[opendmarc-users] spf pass which I can't understand

Petr Novák novakp43 at gmail.com
Thu Jan 7 07:14:52 PST 2016


Hello,

I think the cause for this problem is already mentioned in this ticket:
http://sourceforge.net/p/opendmarc/tickets/120/

There is also a patch to fix it.

Best Regards
    Petr Novak

On 7.1.2016 at 12:33, Sistemisti Posta wrote:
> Hello, if you want to reproduce this, you can follow these steps:
>
> # cat testmsg.eml
> To: Marco <marco at aol.com>
> From: Marco <marco at libero.it>
> Subject: bye
> Message-ID: <AAAAAAAAA.60dgdsffds at aol.it>
> Date: Thu, 7 Jan 2016 11:50:08 +0100
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101
>   Thunderbird/38.5.0
> MIME-Version: 1.0
>
> Ciao.
> Marco
>
>
> # env | grep OPENDMARC
> OPENDMARC_TEST_HELONAME=wl-in-f109.1e100.net
> OPENDMARC_TEST_CLIENTHOST=wl-in-f109.1e100.net
> OPENDMARC_TEST_CLIENTIP=64.233.167.109
> OPENDMARC_TEST_ENVFROM=marco at libero.it
>
> # opendmarc -t testmsg.eml -vvvv
> opendmarc: mlfi_connect() returned SMFIS_CONTINUE
> opendmarc: mlfi_helo() returned SMFIS_CONTINUE
> opendmarc: testmsg.eml: mlfi_envfrom() returned SMFIS_CONTINUE
> opendmarc: testmsg.eml: line 1: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: testmsg.eml: line 2: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: testmsg.eml: line 3: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: testmsg.eml: line 4: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: testmsg.eml: line 5: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: testmsg.eml: line 6: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: testmsg.eml: line 8: mlfi_header() returned SMFIS_CONTINUE
> ### INSHEADER: idx=1 hname='Authentication-Results' hvalue='DEBUG-j;
> spf=pass smtp.mailfrom=marco at libero.it'
> ### INSHEADER: idx=1 hname='Authentication-Results' hvalue='DEBUG-j;
> dmarc=fail header.from=libero.it'
> ### INSHEADER: idx=1 hname='DMARC-Filter' hvalue='OpenDMARC Filter
> v1.3.1 DEBUG-j DEBUG-i'
> opendmarc: testmsg.eml: mlfi_eom() returned SMFIS_CONTINUE
> opendmarc: mlfi_close() returned SMFIS_CONTINUE
>
> # host -t txt libero.it
> libero.it descriptive text "v=spf1 ip4:212.48.25.128/25
> ip4:212.48.14.160/27 include:srs.bis.na.blackberry.com
> include:srs.bis.eu.blackberry.com include:srs.bis.ap.blackberry.com
> include:mail.zendesk.com -all"
>
> job DEBUG-i
> reporter DEBUG-j
> received 1452166179
> ipaddr 64.233.167.109
> from libero.it
> mfrom libero.it
> spf 0
> pdomain libero.it
> policy 17
> rua mailto:dmarc_agg_rep at libero.it
> pct 100
> adkim 114
> aspf 114
> p 113
> sp 0
> align_dkim 5
> align_spf 5
> action 2
>
> If you try a report like this:
> http://tools.bevhost.com/spf/
> I obtain a fail:
> fail Please see
> http://www.openspf.org/why.html?sender=marco%40libero.it&ip=64.233.167.109&receiver=tools.bevhost.com
> tools.bevhost.com: domain of marco at libero.it does not designate
> 64.233.167.109 as permitted sender v=spf1 ip4:212.48.25.128/25
> ip4:212.48.14.160/27 include:srs.bis.na.blackberry.com
> include:srs.bis.eu.blackberry.com include:srs.bis.ap.blackberry.com
> include:mail.zendesk.com -all HASH(0x1d4e298)
>
> Thanks again
> Best Regards
> Marco
>
> On 31/12/2015 09:18, Sistemisti Posta wrote:
>> Hello opendmarc user,
>>
>>   I have a question about an spf pass that shouldn't pass.
>>
>> I sent a mail not DKIM signed with a server not allowed by SPF policy.
>> In particular I sent a mail with the envelope from <marco at libero.it>,
>> using an MSA that is not allowed by libero.it policy:
>>
>> libero.it descriptive text "v=spf1 ip4:212.48.25.128/25
>> ip4:212.48.14.160/27 include:srs.bis.na.blackberry.com
>> include:srs.bis.eu.blackberry.com include:srs.bis.ap.blackberry.com
>> include:mail.zendesk.com -all"
>>
>> So, if I understand correctly, the spf check would fail.
>>
>> opendmarc is configured to make its own spf check (libspf2):
>>
>>   ldd /usr/sbin/opendmarc
>>          linux-vdso.so.1 =>  (0x00007fff32fbc000)
>>          libopendmarc.so.2 => /lib64/libopendmarc.so.2
>> (0x00007f2424b1c000)
>>          libmilter.so.1.0 => /lib64/libmilter.so.1.0 (0x00007f242490b000)
>>          libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f24246f0000)
>>          libspf2.so.2 => /lib64/libspf2.so.2 (0x00007f24244d4000)
>>          libbsd.so.0 => /lib64/libbsd.so.0 (0x00007f24242c5000)
>>          librt.so.1 => /lib64/librt.so.1 (0x00007f24240bc000)
>>          libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f2423ea0000)
>>          libc.so.6 => /lib64/libc.so.6 (0x00007f2423adf000)
>>          libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f24238c5000)
>>          /lib64/ld-linux-x86-64.so.2 (0x00007f2424d36000)
>>
>> opendmarc.conf:
>> AuthservID HOSTNAME
>> SPFIgnoreResults true
>> SPFSelfValidate true
>>
>> hostname is "04mx.example.com".
>> The mail I receive is:
>>
>> Return-Path: <marco at libero.it>
>> Received: from 04mx.example.com (04mx.example.com [x.x.x.86])
>>       by ucstore.example.com (Cyrus v2.4.17-Invoca-RPM-2.4.17-6.el6)
>> with LMTPA;
>>       Thu, 31 Dec 2015 08:48:04 +0100
>> X-Sieve: CMU Sieve 2.4
>> Received: from localhost (localhost [127.0.0.1])
>>      by 04mx.example.com (MailFarm) with ESMTP id 3pWM6D1dNjzFpVl
>>      for <marco at example.com>; Thu, 31 Dec 2015 08:48:04 +0100 (CET)
>> X-Virus-Scanned: amavisd-new at example.com
>> X-Spam-Flag: NO
>> X-Spam-Score: 1.696
>> X-Spam-Level: *
>> X-Spam-Status: No, score=1.696 tagged_above=-999 required=4.5
>>      tests=[BODY_SINGLE_WORD=0.001, DSPAM_HAM_99=-0.5,
>> FREEMAIL_FROM=0.001,
>>      RDNS_NONE=1.274, SPF_FAIL=0.919, TVD_SPACE_RATIO=0.001]
>>      autolearn=disabled
>> Received: from localhost ([127.0.0.1])
>>      by localhost (04mx.example.com [127.0.0.1]) (amavisd-new, port
>> 10024)
>>      with LMTP id 4vah2SkDixO0 for <marco at example.com>;
>>      Thu, 31 Dec 2015 08:48:03 +0100 (CET)
>> Received: from msa.example.com (unknown [x.x.x.55])
>>      by 04mx.example.com (MailFarm) with ESMTP id 3pWM6C04hwzFpVj
>>      for <marco at example.com>; Thu, 31 Dec 2015 08:48:02 +0100 (CET)
>> DMARC-Filter: OpenDMARC Filter v1.3.1 04mx.example.com 3pWM6C04hwzFpVj
>> Authentication-Results: 04mx.example.com; dmarc=fail
>> header.from=libero.it
>> Authentication-Results: 04mx.example.com; spf=pass
>> smtp.mailfrom=marco at libero.it
>> DKIM-Filter: OpenDKIM Filter v2.10.3 04mx.example.com 3pWM6C04hwzFpVj
>> Received: from [x.x.x.13] (client.example.com [x.x.x.13])
>>      (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128
>> bits))
>>      (No client certificate requested)
>>      by msa.example.com (MailFarm) with ESMTPSA id 3pWM6B69pfzBrKb
>>      for <marco at example.com>; Thu, 31 Dec 2015 08:48:02 +0100 (CET)
>> To: Marco <marco at example.com>
>> From: Marco <marco at libero.it>
>> ...
>>
>>
>> This mail should fail the SPF check, but "Authentication-Results" says it
>> passes. In the log I only see:
>>
>> 2015-12-31T08:48:03.092716+01:00 04mx opendmarc[23762]: implicit
>> authentication service: 04mx.example.com
>>
>> 2015-12-31T08:48:03.198839+01:00 04mx opendmarc[23762]: 3pWM6C04hwzFpVj:
>> libero.it fail
>>
>> the dat file says:
>> job 3pWM6C04hwzFpVj
>> reporter 04mx.example.com
>> received 1451548083
>> ipaddr x.x.x.55
>> from libero.it
>> mfrom libero.it
>> spf 0
>> pdomain libero.it
>> policy 17
>> rua mailto:dmarc_agg_rep at libero.it
>> pct 100
>> adkim 114
>> aspf 114
>> p 113
>> sp 0
>> align_dkim 5
>> align_spf 5
>> action 2
>>
>> "spf 0" means that the spf check passes, but after that it fails the DKIM
>> and SPF alignment. I expected to find an spf check that failed but was
>> aligned, because envelope from and header from are the same.
>>
>> Could you explain to me how to understand this behavior?
>>
>> Thank you very much
>> Happy new year
>> Marco
>> _______________________________________________
>> opendmarc-users mailing list
>> opendmarc-users at trusteddomain.org
>> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
>>
>
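A consistency check for the symptom reported in this thread, as an added example that is not part of the original messages or of OpenDMARC's code: under DMARC, an SPF pass for a MAIL FROM domain identical to the header From domain is an aligned pass, so the same authserv-id reporting `dmarc=fail` alongside it is contradictory and worth flagging. The function names and the sample list are illustrative assumptions, and the parser handles only simple `method=result prop=value` headers without comments.

```python
import re
from collections import defaultdict

# Constructed sample: the two Authentication-Results headers quoted in the
# thread, unfolded, with the list archive's " at " obfuscation left in place.
SAMPLE_HEADERS = [
    "Authentication-Results: 04mx.example.com; dmarc=fail header.from=libero.it",
    "Authentication-Results: 04mx.example.com; spf=pass smtp.mailfrom=marco at libero.it",
]

def _domain(value):
    """Return the lower-cased domain of an address or of a bare domain."""
    value = value.strip().strip("<>").replace(" at ", "@")
    return value.rsplit("@", 1)[-1].lower().rstrip(".")

def parse_authres(header):
    """Parse one header into (authserv_id, {method: (result, {prop: value})})."""
    body = re.sub(r"\r?\n[ \t]+", " ", header).split(":", 1)[1]  # unfold first
    authserv_id, *resinfos = [part.strip() for part in body.split(";")]
    methods = {}
    for resinfo in resinfos:
        m = re.match(r"(\w+)=(\w+)(.*)", resinfo, re.S)
        if not m:
            continue
        props = dict(re.findall(r"([\w.]+)=(\S+(?: at \S+)?)", m.group(3)))
        methods[m.group(1).lower()] = (m.group(2).lower(), props)
    return authserv_id.split()[0].lower(), methods

def find_contradictions(headers):
    """Flag authserv-ids reporting spf=pass for a domain identical to
    header.from while also reporting dmarc=fail."""
    merged = defaultdict(dict)
    for header in headers:
        authserv_id, methods = parse_authres(header)
        merged[authserv_id].update(methods)
    findings = []
    for authserv_id, methods in merged.items():
        spf, dmarc = methods.get("spf"), methods.get("dmarc")
        if not spf or not dmarc:
            continue
        mfrom = _domain(spf[1].get("smtp.mailfrom", ""))
        hfrom = _domain(dmarc[1].get("header.from", ""))
        if spf[0] == "pass" and dmarc[0] == "fail" and mfrom and mfrom == hfrom:
            findings.append((authserv_id, mfrom))
    return findings
```

Only exact domain matches are flagged, so the check needs no Public Suffix List and holds for both strict and relaxed `aspf`.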

