Re: [exim] Weird SPF rejection - what can be the cause ofi…

Author: Sebastian Nielsen
Date:  
To: exim-users
Subject: Re: [exim] Weird SPF rejection - what can be the cause of it? (built-in SPF handler in exim)
How does exim handle DNSSEC when traversing SPF?
Does it simply trust the ad flag from the local stub resolver, or does exim walk DNSSEC itself?

Thinking if my stub resolver and upstream resolver obviously validate DNSSEC properly, while exim itself might have some invalid trust anchor or similar loaded?


-----Original Message-----
From: Jeremy Harris via Exim-users <exim-users@???>
Sent: 8 May 2020 01:16
To: exim-users@???
Subject: Re: [exim] Weird SPF rejection - what can be the cause of it? (built-in SPF handler in exim)

On 07/05/2020 23:34, Sebastian Nielsen via Exim-users wrote:
> I got the following weird SPF rejection in my logs (I'm using the built-in
> SPF handler in exim):
>
> 2020-05-07 11:14:35 H=mxcluster2.lansforsakringar.se [194.16.160.133]
> X=TLS1.2:ECDHE_SECP521R1__RSA_SHA512__AES_256_GCM:256 CV=no rejected MAIL
> <noreply@???>: SPF check failed: sebbe.eu: domain of
> lansforsakringar.se does not designate 194.16.160.133 as permitted sender


Running a query for that under the testsuite, and with debug, it seems
to pass:

 ╭considering: ${lookup {noreply@???} spf {194.16.160.133}}
  ╭considering: noreply@???} spf {194.16.160.133}}
  ├──expanding: noreply@???
  ╰─────result: noreply@???
  ╭considering: 194.16.160.133}}
  ├──expanding: 194.16.160.133
  ╰─────result: 194.16.160.133
 search_open: spf "194.16.160.133"
spf_compile.c:523    Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}
spf_compile.c:1210   Debug: Compiling record v=spf1 
 search_find: file="194.16.160.133"
   key="noreply@???" partial=-1 affix=NULL starflags=0 opts=NULL
 LRU list:
 internal_search_find: file="194.16.160.133"
   type=spf key="noreply@???" opts=NULL
 file lookup required for noreply@???
   in 194.16.160.133
spf_dns.c:52         Debug: DNS[cache] lookup: lansforsakringar.se SPF (99)
spf_dns.c:52         Debug: DNS[exim] lookup: lansforsakringar.se SPF (99)
spf_dns.c:66         Debug: DNS[exim] found record
spf_dns.c:67         Debug:     DOMAIN: lansforsakringar.se  TYPE: SPF (99)
spf_dns.c:70         Debug:     TTL: 0  RR found: 0  herrno: 4  source: exim
spf_dns.c:66         Debug: DNS[cache] found record
spf_dns.c:67         Debug:     DOMAIN: lansforsakringar.se  TYPE: SPF (99)
spf_dns.c:70         Debug:     TTL: 0  RR found: 0  herrno: 4  source: exim
spf_server.c:370     Debug: get_record(lansforsakringar.se): NO_DATA
spf_dns.c:52         Debug: DNS[cache] lookup: lansforsakringar.se TXT (16)
spf_dns.c:52         Debug: DNS[exim] lookup: lansforsakringar.se TXT (16)
DNS lookup of lansforsakringar.se (TXT) using fakens
fresh-exec forking for fakens-search
postfork: fakens-search
fresh-exec forked for fakens-search: 176697
fakens returned PASS_ON
passing lansforsakringar.se on to res_search()
DNS lookup of lansforsakringar.se (TXT) succeeded
spf_dns.c:66         Debug: DNS[exim] found record
spf_dns.c:67         Debug:     DOMAIN: lansforsakringar.se  TYPE: TXT (16)
spf_dns.c:70         Debug:     TTL: 3377  RR found: 1  herrno: 0  source: exim
spf_dns.c:94         Debug:     - TXT: v=spf1 mx -all
spf_dns.c:66         Debug: DNS[cache] found record
spf_dns.c:67         Debug:     DOMAIN: lansforsakringar.se  TYPE: TXT (16)
spf_dns.c:70         Debug:     TTL: 3377  RR found: 1  herrno: 0  source: exim
spf_dns.c:94         Debug:     - TXT: v=spf1 mx -all
spf_server.c:412     Debug: get_record(lansforsakringar.se): NETDB_SUCCESS
spf_server.c:457     Debug: found SPF record: v=spf1 mx -all
spf_compile.c:1210   Debug: Compiling record v=spf1 mx -all
spf_compile.c:1314   Debug: Name starts at  mx -all
spf_compile.c:1407   Debug: Adding mechanism type 2
spf_compile.c:846    Debug: SPF_c_mech_add: type=2, value= -all
spf_compile.c:1314   Debug: Name starts at  all
spf_compile.c:1407   Debug: Adding mechanism type 8
spf_compile.c:846    Debug: SPF_c_mech_add: type=8, value=
spf_dns.c:52         Debug: DNS[cache] lookup: lansforsakringar.se MX (15)
spf_dns.c:52         Debug: DNS[exim] lookup: lansforsakringar.se MX (15)
DNS lookup of lansforsakringar.se (MX) using fakens
fresh-exec forking for fakens-search
postfork: fakens-search
fresh-exec forked for fakens-search: 176698
fakens returned PASS_ON
passing lansforsakringar.se on to res_search()
DNS lookup of lansforsakringar.se (MX) succeeded
spf_dns.c:66         Debug: DNS[exim] found record
spf_dns.c:67         Debug:     DOMAIN: lansforsakringar.se  TYPE: MX (15)
spf_dns.c:70         Debug:     TTL: 3377  RR found: 4  herrno: 0  source: exim
spf_dns.c:90         Debug:     - MX: mxcluster2.lansforsakringar.se
spf_dns.c:90         Debug:     - MX: mxcluster1.lansforsakringar.se
spf_dns.c:90         Debug:     - MX: mxcluster4.lansforsakringar.se
spf_dns.c:90         Debug:     - MX: mxcluster3.lansforsakringar.se
spf_dns.c:66         Debug: DNS[cache] found record
spf_dns.c:67         Debug:     DOMAIN: lansforsakringar.se  TYPE: MX (15)
spf_dns.c:70         Debug:     TTL: 3377  RR found: 4  herrno: 0  source: exim
spf_dns.c:90         Debug:     - MX: mxcluster2.lansforsakringar.se
spf_dns.c:90         Debug:     - MX: mxcluster1.lansforsakringar.se
spf_dns.c:90         Debug:     - MX: mxcluster4.lansforsakringar.se
spf_dns.c:90         Debug:     - MX: mxcluster3.lansforsakringar.se
spf_interpret.c:823  Debug: found 4 MX records for lansforsakringar.se  (herrno: 0)
spf_dns.c:52         Debug: DNS[cache] lookup: mxcluster2.lansforsakringar.se A (1)
spf_dns.c:52         Debug: DNS[exim] lookup: mxcluster2.lansforsakringar.se A (1)
DNS lookup of mxcluster2.lansforsakringar.se (A) using fakens
fresh-exec forking for fakens-search
postfork: fakens-search
fresh-exec forked for fakens-search: 176699
fakens returned PASS_ON
passing mxcluster2.lansforsakringar.se on to res_search()
DNS lookup of mxcluster2.lansforsakringar.se (A) succeeded
spf_dns.c:66         Debug: DNS[exim] found record
spf_dns.c:67         Debug:     DOMAIN: mxcluster2.lansforsakringar.se  TYPE: A (1)
spf_dns.c:70         Debug:     TTL: 3378  RR found: 1  herrno: 0  source: exim
spf_dns.c:80         Debug:     - A: 194.16.160.133
spf_dns.c:66         Debug: DNS[cache] found record
spf_dns.c:67         Debug:     DOMAIN: mxcluster2.lansforsakringar.se  TYPE: A (1)
spf_dns.c:70         Debug:     TTL: 3378  RR found: 1  herrno: 0  source: exim
spf_dns.c:80         Debug:     - A: 194.16.160.133
spf_interpret.c:854  Debug: 0: found 1 A records for mxcluster2.lansforsakringar.se  (herrno: 0)
spf_interpret.c:489  Debug: ip_match:  194.16.160.133 == 194.16.160.133  (/32 255.255.255.255):  1
 (no errors)
 lookup yielded: pass
 ├──expanding: ${lookup {noreply@???} spf {194.16.160.133}}
 ╰─────result: pass
pass






How does the equivalent debug look on your system? If it is materially different,
how?

$ exim -d-all+expand+lookup+dns -be '${lookup {noreply@???} spf {194.16.160.133}}'


--
Cheers,
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
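
Added example (not part of the original messages, and not Exim or libspf2 code): one way to answer "is it materially different, and how?" is to reduce each debug trace to the facts that decide the SPF result and compare them. The names summarise, differences, PASSING and FAILING are made up for this example, and the failing trace is constructed, not taken from the thread.

```python
import re
# Constructed excerpt in the shape of the passing trace quoted above.
PASSING = """\
spf_dns.c:67  Debug:     DOMAIN: lansforsakringar.se  TYPE: TXT (16)
spf_dns.c:70  Debug:     TTL: 3377  RR found: 1  herrno: 0  source: exim
spf_server.c:457  Debug: found SPF record: v=spf1 mx -all
spf_dns.c:67  Debug:     DOMAIN: mxcluster2.lansforsakringar.se  TYPE: A (1)
spf_dns.c:70  Debug:     TTL: 3378  RR found: 1  herrno: 0  source: exim
 lookup yielded: pass
"""
# Constructed failing run (hypothetical, not from the thread): empty A answer.
FAILING = """\
spf_dns.c:67  Debug:     DOMAIN: lansforsakringar.se  TYPE: TXT (16)
spf_dns.c:70  Debug:     TTL: 120  RR found: 1  herrno: 0  source: exim
spf_server.c:457  Debug: found SPF record: v=spf1 mx -all
spf_dns.c:67  Debug:     DOMAIN: mxcluster2.lansforsakringar.se  TYPE: A (1)
spf_dns.c:70  Debug:     TTL: 0  RR found: 0  herrno: 4  source: exim
 lookup yielded: fail
"""

DOMAIN = re.compile(r"DOMAIN:\s+(\S+)\s+TYPE:\s+(\w+)")
COUNT = re.compile(r"RR found:\s+(\d+)\s+herrno:\s+(\d+)")
RECORD = re.compile(r"found SPF record:\s+(.+)")
RESULT = re.compile(r"lookup yielded:\s+(\S+)")

def summarise(trace):
    """Reduce a debug trace to the facts that decide the SPF result."""
    out = {"dns": {}, "record": None, "result": None}
    pending = None
    for line in trace.splitlines():
        if m := DOMAIN.search(line):
            pending = (m.group(1), m.group(2))
        elif (m := COUNT.search(line)) and pending:
            # TTL is ignored on purpose: it differs between any two runs.
            out["dns"][pending] = (int(m.group(1)), int(m.group(2)))
            pending = None
        elif m := RECORD.search(line):
            out["record"] = m.group(1).strip()
        elif m := RESULT.search(line):
            out["result"] = m.group(1)
    return out

def differences(a, b):
    """Describe where two summaries materially differ."""
    keys = sorted(set(a["dns"]) | set(b["dns"]))
    diffs = [f"DNS {d} {t}: (rr, herrno) {a['dns'].get((d, t))} vs {b['dns'].get((d, t))}"
             for d, t in keys if a["dns"].get((d, t)) != b["dns"].get((d, t))]
    diffs += [f"{f}: {a[f]} vs {b[f]}" for f in ("record", "result") if a[f] != b[f]]
    return diffs
```

Feed it the full output of the exim -d-all+expand+lookup+dns command from each host; differences() then lists only the lookups, record or verdict that disagree.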