ZCS ignoring SPF records

Labsy
Outstanding Member
Posts: 346
Joined: Sat Sep 13, 2014 12:52 am

Postby Labsy » Thu Jul 07, 2016 4:52 pm

Hi,

in the past few days some of the Zimbra users (different domains) have received a lot of ransomware attachments, sent TO and FROM their own domain. Of course, all of those should be blocked by SPF, which I have set with -all hard fail.
But somehow Zimbra simply does not look at SPF, and the SPF result is not in any of those mail headers:

Return-Path: info@domain.com
Received: from my.zimbraserver.com (LHLO my.zimbraserver.com)
 (11.22.33.44) by my.zimbraserver.com with LMTP; Thu, 7 Jul 2016
 14:29:28 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
   by my.zimbraserver.com (Postfix) with ESMTP id A687320C001;
   Thu,  7 Jul 2016 14:29:28 +0200 (CEST)
X-Virus-Scanned: amavisd-new at my.zimbraserver.com
X-Spam-Flag: NO
X-Spam-Score: 5.081
X-Spam-Level: *****
X-Spam-Status: No, score=5.081 tagged_above=-10 required=6.6
   tests=[BAYES_05=-0.5, RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_PBL=3.335,
   RDNS_NONE=0.793, SPF_FAIL=0.001, TO_EQ_FM_DOM_SPF_FAIL=0.001,
   TO_EQ_FM_SPF_FAIL=0.001, TVD_SPACE_RATIO=0.001]
   autolearn=no autolearn_force=no
Received: from my.zimbraserver.com ([127.0.0.1])
   by localhost (my.zimbraserver.com [127.0.0.1]) (amavisd-new, port 10024)
   with ESMTP id BN9_mawt4ox3; Thu,  7 Jul 2016 14:29:28 +0200 (CEST)
Received: from [106.77.161.170] (unknown [106.77.161.170])
   by my.zimbraserver.com (Postfix) with ESMTP id 17C4123C2014
   for <info@domain.com>; Thu,  7 Jul 2016 14:26:32 +0200 (CEST)
Content-Type: multipart/mixed; boundary=Apple-Mail-43B20AD9-045D-A92F-0411-5393CBE19E22
Content-Transfer-Encoding: 7bit
From: <info@domain.com>
Mime-Version: 1.0 (1.0)
Date: Thu, 07 Jul 2016 17:56:07 +0530
Subject: B80C3C088B
Message-Id: <4AAB739F-9BD8-579C-1200-208D3024A68E@domain.com>
To: <info@domain.com>
X-Mailer: iPhone Mail (13F69)


Any idea where the SPF check went?
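
Added example, not part of the original posts: a small Python parser for the X-Spam-Status header quoted above, listing which SPF rules SpamAssassin hit and how much they contributed to the score. The sample header is copied from the post; the function names are hypothetical.

```python
import re

# Sample input: the X-Spam-Status header quoted in the post above.
SAMPLE = (
    "X-Spam-Status: No, score=5.081 tagged_above=-10 required=6.6\n"
    "   tests=[BAYES_05=-0.5, RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_PBL=3.335,\n"
    "   RDNS_NONE=0.793, SPF_FAIL=0.001, TO_EQ_FM_DOM_SPF_FAIL=0.001,\n"
    "   TO_EQ_FM_SPF_FAIL=0.001, TVD_SPACE_RATIO=0.001]\n"
    "   autolearn=no autolearn_force=no\n"
)

def parse_spam_status(header):
    """Return (score, required, {rule: points}) from an X-Spam-Status header."""
    flat = re.sub(r"\r?\n[ \t]+", " ", header)  # unfold continuation lines
    score = re.search(r"\bscore=(-?[\d.]+)", flat)
    required = re.search(r"\brequired=(-?[\d.]+)", flat)
    tests = re.search(r"tests=\[([^\]]*)\]", flat)
    if not (score and required and tests):
        raise ValueError("not a recognisable X-Spam-Status header")
    hits = {}
    for item in tests.group(1).split(","):
        name, sep, value = item.strip().partition("=")
        if sep:  # skip empty or malformed entries
            hits[name] = float(value)
    return float(score.group(1)), float(required.group(1)), hits

def spf_report(header):
    """Summarise the SPF rule hits and their weight against the spam threshold."""
    score, required, hits = parse_spam_status(header)
    spf = {name: pts for name, pts in hits.items() if "SPF" in name}
    return {
        "spf_rules": spf,
        "spf_evaluated": bool(spf),          # any SPF rule fired at all
        "spf_points": round(sum(spf.values()), 3),
        "score": score,
        "required": required,
        "flagged": score >= required,        # threshold comparison as in the header
        "shortfall": round(required - score, 3),
    }

if __name__ == "__main__":
    for key, value in spf_report(SAMPLE).items():
        print(f"{key}: {value}")
```

On the quoted header this reports three SPF rule hits worth 0.003 points in total, against a score of 5.081 and a required threshold of 6.6.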


gizlonk
Posts: 1
Joined: Mon Jul 25, 2016 7:41 am

Re: ZCS ignoring SPF records

Postby gizlonk » Mon Jul 25, 2016 7:44 am

I too am experiencing this issue. Can anybody help?
DualBoot
Outstanding Member
Posts: 741
Joined: Mon Apr 18, 2016 8:18 pm
Location: Earth
ZCS/ZD Version: ZCS FLOSS - 8.7.11 Multi servers

Re: ZCS ignoring SPF records

Postby DualBoot » Tue Jul 26, 2016 12:44 pm

As far as I know, you must activate cbpolicyd on your Zimbra MTA to check SPF. If cbpolicyd is not enabled or not fully functional, by default the system bypasses cbpolicyd.
You can check this in the logs: /opt/zimbra/cbpolicyd.log and /var/log/zimbra.log (grep 10031).
The Guy - DualBoot

PostMaster - WikiMaster - SysAdmin
"Free Your Mind. Think Open Source"
april.org
Zetalliance Member - zetalliance.org
quanah
Zimbra Alumni
Posts: 1655
Joined: Fri Sep 12, 2014 10:33 pm

Re: ZCS ignoring SPF records

Postby quanah » Mon Aug 01, 2016 10:31 pm

It's generally a bad idea to just rely on SPF, or to implement SPF blocking. What you want is to do SPF+DKIM signing. If you do that, then Zimbra will correctly score and trash email that was not sent by your domain.

See https://wiki.zimbra.com/wiki/Configuring_for_DKIM_Signing and https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC
--
Quanah Gibson-Mount https://github.com/quanah/
Systems Architect, Synacor http://wwwsynacor.com/
A Zetalliance Founder http://www.zetalliance.org/
OpenLDAP Core team http://www.openldap.org/project/
Mirco Ellis
Posts: 8
Joined: Wed Nov 04, 2015 11:49 am

Re: ZCS ignoring SPF records

Postby Mirco Ellis » Sun Oct 02, 2016 7:20 pm

Hi Labsy,

Have you been able to figure this one out? I am using Zimbra 8.6 and followed a combination of forums to try and get SPF checking going.

https://wiki.zimbra.com/wiki/Cluebringe ... _cbpolicyd

https://imanudin.net/2016/03/11/zimbra- ... connection

Although cbpolicyd is enabled and running, I can see no reference to SPF checking in zimbra.log. However, SPF checking is enabled in cbpolicyd.conf. The documentation that I have read through is either missing something or I am missing something.

If anybody can assist, that would be great.
