1 (edited by Stubby066 2022-09-18 09:12:56)

Topic: SPF rate limiting

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.1
- Deployed with iRedMail Easy or the downloadable installer? Downloadable
- Linux/BSD distribution name and version: Ubuntu FOCAL 20.04.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MYSQL
- Web server (Apache or Nginx): APACHE
- Manage mail accounts with iRedAdmin-Pro? NO
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I received the below message in my postmaster account.  I'm curious where this is controlled in iRedMail.  I added a SPF policy to postfix (https://help.ubuntu.com/community/Postfix/SPF), but it might also be amavis.

Hello,
We are a group of security researchers at Virginia Tech. We are conducting a research study on how the SMTP servers out in the wild verify the SPF records and while doing so, we have found a security vulnerability at your end that may allow an attacker to launch a denial-of-service attack using SPF referrals.

An attacker may use an infinite number of SPF referrals in his/her SPF setting and can send an email to your mail server which would make your SMTP server make a lot of DNS queries. By exploiting this vulnerability, an attacker can block your SMTP queue, flood the associated recursive resolver, or any DNS authoritative server.

According to RFC recommendations (https://datatracker.ietf.org/doc/html/rfc7208#section-4.6), a few DNS lookup limits exist that an SMTP server needs to maintain while resolving an SPF record. That is, SPF implementations MUST limit the total number of query-causing terms to 10 and the number of void lookups to 2 to avoid unreasonable load on the DNS.

According to our study, your mail server software violates at least one of these limits, which may pave the way for an attacker to misuse your server and launch a DoS attack that might affect DNS and SMTP services.

Hence, we are sending this email as part of a private disclosure. Please patch your mail server software and the associated SPF milter and update it to the latest version, if possible. If any customization to query limits has been made by an administrator manually, please check it and rectify it as soon as possible.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: SPF rate limiting

This is fixed in latest iRedAPD release, it limits the max DNS queries for SPF.