1 Topic by rob.ired

  • rob.ired
  • Member
  • Offline
  • Registered: 2017-05-09
  • Posts: 36

Topic: Unable to whitelist using spf_to_greylist_whitelists.py

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.1 MARIADB edition.
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: CentOS Linux release 7.9.2009 (Core)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro?  N
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I had iRedAPD 3.5 and have upgraded to iRedAPD 5.0.3 before repeating tests (same result) and logging ticket.

I am attempting to add a domain to the greylist whitelist using spf_to_greylist_whitelists.py
It reports "* No IP address/network found. Exit."
But there is a valid SPF v1 record.

Test validation here: 

https://www.kitterman.com/spf/validate.html

and here: 

https://mxtoolbox.com/spf.aspx

Investigation is as follows:

This info from my maillog

Domain: virginmoneysuper.superfacts.com
ehlo: mx55.marsh.com
src IP: 168.168.42.35

Run this command:

/opt/iredapd/tools/spf_to_greylist_whitelists.py --debug --submit virginmoneysuper.superfacts.com
* 1 mail domains in total.
    + [virginmoneysuper.superfacts.com]
        + SPF -> v=spf1 include:VirginMoneySuper.superfacts.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all
        + Result: set()
* No IP address/network found. Exit.

The include that DOES match an IP4: is the second one, that has the %{} macros.
To prove this, substitute the %{d}omain, %{h}elo, %{i}p and run dig for the TXT record as follows:

dig +short VirginMoneySuper.superfacts.com._nspf.vali.email txt
"v=spf1 -all"
dig +short 168.168.42.35._ip.mx55.marsh.com._ehlo.virginmoneysuper.superfacts.com._spf.vali.email txt
"v=spf1 ip4:168.168.42.0/24 -all"

This means that the spf_to_greylist_whitelists.py CANNOT update the whitelist because it only has the DOMAIN, and not the IP or the HELO.

I see that the person that created that SPF record has overly complicated the implementation, but clearly it exists and follows the RFC.

The question is:
Is there a way to know the HELO and IP for a DOMAIN after the actual SMTP session is closed and gone.
Yes, it will be in the maillog, but that doesn't help when you run spf_to_greylist_whitelists.py with no parameters and update the existing whitelist.
Or, is it saved (or could it be saved) in the database as a list of recent valid connections?

Clearly one option is - you can't whitelist these macro SPF records, and we just ignore it.

Your thoughts.

Thanks, Rob

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,770

Re: Unable to whitelist using spf_to_greylist_whitelists.py

iRedAPD doesn't support the %{} macros yet, and unfortunately, we have no plan to support it shortly.

rob.ired wrote:

Or, is it saved (or could it be saved) in the database as a list of recent valid connections?

Check SQL table "iredapd.smtp_sessions".