1

Topic: SPF_FAIL = 5 for e-mails from google.com, outlook.com, ...

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.2
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: CentOS 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

E-mails from google.com, outlook.com, seznam.cz got penalization SPF_FAIL=5.
When I check SPF records with https://www.kitterman.com/spf/validate.html, all is OK

(outlook.com: Email from chlup@cinex.info from IP 40.107.20.115
google.com: Email from zdenek.haf@gmail.com from IP 209.85.217.50)

Amavis log of e-mail from outlook.com:
----------------------------------------------------------------------------------------
Nov 18 08:17:42 mail8 amavis[280566]: (280566-15) Passed CLEAN {RelayedInbound}, [40.107.20.115]:38944 [40.107.20.115] ESMTP/ESMTP <SRS0=afnM=EY=cinex.info=chlup@sea.cz> -> <dohled@sea.cz>, (ESMTPS://[40.107.20.115]:38944), Queue-ID: 4CbYzl6bYFz8yXQ, Message-ID: <AM0PR09MB2226B4C566B14E8F9E7ACAD5C1E10@am0pr09mb2226.eurprd09.prod.outlook.com>, mail_id: q20QF0RWbv1r, b: HGHN4Ao4V, Hits: 3.905, size: 100198, queued_as: 4CbYzp0vlzz8yXf, Subject: "TIMOCOM-OFFER: (19.11.2020) DE, 26122 Oldenburg ---> DE, 09322 Penig", From: <chlup@cinex.info>, helo=EUR05-DB8-obe.outbound.protection.outlook.com, Tests: [BAYES_00=-1.9,DKIMWL_WL_MED=0.001,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,HEADER_FROM_DIFFERENT_DOMAINS=0.249,HTML_IMAGE_RATIO_04=0.556,HTML_MESSAGE=0.001,RCVD_IN_DNSWL_NONE=-0.0001,RCVD_IN_MSPIKE_H2=-0.001,SPF_FAIL=5,SPF_HELO_PASS=-0.001], autolearn=no autolearn_force=no, autolearnscore=5.86, dkim_i=@cinexsro2.onmicrosoft.com, dkim_sd=selector2-cinexsro2-onmicrosoft-com:cinexsro2.onmicrosoft.com, 1984 ms
Nov 18 08:17:42 mail8 amavis[280566]: (280566-15) Passed CLEAN, <SRS0=afnM=EY=cinex.info=chlup@sea.cz> -> <dohled@sea.cz>, Hits: 3.905, tag=-999, tag2=6.2, kill=6.9, queued_as: 4CbYzp0vlzz8yXf, L/Y/0/0
Nov 18 08:17:42 mail8 postfix/amavis/smtp[280552]: 4CbYzl6bYFz8yXQ: to=<dohled@sea.cz>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.4, delays=0.33/0/0/2.1, dsn=2.0.0, status=sent (250 2.0.0 fro
----------------------------------------------------------------------------------------

Begin of e-mail headers from outlook.com:
----------------------------------------------------------------------------------------
Return-Path: <SRS0=afnM=EY=cinex.info=chlup@sea.cz>
Delivered-To: dohled@sea.cz
Received: from mail8.sea.cz (localhost [127.0.0.1])
    by mail.sea.cz (Postfix) with ESMTP id 4CbYzp0vlzz8yXf
    for <dohled@sea.cz>; Wed, 18 Nov 2020 08:17:42 +0100 (CET)
X-Virus-Scanned: amavisd-new at mail8.sea.cz
X-Spam-Flag: NO
X-Spam-Score: 3.905
X-Spam-Level: ***
X-Spam-Status: No, score=3.905 tagged_above=-999 required=6.2
    tests=[BAYES_00=-1.9, DKIMWL_WL_MED=0.001, DKIM_SIGNED=0.1,
    DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249,
    HTML_IMAGE_RATIO_04=0.556, HTML_MESSAGE=0.001,
    RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_FAIL=5,
    SPF_HELO_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: mail8.sea.cz (amavisd-new); dkim=pass (1024-bit key)
    header.d=cinexsro2.onmicrosoft.com
Received: from mail.sea.cz ([127.0.0.1])
    by mail8.sea.cz (mail8.sea.cz [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id q20QF0RWbv1r for <dohled@sea.cz>;
    Wed, 18 Nov 2020 08:17:40 +0100 (CET)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2115.outbound.protection.outlook.com [40.107.20.115])
    by mail.sea.cz (Postfix) with ESMTPS id 4CbYzl6bYFz8yXQ
    for <dohled@sea.cz>; Wed, 18 Nov 2020 08:17:39 +0100 (CET)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=O+xoRki0OepvZb3SWq3cl6ufQkasOco4JZR3ixV/l1/P7TWrKZB3hQAUnw2YyRKqZKAWKULKLrrH8vTvz4rbkZnE9n64MGkW/ffHh9tm8+p9mTPrZkFVhuGxyQRSK3XksduCk+TlZ2TmDL5LX/+jW8Yw6628pSb6f9pEWXPwFDm1zQolouGRETiUNokIv9pBeDw8QptXx8ThMh4Bf8QhOimIBAd3vP3tJcqpDyR3+fiqwUaX9JIU+T0A+yhNtdJ3BtZp6ousC+0Wb23Byqlhr6ShHCifMS+HzoMDvI5HAcK82G10j4q8SlvTSxgForqG5O3mDXUH9Lvo8QYj5LYY8w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=3Xdg3FR8s8KKuHJUo/PWd/HKHQ2m0fckvRyOA+jz+ZE=;
b=TPTrL/yqoaO+L0ojVMZcL4egu9/qGIWg6a2EgfjGcCWFiEknfkCxXxTavQ+pC5tVNQLd/kWEtWWXj66eXd4BFzo1T1quyBhH4RZIqEkMYvtnxDKVD49cLN3KDgXT3EtQqL7j/RlpTFj++1DuUYX3/WwrX4N3RGeKQad3UK76EW8boS8aTKPeVaiMijZU0EwgL+y/djJkqjvvWHq1QV6HA+8vAqrIt6pxb4N5HB9k0r+1kw9RVa4239uB9NxnI99kqC9WLIwfebF8hqJDthkzQbdj68LVjsT1Jg2UXwiHCWuqqtuYSpAnpmIVzhQvENLaSrj/f9betq6gfxwqo4eQBA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=cinex.info; dmarc=pass action=none header.from=cinex.info;
dkim=pass header.d=cinex.info; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=cinexsro2.onmicrosoft.com; s=selector2-cinexsro2-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=3Xdg3FR8s8KKuHJUo/PWd/HKHQ2m0fckvRyOA+jz+ZE=;
b=fabNTmflPCw+YlzkUT14mNczYPBW48l8PBhGJT4CxhNPpFHS4Kpt6Ch4OuFtu8Mm1vBtC+vJkYCmDLeKKlv2vq/U9cBMKFlIYtSKKBG7uIaadBCyKRi+GH3RFJjr5ZV3cd05CeDUZgsG37BPjpQTX4gwP0F8QsHBPZLiNU3S5kc=
Received: from AM0PR09MB2226.eurprd09.prod.outlook.com (2603:10a6:208:e1::14)
by AM0PR09MB2929.eurprd09.prod.outlook.com (2603:10a6:208:127::26) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3564.28; Wed, 18 Nov
2020 07:17:38 +0000
Received: from AM0PR09MB2226.eurprd09.prod.outlook.com
([fe80::654a:89dd:3a56:a802]) by AM0PR09MB2226.eurprd09.prod.outlook.com
([fe80::654a:89dd:3a56:a802%5]) with mapi id 15.20.3564.028; Wed, 18 Nov 2020
07:17:38 +0000
From: =?iso-8859-2?Q?Zden=ECk_Chlup?= <chlup@cinex.info>
----------------------------------------------------------------------------------------

Begin of e-mail headers from google.com
----------------------------------------------------------------------------------------
Return-Path: <SRS0=tF/E=EX=gmail.com=zdenek.haf@sea.cz>
Delivered-To: havranek@sea.cz
Received: from mail8.sea.cz (localhost [127.0.0.1])
    by mail.sea.cz (Postfix) with ESMTP id 4CbD0532LVz8yXZ
    for <havranek@sea.cz>; Tue, 17 Nov 2020 18:46:45 +0100 (CET)
X-Virus-Scanned: amavisd-new at mail8.sea.cz
X-Spam-Flag: NO
X-Spam-Score: 5.952
X-Spam-Level: *****
X-Spam-Status: No, score=5.952 tagged_above=-999 required=6.2
    tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    DKIM_VALID_AU=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001,
    FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249,
    HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
    RCVD_IN_MSPIKE_H2=-0.001, SPF_FAIL=5, TVD_SPACE_RATIO=0.001]
    autolearn=no autolearn_force=no
Authentication-Results: mail8.sea.cz (amavisd-new); dkim=pass (2048-bit key)
    header.d=gmail.com
Received: from mail.sea.cz ([127.0.0.1])
    by mail8.sea.cz (mail8.sea.cz [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id HJDBmcTTH861 for <havranek@sea.cz>;
    Tue, 17 Nov 2020 18:46:44 +0100 (CET)
Received: from mail-vs1-f50.google.com (mail-vs1-f50.google.com [209.85.217.50])
    by mail.sea.cz (Postfix) with ESMTPS id 4CbD036rJdz6L7w
    for <havranek@sea.cz>; Tue, 17 Nov 2020 18:46:43 +0100 (CET)
Received: by mail-vs1-f50.google.com with SMTP id f7so11536402vsh.10
        for <havranek@sea.cz>; Tue, 17 Nov 2020 09:46:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:from:date:message-id:subject:to;
        bh=07YPV+ctRw47KSutYxl2Twfr0WVfvCy7n9GR4TVJ36M=;
        b=T7S8I053OhJihd8AjQof795PzZW41Pf8vVYwGkIIPH4+nKTiCpXMJe5vYdz/ffAAyV
         FiX30trViSQ4eXyFkmOi2WYzGmg4eBLeeFDrzV2mk2D1FXH2XiRWSvgyBUtbl2wrikhR
         UE+iqEfr7Y7vpHhY+445SMlnjnYVubWvbPOnYbXJ9lWQ2ae+vguVrPTfCTKr4xP3RR/R
         n6fIB1Zso0IhLXoADB1x1eicajVg6/AJX/dytfg+O5y/EY68jNh4mPspCyxDIRbrXjmy
         z+cQkN6vsYTCB/S/7AGvxNHQDkT3zMmIJZw0CfdJ4UycMXmdOBmY1k5ZaehSwYbwA1YG
         daJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=07YPV+ctRw47KSutYxl2Twfr0WVfvCy7n9GR4TVJ36M=;
        b=LEG5/j+mIEaXVQ8BgOZkemPox1ygf6uNOWfoKNMlCoX0TfGIxgtlUgZfcSh5fPuDsW
         zycX0I/pobxOVc0a/4jWfpwpqTVIiwhhb4EvmYj3jC+W925CB23k2H9WOywJaT3kTX4Z
         fEjlmpDylF9M9i/X7nrOP7FNPkXCMPoskE7C0Mp4xE0lXZNTDyQLvJuUYPGaws2aOk9Z
         zoheTpex5nUFmLZGD+AyLIfuOdaglemihGEduEj7vm5y04G4OofgD/LEOQLyO8LNsjKZ
         CvDCxD+bJu1cQjaz3gCRYh7ofx+a+D8hzikGXYDSq5920mjX81JuehrY9xUU/j7lULhF
         00iQ==
X-Gm-Message-State: AOAM532BWi1UqxlUgxb13Yf+989gB/1HHU7yccqRsNffc9KmGDTsNLgn
    uinNMMTeG2vDYIRcydHClBVVsdJnXyp+Bx+nWuR7SscRvMA=
X-Google-Smtp-Source: ABdhPJzc29bD37p5SS/mNyD85/DCvDUil0Y2ZY2pNTSTEbPZSgQML3BjoZENYVGkGcnOVVTOB3SAWnOUmj12KIvBOEY=
X-Received: by 2002:a67:6996:: with SMTP id e144mr549935vsc.23.1605635195663;
Tue, 17 Nov 2020 09:46:35 -0800 (PST)
MIME-Version: 1.0
From: Zdenek Havranek <zdenek.haf@gmail.com>
Date: Tue, 17 Nov 2020 18:46:25 +0100
Message-ID: <CAD7jfktQjZ_JsoW+NV06HyWPEucN9_uqw7zX_Hedxkv-HO6KBA@mail.gmail.com>
----------------------------------------------------------------------------------------

2

Re: SPF_FAIL = 5 for e-mails from google.com, outlook.com, ...

The problem is caused by the implementation of the SRS. Amavisd not only logs overwritten addresses, but also uses them for the SRS test. When I turn off SRS in postfix, amavisd starts behaving normally. Here is info from /var/log/maillog:

messge with SRS

... amavis[294381]: (294381-04) Passed CLEAN {RelayedInbound}, [77.75.76.89]:24617 [46.29.224.184] ESMTP/ESMTP <SRS0=cbOk=EY=email.cz=havranek@sea.cz> -> <havranek@sea.cz>, ... Tests: [...,SPF_FAIL=5], ...

messge without SRS

... [294226]: (294226-06) Passed CLEAN {RelayedInbound}, [77.75.76.89]:47257 [46.29.224.184] ESMTP/ESMTP <havranek@email.cz> -> <havranek@sea.cz>, ... Tests: [...,SPF_PASS=-0.001], ...

3

Re: SPF_FAIL = 5 for e-mails from google.com, outlook.com, ...

hmm, then you have to disable SRS.

----

Buy me a cup of coffee ($5) to support iRedMail:

buy me a cup of coffee

4

Re: SPF_FAIL = 5 for e-mails from google.com, outlook.com, ...

SRS deserves a better and smoother implementation only in outgoing mail. For example, let the main instance of postfix do all the current work (without SRS) and use another instance of postfix to send messages "to the world" that would do SRS and send the message. Either using the postfix parameter 'relayhost' in main.cf or using 'mtaTransport'. Maybe a single instance of postfix on another port can handle this with the appropriate parameters specified in master.cf.