• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Forwarded to devs [PES extension] SPF always passes on incoming email when local SPF rule is set

K

Kaspar

API expert
Plesk Guru
User name: Rasp

TITLE

[PES extension] SPF always passes on incoming email when local SPF rule is set

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

CentOS 7.8.2003, Version 17.8.11 Update #85, Plesk Email Security Extension version 1.0.5-184 (free version)

PROBLEM DESCRIPTION

When the PES Extension is installed when a local SPF rule is set in Plesk all incoming email messages seem to pass the SPF check. Even when messages are send from an unauthorized server/domain with a strict SPF rule.

When looking at the headers of received email message there is always the line:

Code: 
Received-SPF: pass (example.hostname.com: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=my-gmail-account@gmail.com; helo=localhost;

All headers from a received message send from a gmail account.

Code: 
Return-Path: <my-gmail-account@gmail.com>
X-Original-To: test@example.com
Delivered-To: test@example.com
Received: from localhost (unknown [127.0.0.1])
    by example.hostname.com (Postfix) with ESMTP id 951E1852AB1
    for <test@example.com>; Sat, 9 May 2020 10:02:55 +0000 (UTC)
Authentication-Results: example.hostname.com;
    dkim=pass header.d=gmail.com;
    spf=pass (sender IP is 127.0.0.1) smtp.mailfrom=my-gmail-account@gmail.com smtp.helo=localhost
Received-SPF: pass (example.hostname.com: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=my-gmail-account@gmail.com; helo=localhost;
X-Spam-Flag: NO
X-Spam-Score: -0.096
X-Spam-Level:
X-Spam-Status: No, score=-0.096 tagged_above=-9999 required=8
    tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
    FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001,
    TVD_SPACE_RATIO=0.001] autolearn=ham autolearn_force=no
Authentication-Results: example.hostname.com (amavisd-new);
    dkim=pass (2048-bit key) header.d=gmail.com
Received: from example.hostname.com ([127.0.0.1])
    by localhost (example.hostname.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id jqjJG-c4FfaU for <test@example.com>;
    Sat, 9 May 2020 12:02:54 +0200 (CEST)
Received: from mail-il1-x130.google.com (mail-il1-x130.google.com [IPv6:2607:f8b0:4864:20::130])
    by example.hostname.com (Postfix) with ESMTPS id 71C5A81BD3D
    for <test@example.com>; Sat, 9 May 2020 12:02:54 +0200 (CEST)
Received-SPF: none (example.hostname.com: no valid SPF record)
Received: by mail-il1-x130.google.com with SMTP id b18so3784340ilf.2
    for <test@example.com>; Sat, 09 May 2020 03:02:54 -0700 (PDT)
X-Received: by 1001:xxx:xxx:: with SMTP id b16mr7111433ilf.297.1589018571852;
    Sat, 09 May 2020 03:02:51 -0700 (PDT)
MIME-Version: 1.0
From: The best server Admin <my-gmail-account@gmail.com>
Date: Sat, 9 May 2020 12:02:40 +0200
Message-ID: <CAGRcP3+EdyYgoNmicEYtSRod7mAOOC+zwRbuBR89p0Czt3hihA@mail.gmail.com>
Subject: Hello world
To: test@example.com

STEPS TO REPRODUCE

1) Set a local SPF rule (I've set include:spf.antispamcloud.com)
2) Install the Plesk Email Security Extension (free version)
3) Setup an domain and a mailbox (if you do not have one already)
4) Send an email to that mailbox and view the email headers of that message

ACTUAL RESULT

Email messages always pass SPF check

EXPECTED RESULT

PES should adhere to the SPF rules

ANY ADDITIONAL INFORMATION



YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
Last edited:
From developer:

Plesk Email Security does not remove the SPF handler provided by Plesk. You can run the command

plesk sbin mail_handlers_control --list

to see whether the SPF handler is active:

| X | | 10 | all-recipients | spf | global | before-queue |

If there is this entry, then the handler is executed according to the rules set in the Mail Server Settings.

Additionally, I cannot reproduce the header information using my Plesk mail account and a Google Mail account. In both cases the "Received-SPF" header is set properly, in case of PES, it is added one more time due to the Amavis integration within the mail transport chain.

Without PES:

Received-SPF: pass (mail.example.com: domain of googlemail.com designates 209.85.167.181 as permitted sender) client-ip=209.85.167.181; envelope-from=example@googlemail.com; helo=mail-oi1-f181.google.com;

With PES:

Received-SPF: pass (mail.example.com: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=example@googlemail.com; helo=plesk.code-sprint.de;
[...]
Received-SPF: pass (mail.example.com: domain of googlemail.com designates 209.85.167.179 as permitted sender) client-ip=209.85.167.179; envelope-from=example@googlemail.com; helo=mail-oi1-f179.google.com;
 
Thank you for the explanation. However I do think there is something not quite working right. I have run some new tests on VPS with a fresh Plesk install and encountered the same issue. I am only able to reproduce the same results from the developer when no Local SPF rules are used.

When I run # plesk sbin mail_handlers_control --list i get:
| X | | 10 | all-recipients | spf | global | before-queue |

The mail header results I get are:

Without PES
No local SPF value specified in Plesk
Received-SPF: pass (test.hostname.com: domain of gmail.com designates 2607:f8b0:4864:20::e34 as permitted sender) client-ip=2607:f8b0:4864:20::e34; envelope-from=my-gmail-account@gmail.com; helo=mail-vs1-xe34.google.com;
Click to expand...

Without PES
Local SPF value specified in Plesk (include:spf.antispamcloud.com)
Received-SPF: none (test.hostname.com: no valid SPF record)
Click to expand...


With PES
No local SPF value specified in Plesk
Received-SPF: pass (test.hostname.com: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=my-gmail-account@gmail.com; helo=test.hostname.com;
[...]
Received-SPF: pass (test.hostname.com: domain of gmail.com designates 2607:f8b0:4864:20::92c as permitted sender) client-ip=2607:f8b0:4864:20::92c; envelope-from=my-gmail-account@gmail.com; helo=mail-ua1-x92c.google.com;
Click to expand...

With PES
Local SPF value specified in Plesk (include:spf.antispamcloud.com)
Received-SPF: pass (test.hostname.com: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=my-gmail-account@gmail.com; helo=test.hostname.com;
[...]
Received-SPF: none (test.hostname.com: no valid SPF record)
Click to expand...

So it seems something goes wrong when a local SPF rule is specified. From what I understand from the documentation the local SPF rule is concatenated to the actual senders domain. So imagine the SPF rule gets rewritten to v=spf1 redirect=_spf.google.com include:spf.antispamcloud.com. Which, as far as I can tell from the rfc7208 specification is a valid syntax. But some how it seems to fail the SPF check in Plesk.
 
Hey Rasp,

just for my understanding:

With PES and your local SPF rule, the email was not handled correctly (like without having PES installed)? Or what exactly is the difference? If Plesk's SPF handler is enabled, it is always applied first, before PES gets the email for the content filter checks.

I compared your header information and don't see a difference in the main entry SPF string (with PES it is the second entry in your example, but chronologically it is the first SPF entry).

Amavis also adds a local SPF header ("localhost is always allowed"), this header is independent of any local SPF rules and is only used for internal communication with the connected filters (SpamAssassin and ClamAV).

Cheers
 
Hi @Viktor Vogel, I have to apologize for any confusion caused. I initially was under the impression that this was a PES related issue. It's not. As you rightfully pointed out the SPF results are actually the same, whether PES is installed or not.

The issue (SPF cannot be checked in some cases when a local rule is set because the rule becomes invalid) seems to related to the general SPF checking mechanism used in Plesk. I'll open a new bug report for this.
 
Last edited:
You must log in or register to reply here.

Similar threads

E
Question Is multiple HELO registration possible?
Replies
2
Views
616
emrekoc
E
D
Issue Spoofed Emails Appearing as Sent from My Own Server Despite Correct SPF/DKIM/DMARC Configuration?
Replies
2
Views
2K
drdna
D
mapodec
Resolved Emails sent from Plesk accounts are not delivering only to Google Workspace
Replies
2
Views
689
mapodec
mapodec
EnriqueR
Question Incoming mail is stored in Junk folder
Replies
6
Views
985
EnriqueR
EnriqueR
ilogus
Resolved Incoming email DKIM issue
Replies
4
Views
564
ilogus
ilogus
Back
Top