How does exim handle DNSSEC when traversing SPF? Does it simply trust the ad flag from the local stub resolver, or does exim walk DNSSEC itself?
Thinking if my stub resolver and upstream resolver obviously validate DNSSEC properly, while exim itself might have some invalid trust anchor or similar loaded?

-----Original message-----
From: Jeremy Harris via Exim-users <[email protected]>
Sent: 8 May 2020 01:16
To: [email protected]
Subject: Re: [exim] Weird SPF rejection - what can be the cause of it? (built-in SPF handler in exim)

On 07/05/2020 23:34, Sebastian Nielsen via Exim-users wrote:
> I got the following weird SPF rejection in my logs (I'm using the built-in
> SPF handler in exim):
>
> 2020-05-07 11:14:35 H=mxcluster2.lansforsakringar.se [194.16.160.133]
> X=TLS1.2:ECDHE_SECP521R1__RSA_SHA512__AES_256_GCM:256 CV=no rejected MAIL
> <[email protected]>: SPF check failed: sebbe.eu: domain of
> lansforsakringar.se does not designate 194.16.160.133 as permitted sender

Running a query for that under the testsuite, and with debug, it seems to pass:

╭considering: ${lookup {[email protected]} spf {194.16.160.133}}
 ╭considering: [email protected]} spf {194.16.160.133}}
 ├──expanding: [email protected]
 ╰─────result: [email protected]
 ╭considering: 194.16.160.133}}
 ├──expanding: 194.16.160.133
 ╰─────result: 194.16.160.133
search_open: spf "194.16.160.133"
spf_compile.c:523 Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}
spf_compile.c:1210 Debug: Compiling record v=spf1
search_find: file="194.16.160.133" key="[email protected]" partial=-1 affix=NULL starflags=0 opts=NULL
LRU list:
internal_search_find: file="194.16.160.133" type=spf key="[email protected]" opts=NULL
file lookup required for [email protected] in 194.16.160.133
spf_dns.c:52 Debug: DNS[cache] lookup: lansforsakringar.se SPF (99)
spf_dns.c:52 Debug: DNS[exim] lookup: lansforsakringar.se SPF (99)
spf_dns.c:66 Debug: DNS[exim] found record
spf_dns.c:67 Debug: DOMAIN: lansforsakringar.se TYPE: SPF (99)
spf_dns.c:70 Debug: TTL: 0 RR found: 0 herrno: 4 source: exim
spf_dns.c:66 Debug: DNS[cache] found record
spf_dns.c:67 Debug: DOMAIN: lansforsakringar.se TYPE: SPF (99)
spf_dns.c:70 Debug: TTL: 0 RR found: 0 herrno: 4 source: exim
spf_server.c:370 Debug: get_record(lansforsakringar.se): NO_DATA
spf_dns.c:52 Debug: DNS[cache] lookup: lansforsakringar.se TXT (16)
spf_dns.c:52 Debug: DNS[exim] lookup: lansforsakringar.se TXT (16)
DNS lookup of lansforsakringar.se (TXT) using fakens
fresh-exec forking for fakens-search
postfork: fakens-search
fresh-exec forked for fakens-search: 176697
fakens returned PASS_ON
passing lansforsakringar.se on to res_search()
DNS lookup of lansforsakringar.se (TXT) succeeded
spf_dns.c:66 Debug: DNS[exim] found record
spf_dns.c:67 Debug: DOMAIN: lansforsakringar.se TYPE: TXT (16)
spf_dns.c:70 Debug: TTL: 3377 RR found: 1 herrno: 0 source: exim
spf_dns.c:94 Debug: - TXT: v=spf1 mx -all
spf_dns.c:66 Debug: DNS[cache] found record
spf_dns.c:67 Debug: DOMAIN: lansforsakringar.se TYPE: TXT (16)
spf_dns.c:70 Debug: TTL: 3377 RR found: 1 herrno: 0 source: exim
spf_dns.c:94 Debug: - TXT: v=spf1 mx -all
spf_server.c:412 Debug: get_record(lansforsakringar.se): NETDB_SUCCESS
spf_server.c:457 Debug: found SPF record: v=spf1 mx -all
spf_compile.c:1210 Debug: Compiling record v=spf1 mx -all
spf_compile.c:1314 Debug: Name starts at mx -all
spf_compile.c:1407 Debug: Adding mechanism type 2
spf_compile.c:846 Debug: SPF_c_mech_add: type=2, value= -all
spf_compile.c:1314 Debug: Name starts at all
spf_compile.c:1407 Debug: Adding mechanism type 8
spf_compile.c:846 Debug: SPF_c_mech_add: type=8, value=
spf_dns.c:52 Debug: DNS[cache] lookup: lansforsakringar.se MX (15)
spf_dns.c:52 Debug: DNS[exim] lookup: lansforsakringar.se MX (15)
DNS lookup of lansforsakringar.se (MX) using fakens
fresh-exec forking for fakens-search
postfork: fakens-search
fresh-exec forked for fakens-search: 176698
fakens returned PASS_ON
passing lansforsakringar.se on to res_search()
DNS lookup of lansforsakringar.se (MX) succeeded
spf_dns.c:66 Debug: DNS[exim] found record
spf_dns.c:67 Debug: DOMAIN: lansforsakringar.se TYPE: MX (15)
spf_dns.c:70 Debug: TTL: 3377 RR found: 4 herrno: 0 source: exim
spf_dns.c:90 Debug: - MX: mxcluster2.lansforsakringar.se
spf_dns.c:90 Debug: - MX: mxcluster1.lansforsakringar.se
spf_dns.c:90 Debug: - MX: mxcluster4.lansforsakringar.se
spf_dns.c:90 Debug: - MX: mxcluster3.lansforsakringar.se
spf_dns.c:66 Debug: DNS[cache] found record
spf_dns.c:67 Debug: DOMAIN: lansforsakringar.se TYPE: MX (15)
spf_dns.c:70 Debug: TTL: 3377 RR found: 4 herrno: 0 source: exim
spf_dns.c:90 Debug: - MX: mxcluster2.lansforsakringar.se
spf_dns.c:90 Debug: - MX: mxcluster1.lansforsakringar.se
spf_dns.c:90 Debug: - MX: mxcluster4.lansforsakringar.se
spf_dns.c:90 Debug: - MX: mxcluster3.lansforsakringar.se
spf_interpret.c:823 Debug: found 4 MX records for lansforsakringar.se (herrno: 0)
spf_dns.c:52 Debug: DNS[cache] lookup: mxcluster2.lansforsakringar.se A (1)
spf_dns.c:52 Debug: DNS[exim] lookup: mxcluster2.lansforsakringar.se A (1)
DNS lookup of mxcluster2.lansforsakringar.se (A) using fakens
fresh-exec forking for fakens-search
postfork: fakens-search
fresh-exec forked for fakens-search: 176699
fakens returned PASS_ON
passing mxcluster2.lansforsakringar.se on to res_search()
DNS lookup of mxcluster2.lansforsakringar.se (A) succeeded
spf_dns.c:66 Debug: DNS[exim] found record
spf_dns.c:67 Debug: DOMAIN: mxcluster2.lansforsakringar.se TYPE: A (1)
spf_dns.c:70 Debug: TTL: 3378 RR found: 1 herrno: 0 source: exim
spf_dns.c:80 Debug: - A: 194.16.160.133
spf_dns.c:66 Debug: DNS[cache] found record
spf_dns.c:67 Debug: DOMAIN: mxcluster2.lansforsakringar.se TYPE: A (1)
spf_dns.c:70 Debug: TTL: 3378 RR found: 1 herrno: 0 source: exim
spf_dns.c:80 Debug: - A: 194.16.160.133
spf_interpret.c:854 Debug: 0: found 1 A records for mxcluster2.lansforsakringar.se (herrno: 0)
spf_interpret.c:489 Debug: ip_match: 194.16.160.133 == 194.16.160.133 (/32 255.255.255.255): 1 (no errors)
lookup yielded: pass
 ├──expanding: ${lookup {[email protected]} spf {194.16.160.133}}
 ╰─────result: pass
pass

How does the equivalent debug look on your system? If it is materially different, how?

$ exim -d-all+expand+lookup+dns -be '${lookup {[email protected]} spf {194.16.160.133}}'

-- 
Cheers,
  Jeremy

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
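As an added illustration (not exim's or libspf2's code), the following walks the same "v=spf1 mx -all" evaluation the debug trace above shows, against a DNS table constructed from the records in that trace. It also shows how a lookup that fails yields "temperror", which is a different outcome from the "fail" that "-all" produces for a non-matching sender; only the Python standard library is used.

```python
import ipaddress

# DNS table constructed from the records in the debug trace. A missing key
# models NO_DATA; None models a failed lookup (libspf2 reports herrno != 0).
# Only mxcluster2's A record appears in the trace, so only it is listed.
DNS = {
    ("lansforsakringar.se", "TXT"): ["v=spf1 mx -all"],
    ("lansforsakringar.se", "MX"): ["mxcluster%d.lansforsakringar.se" % n
                                     for n in (2, 1, 4, 3)],
    ("mxcluster2.lansforsakringar.se", "A"): ["194.16.160.133"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

class TempError(Exception):
    """A DNS lookup failed: the SPF result must be temperror, not fail."""

def lookup(name, rrtype, table):
    """Return the RRset for (name, rrtype): [] on NO_DATA, raise on failure."""
    recs = table.get((name, rrtype), [])
    if recs is None:
        raise TempError(f"DNS lookup of {name} ({rrtype}) failed")
    return recs

def check_host(ip, domain, table):
    """Evaluate domain's SPF record for ip (mechanisms modelled: a, mx, all)."""
    try:
        addr = ipaddress.ip_address(ip)
        txt = [r for r in lookup(domain, "TXT", table) if r.startswith("v=spf1 ")]
        if not txt:
            return "none"
        for term in txt[0].split()[1:]:
            qual = "+"
            if term[0] in QUALIFIERS:          # "-all" -> qualifier "-", mech "all"
                qual, term = term[0], term[1:]
            mech, _, arg = term.lower().partition(":")
            if mech == "all":
                matched = True
            elif mech in ("a", "mx"):
                # "mx" resolves the target's MX hosts, then each host's A records,
                # and compares them against the sender IP (/32 match in the trace).
                target = arg or domain
                hosts = lookup(target, "MX", table) if mech == "mx" else [target]
                matched = any(addr == ipaddress.ip_address(a)
                              for h in hosts for a in lookup(h, "A", table))
            else:
                return "permerror"      # include/redirect/ip4 etc. not modelled
            if matched:
                return QUALIFIERS[qual]
        return "neutral"
    except TempError:
        return "temperror"
```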
