[exim] SPF fail on 4.93 but works on 4.92.3

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Chris Gerhard
Date:  
À: exim-users
Sujet: [exim] SPF fail on 4.93 but works on 4.92.3
Hi,

I have an ACL to reject any email when it fails an SPF test and on
4.92.3 it works just fine. However on 4.93 it will reject email from
linode.com

./build-Linux-x86_64/exim -bh 173.255.198.11 < /tmp/yy

**** SMTP testing session as if from host 173.255.198.11
**** but without any ident (RFC 1413) callback.
**** This is not for real!

>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? yes (matched "*")
>>> looking up host name for 173.255.198.11
>>> IP address lookup yielded "outbound-mail2.linode.com"
>>> checking addresses for outbound-mail2.linode.com
>>>   2600:3c00::f03c:91ff:fedf:57ab
>>>   173.255.198.11 OK
>>> host in host_reject_connection? no (option unset)
>>> host in sender_unqualified_hosts? no (option unset)
>>> host in recipient_unqualified_hosts? no (option unset)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)

220 mx2.thegerhards.com ESMTP Exim 4.93 Sat, 04 Jan 2020 19:15:02 +0000
250 mx2.thegerhards.com Hello outbound-mail2.linode.com [173.255.198.11]
>>> using ACL "acl_check_mail"
>>> processing "accept" (/etc/exim4/configure 324)
>>> check hosts = :
>>> host in ":"? no (end of list)
>>> accept: condition test failed in ACL "acl_check_mail"
>>> processing "accept" (/etc/exim4/configure 326)
>>> check hosts = +relay_from_hosts
>>> gethostbyname2 looked up these IP addresses:
>>>   name=thegerhards.com address=86.30.255.25
>>> gethostbyname2 looked up these IP addresses:
>>>   name=homebike.publicvm.com address=86.30.255.25
>>> host in "*.thegerhards.com : thegerhards.com :

homebike.publicvm.com"? no (end of list)
>>> host in "+relay_from_hosts"? no (end of list)
>>> accept: condition test failed in ACL "acl_check_mail"
>>> processing "drop" (/etc/exim4/configure 329)
>>> check sender_domains = +local_domains
>>> linode.com in "@ : localhost : localhost.localdomain :

thegerhards.com"? no (end of list)
>>> linode.com in "+local_domains"? no (end of list)
>>> drop: condition test failed in ACL "acl_check_mail"
>>> processing "drop" (/etc/exim4/configure 333)
>>> check senders = +BlackList
>>> bounces@??? in "/etc/exim4/blacklist"? no (end of list)
>>> bounces@??? in "+BlackList"? no (end of list)
>>> drop: condition test failed in ACL "acl_check_mail"
>>> processing "accept" (/etc/exim4/configure 336)
>>> accept: condition test succeeded in ACL "acl_check_mail"
>>> end of ACL "acl_check_mail": ACCEPT

250 OK
>>> using ACL "acl_check_rcpt"
>>> processing "accept" (/etc/exim4/configure 346)
>>> check hosts = :
>>> host in ":"? no (end of list)
>>> accept: condition test failed in ACL "acl_check_rcpt"
>>> processing "deny" (/etc/exim4/configure 374)
>>>   message: Restricted characters in address
>>> check domains = +local_domains
>>> thegerhards.com in "@ : localhost : localhost.localdomain :

thegerhards.com"? yes (matched "thegerhards.com")
>>> thegerhards.com in "+local_domains"? yes (matched "+local_domains")
>>> check local_parts = ^[.] : ^.*[@%!/|]
>>> chris in "^[.] : ^.*[@%!/|]"? no (end of list)
>>> deny: condition test failed in ACL "acl_check_rcpt"
>>> processing "deny" (/etc/exim4/configure 389)
>>>   message: Restricted characters in address
>>> check domains = !+local_domains
>>> thegerhards.com in "!+local_domains"? no (matched "!+local_domains"

- cached)
>>> deny: condition test failed in ACL "acl_check_rcpt"
>>> processing "accept" (/etc/exim4/configure 397)
>>> check local_parts = postmaster
>>> chris in "postmaster"? no (end of list)
>>> accept: condition test failed in ACL "acl_check_rcpt"
>>> processing "require" (/etc/exim4/configure 403)
>>> check verify = sender
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing bounces@???
>>> linode.com in "thegerhards.eu:thegerhards.com:*.thegerhards.com"?

no (end of list)
>>> linode.com in "+relay_to_domains"? no (end of list)
>>> linode.com in "@ : localhost : localhost.localdomain :

thegerhards.com"? no (end of list)
>>> linode.com in "! +local_domains"? yes (end of list)
>>> calling dnslookup router
>>> linode.com in "*"? yes (matched "*")
>>> 2600:3c01::f03c:91ff:feb6:a6cf in "0.0.0.0 : 127.0.0.0/8"? no (end

of list)
>>> 74.207.247.55 in "0.0.0.0 : 127.0.0.0/8"? no (end of list)
>>> 2600:3c03::f03c:91ff:fedf:5790 in "0.0.0.0 : 127.0.0.0/8"? no (end

of list)
>>> 96.126.108.55 in "0.0.0.0 : 127.0.0.0/8"? no (end of list)
>>> routed by dnslookup router
>>> ----------- end verify ------------
>>> require: condition test succeeded in ACL "acl_check_rcpt"
>>> processing "defer" (/etc/exim4/configure 427)
>>> check hosts = +relay_from_hosts
>>> host in "+relay_from_hosts"? no (end of list)
>>> defer: condition test failed in ACL "acl_check_rcpt"
>>> processing "accept" (/etc/exim4/configure 433)
>>> check hosts = +relay_from_hosts
>>> host in "+relay_from_hosts"? no (end of list)
>>> accept: condition test failed in ACL "acl_check_rcpt"
>>> processing "accept" (/etc/exim4/configure 441)
>>> check authenticated = *
>>> accept: condition test failed in ACL "acl_check_rcpt"
>>> processing "require" (/etc/exim4/configure 448)
>>>   message: relay not permitted
>>> check domains = +local_domains : +relay_to_domains
>>> thegerhards.com in "+local_domains : +relay_to_domains"? yes

(matched "+local_domains" - cached)
>>> require: condition test succeeded in ACL "acl_check_rcpt"
>>> processing "require" (/etc/exim4/configure 457)
>>> check verify = recipient
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing chris@???
>>> thegerhards.com in

"thegerhards.eu:thegerhards.com:*.thegerhards.com"? yes (matched
"thegerhards.com")
>>> thegerhards.com in "+relay_to_domains"? yes (matched

"+relay_to_domains")
>>> calling relay router
>>> thegerhards.com in "thegerhards.com"? yes (matched "thegerhards.com")
>>> thegerhards.com in "*"? yes (matched "*")
>>> routed by relay router
>>> ----------- end verify ------------
>>> require: condition test succeeded in ACL "acl_check_rcpt"
>>> processing "deny" (/etc/exim4/configure 484)
>>> check spf = fail
>>>   message: $spf_smtp_comment contact postmaster@$domain if this is

not correct
>>> l_message: SPF fail $spf_smtp_comment
>>> deny: condition test succeeded in ACL "acl_check_rcpt"
>>> end of ACL "acl_check_rcpt": DENY

550-Please see
http://www.open-spf.org/Why?id=bounces%40linode.com&ip=173.255.198.11&receiver=mx2.thegerhards.com
550-: Reason: mechanism contact postmaster@??? if this is not
550 correct
LOG: H=outbound-mail2.linode.com (outbound.mail2.linode.com)
[173.255.198.11] F=<bounces@???> rejected RCPT
chris@???: SPF fail Please see
http://www.open-spf.org/Why?id=bounces%40linode.com&ip=173.255.198.11&receiver=mx2.thegerhards.com
: Reason: mechanism
421 mx2.thegerhards.com lost input connection
LOG: unexpected disconnection while reading SMTP command from
outbound-mail2.linode.com (outbound.mail2.linode.com) [173.255.198.11] D=3s
cjg@mx2:~/exim_build/exim-4.93$

Same thing with 4.92.3:

exim -bh 173.255.198.11 < /tmp/yy

**** SMTP testing session as if from host 173.255.198.11
**** but without any ident (RFC 1413) callback.
**** This is not for real!

>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? yes (matched "*")
>>> looking up host name for 173.255.198.11
>>> IP address lookup yielded "outbound-mail2.linode.com"
>>> checking addresses for outbound-mail2.linode.com
>>>   2600:3c00::f03c:91ff:fedf:57ab
>>>   173.255.198.11 OK
>>> host in host_reject_connection? no (option unset)
>>> host in sender_unqualified_hosts? no (option unset)
>>> host in recipient_unqualified_hosts? no (option unset)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)

220 mx2.thegerhards.com ESMTP Exim 4.92.3 Sat, 04 Jan 2020 19:19:51 +0000
250 mx2.thegerhards.com Hello outbound-mail2.linode.com [173.255.198.11]
>>> using ACL "acl_check_mail"
>>> processing "accept"
>>> check hosts = :
>>> host in ":"? no (end of list)
>>> accept: condition test failed in ACL "acl_check_mail"
>>> processing "accept"
>>> check hosts = +relay_from_hosts
>>> gethostbyname2 looked up these IP addresses:
>>>   name=thegerhards.com address=86.30.255.25
>>> gethostbyname2 looked up these IP addresses:
>>>   name=homebike.publicvm.com address=86.30.255.25
>>> host in "*.thegerhards.com : thegerhards.com :

homebike.publicvm.com"? no (end of list)
>>> host in "+relay_from_hosts"? no (end of list)
>>> accept: condition test failed in ACL "acl_check_mail"
>>> processing "drop"
>>> check sender_domains = +local_domains
>>> linode.com in "@ : localhost : localhost.localdomain :

thegerhards.com"? no (end of list)
>>> linode.com in "+local_domains"? no (end of list)
>>> drop: condition test failed in ACL "acl_check_mail"
>>> processing "drop"
>>> check senders = +BlackList
>>> bounces@??? in "/etc/exim4/blacklist"? no (end of list)
>>> bounces@??? in "+BlackList"? no (end of list)
>>> drop: condition test failed in ACL "acl_check_mail"
>>> processing "accept"
>>> accept: condition test succeeded in ACL "acl_check_mail"
>>> end of ACL "acl_check_mail": ACCEPT

250 OK
>>> using ACL "acl_check_rcpt"
>>> processing "accept"
>>> check hosts = :
>>> host in ":"? no (end of list)
>>> accept: condition test failed in ACL "acl_check_rcpt"
>>> processing "deny"
>>>   message: Restricted characters in address
>>> check domains = +local_domains
>>> thegerhards.com in "@ : localhost : localhost.localdomain :

thegerhards.com"? yes (matched "thegerhards.com")
>>> thegerhards.com in "+local_domains"? yes (matched "+local_domains")
>>> check local_parts = ^[.] : ^.*[@%!/|]
>>> chris in "^[.] : ^.*[@%!/|]"? no (end of list)
>>> deny: condition test failed in ACL "acl_check_rcpt"
>>> processing "deny"
>>>   message: Restricted characters in address
>>> check domains = !+local_domains
>>> thegerhards.com in "!+local_domains"? no (matched "!+local_domains"

- cached)
>>> deny: condition test failed in ACL "acl_check_rcpt"
>>> processing "accept"
>>> check local_parts = postmaster
>>> chris in "postmaster"? no (end of list)
>>> accept: condition test failed in ACL "acl_check_rcpt"
>>> processing "require"
>>> check verify = sender
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing bounces@???
>>> linode.com in "thegerhards.eu:thegerhards.com:*.thegerhards.com"?

no (end of list)
>>> linode.com in "+relay_to_domains"? no (end of list)
>>> linode.com in "@ : localhost : localhost.localdomain :

thegerhards.com"? no (end of list)
>>> linode.com in "! +local_domains"? yes (end of list)
>>> calling dnslookup router
>>> 2600:3c03::f03c:91ff:fedf:5790 in "0.0.0.0 : 127.0.0.0/8"? no (end

of list)
>>> 96.126.108.55 in "0.0.0.0 : 127.0.0.0/8"? no (end of list)
>>> 2600:3c01::f03c:91ff:feb6:a6cf in "0.0.0.0 : 127.0.0.0/8"? no (end

of list)
>>> 74.207.247.55 in "0.0.0.0 : 127.0.0.0/8"? no (end of list)
>>> routed by dnslookup router
>>> ----------- end verify ------------
>>> require: condition test succeeded in ACL "acl_check_rcpt"
>>> processing "defer"
>>> check hosts = +relay_from_hosts
>>> host in "+relay_from_hosts"? no (end of list)
>>> defer: condition test failed in ACL "acl_check_rcpt"
>>> processing "accept"
>>> check hosts = +relay_from_hosts
>>> host in "+relay_from_hosts"? no (end of list)
>>> accept: condition test failed in ACL "acl_check_rcpt"
>>> processing "accept"
>>> check authenticated = *
>>> accept: condition test failed in ACL "acl_check_rcpt"
>>> processing "require"
>>>   message: relay not permitted
>>> check domains = +local_domains : +relay_to_domains
>>> thegerhards.com in "+local_domains : +relay_to_domains"? yes

(matched "+local_domains" - cached)
>>> require: condition test succeeded in ACL "acl_check_rcpt"
>>> processing "require"
>>> check verify = recipient
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing chris@???
>>> thegerhards.com in

"thegerhards.eu:thegerhards.com:*.thegerhards.com"? yes (matched
"thegerhards.com")
>>> thegerhards.com in "+relay_to_domains"? yes (matched

"+relay_to_domains")
>>> calling relay router
>>> thegerhards.com in "thegerhards.com"? yes (matched "thegerhards.com")
>>> routed by relay router
>>> ----------- end verify ------------
>>> require: condition test succeeded in ACL "acl_check_rcpt"
>>> processing "deny"
>>> check spf = fail
>>> deny: condition test failed in ACL "acl_check_rcpt"
>>> processing "deny"
>>> check spf = permerror
>>> deny: condition test failed in ACL "acl_check_rcpt"
>>> processing "defer"
>>> check spf = temperror
>>> defer: condition test failed in ACL "acl_check_rcpt"
>>> processing "warn"
>>> check spf = !pass
>>> warn: condition test failed in ACL "acl_check_rcpt"
>>> processing "warn"
>>> check spf = pass
>>> l_message: SPF pass
>>> check add_header = X-SPF-Status: $spf_received
>>>                  = X-SPF-Status: Received-SPF: pass

(mx2.thegerhards.com: domain of linode.com designates 173.255.198.11 as
permitted sender) client-ip=173.255.198.11;
envelope-from=bounces@???; helo=outbound.mail2.linode.com;
>>> check add_header = :at_start:$spf_received
>>>                  = :at_start:Received-SPF: pass

(mx2.thegerhards.com: domain of linode.com designates 173.255.198.11 as
permitted sender) client-ip=173.255.198.11;
envelope-from=bounces@???; helo=outbound.mail2.linode.com;
>>> warn: condition test succeeded in ACL "acl_check_rcpt"

LOG: H=outbound-mail2.linode.com (outbound.mail2.linode.com)
[173.255.198.11] Warning: SPF pass
>>> processing "accept"
>>> accept: condition test succeeded in ACL "acl_check_rcpt"
>>> end of ACL "acl_check_rcpt": ACCEPT

250 Accepted
421 mx2.thegerhards.com lost input connection
LOG: unexpected disconnection while reading SMTP command from
outbound-mail2.linode.com (outbound.mail2.linode.com) [173.255.198.11] D=0s


Any ideas?

--

Chris