Mail is not being rejected with check_policy_server when SPF fails?


lists42

I installed the policyd-spf milter with Postfix 3.1.  It also has postscreen.

I want to reject email that does not pass the SPF check.

In the main.cf configuration I added

    smtpd_relay_restrictions =
                [...]
                reject_unauth_destination
                check_policy_service unix:private/policy
                [...]

In the mail I get I always see the headers

    [...]
    Authentication-Results: mail.example.com ...
    [...]

so that's good.

But on one recent spam that was delivered and was under investigation for the reasons I caught this

    [...]
    Authentication-Results: mail.example.com; spf=fail (SPF fail - not authorized) smtp.mailfrom=cantv.com (client-ip=213.160.81.59; helo=mail.ddd-server1.de; [hidden email]; receiver=[hidden email])
    [...]

I am wondering why the policy is checked but the email still did not get rejected?

Since the configuration is in the main.cf I think it's postscreen that would do it?

Is that the wrong way?

Or maybe I need to move it to a different section like

    smtpd_recipient_restrictions =
                [...]
                reject_unauth_destination
                check_policy_service unix:private/policy
                [...]

What do I need to reject the email as soon as it fails the spf like that?


Re: Mail is not being rejected with check_policy_server when SPF fails?

Noel Jones-2
On 5/11/2016 5:18 PM, [hidden email] wrote:

>
> I installed the policyd-spf milter with Postfix 3.1.  It also has
> postscreen.
>
> I want to reject email that does not pass the SPF check.
>
> In the main.cf configuration I added
>
>     smtpd_relay_restrictions =
>                 [...]
>                 reject_unauth_destination
>                 check_policy_service unix:private/policy
>                 [...]
>
> In the mail I get I alway see the headers
>
>     [...]
>     Authentication-Results: mail.example.com ...
>     [...]
>
> so that's good.
>
> But on one recent spam that was delivered and was under
> investigation for the reasons I caught this
>
>     [...]
>     Authentication-Results: mail.example.com; spf=fail (SPF fail -
> not authorized) smtp.mailfrom=cantv.com (client-ip=213.160.81.59;
> helo=mail.ddd-server1.de; envelope-from=[hidden email]
> <mailto:envelope-from=[hidden email]>; receiver=[hidden email])
>     [...]
>
> I am wondering why the policy is checked but the email still did not
> get rejected?
>
> Since the configuration is in the main.cf I think its postscreen
> that would do it?
>
> Is that the wrong way?
>
> Or maybe I need to move it to a different section like
>
>     smtpd_recipient_restrictions =
>                 [...]
>                 reject_unauth_destination
>                 check_policy_service unix:private/policy
>                 [...]
>
> What do I need to reject the email as soon as it fails the spf like
> that?
>


Configure your policy service to reply with REJECT if you wish for
it to reject mail that fails SPF.

The rest of your configuration is fine.



  -- Noel Jones

Re: Mail is not being rejected with check_policy_server when SPF fails?

Alice Wonder
On 05/11/2016 03:51 PM, Noel Jones wrote:

> On 5/11/2016 5:18 PM, [hidden email] wrote:
>>
>> I installed the policyd-spf milter with Postfix 3.1.  It also has
>> postscreen.
>>
>> I want to reject email that does not pass the SPF check.
>>
>> In the main.cf configuration I added
>>
>>      smtpd_relay_restrictions =
>>                  [...]
>>                  reject_unauth_destination
>>                  check_policy_service unix:private/policy
>>                  [...]
>>
>> In the mail I get I alway see the headers
>>
>>      [...]
>>      Authentication-Results: mail.example.com ...
>>      [...]
>>
>> so that's good.
>>
>> But on one recent spam that was delivered and was under
>> investigation for the reasons I caught this
>>
>>      [...]
>>      Authentication-Results: mail.example.com; spf=fail (SPF fail -
>> not authorized) smtp.mailfrom=cantv.com (client-ip=213.160.81.59;
>> helo=mail.ddd-server1.de; envelope-from=[hidden email]
>> <mailto:envelope-from=[hidden email]>; receiver=[hidden email])
>>      [...]
>>
>> I am wondering why the policy is checked but the email still did not
>> get rejected?
>>
>> Since the configuration is in the main.cf I think its postscreen
>> that would do it?
>>
>> Is that the wrong way?
>>
>> Or maybe I need to move it to a different section like
>>
>>      smtpd_recipient_restrictions =
>>                  [...]
>>                  reject_unauth_destination
>>                  check_policy_service unix:private/policy
>>                  [...]
>>
>> What do I need to reject the email as soon as it fails the spf like
>> that?
>>
>
>
> Configure your policy service to reply with REJECT if you wish for
> it to reject mail that fails SPF.
>
> The rest of your configuration is fine.
>
>

I've found that legitimate mail fails SPF too often to reject. Problem
is system administrators don't keep the policy up to date as the network
changes, or they don't understand SPF.

I think SPF is good for spam score but shouldn't reject based on it alone.


Re: Mail is not being rejected with check_policy_server when SPF fails?

lists42

> Configure your policy service to reply with REJECT if you wish for
> it to reject mail that fails SPF.


I think that I have that correct already


    [...]
    HELO_reject = Fail
    Mail_From_reject = Fail
    PermError_reject = True
    TempError_Defer = False
    [...]


> The rest of your configuration is fine.


Okay, so I will have to investigate that some more.


> I've found that legitimate mail fails SPF too often to reject. Problem is system administrators don't keep the policy up to date as the network changes, or they don't understand SPF.
>
> I think SPF is good for spam score but shouldn't reject based on it alone.


I have discussed this so many times with other server owners!  I have changed my mind on this more than once now.


Finally I think I believe in the practice that if the SPF, or DKIM, or DMARC record is published then it's the system administrator's job and responsibility to make it correct.  Or don't publish it, period.  It's too much work for me to be the spam police for my network AND be the system administrator police for other networks.


I think that if they are responsible and just make a mistake then they will see the replies in the logs and fix it.  If they do not fix it then they are not responsible and there is probably more from that network that I don't want.


On content in the body I agree of course that only scoring is the best approach to it.


Re: Mail is not being rejected with check_policy_server when SPF fails?

James B. Byrne
In reply to this post by Alice Wonder

On Wed, May 11, 2016 19:18, Alice Wonder wrote:

>
> I've found that legitimate mail fails SPF too often to reject. Problem
> is system administrators don't keep the policy up to date as the
> network changes, or they don't understand SPF.
>
> I think SPF is good for spam score but shouldn't reject based on it
> alone.
>
>

We take the position that any domain that implements SPF with the -all
tag is telling us to reject anything purporting to come from them that
fails spf, which we do.  Likewise, any domain that has enabled spf has
committed to maintain a valid spf configuration in their zone file or
we will reject their mail per the spf rules.

SPF is essentially a performance contract which the sender domain has
voluntarily entered into with their correspondents. If poor spf
configuration causes problems for them they can either fix the problem
or disable spf altogether.  There is no point in us enabling a
crippled spf configuration to persist without repair. We are not doing
them or their other correspondents any favour should we do so.

Depending on the site we will often send a message to both the sender
and to the postmaster address detailing the issue that they are
having.  Although empirically we see that many, many sites have no way
of receiving email addressed to [hidden email].  The humorous
thing is that often the non-delivery notice is sent from, you guessed
it, [hidden email].

--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:[hidden email]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3


Re: Mail is not being rejected with check_policy_server when SPF fails?

Noel Jones-2
In reply to this post by lists42
On 5/11/2016 7:41 PM, [hidden email] wrote:
>
>         Configure your policy service to reply with REJECT if you
>         wish for
>         it to reject mail that fails SPF.
>
>
> I think that I have that correct already

Obviously not.
It's adding headers with a PREPEND command, rather than rejecting
the mail with REJECT.

Sorry, I don't use policyd-spf, so I can't point out the error in
your policy config.



  -- Noel Jones

Re: Mail is not being rejected with check_policy_server when SPF fails?

Scott Kitterman-4


On May 11, 2016 10:42:17 PM EDT, Noel Jones <[hidden email]> wrote:

>On 5/11/2016 7:41 PM, [hidden email] wrote:
>>
>>         Configure your policy service to reply with REJECT if you
>>         wish for
>>         it to reject mail that fails SPF.
>>
>>
>> I think that I have that correct already
>
>Obviously not.
>It's adding headers with a PREPEND command, rather than rejecting
>the mail with REJECT.
>
>Sorry, I don't use policyd-spf, so I can't point out the error in
>your policy config.

The OP's configuration looked correct to me.

To the original poster:

Please ask this here:

https://answers.launchpad.net/pypolicyd-spf

I think it's gone beyond what's on topic for this list.  I'll try and help you sort it out.

Scott K


Re: Mail is not being rejected with check_policy_server when SPF fails?

Brett @Google
In reply to this post by lists42
On Thu, May 12, 2016 at 10:41 AM, <[hidden email]> wrote:

    [...]
    HELO_reject = Fail
    Mail_From_reject = Fail
    PermError_reject = True
    TempError_Defer = False
    [...]


What about checking seedOnly = x, if that is set wrongly the policyd will put headers in emails and log failures, but not actually reject mail.

http://manpages.ubuntu.com/manpages/wily/man5/policyd-spf.conf.5.htm

Cheers
Brett
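
The difference discussed in this thread between a policy service that answers PREPEND (header added, mail still delivered) and one that answers with a rejecting action, shown as an added example of the Postfix policy delegation exchange; it is not part of any post above and is not policyd-spf's code. The request values are constructed, the SPF result is passed in rather than looked up, and `enforce` is a hypothetical switch standing in for the daemon's own reject settings.

```python
# Added illustration of the Postfix policy delegation exchange (not policyd-spf code).
# Constructed sample request: the attribute block smtpd sends at RCPT TO time.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "helo_name=mail.sender.example\n"
    "sender=user@sender.example\n"
    "recipient=postmaster@mail.example.com\n"
    "\n"
)

def parse_request(raw):
    """Parse name=value attributes; an empty line ends the request."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def policy_response(raw, spf_result, enforce):
    """Build the reply for a given SPF result.

    spf_result is supplied by the caller (no DNS lookup is done here);
    enforce is a hypothetical switch, not a real policyd-spf option.
    """
    attrs = parse_request(raw)
    if attrs.get("request") != "smtpd_access_policy":
        return "action=DUNNO\n\n"
    if spf_result == "fail" and enforce:
        # A 5xx (or REJECT) action makes smtpd refuse the recipient.
        return "action=550 5.7.23 SPF fail - not authorized\n\n"
    # PREPEND only adds a header; smtpd carries on with the remaining restrictions.
    domain = attrs.get("sender", "").rpartition("@")[2]
    return ("action=PREPEND Authentication-Results: mail.example.com; "
            f"spf={spf_result} smtp.mailfrom={domain}\n\n")

def is_refused(response):
    """True when the action tells smtpd to refuse the mail (REJECT, 4xx or 5xx)."""
    action = response.split("=", 1)[1].split()[0]
    return action == "REJECT" or action[:1] in ("4", "5")

if __name__ == "__main__":
    for enforce in (False, True):
        reply = policy_response(SAMPLE_REQUEST, "fail", enforce)
        print(enforce, is_refused(reply), reply.strip())
```

With `enforce` off, an SPF fail produces exactly the symptom in the original post: an `Authentication-Results: ... spf=fail` header on delivered mail.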