[opendmarc-users] spf pass which I can't understand

Sistemisti Posta sistemisti-posta at csi.it
Thu Jan 7 03:33:36 PST 2016


Hello, if you would like to reproduce this, you can follow these steps:

# cat testmsg.eml
To: Marco <marco at aol.com>
From: Marco <marco at libero.it>
Subject: bye
Message-ID: <AAAAAAAAA.60dgdsffds at aol.it>
Date: Thu, 7 Jan 2016 11:50:08 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101
  Thunderbird/38.5.0
MIME-Version: 1.0

Ciao.
Marco


# env | grep OPENDMARC
OPENDMARC_TEST_HELONAME=wl-in-f109.1e100.net
OPENDMARC_TEST_CLIENTHOST=wl-in-f109.1e100.net
OPENDMARC_TEST_CLIENTIP=64.233.167.109
OPENDMARC_TEST_ENVFROM=marco at libero.it

# opendmarc -t testmsg.eml -vvvv
opendmarc: mlfi_connect() returned SMFIS_CONTINUE
opendmarc: mlfi_helo() returned SMFIS_CONTINUE
opendmarc: testmsg.eml: mlfi_envfrom() returned SMFIS_CONTINUE
opendmarc: testmsg.eml: line 1: mlfi_header() returned SMFIS_CONTINUE
opendmarc: testmsg.eml: line 2: mlfi_header() returned SMFIS_CONTINUE
opendmarc: testmsg.eml: line 3: mlfi_header() returned SMFIS_CONTINUE
opendmarc: testmsg.eml: line 4: mlfi_header() returned SMFIS_CONTINUE
opendmarc: testmsg.eml: line 5: mlfi_header() returned SMFIS_CONTINUE
opendmarc: testmsg.eml: line 6: mlfi_header() returned SMFIS_CONTINUE
opendmarc: testmsg.eml: line 8: mlfi_header() returned SMFIS_CONTINUE
### INSHEADER: idx=1 hname='Authentication-Results' hvalue='DEBUG-j; spf=pass smtp.mailfrom=marco at libero.it'
### INSHEADER: idx=1 hname='Authentication-Results' hvalue='DEBUG-j; dmarc=fail header.from=libero.it'
### INSHEADER: idx=1 hname='DMARC-Filter' hvalue='OpenDMARC Filter v1.3.1 DEBUG-j DEBUG-i'
opendmarc: testmsg.eml: mlfi_eom() returned SMFIS_CONTINUE
opendmarc: mlfi_close() returned SMFIS_CONTINUE

# host -t txt libero.it
libero.it descriptive text "v=spf1 ip4:212.48.25.128/25 
ip4:212.48.14.160/27 include:srs.bis.na.blackberry.com 
include:srs.bis.eu.blackberry.com include:srs.bis.ap.blackberry.com 
include:mail.zendesk.com -all"

job DEBUG-i
reporter DEBUG-j
received 1452166179
ipaddr 64.233.167.109
from libero.it
mfrom libero.it
spf 0
pdomain libero.it
policy 17
rua mailto:dmarc_agg_rep at libero.it
pct 100
adkim 114
aspf 114
p 113
sp 0
align_dkim 5
align_spf 5
action 2

If you try a report like this:
http://tools.bevhost.com/spf/
I obtain a fail:
fail Please see 
http://www.openspf.org/why.html?sender=marco%40libero.it&ip=64.233.167.109&receiver=tools.bevhost.com 
tools.bevhost.com: domain of marco at libero.it does not designate 
64.233.167.109 as permitted sender v=spf1 ip4:212.48.25.128/25 
ip4:212.48.14.160/27 include:srs.bis.na.blackberry.com 
include:srs.bis.eu.blackberry.com include:srs.bis.ap.blackberry.com 
include:mail.zendesk.com -all HASH(0x1d4e298)

Thanks again
Best Regards
Marco

On 31/12/2015 09:18, Sistemisti Posta wrote:
> Hello opendmarc user,
>
>   I have a question about an SPF pass that shouldn't pass.
>
> I sent a mail not DKIM signed with a server not allowed by SPF policy.
> In particular I sent a mail with the envelope from <marco at libero.it>,
> using an MSA that is not allowed by libero.it policy:
>
> libero.it descriptive text "v=spf1 ip4:212.48.25.128/25
> ip4:212.48.14.160/27 include:srs.bis.na.blackberry.com
> include:srs.bis.eu.blackberry.com include:srs.bis.ap.blackberry.com
> include:mail.zendesk.com -all"
>
> So, if I understand correctly, the SPF check would fail.
>
> opendmarc is configured to make its own spf check (libspf2):
>
>   ldd /usr/sbin/opendmarc
>          linux-vdso.so.1 =>  (0x00007fff32fbc000)
>          libopendmarc.so.2 => /lib64/libopendmarc.so.2 (0x00007f2424b1c000)
>          libmilter.so.1.0 => /lib64/libmilter.so.1.0 (0x00007f242490b000)
>          libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f24246f0000)
>          libspf2.so.2 => /lib64/libspf2.so.2 (0x00007f24244d4000)
>          libbsd.so.0 => /lib64/libbsd.so.0 (0x00007f24242c5000)
>          librt.so.1 => /lib64/librt.so.1 (0x00007f24240bc000)
>          libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f2423ea0000)
>          libc.so.6 => /lib64/libc.so.6 (0x00007f2423adf000)
>          libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f24238c5000)
>          /lib64/ld-linux-x86-64.so.2 (0x00007f2424d36000)
>
> opendmarc.conf:
> AuthservID HOSTNAME
> SPFIgnoreResults true
> SPFSelfValidate true
>
> hostname is "04mx.example.com".
> The mail I receive is:
>
> Return-Path: <marco at libero.it>
> Received: from 04mx.example.com (04mx.example.com [x.x.x.86])
>       by ucstore.example.com (Cyrus v2.4.17-Invoca-RPM-2.4.17-6.el6)
> with LMTPA;
>       Thu, 31 Dec 2015 08:48:04 +0100
> X-Sieve: CMU Sieve 2.4
> Received: from localhost (localhost [127.0.0.1])
>      by 04mx.example.com (MailFarm) with ESMTP id 3pWM6D1dNjzFpVl
>      for <marco at example.com>; Thu, 31 Dec 2015 08:48:04 +0100 (CET)
> X-Virus-Scanned: amavisd-new at example.com
> X-Spam-Flag: NO
> X-Spam-Score: 1.696
> X-Spam-Level: *
> X-Spam-Status: No, score=1.696 tagged_above=-999 required=4.5
>      tests=[BODY_SINGLE_WORD=0.001, DSPAM_HAM_99=-0.5, FREEMAIL_FROM=0.001,
>      RDNS_NONE=1.274, SPF_FAIL=0.919, TVD_SPACE_RATIO=0.001]
>      autolearn=disabled
> Received: from localhost ([127.0.0.1])
>      by localhost (04mx.example.com [127.0.0.1]) (amavisd-new, port 10024)
>      with LMTP id 4vah2SkDixO0 for <marco at example.com>;
>      Thu, 31 Dec 2015 08:48:03 +0100 (CET)
> Received: from msa.example.com (unknown [x.x.x.55])
>      by 04mx.example.com (MailFarm) with ESMTP id 3pWM6C04hwzFpVj
>      for <marco at example.com>; Thu, 31 Dec 2015 08:48:02 +0100 (CET)
> DMARC-Filter: OpenDMARC Filter v1.3.1 04mx.example.com 3pWM6C04hwzFpVj
> Authentication-Results: 04mx.example.com; dmarc=fail header.from=libero.it
> Authentication-Results: 04mx.example.com; spf=pass
> smtp.mailfrom=marco at libero.it
> DKIM-Filter: OpenDKIM Filter v2.10.3 04mx.example.com 3pWM6C04hwzFpVj
> Received: from [x.x.x.13] (client.example.com [x.x.x.13])
>      (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
>      (No client certificate requested)
>      by msa.example.com (MailFarm) with ESMTPSA id 3pWM6B69pfzBrKb
>      for <marco at example.com>; Thu, 31 Dec 2015 08:48:02 +0100 (CET)
> To: Marco <marco at example.com>
> From: Marco <marco at libero.it>
> ...
>
>
> This mail should fail the SPF check, but "Authentication-Results" says it
> passes. In the log I only see:
>
> 2015-12-31T08:48:03.092716+01:00 04mx opendmarc[23762]: implicit
> authentication service: 04mx.example.com
>
> 2015-12-31T08:48:03.198839+01:00 04mx opendmarc[23762]: 3pWM6C04hwzFpVj:
> libero.it fail
>
> the dat file says:
> job 3pWM6C04hwzFpVj
> reporter 04mx.example.com
> received 1451548083
> ipaddr x.x.x.55
> from libero.it
> mfrom libero.it
> spf 0
> pdomain libero.it
> policy 17
> rua mailto:dmarc_agg_rep at libero.it
> pct 100
> adkim 114
> aspf 114
> p 113
> sp 0
> align_dkim 5
> align_spf 5
> action 2
>
> "spf 0" means that the SPF check passes, but afterwards it fails the DKIM and
> SPF alignment. I expected to find an SPF check that failed but was aligned,
> because the envelope from and header from are the same.
>
> Could you explain to me how to understand this behavior?
>
> Thank you very much
> Happy new year
> Marco
>
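
An added example, not part of the original message and not OpenDMARC or libspf2 code: a minimal offline evaluator for the libero.it record quoted above, showing which term decides the result for the test client IP. It decides only `ip4`, `ip6`, `include` and `all`; the function name and the `lookup` callback are assumptions of this sketch, and any term it cannot decide without DNS is reported back instead of guessed.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# SPF record exactly as shown by `host -t txt libero.it` in the message.
LIBERO_SPF = (
    "v=spf1 ip4:212.48.25.128/25 ip4:212.48.14.160/27 "
    "include:srs.bis.na.blackberry.com include:srs.bis.eu.blackberry.com "
    "include:srs.bis.ap.blackberry.com include:mail.zendesk.com -all"
)


def check_spf(record, client_ip, lookup=None):
    """Evaluate terms left to right; return (result, deciding_term, undecided).

    `lookup` (hypothetical callback) maps an include domain to its SPF
    record text, or returns None when the record is not available offline.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", None, []
    undecided = []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier], term, undecided
        elif name == "include":
            target = lookup(arg) if lookup else None
            if target is None:
                undecided.append(term)  # needs a live DNS query
            elif check_spf(target, client_ip, lookup)[0] == "pass":
                return QUALIFIERS[qualifier], term, undecided
        elif name == "all":
            return QUALIFIERS[qualifier], term, undecided
        else:
            undecided.append(term)  # a, mx, exists, ptr, modifiers: not handled
    return "neutral", None, undecided


if __name__ == "__main__":
    # Client IP taken from OPENDMARC_TEST_CLIENTIP in the message.
    print(check_spf(LIBERO_SPF, "64.233.167.109"))
```

For 64.233.167.109 neither `ip4` range matches, so the result is decided by `-all` unless one of the four listed `include:` targets authorizes the address, which requires querying DNS.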


