SPF for incoming mails with perl-mail-spf and perl-mail-spf-query packages

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
robertitox
Posts: 20
Joined: Sun May 06, 2018 10:48 pm

SPF for incoming mails with perl-mail-spf and perl-mail-spf-query packages

Post by robertitox »

Dear all, I've seen that SPF check for incoming mails is implemented with the following procedure under Red Hat / Zimbra:

# yum install perl-mail-spf perl-mail-spf-query

and after that I have to increase the SPF score into the spamassasin configuration file.

Please at first I need your confirmation that this is all I have to do in order to check SPF for incoming mails.

And also, I notice that perl-mail-spf package is contained in EPEL repo, and perl-mail-spf-query is contained in RPMFORGE repo. Do I need both these two packages ??? Is it OK if I add both repos to my current Zimbra 8.6 / Red Hat 6 server ??? Or is there a better solution in order to check SPF for incoming mails ???

Thanks a lot, greetings !!!
User avatar
pup_seba
Outstanding Member
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain
Contact:

Re: SPF for incoming mails with perl-mail-spf and perl-mail-spf-query packages

Post by pup_seba »

Hi,

I've never installed those...at least intentionally. SPF filters/rules are already in place for spamassassin, you just need to tweak the scores to whatever you'd like (if you don't like the scores that come by default).

Where did you seen that's the procedure for SPF under red hat/zimbra?
robertitox
Posts: 20
Joined: Sun May 06, 2018 10:48 pm

Re: SPF for incoming mails with perl-mail-spf and perl-mail-spf-query packages

Post by robertitox »

Dear Sebastian, I've been some howtos with:

# yum install perl-mail-spf perl-mail-spf-query

and some others with:

# yum install perl-mail-spf-query

like this tutorial: http://www.ecualug.org/?q=2007/03/30/co ... nos_llegan

In Red Hat, I'd have to add the RPMForge repository and after that I have to download the perl-mail-spf-query package and finally modify the Spamassassin config file.

I've not done that yet, because I have a production mail server and I can't test at any time, I have to plan it.

Maybe you can add any comment.

Regards!!!
robertitox
Posts: 20
Joined: Sun May 06, 2018 10:48 pm

Re: SPF for incoming mails with perl-mail-spf and perl-mail-spf-query packages

Post by robertitox »

Sebastian, here I'll show you a tutorial for Zimbra+SPF:

https://soporte.itlinux.cl/hc/es/articl ... imbra-SPF-

The installation is using both packages:

perl-mail-spf
perl-mail-spf-query

But I think these two packages are for the same purpose, I think you have to use just one of them.....but I need a confirmation of an expert.

Thanks!!!
User avatar
pup_seba
Outstanding Member
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain
Contact:

Re: SPF for incoming mails with perl-mail-spf and perl-mail-spf-query packages

Post by pup_seba »

Hi,

No official doc and not all of it applies to Zimbra. Note that SPF plugin is already present in the zimbra that ships with spam assassin.

All you have to do, in case you are not ok with the scores that come by default, is to tune the scores for the filters spam assassin uses for SPF.

Depending on your zimbra version, you have to do it in one place or another. Assuming you are using a newer zimbra version (i think older than 8.6 for the least), you need to create a file under.
/opt/zimbra/data/spamassassin/localrules

Name that file "sauser.cf", or in case you already have one "sauser.cf", simply add the lines for the SPF filters with the scores you'd like. For instance, by default, Zimbra uses these scores for SPF:
rules/50_scores.cf:score SPF_NONE 0
rules/50_scores.cf:score SPF_HELO_NONE 0
rules/50_scores.cf:score SPF_PASS -0.001
rules/50_scores.cf:score SPF_HELO_PASS -0.001
rules/50_scores.cf:score SPF_FAIL 0 0.919 0 0.001 # n=0 n=2
rules/50_scores.cf:score SPF_HELO_FAIL 0 0.001 0 0.001 # n=0 n=2
rules/50_scores.cf:score SPF_HELO_NEUTRAL 0 0.001 0 0.112 # n=0 n=2
rules/50_scores.cf:score SPF_HELO_SOFTFAIL 0 0.896 0 0.732 # n=0 n=2
rules/50_scores.cf:score SPF_NEUTRAL 0 0.652 0 0.779 # n=0 n=2
rules/50_scores.cf:score SPF_SOFTFAIL 0 0.972 0 0.665 # n=0 n=2

But you can change this, by creating the sauser.cf file, and just adding the scroes you'd like in there. For example:
score SPF_SOFTFAIL 3.000
score SPF_FAIL 7.000

Then, you just need to restart amavisd (zmamavisd restart).

You don't need to add new repositories, you don't need to install any perl "spf" package, you don't need to modify any postfix file. All you need to do is this non-intrusive and update persistent procedure, where YOU create the file with the scores for the already in place SPF filters.

Regards,
robertitox
Posts: 20
Joined: Sun May 06, 2018 10:48 pm

Re: SPF for incoming mails with perl-mail-spf and perl-mail-spf-query packages

Post by robertitox »

Dear Sebastian, thanks for your very interesting solution.

I have Zimbra 8.6, so I think the creation of saucer.cf is possible to me.

Please let me ask a new short question:

You tell me to create a content like this into saucer.cf:

score SPF_SOFTFAIL 0 0.972 0 0.665 # n=0 n=2
score SPF_FAIL 0 0.919 0 0.001 # n=0 n=2

But afther that you say I can modify it, for example:

score SPF_SOFTFAIL 3.000
score SPF_FAIL 7.000

I notice that contents are not the same, in the first case the line has several values....and in the second case it has just one value.

Plase tell me if it's OK, and next weekend I will test this solution.

Special thanks !!!
User avatar
pup_seba
Outstanding Member
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain
Contact:

Re: SPF for incoming mails with perl-mail-spf and perl-mail-spf-query packages

Post by pup_seba »

Hi,

"I have Zimbra 8.6, so I think the creation of saucer.cf is possible to me."
Yes it is, and the path for the file is correct :) (older versions used another path for that file)

"
You tell me to create a content like this into saucer.cf:
score SPF_SOFTFAIL 0 0.972 0 0.665 # n=0 n=2
score SPF_FAIL 0 0.919 0 0.001 # n=0 n=2
"
Nope, sorry. I did not make myself clear. This is only a snippet of what the defaults in the 50_scores.cf file look like. You should not touch these.

"I notice that contents are not the same, in the first case the line has several values....and in the second case it has just one value."
To understand those other scores, you should read "scoring options" here https://spamassassin.apache.org/full/3. ... _Conf.html
I always just use one...it is easier and it works just fine for me.

En resumen:
1. Create the file
touch /opt/zimbra/data/spamassassin/sauser.cf

2. Edit that file and add the scores for the filters you wish to fine tune the score. In your case, something like this could help:
score SPF_SOFTFAIL 3.000
score SPF_FAIL 7.000

3. Restart amavis
zmamavisdctl restart

Test it. In this case, if a softfail happens (~all) which is the most common kind of fail as usually nobody uses hard fails in their spf (txt) records, your spamassassin will add 3 points to that mail. Zimbra, by default requires 6,6 (33% of 20) points to mark a mail as spam. If it is a hardfail (-all), then spamassassin will add 7 points to that mail, which it is enough to put it directly into your spam folder as that filter alone adds more points than necessary for spam-tagging.

Additionally, you could read this, the "rule updates" or "compilation" configurations are usually a good idea. Also, increasing the amavis log level is really usefull. I usually set that to 2 or 3. So now in your logs you will be able to see which filters are being applied.
https://wiki.zimbra.com/wiki/Anti-spam_Strategies

Good luck!
robertitox
Posts: 20
Joined: Sun May 06, 2018 10:48 pm

Re: SPF for incoming mails with perl-mail-spf and perl-mail-spf-query packages

Post by robertitox »

Dear Sebastian, thanks a lot for your fantastic help....and the time dedicated to me.

I will test all you said next weekend.

Greetings !!!
robertitox
Posts: 20
Joined: Sun May 06, 2018 10:48 pm

Re: SPF for incoming mails with perl-mail-spf and perl-mail-spf-query packages

Post by robertitox »

Dear Sebastian, how are you?

I did what yo suggest in order to heck SPF through Spamassassin scores, but it doesn't work.

After configuration as you said, I execute:

# tail -f /var/log/zimbra.log | grep -i spf

but there isn't any SPF log at all.

Maybe I have to install perl-mail-spf or perl-mail-spf-query extra packages as here:

https://blog.kvs-solutions.com/?p=940

Can you add any comment please?

Thanks again, greetings !!!
User avatar
pup_seba
Outstanding Member
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain
Contact:

Re: SPF for incoming mails with perl-mail-spf and perl-mail-spf-query packages

Post by pup_seba »

Hi,

SPF_FAIL is one of spamassassin basic rules, it comes enabled in zimbra by default for years now. You could see that by 'grep -iR "spf_fail" /opt/zimbra/data/spamassassin/rules'.

In order to see what filters are being applied under /var/log/zimbra.log, you need to increase the default amavisd log level. You can do that with "zmprov ms `zmhostname` zimbraAmavisLogLevel 2"

Then of course, you need to actually have some mails that are failing the spf, so the filter kicks in. You could run "amavis-logwatch /var/log/zimbra.log" if you like to see an in-depth report of your spamassassin activity, alghouth in my experience, the log facility in spamassassin for zimbra is broken and it does not log all the activity. So it is not 100% trusty (in fact, is pretty lame and it does not work). If you can, test it by means of having a missconfigured spf to send mails from to your zimbra, and check the filter by "show original" of the message once you receive it. Default scores for spf_fail are pretty low anyways.

Are you in spain? Would you rather we see this together in a remote session? I could show you how that works in my lab if you'd like.
Post Reply