Re: [exim] Weird SPF rejection - what can be the cause ofi…

Author: Sebastian Nielsen
Date:
To: exim-users
Old-Topics: Re: [exim] Weird SPF rejection - what can be the cause of it? (built-in SPF handler in exim)
New-Topics: Re: [exim] Weird SPF rejection - what can be the cause of it? (built-in SPF handler in exim)
Subject: Re: [exim] Weird SPF rejection - what can be the cause of it? (built-in SPF handler in exim)
Got fail.
Very weird.
What the cause of it is, I cannot see. Looks like it has some trouble with DNS lookup for some reason?

root@sebastian-desktop:/etc/exim4# exim -d-all+expand+lookup+dns -be '${lookup {noreply@???} spf {194.16.160.133}}'
Exim version 4.93 uid=0 gid=0 pid=3332445 D=10120
Support for: crypteq iconv() IPv6 Perl GnuTLS move_frozen_messages Content_Scanning DANE DKIM DNSSEC Event I18N OCSP SPF DMARC TCP_Fast_Open Experimental_DSN_info
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch passwd
Authenticators: cram_md5 cyrus_sasl dovecot external plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply pipe smtp
Malware: clamd sock cmdline
Fixed never_users: 0
Configure owner: 1001:1001
Size of off_t: 8
Compiler: GCC [9.3.0]
Library version: Glibc: Compile: 2.31
                        Runtime: 2.31
Library version: BDB: Compile: Berkeley DB 5.3.28: (September  9, 2013)
                      Runtime: Berkeley DB 5.3.28: (September  9, 2013)
Library version: GnuTLS: Compile: 3.6.13
                         Runtime: 3.6.13
Library version: IDN2: Compile: 2.2.0
                       Runtime: 2.2.0
Library version: Stringprep: Compile: 1.33
                             Runtime: 1.33
Library version: Cyrus SASL: Compile: 2.1.27
                             Runtime: 2.1.27 [Cyrus SASL]
Library version: PCRE: Compile: 8.39
                       Runtime: 8.39 2016-06-14
Total 12 lookups
WHITELIST_D_MACROS unset
TRUSTED_CONFIG_LIST unset
adding PATH=/bin:/usr/bin
configuration file is /etc/exim4/exim4.conf
log selectors = 0000cffc 19005022 00000007
trusted user
admin user
dropping to exim gid; retaining priv uid
 ╭considering: ${lookup {noreply@???} spf {194.16.160.133}}
  ╭considering: noreply@???} spf {194.16.160.133}}
  ├──expanding: noreply@???
  ╰─────result: noreply@???
  ╭considering: 194.16.160.133}}
  ├──expanding: 194.16.160.133
  ╰─────result: 194.16.160.133
 search_open: spf "194.16.160.133"
spf_compile.c:523    Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}
spf_compile.c:1210   Debug: Compiling record v=spf1
 search_find: file="194.16.160.133"
   key="noreply@???" partial=-1 affix=NULL starflags=0
 LRU list:
 internal_search_find: file="194.16.160.133"
   type=spf key="noreply@???"
 file lookup required for noreply@???
   in 194.16.160.133
spf_dns.c:52         Debug: DNS[cache] lookup: lansforsakringar.se TXT (16)
spf_dns.c:52         Debug: DNS[exim] lookup: lansforsakringar.se TXT (16)
DNS lookup of lansforsakringar.se (TXT) succeeded
spf_dns.c:66         Debug: DNS[exim] found record
spf_dns.c:67         Debug:     DOMAIN: lansforsakringar.se  TYPE: TXT (16)
spf_dns.c:70         Debug:     TTL: 496  RR found: 1  herrno: 0  source: exim
spf_dns.c:94         Debug:     - TXT: v=spf1 mx -all
spf_dns.c:66         Debug: DNS[cache] found record
spf_dns.c:67         Debug:     DOMAIN: lansforsakringar.se  TYPE: TXT (16)
spf_dns.c:70         Debug:     TTL: 496  RR found: 1  herrno: 0  source: exim
spf_dns.c:94         Debug:     - TXT: v=spf1 mx -all
spf_server.c:402     Debug: get_record(lansforsakringar.se): NETDB_SUCCESS
spf_server.c:443     Debug: found SPF record: v=spf1 mx -all
spf_compile.c:1210   Debug: Compiling record v=spf1 mx -all
spf_compile.c:1314   Debug: Name starts at  mx -all
spf_compile.c:1407   Debug: Adding mechanism type 2
spf_compile.c:846    Debug: SPF_c_mech_add: type=2, value= -all
spf_compile.c:1314   Debug: Name starts at  all
spf_compile.c:1407   Debug: Adding mechanism type 8
spf_compile.c:846    Debug: SPF_c_mech_add: type=8, value=
spf_dns.c:52         Debug: DNS[cache] lookup: lansforsakringar.se MX (15)
spf_dns.c:52         Debug: DNS[exim] lookup: lansforsakringar.se MX (15)
DNS lookup of lansforsakringar.se (MX) succeeded
spf_dns.c:66         Debug: DNS[exim] found record
spf_dns.c:67         Debug:     DOMAIN: (null)  TYPE: ANY (255)
spf_dns.c:70         Debug:     TTL: 86400  RR found: 0  herrno: 1  source: exim
spf_dns.c:66         Debug: DNS[cache] found record
spf_dns.c:67         Debug:     DOMAIN: (null)  TYPE: ANY (255)
spf_dns.c:70         Debug:     TTL: 86400  RR found: 0  herrno: 1  source: exim
spf_interpret.c:823  Debug: found 0 MX records for lansforsakringar.se  (herrno: 1)
 lookup yielded: fail
 ├──expanding: ${lookup {noreply@???} spf {194.16.160.133}}
 ╰─────result: fail
            ╰──(tainted)
fail
search_tidyup called

>>>>>>>>>>>>>>>> Exim pid=3332445 (main: expansion test) terminating with rc=0 >>>>>>>>>>>>>>>>

root@sebastian-desktop:/etc/exim4#



-----Original Message-----
From: Jeremy Harris via Exim-users <exim-users@???>
Sent: 8 May 2020 01:16
To: exim-users@???
Subject: Re: [exim] Weird SPF rejection - what can be the cause of it? (built-in SPF handler in exim)

On 07/05/2020 23:34, Sebastian Nielsen via Exim-users wrote:
> I got the following weird SPF rejection in my logs (I'm using the built-in
> SPF handler in exim):
>
> 2020-05-07 11:14:35 H=mxcluster2.lansforsakringar.se [194.16.160.133]
> X=TLS1.2:ECDHE_SECP521R1__RSA_SHA512__AES_256_GCM:256 CV=no rejected MAIL
> <noreply@???>: SPF check failed: sebbe.eu: domain of
> lansforsakringar.se does not designate 194.16.160.133 as permitted sender


Running a query for that under the testsuite, and with debug, it seems
to pass:

 ╭considering: ${lookup {noreply@???} spf {194.16.160.133}}
  ╭considering: noreply@???} spf {194.16.160.133}}
  ├──expanding: noreply@???
  ╰─────result: noreply@???
  ╭considering: 194.16.160.133}}
  ├──expanding: 194.16.160.133
  ╰─────result: 194.16.160.133
 search_open: spf "194.16.160.133"
spf_compile.c:523    Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}
spf_compile.c:1210   Debug: Compiling record v=spf1 
 search_find: file="194.16.160.133"
   key="noreply@???" partial=-1 affix=NULL starflags=0 opts=NULL
 LRU list:
 internal_search_find: file="194.16.160.133"
   type=spf key="noreply@???" opts=NULL
 file lookup required for noreply@???
   in 194.16.160.133
spf_dns.c:52         Debug: DNS[cache] lookup: lansforsakringar.se SPF (99)
spf_dns.c:52         Debug: DNS[exim] lookup: lansforsakringar.se SPF (99)
spf_dns.c:66         Debug: DNS[exim] found record
spf_dns.c:67         Debug:     DOMAIN: lansforsakringar.se  TYPE: SPF (99)
spf_dns.c:70         Debug:     TTL: 0  RR found: 0  herrno: 4  source: exim
spf_dns.c:66         Debug: DNS[cache] found record
spf_dns.c:67         Debug:     DOMAIN: lansforsakringar.se  TYPE: SPF (99)
spf_dns.c:70         Debug:     TTL: 0  RR found: 0  herrno: 4  source: exim
spf_server.c:370     Debug: get_record(lansforsakringar.se): NO_DATA
spf_dns.c:52         Debug: DNS[cache] lookup: lansforsakringar.se TXT (16)
spf_dns.c:52         Debug: DNS[exim] lookup: lansforsakringar.se TXT (16)
DNS lookup of lansforsakringar.se (TXT) using fakens
fresh-exec forking for fakens-search
postfork: fakens-search
fresh-exec forked for fakens-search: 176697
fakens returned PASS_ON
passing lansforsakringar.se on to res_search()
DNS lookup of lansforsakringar.se (TXT) succeeded
spf_dns.c:66         Debug: DNS[exim] found record
spf_dns.c:67         Debug:     DOMAIN: lansforsakringar.se  TYPE: TXT (16)
spf_dns.c:70         Debug:     TTL: 3377  RR found: 1  herrno: 0  source: exim
spf_dns.c:94         Debug:     - TXT: v=spf1 mx -all
spf_dns.c:66         Debug: DNS[cache] found record
spf_dns.c:67         Debug:     DOMAIN: lansforsakringar.se  TYPE: TXT (16)
spf_dns.c:70         Debug:     TTL: 3377  RR found: 1  herrno: 0  source: exim
spf_dns.c:94         Debug:     - TXT: v=spf1 mx -all
spf_server.c:412     Debug: get_record(lansforsakringar.se): NETDB_SUCCESS
spf_server.c:457     Debug: found SPF record: v=spf1 mx -all
spf_compile.c:1210   Debug: Compiling record v=spf1 mx -all
spf_compile.c:1314   Debug: Name starts at  mx -all
spf_compile.c:1407   Debug: Adding mechanism type 2
spf_compile.c:846    Debug: SPF_c_mech_add: type=2, value= -all
spf_compile.c:1314   Debug: Name starts at  all
spf_compile.c:1407   Debug: Adding mechanism type 8
spf_compile.c:846    Debug: SPF_c_mech_add: type=8, value=
spf_dns.c:52         Debug: DNS[cache] lookup: lansforsakringar.se MX (15)
spf_dns.c:52         Debug: DNS[exim] lookup: lansforsakringar.se MX (15)
DNS lookup of lansforsakringar.se (MX) using fakens
fresh-exec forking for fakens-search
postfork: fakens-search
fresh-exec forked for fakens-search: 176698
fakens returned PASS_ON
passing lansforsakringar.se on to res_search()
DNS lookup of lansforsakringar.se (MX) succeeded
spf_dns.c:66         Debug: DNS[exim] found record
spf_dns.c:67         Debug:     DOMAIN: lansforsakringar.se  TYPE: MX (15)
spf_dns.c:70         Debug:     TTL: 3377  RR found: 4  herrno: 0  source: exim
spf_dns.c:90         Debug:     - MX: mxcluster2.lansforsakringar.se
spf_dns.c:90         Debug:     - MX: mxcluster1.lansforsakringar.se
spf_dns.c:90         Debug:     - MX: mxcluster4.lansforsakringar.se
spf_dns.c:90         Debug:     - MX: mxcluster3.lansforsakringar.se
spf_dns.c:66         Debug: DNS[cache] found record
spf_dns.c:67         Debug:     DOMAIN: lansforsakringar.se  TYPE: MX (15)
spf_dns.c:70         Debug:     TTL: 3377  RR found: 4  herrno: 0  source: exim
spf_dns.c:90         Debug:     - MX: mxcluster2.lansforsakringar.se
spf_dns.c:90         Debug:     - MX: mxcluster1.lansforsakringar.se
spf_dns.c:90         Debug:     - MX: mxcluster4.lansforsakringar.se
spf_dns.c:90         Debug:     - MX: mxcluster3.lansforsakringar.se
spf_interpret.c:823  Debug: found 4 MX records for lansforsakringar.se  (herrno: 0)
spf_dns.c:52         Debug: DNS[cache] lookup: mxcluster2.lansforsakringar.se A (1)
spf_dns.c:52         Debug: DNS[exim] lookup: mxcluster2.lansforsakringar.se A (1)
DNS lookup of mxcluster2.lansforsakringar.se (A) using fakens
fresh-exec forking for fakens-search
postfork: fakens-search
fresh-exec forked for fakens-search: 176699
fakens returned PASS_ON
passing mxcluster2.lansforsakringar.se on to res_search()
DNS lookup of mxcluster2.lansforsakringar.se (A) succeeded
spf_dns.c:66         Debug: DNS[exim] found record
spf_dns.c:67         Debug:     DOMAIN: mxcluster2.lansforsakringar.se  TYPE: A (1)
spf_dns.c:70         Debug:     TTL: 3378  RR found: 1  herrno: 0  source: exim
spf_dns.c:80         Debug:     - A: 194.16.160.133
spf_dns.c:66         Debug: DNS[cache] found record
spf_dns.c:67         Debug:     DOMAIN: mxcluster2.lansforsakringar.se  TYPE: A (1)
spf_dns.c:70         Debug:     TTL: 3378  RR found: 1  herrno: 0  source: exim
spf_dns.c:80         Debug:     - A: 194.16.160.133
spf_interpret.c:854  Debug: 0: found 1 A records for mxcluster2.lansforsakringar.se  (herrno: 0)
spf_interpret.c:489  Debug: ip_match:  194.16.160.133 == 194.16.160.133  (/32 255.255.255.255):  1
 (no errors)
 lookup yielded: pass
 ├──expanding: ${lookup {noreply@???} spf {194.16.160.133}}
 ╰─────result: pass
pass






How does the equivalent debug look on your system? If it is materially different,
how?

$ exim -d-all+expand+lookup+dns -be '${lookup {noreply@???} spf {194.16.160.133}}'


--
Cheers,
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
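
An added example, not part of either message and not Exim or libspf2 code: a small Python parser for the libspf2 debug lines shown in the two traces. It pairs each DNS[exim] query with the answer libspf2 recorded and reports queries that Exim logged as "succeeded" while libspf2 saw zero records, which is the material difference between the failing and the passing run. The function names are hypothetical; the sample input is lines copied from the failing trace above, shortened.

```python
import re

# h_errno values from <netdb.h>, printed by libspf2 in the "herrno:" field
HERRNO = {0: "NETDB_SUCCESS", 1: "HOST_NOT_FOUND", 2: "TRY_AGAIN",
          3: "NO_RECOVERY", 4: "NO_DATA"}
QUERY = re.compile(r"DNS\[exim\] lookup: (\S+) (\w+) \(\d+\)")
EXIM_OK = re.compile(r"DNS lookup of (\S+) \((\w+)\) succeeded")
ANSWER = re.compile(r"DOMAIN: (\S+)\s+TYPE: (\w+) \(\d+\)")
COUNTS = re.compile(r"RR found: (\d+)\s+herrno: (\d+)")
RESULT = re.compile(r"lookup yielded: (\w+)")

def parse_trace(text):
    """Return (lookups, spf_result) from `exim -d-all+expand+lookup+dns -be` output."""
    lookups, result = [], None
    for line in text.splitlines():
        if m := QUERY.search(line):        # libspf2 hands a query to Exim's resolver
            lookups.append({"name": m[1], "qtype": m[2], "exim_ok": False})
        elif m := RESULT.search(line):
            result = m[1]
        elif not lookups:
            continue
        elif m := EXIM_OK.search(line):    # Exim's own verdict on that query
            lookups[-1]["exim_ok"] = (m[1], m[2]) == (lookups[-1]["name"], lookups[-1]["qtype"])
        elif m := ANSWER.search(line):     # record libspf2 got back (DNS[cache] copy repeats it)
            lookups[-1]["adomain"], lookups[-1]["atype"] = m[1], m[2]
        elif m := COUNTS.search(line):
            lookups[-1]["rr"], lookups[-1]["herrno"] = int(m[1]), int(m[2])
    return lookups, result

def anomalies(lookups):
    """Queries Exim logged as succeeded but libspf2 recorded with no RRs."""
    return [f"{q['name']} {q['qtype']}: got {q.get('adomain')}/{q.get('atype')}, "
            f"RR found 0, herrno {HERRNO.get(q.get('herrno'), q.get('herrno'))}"
            for q in lookups if q["exim_ok"] and q.get("rr") == 0]

# Sample: lines from the failing trace above (DNS[cache] duplicates and
# "found record" markers omitted for brevity).
FAILING = """\
spf_dns.c:52         Debug: DNS[exim] lookup: lansforsakringar.se TXT (16)
DNS lookup of lansforsakringar.se (TXT) succeeded
spf_dns.c:67         Debug:     DOMAIN: lansforsakringar.se  TYPE: TXT (16)
spf_dns.c:70         Debug:     TTL: 496  RR found: 1  herrno: 0  source: exim
spf_dns.c:52         Debug: DNS[exim] lookup: lansforsakringar.se MX (15)
DNS lookup of lansforsakringar.se (MX) succeeded
spf_dns.c:67         Debug:     DOMAIN: (null)  TYPE: ANY (255)
spf_dns.c:70         Debug:     TTL: 86400  RR found: 0  herrno: 1  source: exim
 lookup yielded: fail
"""
print(parse_trace(FAILING)[1], anomalies(parse_trace(FAILING)[0]))
```

Fed the passing trace, the same functions report no anomalies: its SPF (99) query also has zero records, but with no "succeeded" line from Exim, so it is an ordinary NO_DATA answer.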