ISSUE WITH SPF PARSING: SmarterMail is not able to properly parse complex SPF records that include macros to handle HELO/EHLO
Problem reported by Gabriele Maoret - SERSIS - 6/16/2023 at 8:26 AM
Submitted
It seems that SmarterMail is not able to properly parse complex SPF records that include macros to handle HELO/EHLO as well.

Example:

Receiving an email from the SE.COM domain, coming from the IP 40.107.104.103 which uses "EUR03-DBA-obe.outbound.protection.outlook.com" as HELO/EHLO, you get this result in the SMTP LOGS:


[2023.06.16] 10:26:03.580 [40.107.104.103][53371412] rsp: 220 mail3.sersis.com
[2023.06.16] 10:26:03.580 [40.107.104.103][53371412] connected at 16/06/2023 10:26:03
[2023.06.16] 10:26:03.580 [40.107.104.103][53371412] Country code: IE
[2023.06.16] 10:26:03.612 [40.107.104.103][53371412] cmd: EHLO EUR03-DBA-obe.outbound.protection.outlook.com
[2023.06.16] 10:26:03.612 [40.107.104.103][53371412] rsp: 250-mail3.sersis.com Hello [40.107.104.103]250-SIZE 139810133250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
[2023.06.16] 10:26:03.643 [40.107.104.103][53371412] cmd: STARTTLS
[2023.06.16] 10:26:03.643 [40.107.104.103][53371412] rsp: 220 Start TLS negotiation
[2023.06.16] 10:26:03.726 [40.107.104.103][53371412] cmd: EHLO EUR03-DBA-obe.outbound.protection.outlook.com
[2023.06.16] 10:26:03.727 [40.107.104.103][53371412] rsp: 250-mail3.sersis.com Hello [40.107.104.103]250-SIZE 139810133250-AUTH LOGIN CRAM-MD5250-8BITMIME250-DSN250 OK
[2023.06.16] 10:26:03.769 [40.107.104.103][53371412] cmd: MAIL FROM:<asley.facchin@se.com> SIZE=60457
[2023.06.16] 10:26:03.769 [40.107.104.103][53371412] senderEmail(1): asley.facchin@se.com
[2023.06.16] 10:26:03.769 [40.107.104.103][53371412] rsp: 250 OK <asley.facchin@se.com> Sender ok
[2023.06.16] 10:26:03.769 [40.107.104.103][53371412] Sender accepted. Weight: 0. Block threshold: 45. 
[2023.06.16] 10:26:03.816 [40.107.104.103][53371412] cmd: RCPT TO:<info@ocsplast.it>
[2023.06.16] 10:26:03.816 [40.107.104.103][53371412] rsp: 250 OK <info@ocsplast.it> Recipient ok
[2023.06.16] 10:26:03.894 [40.107.104.103][53371412] cmd: DATA
[2023.06.16] 10:26:03.894 [40.107.104.103][53371412] Performing PTR host name lookup for 40.107.104.103
[2023.06.16] 10:26:03.909 [40.107.104.103][53371412] PTR host name for 40.107.104.103 resolved as mail-dbaeur03on2103.outbound.protection.outlook.com
[2023.06.16] 10:26:03.909 [40.107.104.103][53371412] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2023.06.16] 10:26:03.956 [40.107.104.103][53371412] senderEmail(2): asley.facchin@se.com parsed using: Asley Facchin <asley.facchin@se.com>
[2023.06.16] 10:26:04.628 [40.107.104.103][53371412] Sender accepted. Weight: 3. Block threshold: 45. Failed checks: _SPF (3,PermError)
[2023.06.16] 10:26:04.784 [40.107.104.103][53371412] DMARC Results: Failed (Domain: se.com, Reason: SPF: False, DKIM: True, Alignments: 0, Domain: se.com, Action: reject, Reason: SPF: False, DKIM: True, Alignments: 0, Domain: se.com, Reject? True
[2023.06.16] 10:26:04.784 [40.107.104.103][53371412] rsp: 550 Message rejected due to senders DMARC policy
[2023.06.16] 10:26:04.784 [40.107.104.103][53371412] A trace of the DMARC processing follows.
[2023.06.16] 10:26:04.784 [40.107.104.103][53371412] Beginning DMARC check for asley.facchin@se.com from IP 40.107.104.103...
[2023.06.16] 10:26:04.784 [40.107.104.103][53371412] The from field for the message is "Asley Facchin <asley.facchin@se.com>".  Will look for DMARC policy record at _dmarc.se.com
[2023.06.16] 10:26:04.784 [40.107.104.103][53371412] Retrieved the following DMARC policy record for "se.com": v=DMARC1; p=reject; rua=mailto:dmarc_agg@vali.email,mailto:46200f780373292@rep.dmarcanalyzer.com,mailto:dmarc_rua@emaildefense.proofpoint.com
[2023.06.16] 10:26:04.784 [40.107.104.103][53371412] Signature to verify:
[2023.06.16] 10:26:04.784 [40.107.104.103][53371412] DMARC: SPF failure.
[2023.06.16] 10:26:04.784 [40.107.104.103][53371412] DMARC policy violated due to DKIM domain ("se.com") not belonging to the same parent domain as the from address field domain ("se.com").
[2023.06.16] 10:26:04.784 [40.107.104.103][53371412] DMARC DKIM domains; se.com SPF domain se.com dmarc domain se.com dkim succeeded True spf succeeded False
[2023.06.16] 10:26:04.800 [40.107.104.103][53371412] Received message size: 41687 bytes
[2023.06.16] 10:26:04.800 [40.107.104.103][53371412] Successfully wrote to the HDR file. (s:\SmarterMail\Spool\SubSpool0\101754258.hdr)
[2023.06.16] 10:26:04.800 [40.107.104.103][53371412] Data transfer succeeded but message rejected by DMARC
[2023.06.16] 10:26:04.847 [40.107.104.103][53371412] cmd: QUIT
[2023.06.16] 10:26:04.847 [40.107.104.103][53371412] rsp: 221 Service closing transmission channel
[2023.06.16] 10:26:04.847 [40.107.104.103][53371412] disconnected at 16/06/2023 10:26:04



Too bad the SPF test is actually fake!


You can try it here (in the ADVANCED section) and you will see that actually the SPF test should be PASSED: https://vamsoft.com/support/tools/spf-policy-tester



RESULT:

Test Log

  • PARAMETERS
  • DNS server: 8.8.8.8 (Google Public DNS)
  • Evaluation time limit: 20 seconds (default, see RFC7208 Section 4.6.4)
  • Maximum number of void DNS lookups: 2 (default, see RFC7208 Section 4.6.4)
  • Standards compliance: RFC7208 (April 2014)

  • +0 ms SPF check starting.
  • IP: 40.107.104.103
  • Sender: asley.facchin@se.com
  • Domain: se.com
  • EHLO/HELO domain: EUR03-DBA-obe.outbound.protection.outlook.com
  • +0 ms TXT record found.
  • Line #1: "v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
  • +0 ms Starting SPF policy evaluation.
  • Policy: "v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
  • +0 ms The policy passed syntax validation.
  • +0 ms Evaluating SPF mechanisms.
    • +0 ms Evaluating mechanism "include".
    • Qualifier: "pass"
    • Domain argument: "%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email"
    • DNS limits status: DNS terms 0 of 10 allowed. Void lookups 0 of 2 allowed. See RFC7208 Section 4.6.4.
      • +0 ms Domain argument after macro expansion: "40.107.104.103._ip.EUR03-DBA-obe.outbound.protection.outlook.com._ehlo.se.com._spf.vali.email".
    • +0 ms Entering recursive evaluation.
    • +0 ms SPF check starting.
    • IP: 40.107.104.103
    • Sender: asley.facchin@se.com
    • Domain: 40.107.104.103._ip.EUR03-DBA-obe.outbound.protection.outlook.com._ehlo.se.com._spf.vali.email
    • EHLO/HELO domain: EUR03-DBA-obe.outbound.protection.outlook.com
    • +0 ms Retrieving DNS TXT record for "40.107.104.103._ip.EUR03-DBA-obe.outbound.protection.outlook.com._ehlo.se.com._spf.vali.email".
    • +29 ms TXT record found.
    • Line #1: "v=spf1 include:spf.protection.outlook.com -all"
    • +0 ms Starting SPF policy evaluation.
    • Policy: "v=spf1 include:spf.protection.outlook.com -all"
    • +0 ms The policy passed syntax validation.
    • +0 ms Evaluating SPF mechanisms.
      • +0 ms Evaluating mechanism "include".
      • Qualifier: "pass"
      • Domain argument: "spf.protection.outlook.com"
      • DNS limits status: DNS terms 1 of 10 allowed. Void lookups 0 of 2 allowed. See RFC7208 Section 4.6.4.
        • +0 ms Domain argument after macro expansion: "spf.protection.outlook.com".
      • +0 ms Entering recursive evaluation.
      • +0 ms SPF check starting.
      • IP: 40.107.104.103
      • Sender: asley.facchin@se.com
      • Domain: spf.protection.outlook.com
      • EHLO/HELO domain: EUR03-DBA-obe.outbound.protection.outlook.com
      • +0 ms Retrieving DNS TXT record for "spf.protection.outlook.com".
      • +8 ms TXT record found.
      • Line #1: "v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/49 ip6:2a01:111:f403:8000::/50 ip6:2a01:111:f403:c000::/51 ip6:2a01:111:f403:f000::/52 -all"
      • +0 ms Starting SPF policy evaluation.
      • Policy: "v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/49 ip6:2a01:111:f403:8000::/50 ip6:2a01:111:f403:c000::/51 ip6:2a01:111:f403:f000::/52 -all"
      • +0 ms The policy passed syntax validation.
      • +1 ms Evaluating SPF mechanisms.
        • +0 ms Evaluating mechanism "ip4".
        • Qualifier: "pass"
        • Network argument: "40.92.0.0"
        • CIDR length (IPv4) argument: 15
          • +0 ms The mechanism did not match.
        • +0 ms Evaluating mechanism "ip4".
        • Qualifier: "pass"
        • Network argument: "40.107.0.0"
        • CIDR length (IPv4) argument: 16
          • +0 ms The mechanism matched with the "pass" qualifier.
      • +0 ms Finished evaluating SPF mechanisms.
      • +0 ms Finished SPF policy evaluation.
      • DNS limits status: DNS terms 2 of 10 allowed. Void lookups 0 of 2 allowed. See RFC7208 Section 4.6.4.
      • +0 ms Policy evaluation finished with SPF "pass".
      • +0 ms Returned from recursive evaluation.
        • +0 ms The mechanism matched with the "pass" qualifier.
    • +0 ms Finished evaluating SPF mechanisms.
    • +0 ms Finished SPF policy evaluation.
    • DNS limits status: DNS terms 2 of 10 allowed. Void lookups 0 of 2 allowed. See RFC7208 Section 4.6.4.
    • +0 ms Policy evaluation finished with SPF "pass".
    • +0 ms Returned from recursive evaluation.
      • +0 ms The mechanism matched with the "pass" qualifier.
  • +0 ms Finished evaluating SPF mechanisms.
  • +0 ms Finished SPF policy evaluation.
  • DNS limits status: DNS terms 2 of 10 allowed. Void lookups 0 of 2 allowed. See RFC7208 Section 4.6.4.
  • +0 ms Policy evaluation finished with SPF "pass".

  • TEST SUMMARY
  • The evaluation completed in 38 ms, with 0 error and 0 warning.
  • Result: SPF pass
  • The policy designates the argument IP as permitted sender.



So the mail should actually be accepted!!!!!


This is a serious problem...


Gabriele Maoret - Head of SysAdmins at SERSIS
Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)

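The step SmarterMail appears to get wrong is the RFC 7208 section 7 macro expansion of the include: target. The following is an added example (not SmarterMail code and not the poster's) that implements that expansion for the common macro letters, including the reverse and digit transformers and the IPv6 nibble form of %{i}, and reproduces the expanded name the vamsoft trace shows for the se.com record; the sender, IP and HELO values are the ones from the log above.

```python
import ipaddress
import re

# One regex for every "%" construct of RFC 7208 section 7.2:
# %{letter digits? r? delimiters?} plus the literals %% %_ %-
MACRO_RE = re.compile(r"%(?:\{([slodihv])(\d*)(r?)([.\-+,/_=]*)\}|(%)|(_)|(-))")


def _ip_macro(ip: str) -> str:
    """%{i}: dotted quad for IPv4, dot-separated nibbles for IPv6 (section 7.3)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr)
    return ".".join(addr.exploded.replace(":", ""))


def expand_spf_macros(spec: str, sender: str, ip: str, helo: str, domain: str = None) -> str:
    """Expand a macro-string as an SPF verifier must before the DNS lookup."""
    local, _, sender_domain = sender.rpartition("@")
    addr = ipaddress.ip_address(ip)
    values = {
        "s": sender,                     # full MAIL FROM
        "l": local,                      # local-part of MAIL FROM
        "o": sender_domain,              # domain of MAIL FROM
        "d": domain or sender_domain,    # current <domain> being evaluated
        "i": _ip_macro(ip),              # connecting client IP
        "h": helo,                       # HELO/EHLO hostname
        "v": "in-addr" if addr.version == 4 else "ip6",
    }

    def repl(m: re.Match) -> str:
        letter, digits, rev, delims, pct, under, dash = m.groups()
        if pct:
            return "%"
        if under:
            return " "
        if dash:
            return "%20"
        # Split on the given delimiters (default "."), optionally reverse,
        # optionally keep only the right-most N labels, then rejoin with ".".
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if rev:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        return ".".join(parts)

    out = MACRO_RE.sub(repl, spec)
    # Section 7.3: names over 253 characters lose labels from the left.
    while len(out) > 253 and "." in out:
        out = out.split(".", 1)[1]
    return out
```

Uppercase macro letters (URL-encoded output) and the %{p}, %{c}, %{r} and %{t} macros are left out, so a record using them would need the regex extended.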
3 Replies

0
Zach Sylvester Replied
Employee Post
Hey Gabriel,

Thanks for reaching out regarding this issue. Do you know if it's a specific macro that causes this issue, or if it's just the amount? I did a test using %I and %h and that passed with flying colors.

Looking forward to hearing from you. 

Thanks,
Zach Sylvester
System/Network Administrator
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Gabriele Maoret - SERSIS Replied
Hi Zach.

This is the SPF record:
v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all

This is the source server IP:
40.107.104.103

This is the FROM_ADDRESS:

This is the source server HELO/EHLO:

In my previous message you can see the detailed SMTP LOG of SmarterMail that fails to manage this data and then the complete log of a system that does the correct parsing with these same data.

Please re-read carefully everything I have reported...

Do you need more details?
Gabriele Maoret - Head of SysAdmins at SERSIS
Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
Douglas Foster Replied
Salesforce.com uses macros and uses many subdomains for the SMTP Mail From address.
