[Solved]SPF is not checked for incoming mail

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Labsy
Outstanding Member
Outstanding Member
Posts: 377
Joined: Sat Sep 13, 2014 12:52 am

[Solved]SPF is not checked for incoming mail

Postby Labsy » Fri Mar 09, 2018 9:57 pm

Hi,

I did not check for all domains, but on some I notice that new ZCS 8.8.6 (after upgrade) simply does not check for SPF policy.
Is it again CBPolicy somehow lost during upgrade?

Wiki on this is like reprogramming one third of Zimbra code, which I find quite unusual, because SPF and DKIM are practically standards today.
https://wiki.zimbra.com/wiki/Cluebringe ... _cbpolicyd

Any easier method?


phoenix
Ambassador
Ambassador
Posts: 26284
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: SPF is not checked for incoming mail

Postby phoenix » Sat Mar 10, 2018 9:06 am

Have you considered using rspamd for your ant-spam solution? It also does DKIM, DMARC etc. signing and checking and also checks SPF on inbound mail without problems.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
Labsy
Outstanding Member
Outstanding Member
Posts: 377
Joined: Sat Sep 13, 2014 12:52 am

Re: SPF is not checked for incoming mail

Postby Labsy » Sat Mar 10, 2018 10:08 am

Hi Bill,

no, not yet, but I will. Thanx for the tip.

For now I just found out that SPF check is done, but Spamassasin simply gives it just -0.001 for SPF_FAIL.
So I created (as Zimbra user) new file:
/opt/zimbra/data/spamassassin/localrules/sauser.cf
And added to it some corrected scores:

Code: Select all

score GAPPY_SUBJECT 2.8 # from 1.954
score RCVD_IN_BRBL_LASTEXT 3.5 #from 1.449
score RCVD_IN_XBL 1 # from 0.375
score RCVD_IN_BL_SPAMCOP_NET 2 # from 1.347
score RCVD_IN_SBL 2 # from 0.141
score FREEMAIL_FORGED_FROMDOMAIN 3 # from 0.25
score NO_DNS_FOR_FROM 2 # from 0.001
score ADVANCE_FEE_4_NEW 4 # from 2.596
score FREEMAIL_ENVFROM_END_DIGIT 3 # from 0.25
score FREEMAIL_FORGED_REPLYTO 4 # from 2.095
score MALFORMED_FREEMAIL 4 # from 1
score SPF_FAIL 30 # from 0.00

Then restarted Amavis:

Code: Select all

zmamavisdctl restart
User avatar
ccelis5215
Outstanding Member
Outstanding Member
Posts: 607
Joined: Sat Sep 13, 2014 2:04 am
Location: Caracas - Venezuela
ZCS/ZD Version: 8.0.9.GA.6191.UBUNTU12.64 FOSS

Re: [Solved]SPF is not checked for incoming mail

Postby ccelis5215 » Sat Mar 10, 2018 9:41 pm

Hi Labsy,

There are so many email server poorly configurated, your countermeasure is OK but your users will lose some messages.

ccelis
Labsy
Outstanding Member
Outstanding Member
Posts: 377
Joined: Sat Sep 13, 2014 12:52 am

Re: [Solved]SPF is not checked for incoming mail

Postby Labsy » Sun Mar 11, 2018 6:30 pm

Well, as we also run a big antispam proxy cluster, I became somehow resilient to poorly configured mail servers. I do, however, warn admins of those servers to properly configure their servers, and to have happy customers add some exceptions.

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 5 guests