
exim spfquery config
Hi, I compiled exim with support for spfquery, but it does not work.

I read this documentation:

https://github.com/Exim/exim/wiki/SPF



I sent a test email with an invalid from address, but it does not work:

spfquery --sender=soyspam@gmail.com --ip=200.58.112.191
softfail
domain owner discourages use of this host
('spfquery:', 'transitioning domain of gmail.com does not designate 200.58.112.191 as permitted sender')
('Received-SPF:', 'SoftFail (spfquery: transitioning domain of gmail.com does not designate 200.58.112.191 as permitted sender) client-ip=200.58.112.191; envelope-from="soyspam@gmail.com"; receiver=spfquery; mechanism=~all; identity=mailfrom')

exim configure:

deny message = $sender_host_address is not allowed to send mail from $sender_address_domain
spf = fail

Any ideas?

Regards,



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: exim spfquery config
Hi, Emanuel -

On Tue, 12 Feb 2019 at 15:42, Emanuel Gonzalez via Exim-users <exim-users@exim.org> wrote:

> Hi, I compiled exim with support for spfquery, but it does not work.
>
> I read this documentation:
> https://github.com/Exim/exim/wiki/SPF


The above documentation says that the right hand side of Exim's "spf"
keyword can be "pass", "fail", "softfail" and so on.


> spfquery --sender=soyspam@gmail.com --ip=200.58.112.191
> softfail
> domain owner discourages use of this host
>

The output above says that the result of the SPF test for your message is
"softfail".



> deny message = $sender_host_address is not allowed to send mail from
> $sender_address_domain
> spf = fail
>

But here you are saying that if the SPF result is "fail" then deny the
message.

Perhaps you should use "softfail" instead?
Or, if you want to deny messages that fail or softfail, use a list of
values as per the documentation? Eg,

spf = softfail:fail


However do please be cautious about denying messages that only softfail.
This result is often used by organisations who are still working on
transitioning to a strong SPF policy of fail, and are still working on
identifying sending sources. Generally a softfail should be interpreted as
"accept, but treat with extra caution" (eg, change the thresholds at which
you consider a message to be spam).

Cheers,
Mike B-)

--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
Re: exim spfquery config
> However do please be cautious about denying messages that only softfail.

I disagree with this. So many organizations have had softfail for
several tens of years for no apparent reason. Gmail is no exception.

-----

C:\Users\Sebastian Nielsen>nslookup -type=TXT gmail.com
Server: fw.sebbe.eu
Address: 192.168.4.1
Non-authoritative answer:
gmail.com text =
"globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
gmail.com text =
"v=spf1 redirect=_spf.google.com"
C:\Users\Sebastian Nielsen>nslookup -type=TXT _spf.google.com
Server: fw.sebbe.eu
Address: 192.168.4.1
Non-authoritative answer:
_spf.google.com text =
"v=spf1 include:_netblocks.google.com
include:_netblocks2.google.com include:_netblocks3.google.com ~all"
C:\Users\Sebastian Nielsen>

-----

If you don't mind expending some disk storage, create a custom
application that will, upon seeing a softfail for a domain, append the
domain into a disk file along with year+month of first seen softfail,
IF NOT: the domain is already in file (and treat as softfail). IF
domain is already in file, IF the year+month is 2 months away or more,
treat as hardfail. Else treat as softfail.

Then every organization that touches your mailserver will get anywhere
from 1-2 months to ensure any mailserver they use is added to their
SPF; after that, you will forcefully hardfail their "softfail".

I personally treat softfail as hardfail on my mailserver sebbe.eu. It
works very well and I haven't seen a "false positive" yet where an
email that is not obviously spoofed had been rejected.

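As an added example (written for this archive page; it is not Exim's code and not from any poster on this thread), the following Python sketch implements the grace-period rule described in the post above: a softfail is recorded with the month it was first seen for that domain, and once that first-seen month is two or more months in the past the result is treated as a hardfail. It also includes a parser for the two-line spfquery result quoted at the top of the thread and a helper that mimics the colon-separated Exim list form (`spf = softfail:fail`) from the earlier reply. The state-file path, the JSON layout and the function names are assumptions of this example.

```python
# Added example: softfail grace-period policy, not Exim code and not from the thread's posters.
# State is a JSON map of domain -> "YYYY-MM" (month of first observed softfail); the path is assumed.
import json
from datetime import date
from pathlib import Path

GRACE_MONTHS = 2  # softfail first seen this many months ago (or more) is treated as hardfail


def spf_list_matches(result: str, condition: str) -> bool:
    """True if `result` is one of the colon-separated values of an Exim-style
    `spf = ...` condition, e.g. spf_list_matches("softfail", "softfail:fail")."""
    wanted = {value.strip().lower() for value in condition.split(":")}
    return result.strip().lower() in wanted


def parse_spfquery_result(output: str) -> str:
    """spfquery prints the bare result word on its first line (pass, fail,
    softfail, neutral, none, temperror, permerror); later lines are explanation."""
    for line in output.splitlines():
        if line.strip():
            return line.strip().lower()
    return "none"


def _month_index(stamp: str) -> int:
    """Turn "YYYY-MM" into a running month count so months can be subtracted."""
    year, month = (int(part) for part in stamp.split("-"))
    return year * 12 + (month - 1)


def effective_result(result: str, domain: str, first_seen: dict, today_ym: str) -> str:
    """Apply the grace-period rule and return the verdict to act on.

    - anything other than softfail is returned unchanged
    - first softfail for this domain: record today's month, keep "softfail"
    - softfail first seen >= GRACE_MONTHS months ago: escalate to "fail"
    - otherwise: still "softfail"
    `first_seen` is updated in place so the caller can persist it.
    """
    if result != "softfail":
        return result
    stamp = first_seen.get(domain)
    if stamp is None:
        first_seen[domain] = today_ym
        return "softfail"
    age_months = _month_index(today_ym) - _month_index(stamp)
    return "fail" if age_months >= GRACE_MONTHS else "softfail"


def load_first_seen(path: Path) -> dict:
    """Load the persisted domain -> first-seen-month map (empty if the file is absent)."""
    if not path.exists():
        return {}
    return json.loads(path.read_text())


def save_first_seen(path: Path, first_seen: dict) -> None:
    """Write the map back so the grace period survives across messages."""
    path.write_text(json.dumps(first_seen, indent=2, sort_keys=True))


# Constructed sample: the two result lines spfquery printed in the first post of the thread.
SAMPLE_OUTPUT = "softfail\ndomain owner discourages use of this host\n"

if __name__ == "__main__":
    state_file = Path("/tmp/spf-softfail-first-seen.json")  # assumed location
    seen = load_first_seen(state_file)
    result = parse_spfquery_result(SAMPLE_OUTPUT)
    verdict = effective_result(result, "gmail.com", seen, date.today().strftime("%Y-%m"))
    save_first_seen(state_file, seen)
    # The original poster's ACL only denies on "fail"; the grace period decides
    # when a long-standing softfail is escalated into that bucket.
    action = "deny" if spf_list_matches(verdict, "fail") else "accept"
    print(f"spfquery={result} effective={verdict} action={action}")
```

Run stand-alone it evaluates the quoted spfquery output once and records gmail.com in the state file; on a real mail server the verdict would feed the ACL's deny decision in place of the raw SPF result, and the state file would need the same care as any other per-sender reputation store (growth over time, and a way to reset a domain once it publishes a strict policy).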
Re: exim spfquery config
On 12 Feb 2019, at 21:56, Sebastian Nielsen via Exim-users <exim-users@exim.org> wrote:
> I disagree with this. So many organizations that have had softfail for
> several tens of years for no apparent reason. Gmail is no exception.

There’s no way in the SPF definition to indicate “apparent reason”.

You either have a hard fail, or a soft fail, or something else. You as a remote viewer cannot determine intent by the assertion of a domain’s SPF policy; that way madness lies.

Graeme
Re: exim spfquery config
On Tue, 12 Feb 2019 23:36:26 +0000 Graeme Fowler via Exim-users wrote:

[.we do hatez the mangling and inability to just reply to this ML anymore]
> On 12 Feb 2019, at 21:56, Sebastian Nielsen via Exim-users <exim-users@exim.org> wrote:
> > I disagree with this. So many organizations that have had softfail for
> > several tens of years for no apparent reason. Gmail is no exception.
>
> There’s no way in the SPF definition to indicate “apparent reason”.
>
> You either have a hard fail, or a soft fail, or something else. You as a remote viewer cannot determine intent by the assertion of a domain’s SPF policy; that way madness lies.
>
> Graeme

I can only repeat this a thousand times.

We can't and won't use/publish SPF/DKIM/DMARC for long-term established
domains that have users forwarding left, right and center, participating in
mailing lists and goat knows what else, PRECISELY because people out there
will ignore our policy settings and use any such published records to
filter things hard based on what was at best a subtle hint in an inherently
broken design.

See also my next post later today.

Regards,

Christian
--
Christian Balzer Network/Systems Engineer
chibi@gol.com Rakuten Communications
