Menu

#106 postfix script doesn't recognize SPF fail - not authorized

v7.5.6
closed
nobody
postfix (3) services (1)
5
2023-07-22
2022-03-20
Antonio Querubin
No

The postfix script doesn't recognize "SPF fail - not authorized" messages:

Unmatched Entries
1 Mar 19 23:45:02 slimemold policyd-spf[27938]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=aqainservidormail4223@gmx.net;ip=190.247.254.147;r=<unknown>
1 Mar 19 20:07:17 slimemold policyd-spf[27245]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=aqainservidormail1609@gmx.net;ip=190.247.254.147;r=<unknown>
1 Mar 19 15:20:58 slimemold policyd-spf[26033]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=talkdatacenter4081@gmx.net;ip=190.247.254.147;r=<unknown>
1 Mar 19 09:07:09 slimemold policyd-spf[24135]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=aqainservidormail9077@gmx.net;ip=190.247.254.147;r=<unknown>
1 Mar 19 13:36:26 slimemold policyd-spf[25529]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=fevindatacenter1004@gmx.net;ip=190.247.254.147;r=<unknown>
1 Mar 19 09:06:58 slimemold policyd-spf[24135]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=aqainservidormail1263@gmx.net;ip=190.247.254.147;r=<unknown>
1 Mar 19 01:49:53 slimemold policyd-spf[20547]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=aqainservidormail9740@gmx.net;ip=190.247.254.147;r=<unknown></unknown></unknown></unknown></unknown></unknown></unknown></unknown>

---------------------- Postfix End -------------------------

Discussion

  • Bjorn

    Bjorn - 2023-05-21

    This does not appear to be a Logwatch issue. Rather, it is signalling a configuration error that needs to be fixed in the email server. My concern about processing it in Logwatch is that it would essentially bury this error.

     

    • Antonio Querubin

      Antonio Querubin - 2023-05-28

      On Sun, 21 May 2023, Bjorn wrote:

      This does not appear to be a Logwatch issue. Rather, it is signalling a
      configuration error that needs to be fixed in the email server. My
      concern about processing it in Logwatch is that it would essentially
      bury this error.

      'not authorized' means retrieved SPF records for the sender's domain
      indicate the mail should be rejected. If SPF record retrieval is failing,
      that's a different type of error message altogether.

      If SPF indicates reject but the mail really is legitimate, whose
      responsibility is it to fix? The receiving mail server's operator has no
      control over the sender's SPF DNS records. That corrective feedback to
      the sender's mail server (and possibly DNS) operator is best handled by
      DMARC reporting.

      Suppose the mail isn't legitimate, eg. a massive SPAMbot DDOS? Then SPF
      rejection is doing it's job but why would you want to explicitly list each
      reject instance in a logwatch report? Better to capture that as a
      statistic in logwatch.

      Antonio Querubin
      e-mail: tony@lavanauts.org

       

  • Antonio Querubin

    Antonio Querubin - 2023-05-28

    'not authorized' means retrieved SPF records for the sender's domain indicate the mail should be rejected. If SPF record retrieval is failing, that's a different type of error message altogether.

    If SPF indicates reject but the mail really is legitimate, whose responsibility is it to fix? The receiving mail server's operator has no control over the sender's SPF DNS records. That corrective feedback to the sender's mail server (and possibly DNS) operator is best handled by DMARC reporting.

    Suppose the mail isn't legitimate, eg. a massive SPAMbot DDOS? Then SPF rejection is doing it's job but why would you want to explicitly list each reject instance in a logwatch report? Better to capture that as a statistic in logwatch.

     

  • Bjorn

    Bjorn - 2023-05-28

    Got it - I thought those error messages were as an originating email sender, not as a receiving email server.

    The postfix script does process some SPF log statements, but apparently not the ones you posted. Looking through the postfix script code, it appears to not expect the "5.7.23" enhance code. Is that a customization?

    I don't use Postfix, so don't know what the standard behavior is, nor can I test it. But it seems that the attached patch might fix it. But let us know how the "5.7.23" got added,. and if the patch worked.

     
    postfix.patch

  • Bjorn

    Bjorn - 2023-07-22
    • status: open --> closed
     

  • Bjorn

    Bjorn - 2023-07-22

    Patch incorporated in 7.9, allowing enhanced codes for those log statements.

     

Log in to post a comment.