Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Wolfgang
Leader
Leader

SPF with MTA

Dear CheckMates,

has anyone running SPF with MTA following MTA support for Sender Policy Framework (SPF)  ?

After enabling, all messages from senders with configured SPF are bounced. Only messages without or with "allow all" or "neutral" SPF record are passing through MTA.

Looks like something replaces the senders IP with 127.0.0.1 and these is checked against SPF, which failed.

 

### log from Dasboard:
Interface Direction: inbound
Interface Name: MTA
Sequencenum: 83
Source: 127.0.0.1                      << should be the sending mailserver
Destination: 192.168.XXXXX    << internal IP of the gateway running MTA
Destination Port: 25
IP Protocol: 6
Email Spam Category: Spam
Email Control: SPF
Email Control Analysis: SPF failure
Email Session ID: 5ECBADD7-0-FBE99C50-4B48
Email ID: 1
Sender: XXX@XXXX.de
Email Recipients Number:0
Action: Reject
Type: Log
Policy Name: Standard
Db Tag: {F7B72303-65BF-914E-ABED-46EC62E402D3}
Blade: Anti-Spam and Email Security
Service: TCP/25
Product Family: Network
Marker: @A@@B@1590357600@C@5864361
Log Server Origin: 192.168.XXXXXOrig Log Server Ip: 192.168.XXXXX
Interface: MTA
Description: Spam Rejected

 

Any help appreciated,

Wolfgang

0 Kudos
6 Replies
PhoneBoy
Admin
Admin

Guessing a TAC case might be in order.
0 Kudos
liorj
Employee
Employee

Hi, 

several questions:

a. which MTA take/update are you using and which blades are currently enabled.

b. could you copy paste here the spf configuration you used in $FWDIR/conf/mail_security_config file.

c. The scenario where emails are being bounced because of SPF check failure shouldn't happen - instead those emails should be dropped. Neither the 'source' field in the log should be 127.0.0.1 as you said. Could you follow sk139892 and enable the debugs with debug toppic 'ALL'. Then send one email for example to replicate the issue and send over the mta debugs(located under $FWDIR/log/mtad.elg*) and files named maillog under '/var/log'. 

I'll go over the debugs and try to find out what is the reason for the issue you are experiencing.

d. in addition, if you have a"special "environment or any additional information you can add about your environment(changes you did maybe lately) it would be good to know.   

0 Kudos
Wolfgang
Leader
Leader

@liorj ,

the answers:

a. which MTA take/update are you using and which blades are currently enabled.

MTA Version => 8030.991002055

blades => ASPAM, AntiBot, URLF, APPLC, AntiVirus, IPS, Firewall, VPN, MOB, HTTPS inspection (no ThreatPrevention, no ThreatEmulation)

b. could you copy paste here the spf configuration you used in $FWDIR/conf/mail_security_config file.

[spf]
enforce=1
action_spam=reject
action_suspected_spam=monitor-only
track_non_spam=log
track_spam=log
track_suspected_spam=log

c. The scenario where emails are being bounced because of SPF check failure shouldn't happen - instead those emails should be dropped. Neither the 'source' field in the log should be 127.0.0.1 as you said. Could you follow sk139892 and enable the debugs with debug toppic 'ALL'. Then send one email for example to replicate the issue and send over the mta debugs(located under $FWDIR/log/mtad.elg*) and files named maillog under '/var/log'. 

We had TAC involved and case is open. These debugs are done, I'll PM you the SR number.

d. in addition, if you have a"special "environment or any additional information you can add about your environment(changes you did maybe lately) it would be good to know.   

no special configuration there

 

Wolfgang

0 Kudos
Benedikt_Weissl
Advisor

We have the same issue, did you ever find a solution?

Regards

0 Kudos
Wolfgang
Leader
Leader

Hello @Benedikt_Weissl ,

the problem still exists. SPF-checking does not really work on the gateway. TAC case is open since some month, they found the problem and they're able to replicate. But the solution needs a lot of new coding. 

We tried the same with R81but same problem. If you want I can provide the case number.

Wolfgang

0 Kudos
Benedikt_Weissl
Advisor

Thanks for the update, I've also raised a ticket.

Lets hope for the best.

Regards,

0 Kudos