Zimbra Forums

Zimbra Collaboration & Zimbra Desktop Forums
https://forums.zimbra.org/

[Solved]SPF is not checked for incoming mail

https://forums.zimbra.org/viewtopic.php?t=63809

Page 1 of 1

[Solved]SPF is not checked for incoming mail

Posted: Fri Mar 09, 2018 9:57 pm
by Labsy
Hi,

I did not check for all domains, but on some I notice that new ZCS 8.8.6 (after upgrade) simply does not check for SPF policy.
Is it again CBPolicy somehow lost during upgrade?

Wiki on this is like reprogramming one third of Zimbra code, which I find quite unusual, because SPF and DKIM are practically standards today.
https://wiki.zimbra.com/wiki/Cluebringe ... _cbpolicyd

Any easier method?

Re: SPF is not checked for incoming mail

Posted: Sat Mar 10, 2018 9:06 am
by phoenix
Have you considered using rspamd for your ant-spam solution? It also does DKIM, DMARC etc. signing and checking and also checks SPF on inbound mail without problems.

Re: SPF is not checked for incoming mail

Posted: Sat Mar 10, 2018 10:08 am
by Labsy
Hi Bill,

no, not yet, but I will. Thanx for the tip.

For now I just found out that SPF check is done, but Spamassasin simply gives it just -0.001 for SPF_FAIL.
So I created (as Zimbra user) new file:
/opt/zimbra/data/spamassassin/localrules/sauser.cf
And added to it some corrected scores:

Code: Select all

score GAPPY_SUBJECT 2.8 # from 1.954
score RCVD_IN_BRBL_LASTEXT 3.5 #from 1.449
score RCVD_IN_XBL 1 # from 0.375
score RCVD_IN_BL_SPAMCOP_NET 2 # from 1.347
score RCVD_IN_SBL 2 # from 0.141
score FREEMAIL_FORGED_FROMDOMAIN 3 # from 0.25
score NO_DNS_FOR_FROM 2 # from 0.001
score ADVANCE_FEE_4_NEW 4 # from 2.596
score FREEMAIL_ENVFROM_END_DIGIT 3 # from 0.25
score FREEMAIL_FORGED_REPLYTO 4 # from 2.095
score MALFORMED_FREEMAIL 4 # from 1
score SPF_FAIL 30 # from 0.00
Then restarted Amavis:

Code: Select all

zmamavisdctl restart

Re: [Solved]SPF is not checked for incoming mail

Posted: Sat Mar 10, 2018 9:41 pm
by ccelis5215
Hi Labsy,

There are so many email server poorly configurated, your countermeasure is OK but your users will lose some messages.

ccelis

Re: [Solved]SPF is not checked for incoming mail

Posted: Sun Mar 11, 2018 6:30 pm
by Labsy
Well, as we also run a big antispam proxy cluster, I became somehow resilient to poorly configured mail servers. I do, however, warn admins of those servers to properly configure their servers, and to have happy customers add some exceptions.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited