Page 1 of 3 123 LastLast
Results 1 to 10 of 22

Thread: remote user+smtp -> zimbra:spf=fail

  1. #1
    Join Date
    Jun 2007
    Location
    Czech Republic, Prague
    Posts
    66
    Rep Power
    8

    Default remote user+smtp -> zimbra:spf=fail

    Hi,
    i'm using zimbra 5.0RC2. I enabled spf (Improving Anti-spam system - Zimbra :: Wiki). Everything is working fine, but not for remote smtp users. They get X-Spam-Status: SPF_FAIL.

    Example:
    zimbra.log:
    ..Dec 13 16:37:28 dog saslauthd[5350]: auth_zimbra: user@example.com auth OK..

    from mail header:
    X-Spam-Status: ... SPF_FAIL=10..
    Received: from COM (ip-160-218-136-115.isp.com [xxx.xxx.xxx.xxx])
    by zimbra.exaple.com (Postfix) with ESMTP id DF3E27C2ED
    for <user2@exaple.com>; Thu, 13 Dec 2007 16:37:29 +0100 (CET)
    To: <user2@exaple.com>
    From: <user@example.com>


    my spf record:
    v=spf1 +a +mx +ptr -all

    Why zimbra check spf for authorized users? Is it ok?

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Are you sure that all your DNS records are OK? You can also check your SPF by sending an email to auth-results@verifier.port25.com and see what it gives as a response. Zimbra will check any email going through it because you've enabled SPF checks in the spamassassin local.cf file.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    Join Date
    Jun 2007
    Location
    Czech Republic, Prague
    Posts
    66
    Rep Power
    8

    Default

    Quote Originally Posted by phoenix View Post
    Zimbra will check any email going through it because you've enabled SPF checks in the spamassassin local.cf file.
    Is it posible and is it good idea to disable spamassasin for authorized users? Because why i check my users for spam?

  4. #4
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Quote Originally Posted by boblin View Post
    Is it posible and is it good idea to disable spamassasin for authorized users? Because why i check my users for spam?
    In my opinion, no it's not a good idea. How do you know none of your users have been infected with a virus? As always, that really is a policy decision you have to make.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  5. #5
    Join Date
    Jun 2007
    Location
    Czech Republic, Prague
    Posts
    66
    Rep Power
    8

    Default

    Quote Originally Posted by phoenix View Post
    Are you sure that all your DNS records are OK?
    i have this in my spf record:
    v=spf1 +a +mx +ptr -all

    If some remote laptop user with local account on zimbra want to send email from remote via zimbra:smtp, spf fail. I'm not sure if this spf record is ok for this situation. What is your recomended solution?

    Thanks.


    Quote Originally Posted by phoenix View Post
    You can also check your SPF by sending an email to auth-results@verifier.port25.com and see what it gives as a response.
    Code:
    <auth-results@verifier.port25.com>  delivery failed; will not continue trying
    
    Final-Recipient: rfc822;auth-results@verifier.port25.com
    Action: failed
    Status: 5.1.1 (bad destination mailbox address)
    X-PowerMTA-BounceCategory: bad-mailbox

  6. #6
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Have a look in the show original for the test message and you should see if the spf test failed or was accepted.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  7. #7
    Join Date
    Jun 2007
    Location
    Czech Republic, Prague
    Posts
    66
    Rep Power
    8

    Default

    spf is ok:

    Code:
    X-Spam-Status: No, score=-4.362 tagged_above=-10 required=6.6
    	tests=[ALL_TRUSTED=-1.8, AWL=0.037, BAYES_00=-2.599]
    ...
    Received: from zimbra.mydomain.com (localhost [127.0.0.1])
    	by zimbra.mydomain.com (Postfix) with ESMTP id D6F9EBC006
    	for <auth-results@verifier.port25.com>; Fri, 14 Dec 2007 14:35:51 +0100 (CET)
    Date: Fri, 14 Dec 2007 14:35:51 +0100 (CET)
    From: <me@mydomain.com>
    To: auth-results@verifier.port25.com
    But in this case i tried to send email directly from zimbra. If i send email, from remote smtp via, spf fail.

    I must change my spf record. Nicer solution will be: don't check spf if authorized user, but i understand, it is complicated.

    Thank you for your help.

  8. #8
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Do you host these spf records on your own DNS server hosted DNS service? Why don't you try the following record:

    Code:
    v=spf1 ip4:your_IP_address  a:FQDN_yourserver ~all
    note the ~all is for a soft-fail rather than reject. You can also generate the spf records here via the spf wizard. Once you've done that you can check it with this site: Email Service Provider Coalition by sending a testmail to the address they give and it will display all the results for your mail.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  9. #9
    Join Date
    Jan 2008
    Location
    Berlin, Germany
    Posts
    24
    Rep Power
    7

    Default Same Problem for me

    I observe the same Problem: When a local mail delivery is initiated using smtp, SPF will fail because it tries to verify against the dynamic IP adress of the person sending over smtp. It doesn't help to set trusted_networks in spamassassin, as the IP of the sender usually is dynamic. I haven't found a solution, so I set the score of SPF_FAIL to 0 in spamassassin. For a real solution, it would be necessary to skip SPF check for authenticated smtp delivery. In my opinion, the whole spam check can be skipped in that case, as I do not expect spam over authenticated smtp. The virus check should stay enabled, though.
    Regards, Philipp

  10. #10
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Quote Originally Posted by Offermann View Post
    I observe the same Problem: When a local mail delivery is initiated using smtp, SPF will fail because it tries to verify against the dynamic IP adress of the person sending over smtp. It doesn't help to set trusted_networks in spamassassin, as the IP of the sender usually is dynamic. I haven't found a solution, so I set the score of SPF_FAIL to 0 in spamassassin. For a real solution, it would be necessary to skip SPF check for authenticated smtp delivery. In my opinion, the whole spam check can be skipped in that case, as I do not expect spam over authenticated smtp. The virus check should stay enabled, though.
    Regards, Philipp
    So what I understand you to be saying is this (please correct me if I haven't understood your post): a remote user connect (and authenticates) to your Zimbra server, they then send an email to a local user and that email fails an SPF check because of the remote users dynamic IP address. Would that be a fair summary?

    I don't observer that problem on my own server, it has correct SPF records and remote users connect to me (from their dynamic IP address) and messages get delivered to local users with no problem from SPF checks, that's via the web client. If a user connects via port 25 and sends an email locally that also does not fail any SPF check.

    The IP that your user is connecting from should be irrelevant to SPF checks and the IP, as far as mail delivery is concerned, should be your localhost or the IP of your server not the dynamic IP of the sender.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

Similar Threads

  1. Replies: 21
    Last Post: 02-04-2010, 10:06 AM
  2. need advice on configuring zimbra to work with fax server
    By pheonix1t in forum Administrators
    Replies: 0
    Last Post: 07-11-2007, 08:46 PM
  3. Post instsallation problems
    By Assaf in forum Installation
    Replies: 14
    Last Post: 01-29-2007, 11:38 AM
  4. Services stopped working
    By lilwong in forum Administrators
    Replies: 4
    Last Post: 08-15-2006, 10:19 AM
  5. Fedora Core 3, Clean Install - Not working!
    By pcjackson in forum Installation
    Replies: 17
    Last Post: 03-05-2006, 07:38 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •