5.6.8-B2431 SPF Check Failures

Greta · Post by **Greta** » 2020-10-09 13:12

When I receive e-mails from the tax authorities, the messages are market as spam because the SPF record would not be correct.

Information from their site of the tax authorities:
The Sender Policy Framework (SPF) records for the domains have fixed IP addresses and host names. We use different macros in the SPF records. These macros are in accordance with RFC 7208. In chapter 7 of RFC you will find more information about the use of macros. With these adjustments, the Tax and Customs Administration follows the e-mail standards of the Standardization Forum.

The current SPF record for the mentioned domains looks like this: v = spf1 exists: _i.% {i} ._ h.% {h} ._ o.% {o} ._ spf.xxxx –all

This value contains 3 macros. These macros request the following data from the sending mail server:
% {i}: The IP address or the SMTP address from which the mail comes.
% {h}: HELO / EHLO of the domain from which the mail comes.
% {o}: The domain or field "MAIL FROM" or the "HELO" identity

Anyone have any idea what I can do about this? The messages really come from the tax authorities if you check the ip addresses. Something is really going wrong with the spf record detection

palinka · Post by **palinka** » 2020-10-09 14:11

If you're sure it's not spam, you could whitelist the addresses.

Greta · Post by **Greta** » 2020-10-09 18:25

Yes, I’m absolute sure it is no spam

DKIM, IP-address and content are all correct. Only SPF not according to hmail.

johang · Post by **johang** » 2020-10-09 19:06

Greta wrote: ↑
2020-10-09 18:25
Yes, I’m absolute sure it is no spam

DKIM, IP-address and content are all correct. Only SPF not according to hmail.

out of curiosity what does the spf check at mxtoolboox say ? ( i have actually never come across anyone using macros like that yet, so i am curious )

palinka · Post by **palinka** » 2020-10-09 23:02

johang wrote: ↑
2020-10-09 19:06

Greta wrote: ↑
2020-10-09 18:25
Yes, I’m absolute sure it is no spam

DKIM, IP-address and content are all correct. Only SPF not according to hmail.
out of curiosity what does the spf check at mxtoolboox say ? ( i have actually never come across anyone using macros like that yet, so i am curious )

Same here. Not sure how that would even work. Does an instantly updateable dns record even exist? It gets changed every time an email is sent? I don't get it.

SorenR · Post by **SorenR** » 2020-10-10 01:08

The current SPF record for the mentioned domains looks like this: v = spf1 exists: _i.% {i} ._ h.% {h} ._ o.% {o} ._ spf.xxxx –all

This will fail as there can only be spaces between "spf1 exists:" and "xxxx -all"

Like this ... v=spf1 exists:_i.%{i}._h.%{h}._o.%{o}._spf.mydomain.tld –all

Greta · Post by **Greta** » 2020-10-10 11:49

mxtoolbox indicates that everything is correct

SorenR · Post by **SorenR** » 2020-10-10 12:20

Greta wrote: ↑
2020-10-10 11:49
mxtoolbox indicates that everything is correct

Did you have to add it to your DNS to test it with mctoolbox?

I used this ... https://vamsoft.com/support/tools/spf-policy-tester select the "advanced" tab.

The translated line should be: v=spf1 exists:_i.123.123.123.123._h.mail.mydomain.tld._o.mydomain.tld._spf.mydomain.tld –all

Greta · Post by **Greta** » 2020-10-10 17:48

The result of this test is also good:

TEST SUMMARY
The evaluation completed in 508 ms, with 0 error and 0 warning.
Result: SPF pass

Greta · Post by **Greta** » 2020-10-15 10:58

Something really goes wrong in hmail spf control when using a macro for the spf record. I have transferred a domain name to exchange server (office365). And the emails that come in there from the tax authorities pass the spf test well. And messages from the same server of the tax authorities servers that are sent to another domain on the hmail server do not pass the spf test.

Hope this can be fixed in a future version of hmail.

SorenR · Post by **SorenR** » 2020-10-15 15:13

Greta wrote: ↑
2020-10-15 10:58
Something really goes wrong in hmail spf control when using a macro for the spf record. I have transferred a domain name to exchange server (office365). And the emails that come in there from the tax authorities pass the spf test well. And messages from the same server of the tax authorities servers that are sent to another domain on the hmail server do not pass the spf test.

Hope this can be fixed in a future version of hmail.

hMailServer as standard is using a modified (by Martin) SPF library originally written by Roger Moser. http://www.pamho.net/source/

My compilation of 5.6.8 is using the unmodified SPF library so if you have a source domain using macros in SPF you can send me an email...

Greta · Post by **Greta** » 2020-10-16 07:49

Thanks, I sent you a pm

SorenR · Post by **SorenR** » 2020-10-16 12:05

Greta wrote: ↑
2020-10-16 07:49
Thanks, I sent you a pm

It seems hms do not pass the HELO/EHLO domain to the SPFVerify routine.

I will need to spend some time on this as I'm not a full-time programmer so I need to dust off some old 'C' skills

SorenR · Post by **SorenR** » 2020-10-16 18:22

I will need to figure out how to test the changes...

I found that my inhouse DNS do not accept "_" in hostname...

Greta · Post by **Greta** » 2020-10-16 19:14

SorenR wrote: ↑
2020-10-16 12:05
I need to dust off some old 'C' skills

Unfortunately, I cannot help you with that. If I could, I would have solved it myself

Thanks for looking at it!

RvdH · Post by **RvdH** » 2020-10-20 22:03

Greta wrote: ↑
2020-10-16 19:14

SorenR wrote: ↑
2020-10-16 12:05
I need to dust off some old 'C' skills
Unfortunately, I cannot help you with that. If I could, I would have solved it myself

Thanks for looking at it!

@Greta
SorenRR and myself have done some test with such SPF record and SorenRR made a fix for it, included in this build

Nu komt mail van de belastingdienst wel door de SPF test

Greta · Post by **Greta** » 2020-10-21 07:30

Thanks, I installed it.

RvdH wrote: ↑
2020-10-20 22:03
Nu komt mail van de belastingdienst wel door de SPF test

I think some people would have preferred not to receive these messages.

But I'm happy it works.

RvdH · Post by **RvdH** » 2020-10-21 08:43

FYI:
v=spf1 exists:_i.%{i}._h.%{h}._o.%{o}._spf.testdomain.com -all

1. with existing A-record that matches _i.xxx.xxx.xxx.xxx ._h.mail.testdomain.nl._o.testdomain.com._spf.testdomain.com

"DEBUG" 8220 "2020-10-19 22:47:57.177" "Spam test: SpamTestSPF xxx.xxx.xxx.xxx ruud@testdomain.com mail.testdomain.nl"
"DEBUG" 8220 "2020-10-19 22:47:57.177" "Spam test: SpamTestSPF, Result: Pass"
"DEBUG" 8220 "2020-10-19 22:47:57.177" "Spam test: SpamTestSPF, Score: 0"

2. without A-record (NXDOMAIN)

"DEBUG" 4588 "2020-10-19 23:56:29.059" "Spam test: SpamTestSPF xxx.xxx.xxx.xxx ruud@testdomain.com mail.testdomain.nl"
"DEBUG" 4588 "2020-10-19 23:56:29.059" "Spam test: SpamTestSPF, Result: Fail"
"DEBUG" 4588 "2020-10-19 23:56:29.059" "Spam test: SpamTestSPF, Score: 1"

Note: the italic printed DEBUG line is not included in .27,

Greta · Post by **Greta** » 2020-10-21 11:10

Thanks

Greta · Post by **Greta** » 2020-10-21 19:24

Sorry guys, I now have version 5.6.8-B2505 running. But unfortunately still get SPF Check Failures with this domain.

Just enabled debug to see why and what's happening.

SorenR · Post by **SorenR** » 2020-10-21 19:45

Greta wrote: ↑
2020-10-21 19:24
Sorry guys, I now have version 5.6.8-B2505 running. But unfortunately still get SPF Check Failures with this domain.

Just enabled debug to see why and what's happening.

Same domain or a different domain?

RvdH · Post by **RvdH** » 2020-10-21 19:55

5.6.8-B2505 or 5.6.8-B2505.27?

SorenR · Post by **SorenR** » 2020-10-21 20:01

Hmm...

RvdH is using the RMSPF library version 1.10. I am using version 1.12 ...

Want to try my version of 5.6.8 ?

I've attached RMSPF 1.12 for RvdH

RvdH · Post by **RvdH** » 2020-10-21 20:22

SorenR wrote: ↑
2020-10-21 20:01
Hmm...

RvdH is using the RMSPF library version 1.10. I am using version 1.12 ...

Want to try my version of 5.6.8 ?

I've attached RMSPF 1.12 for RvdH

I already have it, i examined the changelog and came to the conclusion it's not worth to upgrade, no functionality related to macro's usage is added so decided to stick with 1.10
Also it is unrelated to the problem

Greta · Post by **Greta** » 2020-10-22 08:06

RvdH wrote: ↑
2020-10-21 19:55
5.6.8-B2505 or 5.6.8-B2505.27?

Where can I find that. HMail admin status give me 5.6.8-B2505. And hMailServer.exe properties give a file version 1.0.0.1

RvdH wrote: ↑
2020-10-21 20:22
I already have it, i examined the changelog and came to the conclusion it's not worth to upgrade, no functionality related to macro's usage is added so decided to stick with 1.10
Also it is unrelated to the problem

Ok, then it doesn't matter which version I install. Then they should both be the same.

RvdH · Post by **RvdH** » 2020-10-22 08:59

Greta wrote: ↑
2020-10-22 08:06

RvdH wrote: ↑
2020-10-21 19:55
5.6.8-B2505 or 5.6.8-B2505.27?
Where can I find that. HMail admin status give me 5.6.8-B2505. And hMailServer.exe properties give a file version 1.0.0.1
RvdH wrote: ↑
2020-10-21 20:22
I already have it, i examined the changelog and came to the conclusion it's not worth to upgrade, no functionality related to macro's usage is added so decided to stick with 1.10
Also it is unrelated to the problem
Ok, then it doesn't matter which version I install. Then they should both be the same.

Ah, OK...my suspicion was right it seems

It seems you only did step 1

You first have to install the latest artifact (5.6.8-B2505)
Stop the hmailserver service
Then copy and overwrite files in this archive in hmailserver '/bin' directory (5.6.8-B2505.27)

5.6.8-B2505.27 holds 27 fixes/additions described here
Many of these fixes are in the Alpha 5.7 64-bit branch nowadays but were/are not backported to 5.6.x releases

The github source of my build is located here:
https://github.com/RvdHout/hmailserver/tree/5.6.8

Greta · Post by **Greta** » 2020-10-22 09:51

Ah clearly. I now have version .27 running

But if a new version is published on the download page of hmailserver.com, will these bug fixes also be included?

RvdH · Post by **RvdH** » 2020-10-22 10:03

Greta wrote: ↑
2020-10-22 09:51
Ah clearly. I now have version .27 running

But if a new version is published on the download page of hmailserver.com, will these bug fixes also be included?

Nope, unfortunately not, like i said the author of hmailserver (martin) choose to not backported to 5.6.x and only commit them to 5.7 branch
So you always need to check this page after a new version in the 5.6.x branch is published

drop me a pm with a test e-mailadres of yours and i will send you a mail from a domain with similar SPF record to test

Greta · Post by **Greta** » 2020-10-23 07:41

Clearly. Thanks for quickly fixing the software.

The emails now arrive without an SPF error

RvdH · Post by **RvdH** » 2020-10-23 19:16

Greta wrote: ↑
2020-10-23 07:41
Clearly. Thanks for quickly fixing the software.

The emails now arrive without an SPF error

Greta · Post by **Greta** » 2020-11-09 19:56

Sorry for kicking up this thread again. It now seems that nothing is rejected on SPF anymore. There are now spam emails in the name of a bank come through where the SPF should be give a failure

SorenR · Post by **SorenR** » 2020-11-09 20:26

Greta wrote: ↑
2020-11-09 19:56
Sorry for kicking up this thread again. It now seems that nothing is rejected on SPF anymore. There are now spam emails in the name of a bank come through where the SPF should be give a failure

I just compared "Blocked by SPF" in my logs with the logs of SpamAssassin (SPF_FAIL)... They match 100%.

jimimaseye · Post by **jimimaseye** » 2020-11-09 22:07

Greta wrote: ↑
2020-11-09 19:56
Sorry for kicking up this thread again. It now seems that nothing is rejected on SPF anymore. There are now spam emails in the name of a bank come through where the SPF should be give a failure

You sure the bank has their spf records set up correctly (ie, to reject)?

[Entered by mobile. Excuse my spelling.]

RvdH · Post by **RvdH** » 2020-11-10 00:56

jimimaseye wrote: ↑
2020-11-09 22:07

Greta wrote: ↑
2020-11-09 19:56
Sorry for kicking up this thread again. It now seems that nothing is rejected on SPF anymore. There are now spam emails in the name of a bank come through where the SPF should be give a failure
You sure the bank has their spf records set up correctly (ie, to reject)?

[Entered by mobile. Excuse my spelling.]

The poster said in name of a bank, not from the (official) domain of that bank... so sure, it can pass the SPF check as long as that (fake)domain has a valid SPF

@Greta
That's exactly the reason why (most) banks rely on DMARC, eg: SPF + DKIM + alignment and not SPF alone

SorenR · Post by **SorenR** » 2020-11-10 01:30

hMailServer only care about the - (minus) Qualifier.

+ for a PASS result. This can be omitted; e.g., +mx is the same as mx.
? for a NEUTRAL result interpreted like NONE (no policy).
~ (tilde) for SOFTFAIL, a debugging aid between NEUTRAL and FAIL. Typically, messages that return a SOFTFAIL are accepted but tagged.
- (minus) for FAIL, the mail should be rejected (see below).

https://en.wikipedia.org/wiki/Sender_Po ... Qualifiers

Perhaps we should consider including the ~ (tilde) with it's own score ???

jimimaseye · Post by **jimimaseye** » 2020-11-10 01:36

RvdH wrote: ↑
2020-11-10 00:56
The poster said in name of a bank, not from the (official) domain of that bank... so sure, it can pass the SPF check as long as that (fake)domain has a valid SPF

But SPF checking takes the 'claimed' domain name of the bank, checks the banks official dns spf records to see what ip addresses can send for that domain and sees that this email has been sent from an ip address that is not allowed to send in the name of the bank. Therefore, it will fail IF the bank has -all.

That is of course assuming the imitated domain is an exact match of the bank and not with some slight amendment (or even completely different) i.e fake (as you say).

[Entered by mobile. Excuse my spelling.]

mattg · Post by **mattg** » 2020-11-10 01:48

SorenR wrote: ↑
2020-11-10 01:30
Perhaps we should consider including the ~ (tilde) with it's own score ???

Yes Please

ALSO

I'd like to fail anyone who uses +all

Greta · Post by **Greta** » 2020-11-10 08:22

The bank uses –all, so this one shouldn't get through anyway. See below the header of the message.

Code: Select all

Received: from 216-198-73-40.client.cypresscom.net (216-198-73-40.client.cypresscom.net [216.198.73.40])
	by hmailserver
	; Mon, 9 Nov 2020 15:15:40 +0100
Return-Path: klantinfo@rabobank.nl
MIME-Version: 1.0
From: "Rabobank" <klantinfo@rabobank.nl>
Reply-To: klantinfo@rabobank.nl
To: xxxx@xxxxxxx.xx
Subject: Uw vernieuwde AVG richtlijn
Content-Type: multipart/related; boundary="jj=_vyVoh28JpGElF7pBG61ct8SoNKbJMQ"
X-Mailer: Smart_Send_3_1_6
Date: Mon, 9 Nov 2020 15:12:41 +0100
Message-ID: <2524244376344971919@WIN-4N5LJLCGCJ1>
X-Original-To: scimodel@protonmail.ch
Authentication-Results: mail12i.protonmail.ch; dmarc=none (p=none dis=none) header.from=dr.com
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mail.com; s=dbd5af2cbaf7; t=1570670139; bh=lsscw/sPBhEOz5Mx+hWEYf2ikvZGbg/B4sFPjwPQfDk=; h=X-UI-Sender-Class:From:To:Subject:Date:References; b=R5iolzTQaGO9vgdI2KjP92uUuH7JHbfDpNcEVg3gKF8+QH/1jrRTqJzxE2u34OJPs  scOnrm1/w7gqfiadCQNsZrwBAsdOqYOY8xntzbsdJ9/zZ+nNNzC0XbtSx5AXWlHI6I  frdpMPzsqWAOMs0rzuLbDuk9FUJXxCtPdr8LiHqs=
X-Ui-Sender-Class: 214d933f-fd2f-45c7-a636-f5d79ae31a79
Importance: normal
Sensitivity: Normal
References: <548964862.12249.1570668712252@veco4583.oracle.rabobank.nl>
X-Ui-Message-Type: mail
X-Provags-Id: V03:K1:ql6ML+5G+6ewiflCwFKCe4b404kEAHHNNo0OBsWeKeSdLoAS7oFMU4US1SJzfuZlDUvta DN4pmx/KSYC+k2xclqyQfvvU0hDzIj1OWkhTPeUdgcOMbnX0k1kKmqgS+3jV3xYSMe5tsGfRx1VP VRM3/MiGuE7I400Xi7ISE/hJ+s7P8sAGozcv7OFxTcHVzlTH/m7zOyuqeY8wa2V/K5oO6YO3eEXP 2aqOXXT12SMYbVZRW/OKJgUq57T9zO0Omrf9zJbD+Gap9jo6SOPvr0NYUKA6jMyfswJS1yqFVQv0 Zs=
X-Ui-Out-Filterresults: notjunk:1;V03:K0:XwtDL170zRE=:pjZdmAt0xyoHfg6LE21Afr R0038jEb/JzAGmx3dS6yhHc7O9eQleKJrvs5fhH5MO1NYYHBW+MwuTtXsDtlXlH0VGQCz5Q0l ej3y1ry43sV+qF217QDVBD9HL2aC3xn8sijJfBTxC57ce+MzaLKTWo+NOlXNuWiaXgg9SZ9Xl jl75W5+oZVo1KLDo0U0I75F4PETBoVNWFWkRVQebFuv4SoObFzfcTsVDoPwoMaXHnBj4J87dQ eL3c8klrK78DR/VpIcQQEGkZ3MAQUmvHp1mkOTPAmAXqxbDu8XHfjr4BlILK/sB6xDLT4EfBa TEpJwWa+sXSzqP6JZKsOtSmHkV3Hd0+xfqUx51qMwzvJE3rHSYxSpBZwYOyJTWgNKRp3EY3U0 oElS7sv7v78r17fGvoK2AeTm4wr19oPJwCdInuQYPVC0TXIY4Z2BhR/MNn7rS1jo14LzLs6LF CQBWDb/pzoI1dZzg6yhQd/LaKJUHeSf0QnzyAV6VhSWshakrqMI6h3oMZlfFniGcg/Ia38iFA 8sLIxOANkjkhNOJWAqRSvzrBQVV1xyQGh66FlP1hNXA7r7UjHwTHJ4eUxG85/3+58A9WSxDIC +FO5dDr9J9PYVCUKpUiR5I2cfRTuQuFG3Z8YedMBqdGwz4RvCDSXcJO/Z4jBrXOQUkTBPGA7T LeK2OgJhR17Sc3MDyCvI4PupzoQCCGaY0aaqsk3wD8B0C7MbRIptdsT9LSCVIYXw76pCowHvI 6Zko+uP2P4EXFO1c1bVsV1gudpPlKzEr6mrjIFNPp4JqFKsLOQoR/Gd7D5w=
X-Spam-Status: No, score=0.1 required=4.0 tests=DKIM_SIGNED,DKIM_VALID, FREEMAIL_FROM,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_NONE,SPF_PASS, T_KAM_HTML_FONT_INVALID,T_REMOTE_IMAGE autolearn=no autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on maili.protonmail.ch
X-Pm-Origin: external
X-Pm-Content-Encryption: on-delivery
X-Pm-Transfer-Encryption: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
In-Reply-To: <2524244376344971919@WIN-4N5LJLCGCJ1>

jimimaseye · Post by **jimimaseye** » 2020-11-10 10:27

Those headers do not show the 'envelope from' (only the header 'from') and it also shows that spamassassin has also passed the spf check. Therefore it's likely to NOT be incoming as rabobank.nl.

Therefore SPF checking is consistent and working and it's likely a situation as Rvhd described:

The poster said in name of a bank, not from the (official) domain of that bank... so sure, it can pass the SPF check as long as that (fake)domain has a valid SPF

There's nothing wrong with your spf checking.

[Entered by mobile. Excuse my spelling.]

tunis · Post by **tunis** » 2020-11-10 12:28

My analysis on the message-id is that is a spamming VM or computer.

Code: Select all

Message-ID: <2524244376344971919@WIN-4N5LJLCGCJ1>

No company leaves windows default name of servers and clients.

Greta · Post by **Greta** » 2020-11-10 13:00

The header part of spamassassin does not come from my server. I don't use spamassassin. In addition, as I see it, the message comes from IP address 216.198.73.40 with the FROM sender klantinfo@rabobank.nl. And this combination IP and domain name is wrong. SPF should trigger on that I think.

RvdH · Post by **RvdH** » 2020-11-10 13:15

jimimaseye wrote: ↑
2020-11-10 01:36

RvdH wrote: ↑
2020-11-10 00:56
The poster said in name of a bank, not from the (official) domain of that bank... so sure, it can pass the SPF check as long as that (fake)domain has a valid SPF
But SPF checking takes the 'claimed' domain name of the bank, checks the banks official dns spf records to see what ip addresses can send for that domain and sees that this email has been sent from an ip address that is not allowed to send in the name of the bank. Therefore, it will fail IF the bank has -all.

That is of course assuming the imitated domain is an exact match of the bank and not with some slight amendment (or even completely different) i.e fake (as you say).

[Entered by mobile. Excuse my spelling.]

I see no problem with it... as it seems this particular message is a forwared (spam) message (X-Original-To: scimodel@protonmail.ch), so the SPF check would use SMTPFromAddress scimodel@protonmail.ch or header.from=dr.com and not *@rabobank.nl

protonmail.ch -> 216.198.73.40 -> SoftFail (SoftFail passes hmailserver SPF check, as it should)
dr.com -> 216.198.73.40 -> Fail

@Greta
If you think you can defeat spam with only SPF checking you are very, very wrong!
For adequate spam checking you really need to think about including SpamAssassin

SorenR · Post by **SorenR** » 2020-11-10 15:56

RvdH wrote: ↑
2020-11-10 00:56
That's exactly the reason why (most) banks rely on DMARC, eg: SPF + DKIM + alignment and not SPF alone

I have a DMARC setting covering my SPF and DKIM so about 2-3 times a week I get this from Google - apparently noone else use the DMARC reporting.. "mydomain.tld" is a substitute for my domain.

Code: Select all

v=DMARC1; p=quarantine; rua=mailto:root@mydomain.tld; adkim=s; aspf=s;

Code: Select all

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>719510582100019190</report_id>
    <date_range>
      <begin>1604534400</begin>
      <end>1604620799</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>mydomain.tld</domain>
    <adkim>s</adkim>
    <aspf>s</aspf>
    <p>quarantine</p>
    <sp>quarantine</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>145.131.17.165</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>quarantine</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.tld</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>ixlce9cc--------------.145-131-17-165.static.awcloud.nl</domain>
        <result>none</result>
      </spf>
    </auth_results>
  </record>
</feedback>

Greta · Post by **Greta** » 2020-11-10 16:53

RvdH wrote: ↑
2020-11-10 13:15
you can defeat spam with only SPF checking you are very, very wrong!
For adequate spam checking you really need to think about including SpamAssassin

I am not using SpamAssassin but other software. But I think a little differently about the SPF checking than you do. You look at the X-Original-To: and I at the From: which I think is also the right way. But anyway if it works as you indicate then indeed it works. Then sorry for the misunderstanding

SorenR · Post by **SorenR** » 2020-11-10 17:18

Greta wrote: ↑
2020-11-10 16:53

RvdH wrote: ↑
2020-11-10 13:15
you can defeat spam with only SPF checking you are very, very wrong!
For adequate spam checking you really need to think about including SpamAssassin
I am not using SpamAssassin but other software. But I think a little differently about the SPF checking than you do. You look at the X-Original-To: and I at the From: which I think is also the right way. But anyway if it works as you indicate then indeed it works. Then sorry for the misunderstanding

The mail address to use when checking SPF is the MAIL FROM: from the SMTPD log. All other addresses are standard headers that can (and will) be faked!

The "From:" header is like a FedEx van pulling up outside your house and the delivery guy is wearing a UPS uniform. Which company is delivering your letter?

A: "From:" ~ UPS
B: "MAIL FROM:" ~ FedEx

?

jimimaseye · Post by **jimimaseye** » 2020-11-10 17:41

Greta wrote: ↑
2020-11-10 16:53
I am not using SpamAssassin but other software.

News flash! Your "other software" is using spamassassin.

Greta wrote: ↑
2020-11-10 08:22
X-Ui-Message-Type: mail
X-Spam-Status: No, score=0.1 required=4.0 tests=DKIM_SIGNED,DKIM_VALID, FREEMAIL_FROM,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_NONE,SPF_PASS, T_KAM_HTML_FONT_INVALID,T_REMOTE_IMAGE autolearn=no autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on maili.protonmail.ch

RvdH · Post by **RvdH** » 2020-11-10 19:35

jimimaseye wrote: ↑
2020-11-10 17:41

Greta wrote: ↑
2020-11-10 16:53
I am not using SpamAssassin but other software.
News flash! Your "other software" is using spamassassin.

Greta wrote: ↑
2020-11-10 08:22
X-Ui-Message-Type: mail
X-Spam-Status: No, score=0.1 required=4.0 tests=DKIM_SIGNED,DKIM_VALID, FREEMAIL_FROM,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_NONE,SPF_PASS, T_KAM_HTML_FONT_INVALID,T_REMOTE_IMAGE autolearn=no autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on maili.protonmail.ch

I think that is a external server mentioned in X-Original-To: scimodel@protonmail.ch, that forwards the spam....

ProtonMail

Secure Email
Based in Switzerland

Secure? Secure my ass... fix your SPF so it can't be abused

Greta · Post by **Greta** » 2020-11-10 19:38

@SorenR
Okay, you indicate that the From in the header does not have to be the real From. That could be, but it seems to me that a mail server should not allow this. I'll turn on the loggin so I can check this next time. Because if this is really the case I have to see if I can find a script or something else that checks this.

@jimimaseye
As I have already mention that part of the header is not coming from my server. My server is absolutely NOT running SpamAssassin!

jimimaseye · Post by **jimimaseye** » 2020-11-10 19:53

@jimimaseye
As I have already mention that part of the header is not coming from my server

Yep. See that now.

[Entered by mobile. Excuse my spelling.]

Greta · Post by **Greta** » 2020-11-10 19:59

I just checked the log because it occurred to me that logging was still on.
It turns out that the From address what is on the header is indeed the same as in the log (at least in this situation). And in my opinion this should give an SPF error. If hmailserver checks the from address. But I'm not sure about that.

Code: Select all

"SMTPD"	24492	15912	"2020-11-09 15:15:39.247"	"216.198.73.40"	"SENT: 220 hmailserver"
"SMTPD"	25172	15912	"2020-11-09 15:15:39.356"	"216.198.73.40"	"RECEIVED: EHLO 216-198-73-40.client.cypresscom.net"
"SMTPD"	25172	15912	"2020-11-09 15:15:39.357"	"216.198.73.40"	"SENT: 250-hmailserver [nl]250-SIZE[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD"	24492	15912	"2020-11-09 15:15:39.498"	"216.198.73.40"	"RECEIVED: MAIL FROM: <klantinfo@rabobank.nl>"
"SMTPD"	24492	15912	"2020-11-09 15:15:39.556"	"216.198.73.40"	"SENT: 250 OK"
"SMTPD"	6684	15912	"2020-11-09 15:15:39.708"	"216.198.73.40"	"RECEIVED: RCPT TO: <xxxx@xxxxxxx.xx>"
"SMTPD"	6684	15912	"2020-11-09 15:15:39.762"	"216.198.73.40"	"SENT: 250 OK"
"SMTPD"	6684	15912	"2020-11-09 15:15:39.870"	"216.198.73.40"	"RECEIVED: DATA"
"SMTPD"	6684	15912	"2020-11-09 15:15:39.880"	"216.198.73.40"	"SENT: 354 OK, send."

SorenR · Post by **SorenR** » 2020-11-10 21:09

Hmm...

Code: Select all

Mail sent from this IP address: 216.198.73.40
Mail from (Sender): klantinfo@rabobank.nl
Mail checked using this SPF policy: v=spf1 include:spf-a.rabobank.nl include:spf-b.rabobank.nl include:spf-c.rabobank.nl include:spf.protection.outlook.com ip4:145.72.121.0/26 ip4:74.118.216.0/21 ip4:85.119.16.0/21 -all
Results - FAIL Message may be rejected

https://www.kitterman.com/spf/validate.html

jimimaseye · Post by **jimimaseye** » 2020-11-10 21:56

To be clear: can you run this and post the results: https://www.hmailserver.com/forum/viewt ... 20&t=30914

[Entered by mobile. Excuse my spelling.]

RvdH · Post by **RvdH** » 2020-11-11 00:19

SorenR wrote: ↑

2020-11-10 21:09

Hmm...

Code: Select all

Mail sent from this IP address: 216.198.73.40
Mail from (Sender): klantinfo@rabobank.nl
Mail checked using this SPF policy: v=spf1 include:spf-a.rabobank.nl include:spf-b.rabobank.nl include:spf-c.rabobank.nl include:spf.protection.outlook.com ip4:145.72.121.0/26 ip4:74.118.216.0/21 ip4:85.119.16.0/21 -all
Results - FAIL Message may be rejected

https://www.kitterman.com/spf/validate.html

Still doesn't say anything, does it? From there is still not the EnvelopFrom

SorenR · Post by **SorenR** » 2020-11-11 00:38

RvdH wrote: ↑
2020-11-11 00:19
SorenR wrote: ↑
2020-11-10 21:09
Hmm...
Code: Select all
Mail sent from this IP address: 216.198.73.40
Mail from (Sender): klantinfo@rabobank.nl
Mail checked using this SPF policy: v=spf1 include:spf-a.rabobank.nl include:spf-b.rabobank.nl include:spf-c.rabobank.nl include:spf.protection.outlook.com ip4:145.72.121.0/26 ip4:74.118.216.0/21 ip4:85.119.16.0/21 -all
Results - FAIL Message may be rejected
https://www.kitterman.com/spf/validate.html
Still doesn't say anything, does it? From there is still not the EnvelopFrom

Envelope-From ... "RECEIVED: MAIL FROM: <klantinfo@rabobank.nl>"

Code: Select all

"SMTPD"	24492	15912	"2020-11-09 15:15:39.247"	"216.198.73.40"	"SENT: 220 hmailserver"
"SMTPD"	25172	15912	"2020-11-09 15:15:39.356"	"216.198.73.40"	"RECEIVED: EHLO 216-198-73-40.client.cypresscom.net"
"SMTPD"	25172	15912	"2020-11-09 15:15:39.357"	"216.198.73.40"	"SENT: 250-hmailserver [nl]250-SIZE[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD"	24492	15912	"2020-11-09 15:15:39.498"	"216.198.73.40"	"RECEIVED: MAIL FROM: <klantinfo@rabobank.nl>"
"SMTPD"	24492	15912	"2020-11-09 15:15:39.556"	"216.198.73.40"	"SENT: 250 OK"
"SMTPD"	6684	15912	"2020-11-09 15:15:39.708"	"216.198.73.40"	"RECEIVED: RCPT TO: <xxxx@xxxxxxx.xx>"
"SMTPD"	6684	15912	"2020-11-09 15:15:39.762"	"216.198.73.40"	"SENT: 250 OK"
"SMTPD"	6684	15912	"2020-11-09 15:15:39.870"	"216.198.73.40"	"RECEIVED: DATA"
"SMTPD"	6684	15912	"2020-11-09 15:15:39.880"	"216.198.73.40"	"SENT: 354 OK, send."

Greta · Post by **Greta** » 2020-11-11 10:14

What is the best way to go back to the previous version hMailServer 5.6.7 - Build 2425. Because I have checked the log and since the new version has been installed there have not been any reports of SPF errors anymore. So it seems this is not working properly. And I'd rather have a system that might flag a little too much than a system that doesn't flag anything.

Yesterday there were again several messages that were not identified.

jimimaseye · Post by **jimimaseye** » 2020-11-11 10:26

You can simply reinstall it over the top of the current version.

SorenR · Post by **SorenR** » 2020-11-11 10:54

Greta wrote: ↑
2020-11-11 10:14
What is the best way to go back to the previous version hMailServer 5.6.7 - Build 2425. Because I have checked the log and since the new version has been installed there have not been any reports of SPF errors anymore. So it seems this is not working properly. And I'd rather have a system that might flag a little too much than a system that doesn't flag anything.

Yesterday there were again several messages that were not identified.

You mean no "Blocked by SPF" since you got the 5.6.8 version from RvdH?

Greta · Post by **Greta** » 2020-11-11 11:32

SorenR wrote: ↑
2020-11-11 10:54
You mean no "Blocked by SPF" since you got the 5.6.8 version from RvdH?

Thank you, yes that's what I mean.

RvdH · Post by **RvdH** » 2020-11-11 11:44

Greta wrote: ↑
2020-11-11 11:32

SorenR wrote: ↑
2020-11-11 10:54
You mean no "Blocked by SPF" since you got the 5.6.8 version from RvdH?
Thank you, yes that's what I mean.

This is going the wrong way...

What is your Spam mark threshold?
What is your SPF spam test score?

Does that give you a hint?

RvdH · Post by **RvdH** » 2020-11-11 11:52

jimimaseye wrote: ↑
2020-11-10 21:56
To be clear: can you run this and post the results: https://www.hmailserver.com/forum/viewt ... 20&t=30914

[Entered by mobile. Excuse my spelling.]

What is your full name, Greta Trump?

Please do as told and stop claiming things and posting disinformation that are simply not true....