[Solved]SPF is not checked for incoming mail

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Post Reply
Labsy
Outstanding Member
Outstanding Member
Posts: 411
Joined: Sat Sep 13, 2014 12:52 am

[Solved]SPF is not checked for incoming mail

Post by Labsy »

Hi,

I did not check for all domains, but on some I notice that new ZCS 8.8.6 (after upgrade) simply does not check for SPF policy.
Is it again CBPolicy somehow lost during upgrade?

Wiki on this is like reprogramming one third of Zimbra code, which I find quite unusual, because SPF and DKIM are practically standards today.
https://wiki.zimbra.com/wiki/Cluebringe ... _cbpolicyd

Any easier method?
phoenix
Ambassador
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: SPF is not checked for incoming mail

Post by phoenix »

Have you considered using rspamd for your ant-spam solution? It also does DKIM, DMARC etc. signing and checking and also checks SPF on inbound mail without problems.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
Labsy
Outstanding Member
Outstanding Member
Posts: 411
Joined: Sat Sep 13, 2014 12:52 am

Re: SPF is not checked for incoming mail

Post by Labsy »

Hi Bill,

no, not yet, but I will. Thanx for the tip.

For now I just found out that SPF check is done, but Spamassasin simply gives it just -0.001 for SPF_FAIL.
So I created (as Zimbra user) new file:
/opt/zimbra/data/spamassassin/localrules/sauser.cf
And added to it some corrected scores:

Code: Select all

score GAPPY_SUBJECT 2.8 # from 1.954
score RCVD_IN_BRBL_LASTEXT 3.5 #from 1.449
score RCVD_IN_XBL 1 # from 0.375
score RCVD_IN_BL_SPAMCOP_NET 2 # from 1.347
score RCVD_IN_SBL 2 # from 0.141
score FREEMAIL_FORGED_FROMDOMAIN 3 # from 0.25
score NO_DNS_FOR_FROM 2 # from 0.001
score ADVANCE_FEE_4_NEW 4 # from 2.596
score FREEMAIL_ENVFROM_END_DIGIT 3 # from 0.25
score FREEMAIL_FORGED_REPLYTO 4 # from 2.095
score MALFORMED_FREEMAIL 4 # from 1
score SPF_FAIL 30 # from 0.00
Then restarted Amavis:

Code: Select all

zmamavisdctl restart
User avatar
ccelis5215
Outstanding Member
Outstanding Member
Posts: 632
Joined: Sat Sep 13, 2014 2:04 am
Location: Caracas - Venezuela
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12

Re: [Solved]SPF is not checked for incoming mail

Post by ccelis5215 »

Hi Labsy,

There are so many email server poorly configurated, your countermeasure is OK but your users will lose some messages.

ccelis
Labsy
Outstanding Member
Outstanding Member
Posts: 411
Joined: Sat Sep 13, 2014 12:52 am

Re: [Solved]SPF is not checked for incoming mail

Post by Labsy »

Well, as we also run a big antispam proxy cluster, I became somehow resilient to poorly configured mail servers. I do, however, warn admins of those servers to properly configure their servers, and to have happy customers add some exceptions.
Post Reply