send."
SørenR.
Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.
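As an added illustration (not part of any post and not hMailServer's code), the Python sketch below pulls the identities an SPF check works from (client IP, EHLO name, envelope MAIL FROM) out of the log lines posted above and walks the quoted policy offline. The function names and the log field layout are assumptions read off the sample; `include:` terms need DNS and are only listed, not resolved.

```python
import ipaddress
import re

# Three lines copied from the SMTPD log posted above.
LOG = '''\
"SMTPD" 25172 15912 "2020-11-09 15:15:39.356" "216.198.73.40" "RECEIVED: EHLO 216-198-73-40.client.cypresscom.net"
"SMTPD" 24492 15912 "2020-11-09 15:15:39.498" "216.198.73.40" "RECEIVED: MAIL FROM: <klantinfo@rabobank.nl>"
"SMTPD" 6684 15912 "2020-11-09 15:15:39.708" "216.198.73.40" "RECEIVED: RCPT TO: <xxxx@xxxxxxx.xx>"
'''
# Policy string as shown in the validator output quoted in the thread.
POLICY = ("v=spf1 include:spf-a.rabobank.nl include:spf-b.rabobank.nl "
          "include:spf-c.rabobank.nl include:spf.protection.outlook.com "
          "ip4:145.72.121.0/26 ip4:74.118.216.0/21 ip4:85.119.16.0/21 -all")

# Assumed field layout, read off the sample: type, thread, session, time, IP, text.
LINE_RE = re.compile(r'^"SMTPD"\s+\d+\s+(\d+)\s+"[^"]*"\s+"([^"]*)"\s+"(.*)"$')

def spf_identities(log_text):
    """Collect client IP, HELO name and envelope sender per SMTP session."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        session, ip, text = m.groups()
        s = sessions.setdefault(session, {"ip": ip, "helo": None, "mail_from": None})
        helo = re.match(r"RECEIVED: (?:EHLO|HELO) (\S+)", text)
        sender = re.match(r"RECEIVED: MAIL FROM:\s*<([^>]*)>", text)
        if helo:
            s["helo"] = helo.group(1)
        if sender:
            s["mail_from"] = sender.group(1)
    return sessions

def evaluate_offline(policy, client_ip):
    """Walk the terms left to right; include: terms need DNS and are only listed."""
    ip = ipaddress.ip_address(client_ip)
    needs_dns = []
    for term in policy.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return qualifier, mech, needs_dns
        elif mech == "all":
            return qualifier, mech, needs_dns
        else:
            needs_dns.append(mech)
    return "?", None, needs_dns  # no match and no "all": neutral

if __name__ == "__main__":
    for sid, ident in spf_identities(LOG).items():
        print(sid, ident, evaluate_offline(POLICY, ident["ip"]))
```

A result of `-` on `all` is a fail only if none of the listed `include:` domains authorises the IP, which is the part the DNS-backed validator in the thread resolved.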
Re: 5.6.8-B2431 SPF Check Failures
What is the best way to go back to the previous version, hMailServer 5.6.7 - Build 2425? Because I have checked the log and since the new version has been installed there have not been any reports of SPF errors anymore. So it seems this is not working properly. And I'd rather have a system that might flag a little too much than a system that doesn't flag anything.
Yesterday there were again several messages that were not identified.
- jimimaseye
- Moderator
- Posts: 8917
- Joined: 2011-09-08 17:48
Re: 5.6.8-B2431 SPF Check Failures
You can simply reinstall it over the top of the current version.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
Re: 5.6.8-B2431 SPF Check Failures
You mean no "Blocked by SPF" since you got the 5.6.8 version from RvdH?
Greta wrote: ↑2020-11-11 10:14
> What is the best way to go back to the previous version, hMailServer 5.6.7 - Build 2425? Because I have checked the log and since the new version has been installed there have not been any reports of SPF errors anymore. So it seems this is not working properly. And I'd rather have a system that might flag a little too much than a system that doesn't flag anything.
> Yesterday there were again several messages that were not identified.
SørenR.
Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.
Re: 5.6.8-B2431 SPF Check Failures
This is going the wrong way...
What is your Spam mark threshold?
What is your SPF spam test score?
Does that give you a hint?

CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
Re: 5.6.8-B2431 SPF Check Failures
What is your full name, Greta Trump?
jimimaseye wrote: ↑2020-11-10 21:56
> To be clear: can you run this and post the results: https://www.hmailserver.com/forum/viewt ... 20&t=30914
> [Entered by mobile. Excuse my spelling.]


Please do as told and stop claiming things and posting disinformation that are simply not true....
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup