https://bugs.exim.org/show_bug.cgi?id=2549
Bug ID: 2549
Summary: SPF Fails on MX mechanism
Product: Exim
Version: 4.93
Hardware: x86-64
OS: All
Status: NEW
Severity: bug
Priority: medium
Component: ACLs
Assignee: jgh146exb@???
Reporter: mike@???
CC: exim-dev@???
Hello,
It looks like the changes in 4.93 to move the DNS lookups into exim, from the
SPF library, broke (at the very least) the MX mechanism.
I noticed that after upgrading, mail from several hosts was being rejected due
to SPF fail conditions. After investigating, I noticed that all the hosts that
were failing were ones referenced in their SPF entries via the MX mechanism.
I created a simple warn condition in my MAIL ACL:
warn log_message = ---> SPF CHECK RESULTS: $spf_result - $spf_received
     spf = fail : temperror : pass : none : neutral : permerror : softfail : permerror
I confirmed the issue, by setting up a new domain (testdomain.com), with a
single MX record, and a simple SPF entry:
v=spf1 mx -all
and then delivered a message from the MX server, with exim in debug mode:
18265 processing "warn" (/etc/exim/configure 458)
18265 l_message: ---> SPF CHECK RESULTS: $spf_result - $spf_received
18265 check spf = fail : temperror : pass : none : neutral : permerror : softfail : permerror
18265 spf_process
spf_dns.c:54 Debug: DNS[cache] lookup: testdomain.com SPF (99)
spf_dns.c:54 Debug: DNS[exim] lookup: testdomain.com SPF (99)
18265 SPF_dns_exim_lookup
18265 DNS lookup of testdomain.com (SPF) gave NO_DATA
18265 returning DNS_NODATA
18265 faking res_search(SPF) response length as 65535
18265 writing neg-cache entry for testdomain.com-SPF-80041, ttl 3600
spf_dns.c:66 Debug: DNS[exim] found record
spf_dns.c:69 Debug: DOMAIN: (null) TYPE: ANY (255)
spf_dns.c:76 Debug: TTL: 86400 RR found: 0 herrno: 1 source: exim
spf_dns.c:66 Debug: DNS[cache] found record
spf_dns.c:69 Debug: DOMAIN: (null) TYPE: ANY (255)
spf_dns.c:76 Debug: TTL: 86400 RR found: 0 herrno: 1 source: exim
spf_server.c:356 Debug: get_record(testdomain.com): HOST_NOT_FOUND
spf_dns.c:54 Debug: DNS[cache] lookup: testdomain.com TXT (16)
spf_dns.c:54 Debug: DNS[exim] lookup: testdomain.com TXT (16)
18265 SPF_dns_exim_lookup
18265 DNS lookup of testdomain.com (TXT) succeeded
spf_dns.c:66 Debug: DNS[exim] found record
spf_dns.c:69 Debug: DOMAIN: testdomain.com TYPE: TXT (16)
spf_dns.c:76 Debug: TTL: 120 RR found: 1 herrno: 0 source: exim
spf_dns.c:94 Debug: - TXT: v=spf1 mx -all
spf_dns.c:66 Debug: DNS[cache] found record
spf_dns.c:69 Debug: DOMAIN: testdomain.com TYPE: TXT (16)
spf_dns.c:76 Debug: TTL: 120 RR found: 1 herrno: 0 source: exim
spf_dns.c:94 Debug: - TXT: v=spf1 mx -all
spf_server.c:412 Debug: get_record(testdomain.com): NETDB_SUCCESS
spf_server.c:457 Debug: found SPF record: v=spf1 mx -all
spf_compile.c:1210 Debug: Compiling record v=spf1 mx -all
spf_compile.c:1314 Debug: Name starts at mx -all
spf_compile.c:1408 Debug: Adding mechanism type 2
spf_compile.c:847 Debug: SPF_c_mech_add: type=2, value= -all
spf_compile.c:1314 Debug: Name starts at all
spf_compile.c:1408 Debug: Adding mechanism type 8
spf_compile.c:847 Debug: SPF_c_mech_add: type=8, value=
spf_dns.c:54 Debug: DNS[cache] lookup: testdomain.com MX (15)
spf_dns.c:54 Debug: DNS[exim] lookup: testdomain.com MX (15)
18265 SPF_dns_exim_lookup
18265 DNS lookup of testdomain.com (MX) succeeded
spf_dns.c:66 Debug: DNS[exim] found record
spf_dns.c:69 Debug: DOMAIN: (null) TYPE: ANY (255)
spf_dns.c:76 Debug: TTL: 86400 RR found: 0 herrno: 1 source: exim
spf_dns.c:66 Debug: DNS[cache] found record
spf_dns.c:69 Debug: DOMAIN: (null) TYPE: ANY (255)
spf_dns.c:76 Debug: TTL: 86400 RR found: 0 herrno: 1 source: exim
spf_interpret.c:824 Debug: found 0 MX records for testdomain.com (herrno: 1)
18265 SPF result is fail (3)
18265 warn: condition test succeeded in ACL "acl_check_mail"
18265 LOG: MAIN
18265 H=monitoring.mrhost.ca [3.136.56.244] Warning: ---> SPF CHECK RESULTS: fail - Received-SPF: fail (mx10.mrhost.ca: domain of testdomain.com does not designate 3.136.56.244 as permitted sender) client-ip=3.136.56.244; envelope-from=m$
It looks like it finds the SPF entry in the TXT record and finds the MX
mechanism, then attempts to look up the MX records for testdomain.com, which
looks successful on the exim side, but then spf_dns.c sees an ANY RR rather
than an MX or A.
I confirmed using Mail::SPF that the DNS records are working when checked
directly through the libspf2 library, and rolling back to exim 4.92.2 resolves
the issue as well.
I assume there's an issue in spf.c when passing the data back to libspf2 in the
SPF_dns_exim_lookup() callback, but I haven't had a chance to debug further
yet.
Mike
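A worked example added here (editor's code, not from Mike's report and not Exim's or libspf2's own code): a small Python evaluator for the "v=spf1 mx -all" record over a constructed, in-memory DNS table, so it runs offline. It shows how the mx mechanism is meant to resolve (the domain's MX hosts, then each host's A records, then a comparison with the client IP) and, with a second resolver that answers MX queries with zero records the way the debug trace above does, how that empty answer becomes a plain "fail" under "-all" rather than any error, which is why the affected senders were rejected instead of tempfailed. The domain testdomain.com is taken from the report; the MX host name, the addresses, and both resolver functions are constructed.

```python
"""Minimal SPF evaluator for 'all', 'mx', 'a' and 'ip4' over a constructed DNS table.

Added example; not Exim, libspf2 or Mail::SPF code. Resolver functions stand in
for the DNS callback so the MX mechanism can be traced step by step offline.
"""
from ipaddress import ip_address, ip_network

# Constructed DNS data: placeholder MX host and RFC 5737 documentation addresses.
DNS = {
    ("testdomain.com", "TXT"): ["v=spf1 mx -all"],
    ("testdomain.com", "MX"): [(10, "mail.example.invalid")],
    ("mail.example.invalid", "A"): ["192.0.2.10"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Well-behaved resolver: returns the RRset of the requested type, [] if none."""
    return list(DNS.get((name.lower(), rrtype), []))


def broken_mx_lookup(name, rrtype):
    """Resolver mimicking the report: every MX query comes back with zero records."""
    return [] if rrtype == "MX" else lookup(name, rrtype)


def get_spf_record(domain, resolve):
    """RFC 7208 s4.5: the single TXT record starting with 'v=spf1', or None."""
    records = [r for r in resolve(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return None
    if len(records) > 1:
        raise ValueError("multiple SPF records")  # permerror per RFC 7208
    return records[0]


def mx_matches(domain, client_ip, resolve, mx_limit=10):
    """RFC 7208 s5.4: client_ip must be an A record of one of domain's MX hosts."""
    mxs = resolve(domain, "MX")
    if len(mxs) > mx_limit:
        raise ValueError("too many MX records")  # permerror per RFC 7208
    for _pref, host in mxs:
        if any(ip_address(a) == client_ip for a in resolve(host, "A")):
            return True
    # Zero MX records (the reported symptom) or no A record matched: no match.
    return False


def check_spf(domain, client_ip, resolve=lookup):
    """Evaluate the domain's SPF record for client_ip and return the SPF result."""
    client_ip = ip_address(client_ip)
    try:
        record = get_spf_record(domain, resolve)
        if record is None:
            return "none"
        for term in record.split()[1:]:
            qual = "+"
            if term[0] in QUALIFIERS:
                qual, term = term[0], term[1:]
            name, _, arg = term.lower().partition(":")
            target = arg or domain
            if name == "all":
                matched = True
            elif name == "mx":
                matched = mx_matches(target, client_ip, resolve)
            elif name == "a":
                matched = any(ip_address(a) == client_ip for a in resolve(target, "A"))
            elif name == "ip4":
                matched = client_ip in ip_network(arg, strict=False)
            else:
                raise ValueError("unsupported mechanism %s" % name)
            if matched:
                return QUALIFIERS[qual]
    except ValueError:
        return "permerror"
    return "neutral"  # no mechanism matched and no 'all' term present


if __name__ == "__main__":
    for label, resolver in (("working", lookup), ("empty MX answer", broken_mx_lookup)):
        print("%-16s %s" % (label, check_spf("testdomain.com", "192.0.2.10", resolver)))
```

With the working resolver the MX host's address 192.0.2.10 passes and any other address fails; with the resolver that returns no MX records the same legitimate address also fails, matching the "found 0 MX records" line and the rejection in the trace. A resolver fault like this is indistinguishable from a genuinely unauthorised sender in the SPF result itself, so when an upgrade is followed by a burst of SPF fails from senders that publish mx mechanisms, the DNS path (here the callback from the library back into the MTA) is the first thing to check.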