hMailServer passes forged mails through SPF

achlebek
Normal user
Posts: 53
Joined: 2013-01-30 15:56

Post by achlebek » 2019-02-19 11:03

For some time now, even though I have SPF set up, hMailServer passes certain emails with From forged to our own addresses.
Here are sample headers (italics are anonymized):
Return-Path: admin@myclinicspace.com
Received: from ln107mx.myplesk.cc ([204.14.88.171]) by our.hmail.server ; Mon, 18 Feb 2019 17:20:02 +0100
Received: from [host-89-231-32-193.dynamic.mm.pl] (unknown [176.221.116.10]) by ln107mx.myplesk.cc (Postfix) with ESMTPSA id 8196A1FC0FDB for <me@my.domain>; Mon, 18 Feb 2019 11:11:33 -0500 (EST)
Authentication-Results: ln107.myplesk.cc; spf=pass (sender IP is 176.221.116.10) smtp.mailfrom=admin@myclinicspace.com smtp.helo=[host-89-231-32-193.dynamic.mm.pl]
Received-SPF: pass (ln107.myplesk.cc: connection is authenticated)
List-ID: e4ete6mnym2zhiugnx9m7lwlxt3ej
Abuse-Reports-To: abuse@mail.myclinicspace.com
Message-ID: <3uptusfzyqgso2sltqzqs8wt78jx4ol3@czeolqvrjtqeakry6e1hbaywneikch65gw00wymc6z48w7ha44j90aqurolytn2w>
X-Sender-Info: admin@myclinicspace.com
X-aid: 3064502775
Subject: me
Feedback-ID: 649835:55981.309105:un04:d
X-Sender: admin@myclinicspace.com
To: me@my.domain
From: <me@my.domain>
X-CSA-Complaints: whitelistcomplaints@myclinicspace.com
Date: Mon, 18 Feb 2019 17:11:32 +0100
X-Abuse-Reports-To: abuse@mail.myclinicspace.com
X-Priority: Medium
Errors-To: update+ln22sglssvfjv@myclinicspace.com
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset=UTF-8
How does it pass SPF? And what can I do to stop that?
HMS 5.3.3-B1879, years of uptime

jimimaseye
Moderator
Posts: 7860
Joined: 2011-09-08 17:48

Re: hMailServer passes forged mails through SPF

Post by jimimaseye » 2019-02-19 11:21

They get through because THEY have SPF set up for their sending address:
(sender IP is 176.221.116.10) smtp.mailfrom=admin@myclinicspace.com
Do YOU have SPF records set up for YOUR domain? If so, what is it?

Also check your IP ranges to require authentication for local to local deliveries.
[Entered by mobile. Excuse my spelling.]
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

achlebek
Normal user
Posts: 53
Joined: 2013-01-30 15:56

Re: hMailServer passes forged mails through SPF

Post by achlebek » 2019-02-19 11:22

Yes, I have MX -all

achlebek
Normal user
Posts: 53
Joined: 2013-01-30 15:56

Re: hMailServer passes forged mails through SPF

Post by achlebek » 2019-02-19 11:29

LAN requires auth for everything except external to local
127.0.0.1 requires auth for external to external only
All the rest (Internet) requires auth for everything except external to local

mattg
Moderator
Posts: 19630
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: hMailServer passes forged mails through SPF

Post by mattg » 2019-02-19 11:44

achlebek wrote:
2019-02-19 11:03
How does it pass SPF? And what can I do to stop that?
hMailServer checks the SMTP envelope From, not the From header.

This can only be checked in the SMTP logs
ALSO, you don't show your logging so we can't tell if this message passed or failed SPF checking, and we can't see your SPF and other spam scoring regime.


You should look at these queries
http://www.hmailserver.com/forum/viewto ... 117#p68117
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
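
Added example (not part of any post in this thread, and not hMailServer code): the header-From check discussed above, run over headers modelled on the sample in the first post. It assumes the Return-Path header reflects the SMTP envelope sender that SPF evaluated, and that LOCAL_DOMAINS (a hypothetical name) lists the domains this server hosts.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the anonymized headers in the first post.
SAMPLE = """\
Return-Path: admin@myclinicspace.com
Received: from ln107mx.myplesk.cc ([204.14.88.171]) by our.hmail.server ; Mon, 18 Feb 2019 17:20:02 +0100
Subject: me
To: me@my.domain
From: <me@my.domain>

body
"""

LOCAL_DOMAINS = {"my.domain"}  # assumption: domains hosted on this server


def domain_of(value):
    """Return the lower-cased domain of an address header value, or ''."""
    addr = parseaddr(value or "")[1]
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify(raw, local_domains=LOCAL_DOMAINS, authenticated=False):
    """Compare the envelope sender (what SPF saw) with the From header.

    SPF can pass for the envelope domain while the From header, which is
    what the recipient sees, claims one of our own domains.
    """
    msg = message_from_string(raw)
    envelope = domain_of(msg.get("Return-Path"))
    from_headers = msg.get_all("From") or []
    if len(from_headers) != 1:
        # RFC 5322 requires exactly one From header.
        return "reject: missing or multiple From headers"
    header = domain_of(from_headers[0])
    if not header:
        return "reject: unparsable From"
    # A local From domain on unauthenticated mail whose envelope sender
    # is some other domain is the forgery pattern from the first post.
    if header in local_domains and not authenticated and envelope != header:
        return "flag: local From domain, external envelope sender"
    return "ok"


if __name__ == "__main__":
    print(classify(SAMPLE))
```
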

achlebek
Normal user
Posts: 53
Joined: 2013-01-30 15:56

Re: hMailServer passes forged mails through SPF

Post by achlebek » 2019-02-19 12:15

Yes it did pass the SPF.
I use all the antispam features except SpamAssassin and tarpitting, including many DNSBLs; still, that email scored 0. It would be a fully legitimate email except for the forged From and scam content.

What are the chances of hMailServer getting an option of checking From header? I'd rather not use scripts.

mattg
Moderator
Posts: 19630
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: hMailServer passes forged mails through SPF

Post by mattg » 2019-02-20 02:42

achlebek wrote:
2019-02-19 12:15
What are the chances of hMailServer getting an option of checking From header?
None

SpamAssassin does, if you implemented SpamAssassin. SpamAssassin can't test the SMTP envelope as it doesn't ever see it.

Those scripts I mentioned really are easy to implement.
Also, the great thing about hMailServer is that you can customise it really easily with scripts, and there is little that you can't do.
Why are you reluctant to use scripts?
