SPF_HELO_FAIL triggers on domain with valid SPF record and HELO settings

Sebastian Arcus
I am running SA 4.0.0-r1823176 on Perl 5.26.2. On a number of domains I
administer, outbound mail triggers the SPF_HELO_FAIL rule - but the
regular SPF check passes. I am struggling to see why this is happening,
as the HELO name is set to the same value as the name of the server/dns
name, it has rDNS - and it clearly passes during the regular SPF check -
but not the SPF_HELO check. I have re-checked the domain settings at
mxtoolbox.com - and there doesn't seem to be any problem. Any ideas please?

# spamassassin -D 2>&1 < /test.eml | grep -i spf

</snip>

Jun 11 08:46:30.177 [5534] dbg: spf: checking to see if the message has a Received-SPF header that we can use
Jun 11 08:46:30.341 [5534] dbg: spf: using Mail::SPF for SPF checks
Jun 11 08:46:30.342 [5534] dbg: spf: found Envelope-From in first external Received header
Jun 11 08:46:30.342 [5534] dbg: spf: checking EnvelopeFrom (helo=mail.sinclair-accounting.co.uk, ip=80.229.84.190, envfrom=<email_removed>)
Jun 11 08:46:30.519 [5534] dbg: spf: query for <email_removed>/80.229.84.190/mail.sinclair-accounting.co.uk: result: pass, comment: , text: Mechanism 'mx' matched
Jun 11 08:46:30.758 [5534] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks
Jun 11 08:46:30.758 [5534] dbg: spf: checking HELO (helo=mail.sinclair-accounting.co.uk, ip=80.229.84.190)
Jun 11 08:46:30.776 [5534] dbg: spf: query for <email_removed>/80.229.84.190/mail.sinclair-accounting.co.uk: result: fail, comment: Please see http://www.openspf.org/Why?s=helo;id=mail.sinclair-accounting.co.uk;ip=80.229.84.190;r=obelisk.open-t.lan, text: Mechanism '-all' matched
Jun 11 08:46:30.836 [5534] dbg: spf: def_whitelist_from_spf: [hidden email] is not in DEF_WHITELIST_FROM_SPF
Jun 11 08:46:30.846 [5534] dbg: rules: ran eval rule SPF_PASS ======> got hit (1)
Jun 11 08:46:30.853 [5534] dbg: rules: ran eval rule SPF_HELO_FAIL ======> got hit (1)

Re: SPF_HELO_FAIL triggers on domain with valid SPF record and HELO settings

Matus UHLAR - fantomas
On 11.06.18 08:56, Sebastian Arcus wrote:
>I am running SA 4.0.0-r1823176 on Perl 5.26.2. On a number of domains
>I administer, outbound mail triggers the SPF_HELO_FAIL rule - but the
>regular SPF check passes. I am struggling to see why this is
>happening, as the HELO name is set to the same value as the name of
>the server/dns name, it has rDNS - and it clearly passes during the
>regular SPF check - but not the SPF_HELO check. I have re-checked the
>domain settings at mxtoolbox.com - and there doesn't seem to be any
>problem. Any ideas please?

do users use SMTP authentication?
Is that visible in headers?

># spamassassin -D 2>&1 < /test.eml | grep -i spf

we need to see the Received: header.

>Jun 11 08:46:30.758 [5534] dbg: spf: checking HELO
>(helo=mail.sinclair-accounting.co.uk, ip=80.229.84.190)
>Jun 11 08:46:30.776 [5534] dbg: spf: query for
><email_removed>/80.229.84.190/mail.sinclair-accounting.co.uk: result:
>fail, comment: Please see http://www.openspf.org/Why?s=helo;id=mail.sinclair-accounting.co.uk;ip=80.229.84.190;r=obelisk.open-t.lan,
>text: Mechanism '-all' matched

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Linux - It's now safe to turn on your computer.

Re: SPF_HELO_FAIL triggers on domain with valid SPF record and HELO settings

Sebastian Arcus

On 11/06/18 09:39, Matus UHLAR - fantomas wrote:

> On 11.06.18 08:56, Sebastian Arcus wrote:
>> I am running SA 4.0.0-r1823176 on Perl 5.26.2. On a number of domains
>> I administer, outbound mail triggers the SPF_HELO_FAIL rule - but the
>> regular SPF check passes. I am struggling to see why this is
>> happening, as the HELO name is set to the same value as the name of
>> the server/dns name, it has rDNS - and it clearly passes during the
>> regular SPF check - but not the SPF_HELO check. I have re-checked the
>> domain settings at mxtoolbox.com - and there doesn't seem to be any
>> problem. Any ideas please?
>
> do users use SMTP authentication?

Messages submitted over SMTP are authenticated. Other messages are
generated locally on the sending server and passed on the command line
to Exim. All messages hit SPF_HELO_FAIL

> Is that visible in headers?

I'm not really sure. Which bit of the headers should contain the
authentication data?

>
>> # spamassassin -D 2>&1 < /test.eml | grep -i spf
>
> we need to see the Received: header.

Sure:

Received: from mail.sinclair-accounting.co.uk ([80.229.84.190]:47700)
        by mail.open-t.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
        (Exim 4.90)
        (envelope-from <email_removed>)
        id 1fSIEL-0001Wn-P4
        for email_removed; Mon, 11 Jun 2018 09:31:16 +0100


<DKIM header skipped>


Received: from jucara ([192.168.71.82])
        by mail.sinclair-accounting.co.uk with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
        (Exim 4.90_1)
        (envelope-from <email_removed>)
        id 1fSIEG-0007bx-Lw
        for email_removed; Mon, 11 Jun 2018 09:31:10 +0100

Re: SPF_HELO_FAIL triggers on domain with valid SPF record and HELO settings

Sebastian Arcus

On 11/06/18 10:20, Reindl Harald wrote:

>
>
> On 11.06.2018 at 10:57, Sebastian Arcus wrote:
>>
>> On 11/06/18 09:39, Matus UHLAR - fantomas wrote:
>>> On 11.06.18 08:56, Sebastian Arcus wrote:
>>>> I am running SA 4.0.0-r1823176 on Perl 5.26.2. On a number of domains
>>>> I administer, outbound mail triggers the SPF_HELO_FAIL rule - but the
>>>> regular SPF check passes. I am struggling to see why this is
>>>> happening, as the HELO name is set to the same value as the name of
>>>> the server/dns name, it has rDNS - and it clearly passes during the
>>>> regular SPF check - but not the SPF_HELO check. I have re-checked the
>>>> domain settings at mxtoolbox.com - and there doesn't seem to be any
>>>> problem. Any ideas please?
>>>
>>> do users use SMTP authentication?
>>
>> Messages submitted over SMTP are authenticated. Other messages are
>> generated locally on the sending server and passed on the command line
>> to Exim. All messages hit SPF_HELO_FAIL
>>
>>> Is that visible in headers?
>>
>> I'm not really sure. Which bit of the headers should contain the
>> authentication data?
>
> look if exim has a similar feature
> http://www.postfix.org/postconf.5.html#smtpd_sasl_authenticated_header
>

My question is, is this header a requirement? Both servers at both ends
are configured by me, so I know the smtp submission is authenticated. Is
the SPF check at the receiving end supposed to fail if it can't find a
specific header showing the authenticated user at the sending end? What
is the connection between SPF HELO checks at the receiving server, and
the user which is submitting the message to the sending server? I'm not
really following I'm afraid - but I could be missing the point.

Re: SPF_HELO_FAIL triggers on domain with valid SPF record and HELO settings

Sebastian Arcus

On 11/06/18 08:56, Sebastian Arcus wrote:
> I am running SA 4.0.0-r1823176 on Perl 5.26.2. On a number of domains I
> administer, outbound mail triggers the SPF_HELO_FAIL rule - but the
> regular SPF check passes. I am struggling to see why this is happening,
> as the HELO name is set to the same value as the name of the server/dns
> name, it has rDNS - and it clearly passes during the regular SPF check -
> but not the SPF_HELO check. I have re-checked the domain settings at
> mxtoolbox.com - and there doesn't seem to be any problem. Any ideas please?

It turns out that it is indeed something I did. Somehow in all this time
since I started to use SPF, I never realised that SPF checks are also
done on the HELO hostname itself, not only the sending domain - and the
need to have a separate SPF record for it.

I actually had a separate SPF record for mail.sinclair-accounting.co.uk,
in which I denied everything - as my understanding was that there will
never be an address of the type [hidden email] - so
I wouldn't need to allow anything on SPF.

All corrected now - thank you for the input.
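
Added example, not part of the thread or of SpamAssassin's or Mail::SPF's code: a small offline evaluator showing why the envelope-from identity can pass while the HELO identity fails when the HELO hostname publishes a deny-all record. The names example.org and mail.example.org, the address 192.0.2.10 and all three records are constructed placeholders standing in for the thread's domain and host; the "a -all" correction is an assumption, since the thread does not show the record that was finally published.

```python
import ipaddress

# Constructed zone data (placeholders, not the thread's real DNS records).
ZONE = {
    "A":   {"mail.example.org": ["192.0.2.10"]},
    "MX":  {"example.org": ["mail.example.org"]},
    "TXT": {
        "example.org": "v=spf1 mx -all",     # policy for the envelope-from domain
        "mail.example.org": "v=spf1 -all",   # deny-all policy on the HELO hostname
    },
}
# One possible correction (assumption): let the host's own A record pass.
FIXED = {**ZONE, "TXT": {**ZONE["TXT"], "mail.example.org": "v=spf1 a -all"}}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, zone=ZONE):
    """Evaluate a subset of RFC 7208 check_host(): all, a, mx, ip4 only."""
    record = zone["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                        # no SPF policy published for this name
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in zone["A"].get(arg or domain, [])
        elif name == "mx":
            hosts = zone["MX"].get(arg or domain, [])
            matched = any(ip in zone["A"].get(h, []) for h in hosts)
        else:
            continue                         # terms outside this subset are skipped
        if matched:
            return RESULT[qualifier]         # first matching mechanism decides
    return "neutral"


def spf_identities(ip, helo, mail_from_domain, zone=ZONE):
    """Each identity is looked up under its own name, so results can differ."""
    return {"mailfrom": check_host(ip, mail_from_domain, zone),
            "helo": check_host(ip, helo, zone)}


if __name__ == "__main__":
    print(spf_identities("192.0.2.10", "mail.example.org", "example.org"))
    print(spf_identities("192.0.2.10", "mail.example.org", "example.org", FIXED))
```

The first call reproduces the SPF_PASS plus SPF_HELO_FAIL combination from the debug log; the second shows both identities passing once the HELO hostname's record authorises the host's own address.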