zimbra spf methods

zgokan
Advanced member
Posts: 171
Joined: Sun Apr 17, 2016 8:58 am

zimbra spf methods

Post by zgokan »

Hello

Zimbra and Centos stores have the following packages. In the version 8.8.10, the Webui comes hollow. I'm looking at an alternative solution.
Can't I create a solution using these packages below? By integrating Spamassassin ...

Code:

golang-github-spf13-pflag-unit-test.x86_64 : Unit tests for golang-github-spf13-pflag package
libspf2.x86_64 : An implementation of the SPF specification
libspf2-apidocs.noarch : API documentation for the libspf2 library
libspf2-devel.x86_64 : Development tools needed to build programs that use libspf2
libspf2-progs.x86_64 : Programs for making SPF queries using libspf2
perl-Mail-SPF_XS.x86_64 : An XS implementation of Mail::SPF
pypolicyd-spf.noarch : SPF Policy Server for Postfix (Python implementation)
python-pyspf.noarch : Python module and programs for SPF (Sender Policy Framework)
zimbra-perl-mail-spf.x86_64 : Mail::SPF - An object-oriented implementation of Sender Policy Framework
golang-github-spf13-cobra-devel.noarch : A Commander for modern go CLI interactions
golang-github-spf13-pflag-devel.noarch : Replacement for Go's flag package
perl-Mail-SPF.noarch : Object-oriented implementation of Sender Policy Framework

phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: zimbra spf methods

Post by phoenix »

zgokan wrote:Zimbra and Centos stores have the following packages. In the version 8.8.10, the Webui comes hollow. I'm looking at an alternative solution.
Can't I create a solution using these packages below? By integrating Spamassassin ...

I don't really understand the point you're trying to make here, perhaps you could explain in a bit more detail? Are you criticising the package versions used in ZCS compared to the distribution versions? If you want a decent solution to your spam problems why not try Rspamd and get rid of spamassassin?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
zgokan
Advanced member
Posts: 171
Joined: Sun Apr 17, 2016 8:58 am

Re: zimbra spf methods

Post by zgokan »

Hello

Just want to add SPF protection. But I will try Rspamd as soon as possible. Can you support SPF?
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: zimbra spf methods

Post by phoenix »

SPF 'protection' is just a DNS configuration (on your external DNS server for your domain) and is fairly trivial to configure, nothing else needs to be done for it. Do you also have DKIM and DMARC configured? In any case you can find out what's necessary by reading the wiki article on the subject, just search the wiki for 'spf' and you'll find everything you need.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
zgokan
Advanced member
Posts: 171
Joined: Sun Apr 17, 2016 8:58 am

Re: zimbra spf methods

Post by zgokan »

I don't think you understand my question. Can I provide SPF protection in e-mails that come with Spamassassin?
I was going to ask for information.

thank you.
Labsy
Outstanding Member
Posts: 411
Joined: Sat Sep 13, 2014 12:52 am

Re: zimbra spf methods

Post by Labsy »

phoenix wrote:SPF 'protection' is just a DNS configuration (on your external DNS server for your domain) and is fairly trivial to configure, nothing else needs to be done for it. ...

Sorry for jumping in, but I believe this is NOT true. I have numerous incidents on different domains (all properly set up SPF records with hard fail) being able to normally fake FROM e-mail and being normally received by Zimbra server. SPF score is set to add 10 points, but in mail header I see only 0.001 points are added for SPF filter.
Meaning, without quite a lot of hassle SPF is NOT engaged by default...at least in my situation.
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: zimbra spf methods

Post by phoenix »

Labsy wrote:
phoenix wrote:SPF 'protection' is just a DNS configuration (on your external DNS server for your domain) and is fairly trivial to configure, nothing else needs to be done for it. ...
Sorry for jumping in, but I believe this is NOT true. I have numerous incidents on different domains (all properly set up SPF records with hard fail) being able to normally fake FROM e-mail and being normally received by Zimbra server. SPF score is set to add 10 points, but in mail header I see only 0.001 points are added for SPF filter.
Meaning, without quite a lot of hassle SPF is NOT engaged by default...at least in my situation.

SPF is not a "filter" it is merely a method of specifying which servers are allowed to send mail for your domain and what action to take if the mail comes from another IP address, nothing more and nothing less.

My comment that you've quoted was merely a comment about the function of SPF and not what your (or any other mail server) anti-spam system does about it.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: zimbra spf methods

Post by JDunphy »

Labsy wrote: I have numerous incidents on different domains (all properly set up SPF records with hard fail) being able to normally fake FROM e-mail and being normally received by Zimbra server. SPF score is set to add 10 points, but in mail header I see only 0.001 points are added for SPF filter.
Meaning, without quite a lot of hassle SPF is NOT engaged by default...at least in my situation.

I would agree with this... it isn't easy out of the box because while it seems SPF is easy to understand, it is overly simplistic and fails to solve spoofing in many instances.
IMO, if you want local SPF reject of your own domains and others too, then rspamd is perhaps a better solution given it can be deployed as a milter. This allows for the rejection of the envelope-from or helo during the SMTP dialog but before accepting the message. On the other hand, if you accept the email as Zimbra does by default then we preserve the envelope-from via a Return-Path header and pass it on to amavisd who will eventually pass it on to SA for checking. If we rejected the email now, we would then contribute to backscatter so scoring to spam or not deliver it are best options for following SPF policy. The real problem is that SPF breaks forwarding so real email gets bounced which decreases your users' perception of the service you are offering. The best thing SPF does is in the reduction of backscatter on your domains provided the target follows your policy and as a component in DMARC "from" alignment. From a user's perspective, the header-from can still be spoofed with SPF so what are you really accomplishing? To really prevent spoofing, digitally signing that header-from in addition to a few other headers in your email (DKIM) seems like the best solution currently.

Here are some ways to use SPF and DKIM to stop spoofing after you have already accepted email for your domains.

Code:

header __FROM_FACEBOOK Return-Path:addr =~ /no-reply\@facebook\.com/i
meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
meta FORGED_FACEBOOK_FROM (__FROM_FACEBOOK && __FORGED_SENDER)
score FORGED_FACEBOOK 5 5 5 5

The above is from /opt/zimbra/conf/sa/sa_local.cf ... On my own servers, I do it slightly differently, like this in my salocal.cf:

Code:

#spoofed from
header __SPFSENDER_FROM From =~ /\@example\.com|\@example\.net/i
meta J_SPOOFED_FROM (__SPFSENDER_FROM && !DKIM_VALID_AU)
score  J_SPOOFED_FROM 7
describe J_SPOOFED_FROM Not DKIM signed

meta J_WHITELISTUS (!J_SPOOFED_FROM && __SPFSENDER_FROM && DKIM_VALID_AU)
score J_WHITELISTUS -15
describe J_WHITELISTUS Kludge for mime parser FP

Note: I believe there is also a 10 lookup rule so if you have a few includes in your SPF records, double check you don't overshoot that if you have added outside vendors to that SPF record. It is becoming pretty rare to find strict SPF policy "-all" for most big mail providers given the problems associated with SPF false positives. Just a few years ago, they all had "-all" and told us we should too :-) - so things are changing.

Code:

% dig +short _spf.google.com txt
"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
% dig +short _spf.mail.yahoo.com txt
"v=spf1 ptr:yahoo.com ptr:yahoo.net ?all"
% dig +short aol.com txt
"'4a751cdeec084ee2bc9e2cb2e94ba8af'"
"v=spf1 ip4:204.29.186.0/23 include:spf.constantcontact.com include:aspmx.sailthru.com include:mail.zendesk.com include:_ipspf.yahoo.com ~all"
"spf2.0/pra ip4:204.29.186.0/23 include:spf.constantcontact.com include:aspmx.sailthru.com include:mail.zendesk.com ~all"

DMARC is a much better alternative to publish those stricter SPF/DKIM policies... And I just realized the OP was from Oct. Better get my first cup of coffee. You guys got me. LOL :-)

HTH

Jim
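
The 10-lookup limit and the `all` qualifiers mentioned in the post above, as an added example (not code from the thread or from Zimbra): a Python check that counts the DNS-querying terms an SPF record can trigger (include, a, mx, ptr, exists, redirect), following includes, and reports the qualifier on `all`. The records in SAMPLE_TXT are constructed stand-ins for DNS answers, and the function names are hypothetical.

```python
import re

# Constructed TXT data standing in for DNS answers (not real records).
SAMPLE_TXT = {
    "example.com": "v=spf1 mx a include:_spf.vendor-a.example include:_spf.vendor-b.example -all",
    "_spf.vendor-a.example": "v=spf1 include:_nb1.vendor-a.example include:_nb2.vendor-a.example ~all",
    "_nb1.vendor-a.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.vendor-a.example": "v=spf1 ip4:198.51.100.0/24 a mx ~all",
    "_spf.vendor-b.example": "v=spf1 exists:%{i}.bl.vendor-b.example ptr include:_spf.vendor-c.example ?all",
    "_spf.vendor-c.example": "v=spf1 a:mail.vendor-c.example mx ~all",
    "small.example": "v=spf1 ip4:203.0.113.0/24 include:_nb1.vendor-a.example ~all",
}
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 gives permerror
TERM = re.compile(r"^([+\-~?]?)(include|a|mx|ptr|exists|all|ip4|ip6)(?:[:/](.*))?$", re.I)

def count_lookups(domain, txt=SAMPLE_TXT, path=()):
    """Worst-case count of DNS-querying terms (every term evaluated, no early match)."""
    record = txt.get(domain, "")
    if domain in path or not record.lower().startswith("v=spf1"):
        return 0  # include loop or no SPF record: nothing further to count
    total = 0
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], txt, path + (domain,))
            continue
        m = TERM.match(term)
        if not m:
            continue
        mech, arg = m.group(2).lower(), m.group(3)
        if mech in ("a", "mx", "ptr", "exists"):
            total += 1  # each of these costs one DNS query
        elif mech == "include" and arg:
            total += 1 + count_lookups(arg, txt, path + (domain,))
    return total

def all_policy(domain, txt=SAMPLE_TXT):
    """Qualifier on the record's own 'all' term: '-', '~', '?', '+', or None if absent."""
    for term in txt.get(domain, "").split()[1:]:
        m = TERM.match(term)
        if m and m.group(2).lower() == "all":
            return m.group(1) or "+"
    return None

def audit(domain, txt=SAMPLE_TXT):
    n = count_lookups(domain, txt)
    return {"domain": domain, "lookups": n, "over_limit": n > LOOKUP_LIMIT, "all": all_policy(domain, txt)}

if __name__ == "__main__":
    for d in ("example.com", "small.example"):
        print(audit(d))
```

The constructed example.com record has only two includes of its own but reaches 13 lookups through nested vendor records, which is the overshoot the post warns about; ip4, ip6 and all terms cost nothing.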