[exim] Weird SPF rejection - what can be the cause of it? (bu…

Author: Sebastian Nielsen
Date:  
To: exim-users
New-Topics: Re: [exim] Weird SPF rejection - what can be the cause of it? (built-in SPF handler in exim)
Subject: [exim] Weird SPF rejection - what can be the cause of it? (built-in SPF handler in exim)
I got the following weird SPF rejection in my logs (I'm using the built-in
SPF handler in exim):

2020-05-07 11:14:35 H=mxcluster2.lansforsakringar.se [194.16.160.133]
X=TLS1.2:ECDHE_SECP521R1__RSA_SHA512__AES_256_GCM:256 CV=no rejected MAIL
<noreply@???>: SPF check failed: sebbe.eu: domain of
lansforsakringar.se does not designate 194.16.160.133 as permitted sender


At first I thought it was lansforsakringar.se not having all their servers in SPF,
but digging deeper:

root@sebastian-desktop:/var/log/exim# dig TXT lansforsakringar.se

; <<>> DiG 9.16.1-Ubuntu <<>> TXT lansforsakringar.se
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1663
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;lansforsakringar.se.           IN      TXT


;; ANSWER SECTION:
lansforsakringar.se.    3296    IN      TXT     "JH4-GH3-AL4"
lansforsakringar.se.    3296    IN      TXT     "MS=B6AE9E26F69ADFDEFC61FEE14B7F3C9166F854FD"
lansforsakringar.se.    3296    IN      TXT     "citrix.mobile.ads.otp=kgghvt530f3b38s2x1kv"
lansforsakringar.se.    3296    IN      TXT     "MS=30F3DF063E79A0780EE3E42D22207B48CADDC091"
lansforsakringar.se.    3296    IN      TXT     "adobe-idp-site-verification=3da6237fa3e712d20f7c42a63ff3e68e02bd06e72c8aca46f22d7279b9227474"
lansforsakringar.se.    3296    IN      TXT     "MS=ms98894870"
lansforsakringar.se.    3296    IN      TXT     "v=spf1 mx -all"


;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: fre maj 08 00:29:50 CEST 2020
;; MSG SIZE rcvd: 397

root@sebastian-desktop:/var/log/exim#


According to their SPF, MX servers should be accepted.

Okay, let's check MX:

root@sebastian-desktop:/var/log/exim# dig MX lansforsakringar.se

; <<>> DiG 9.16.1-Ubuntu <<>> MX lansforsakringar.se
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11521
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;lansforsakringar.se.           IN      MX


;; ANSWER SECTION:
lansforsakringar.se.    3277    IN      MX      20 mxcluster2.lansforsakringar.se.
lansforsakringar.se.    3277    IN      MX      10 mxcluster3.lansforsakringar.se.
lansforsakringar.se.    3277    IN      MX      10 mxcluster1.lansforsakringar.se.
lansforsakringar.se.    3277    IN      MX      20 mxcluster4.lansforsakringar.se.


;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: fre maj 08 00:30:19 CEST 2020
;; MSG SIZE rcvd: 156

root@sebastian-desktop:/var/log/exim#

root@sebastian-desktop:/var/log/exim# dig A mxcluster2.lansforsakringar.se

; <<>> DiG 9.16.1-Ubuntu <<>> A mxcluster2.lansforsakringar.se
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8914
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mxcluster2.lansforsakringar.se.        IN      A


;; ANSWER SECTION:
mxcluster2.lansforsakringar.se. 3237 IN A       194.16.160.133


;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: fre maj 08 00:30:59 CEST 2020
;; MSG SIZE rcvd: 75

root@sebastian-desktop:/var/log/exim#


So what's the problem? Why is the mail rejected? Clearly 194.16.160.133 is
listed as an authorized server.
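
The manual check carried out in the message above (TXT, then MX, then A), as an added example that is not part of the original post and is not exim's own SPF code. It evaluates the `mx`, `a`, `ip4` and `all` mechanisms over a constructed record table copied from the dig answers; `ZONE`, `lookup`, `spf_record` and `check_host` are names chosen here, and no live DNS is queried.

```python
import ipaddress

# Constructed record table copied from the dig answers in the post.
# Only mxcluster2 has an A record here because it is the only one the post shows.
ZONE = {
    ("lansforsakringar.se", "TXT"): ["MS=ms98894870", "v=spf1 mx -all"],
    ("lansforsakringar.se", "MX"): [
        "mxcluster2.lansforsakringar.se.", "mxcluster3.lansforsakringar.se.",
        "mxcluster1.lansforsakringar.se.", "mxcluster4.lansforsakringar.se.",
    ],
    ("mxcluster2.lansforsakringar.se", "A"): ["194.16.160.133"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    """Return the record values for name/rtype from the table (empty if absent)."""
    return ZONE.get((name.rstrip(".").lower(), rtype), [])

def spf_record(domain):
    """Pick the single v=spf1 TXT record among all TXT records of the domain."""
    recs = [t for t in lookup(domain, "TXT")
            if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if len(recs) > 1:
        raise ValueError("permerror: more than one SPF record")
    return recs[0] if recs else None

def check_host(client_ip, domain):
    """Evaluate the SPF record left to right; the first matching mechanism decides.
    Simplified: CIDR suffixes on a/mx, include, redirect, macros and DNS lookup
    limits are not modelled; terms this sketch does not know are skipped."""
    ip = ipaddress.ip_address(client_ip)
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        elif name == "mx":
            # mx: the client IP must be an address of one of the domain's MX hosts
            matched = any(str(ip) in lookup(h, "A") for h in lookup(arg or domain, "MX"))
        else:
            continue
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there was no "all"
```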