[exim-dev] [Bug 2549] New: SPF Fails on MX mechanism

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2549] New: SPF Fails on MX mechanism
https://bugs.exim.org/show_bug.cgi?id=2549

            Bug ID: 2549
           Summary: SPF Fails on MX mechanism
           Product: Exim
           Version: 4.93
          Hardware: x86-64
                OS: All
            Status: NEW
          Severity: bug
          Priority: medium
         Component: ACLs
          Assignee: jgh146exb@???
          Reporter: mike@???
                CC: exim-dev@???


Hello,

It looks like the changes in 4.93 to move the DNS lookups into exim, from the
SPF library, broke (at the very least) the MX mechanism.

I noticed that after upgrading, mail from several hosts was being rejected due
to SPF fail conditions. After investigating, I noticed that all the hosts that
were failing were ones referenced in their SPF entries via the MX mechanism.

I created a simple warn condition in my MAIL ACL

    warn    log_message     = ---> SPF CHECK RESULTS: $spf_result - $spf_received
            spf             = fail : temperror : pass : none : neutral : permerror : softfail : permerror


I confirmed the issue by setting up a new domain (testdomain.com), with a
single MX record, and a simple SPF entry:

    v=spf1 mx -all


and then delivered a message from the MX server, with exim in debug mode:

18265 processing "warn" (/etc/exim/configure 458)
18265 l_message: ---> SPF CHECK RESULTS: $spf_result - $spf_received
18265 check spf = fail : temperror : pass : none : neutral : permerror : softfail : permerror
18265 spf_process
spf_dns.c:54         Debug: DNS[cache] lookup: testdomain.com SPF (99)
spf_dns.c:54         Debug: DNS[exim] lookup: testdomain.com SPF (99)
18265 SPF_dns_exim_lookup
18265 DNS lookup of testdomain.com (SPF) gave NO_DATA
18265 returning DNS_NODATA
18265 faking res_search(SPF) response length as 65535
18265  writing neg-cache entry for testdomain.com-SPF-80041, ttl 3600
spf_dns.c:66         Debug: DNS[exim] found record
spf_dns.c:69         Debug:     DOMAIN: (null)  TYPE: ANY (255)
spf_dns.c:76         Debug:     TTL: 86400  RR found: 0  herrno: 1  source: exim
spf_dns.c:66         Debug: DNS[cache] found record
spf_dns.c:69         Debug:     DOMAIN: (null)  TYPE: ANY (255)
spf_dns.c:76         Debug:     TTL: 86400  RR found: 0  herrno: 1  source: exim
spf_server.c:356     Debug: get_record(testdomain.com): HOST_NOT_FOUND
spf_dns.c:54         Debug: DNS[cache] lookup: testdomain.com TXT (16)
spf_dns.c:54         Debug: DNS[exim] lookup: testdomain.com TXT (16)
18265 SPF_dns_exim_lookup
18265 DNS lookup of testdomain.com (TXT) succeeded
spf_dns.c:66         Debug: DNS[exim] found record
spf_dns.c:69         Debug:     DOMAIN: testdomain.com  TYPE: TXT (16)
spf_dns.c:76         Debug:     TTL: 120  RR found: 1  herrno: 0  source: exim
spf_dns.c:94         Debug:     - TXT: v=spf1 mx -all
spf_dns.c:66         Debug: DNS[cache] found record
spf_dns.c:69         Debug:     DOMAIN: testdomain.com  TYPE: TXT (16)
spf_dns.c:76         Debug:     TTL: 120  RR found: 1  herrno: 0  source: exim
spf_dns.c:94         Debug:     - TXT: v=spf1 mx -all
spf_server.c:412     Debug: get_record(testdomain.com): NETDB_SUCCESS
spf_server.c:457     Debug: found SPF record: v=spf1 mx -all
spf_compile.c:1210   Debug: Compiling record v=spf1 mx -all
spf_compile.c:1314   Debug: Name starts at  mx -all
spf_compile.c:1408   Debug: Adding mechanism type 2
spf_compile.c:847    Debug: SPF_c_mech_add: type=2, value= -all
spf_compile.c:1314   Debug: Name starts at  all
spf_compile.c:1408   Debug: Adding mechanism type 8
spf_compile.c:847    Debug: SPF_c_mech_add: type=8, value=
spf_dns.c:54         Debug: DNS[cache] lookup: testdomain.com MX (15)
spf_dns.c:54         Debug: DNS[exim] lookup: testdomain.com MX (15)
18265 SPF_dns_exim_lookup
18265 DNS lookup of testdomain.com (MX) succeeded
spf_dns.c:66         Debug: DNS[exim] found record
spf_dns.c:69         Debug:     DOMAIN: (null)  TYPE: ANY (255)
spf_dns.c:76         Debug:     TTL: 86400  RR found: 0  herrno: 1  source: exim
spf_dns.c:66         Debug: DNS[cache] found record
spf_dns.c:69         Debug:     DOMAIN: (null)  TYPE: ANY (255)
spf_dns.c:76         Debug:     TTL: 86400  RR found: 0  herrno: 1  source: exim
spf_interpret.c:824  Debug: found 0 MX records for testdomain.com  (herrno: 1)
18265 SPF result is fail (3)
18265 warn: condition test succeeded in ACL "acl_check_mail"
18265 LOG: MAIN
18265   H=monitoring.mrhost.ca [3.136.56.244] Warning: ---> SPF CHECK RESULTS: fail - Received-SPF: fail (mx10.mrhost.ca: domain of testdomain.com does not designate 3.136.56.244 as permitted sender) client-ip=3.136.56.244; envelope-from=m$



It looks like it finds the SPF entry in the TXT record, and finds the MX
mechanism, then attempts to look up the MX records for testdomain.com, which
looks successful on the exim side, but then spf_dns.c sees an ANY RR rather than an
MX or A.

I confirmed using Mail::SPF that the DNS records are working when checked
directly through the libspf2 library, and rolling back to exim 4.92.2 resolves
the issue as well.

I assume there's an issue in spf.c when passing the data back to libspf2 in the
SPF_dns_exim_lookup() call-back, but I haven't had a chance to debug further
yet.

Mike

--
You are receiving this mail because:
You are on the CC list for the bug.
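A worked illustration of the lookup chain the trace above shows, added here as an example; it is not Exim or libspf2 code. It evaluates `v=spf1 mx -all` the way the mx mechanism is defined (MX records of the domain, then the A records of each MX host, compared against the client IP) over a constructed in-memory DNS table: one table where the MX answer is present, and one where the MX answer comes back empty, as it does in the 4.93 trace. The domain name, the SPF record and the client IP 3.136.56.244 are taken from the report; the lookup table itself, and the assumption that monitoring.mrhost.ca is testdomain.com's MX host, are constructed for the example. Only the mx and all mechanisms are implemented, and the toy resolver never returns temperror.

```python
"""Toy SPF 'mx' mechanism evaluator over a constructed DNS table.

Added example, not Exim or libspf2 code. Shows why an empty MX answer for a
domain whose record is 'v=spf1 mx -all' ends in 'fail' even though the zone
is correct: the mechanism matches only if some MX host's address equals the
client IP.
"""
import ipaddress

# Constructed DNS data keyed by (owner name, rrtype). A missing or empty
# entry models the "RR found: 0" answer seen in the debug trace.
# Assumption: monitoring.mrhost.ca is the MX host of testdomain.com.
GOOD_DNS = {
    ("testdomain.com", "TXT"): ["v=spf1 mx -all"],
    ("testdomain.com", "MX"): [(10, "monitoring.mrhost.ca")],
    ("monitoring.mrhost.ca", "A"): ["3.136.56.244"],
}

# Same zone, but the MX lookup returns no records, as in the 4.93 trace.
BROKEN_DNS = {
    ("testdomain.com", "TXT"): ["v=spf1 mx -all"],
    ("testdomain.com", "MX"): [],
    ("monitoring.mrhost.ca", "A"): ["3.136.56.244"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(dns, name, rrtype):
    """Resolver stand-in: return the RRset for (name, rrtype) or []."""
    return dns.get((name.lower().rstrip("."), rrtype), [])


def get_spf_record(dns, domain):
    """Return the single v=spf1 TXT record, or None when there is none."""
    spf = [t for t in lookup(dns, domain, "TXT") if t.lower().startswith("v=spf1 ")]
    return spf[0] if len(spf) == 1 else None


def mx_mechanism_matches(dns, domain, client_ip):
    """mx mechanism: MX of domain -> A/AAAA of each MX host -> compare to client."""
    ip = ipaddress.ip_address(client_ip)
    rrtype = "A" if ip.version == 4 else "AAAA"
    # Lowest preference first; RFC 7208 section 4.6.4 caps MX names at 10.
    mx_hosts = [host for _pref, host in sorted(lookup(dns, domain, "MX"))[:10]]
    for host in mx_hosts:
        for addr in lookup(dns, host, rrtype):
            if ipaddress.ip_address(addr) == ip:
                return True
    return False  # no MX host (or no MX records at all) carries this address


def check_host(dns, domain, client_ip):
    """Evaluate the domain's record for client_ip; returns an SPF result string."""
    record = get_spf_record(dns, domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if "/" in term:
            raise NotImplementedError("CIDR suffixes are not handled in this toy")
        if mech == "mx":
            matched = mx_mechanism_matches(dns, arg or domain, client_ip)
        elif mech == "all":
            matched = True
        else:
            raise NotImplementedError(f"mechanism {mech!r} is not handled in this toy")
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record exhausted with no match (RFC 7208 section 4.7)


if __name__ == "__main__":
    for label, table in (("working MX answer", GOOD_DNS), ("empty MX answer", BROKEN_DNS)):
        print(f"{label}: {check_host(table, 'testdomain.com', '3.136.56.244')}")
```

With the working table the sending host matches the mx mechanism and the result is pass; with the empty MX answer nothing matches before `-all`, which is exactly the "found 0 MX records ... SPF result is fail" sequence in the trace.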