SPF skipped for whitelisted relay domain
Hi,

I'm trying to understand why some domains are not whitelisted even
though they pass SPF and are in my local welcomelist_auth entries. I'm
using policyd-spf with postfix, and it appears to be adding the
following header:

X-Comment: SPF skipped for whitelisted relay domain -
client-ip=13.110.6.221; helo=smtp14-ph2-sp4.mta.salesforce.com;
envelope-from=reply@support.meridianlink.com; receiver=<UNKNOWN>

I realize this may not necessarily be directly related to SA, but it's
apparently affecting my ability to process SPF headers with
amavisd/SA, and I hoped someone could help.

What's happening where the mail passes SPF but still bypasses my
welcomelist entries? My skip_addresses list doesn't include this
particular IP:
skip_addresses =
139.138.56.0/24,127.0.0.0/8,::ffff:127.0.0.0/104,::1,52.128.98.0/24,74.203.184.0/24,74.200.60.0/24,209.222.82.0/24,12.15.90.10


My welcomelist entry in SA for this specific email is as:
welcomelist_auth reply@support.meridianlink.com

The amavisd headers show it passed SPF:

Return-Path: <reply@support.meridianlink.com>
X-Spam-Status: No, score=-2.491 tagged_above=-200 required=5
tests=[.BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, EXTRACTTEXT=0.001,
FMBLA_HELO_OUTMX=-0.01, FMBLA_RDNS_OUTMX=-0.01,
HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
LOC_IMGSPAM=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
RCVD_IN_SENDERSCORE_90_100=-0.6, RELAYCOUNTRY_US=0.01,
SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TXREP=0.016] autolearn=disabled

This one didn't need to be added to the welcomelist, but others do.
The last header received before reaching our server is as:

Received: from smtp14-ph2-sp4.mta.salesforce.com
(smtp14-ph2-sp4.mta.salesforce.com [13.110.6.221])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail01.example.com (Postfix) with ESMTPS id 5FC7010024E93
for <adesus@example.com>; Thu, 5 May 2022 12:01:59 -0400 (EDT)

salesforce is also listed in their SPF record:
$ dig +short txt support.meridianlink.com
"v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com -all"

Thanks,
Alex
Re: SPF skipped for whitelisted relay domain
Hi Alex, sometimes I see this when the envelope from doesn't match the
header from. So what you think might pass SPF does not. That's my only
guess from looking at the example you posted. That example looked like it
would work perfectly. KAM

On Thu, May 5, 2022, 18:02 Alex <mysqlstudent@gmail.com> wrote:

> Hi,
>
> I'm trying to understand why some domains are not whitelisted even
> though they pass SPF and are in my local welcomelist_auth entries. I'm
> using policyd-spf with postfix, and it appears to be adding the
> following header:
>
> X-Comment: SPF skipped for whitelisted relay domain -
> client-ip=13.110.6.221; helo=smtp14-ph2-sp4.mta.salesforce.com;
> envelope-from=reply@support.meridianlink.com; receiver=<UNKNOWN>
>
> I realize this may not necessarily be directly related to SA, but it's
> apparently affecting my ability to process SPF headers with
> amavisd/SA, and I hoped someone could help.
>
> What's happening where the mail passes SPF but still bypasses my
> welcomelist entries? My skip_addresses list doesn't include this
> particular IP:
> skip_addresses =
>
> 139.138.56.0/24,127.0.0.0/8,::ffff:127.0.0.0/104,::1,52.128.98.0/24,74.203.184.0/24,74.200.60.0/24,209.222.82.0/24,12.15.90.10
>
>
> My welcomelist entry in SA for this specific email is as:
> welcomelist_auth reply@support.meridianlink.com
>
> The amavisd headers show it passed SPF:
>
> Return-Path: <reply@support.meridianlink.com>
> X-Spam-Status: No, score=-2.491 tagged_above=-200 required=5
> tests=[.BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
> DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, EXTRACTTEXT=0.001,
> FMBLA_HELO_OUTMX=-0.01, FMBLA_RDNS_OUTMX=-0.01,
> HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
> LOC_IMGSPAM=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
> RCVD_IN_SENDERSCORE_90_100=-0.6, RELAYCOUNTRY_US=0.01,
> SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TXREP=0.016] autolearn=disabled
>
> This one didn't need to be added to the welcomelist, but others do.
> The last header received before reaching our server is as:
>
> Received: from smtp14-ph2-sp4.mta.salesforce.com
> (smtp14-ph2-sp4.mta.salesforce.com [13.110.6.221])
> (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
> (No client certificate requested)
> by mail01.example.com (Postfix) with ESMTPS id 5FC7010024E93
> for <adesus@example.com>; Thu, 5 May 2022 12:01:59 -0400 (EDT)
>
> salesforce is also listed in their SPF record:
> $ dig +short txt support.meridianlink.com
> "v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com
> -all"
>
> Thanks,
> Alex
>
Re: SPF skipped for whitelisted relay domain
On 05.05.22 18:01, Alex wrote:
>I'm trying to understand why some domains are not whitelisted even
>though they pass SPF and are in my local welcomelist_auth entries. I'm
>using policyd-spf with postfix, and it appears to be adding the
>following header:
>
>X-Comment: SPF skipped for whitelisted relay domain -
>client-ip=13.110.6.221; helo=smtp14-ph2-sp4.mta.salesforce.com;
>envelope-from=reply@support.meridianlink.com; receiver=<UNKNOWN>

you seem to have the domain listed in the policyd-spf whitelist.
salesforce.com probably?

I'm not sure if this is needed, policyd-spf could add Received-SPF: header
that SA could use (and avoid duplicate lookups)

>I realize this may not necessarily be directly related to SA, but it's
>apparently affecting my ability to process SPF headers with
>amavisd/SA, and I hoped someone could help.
>
>What's happening where the mail passes SPF but still bypasses my
>welcomelist entries? My skip_addresses list doesn't include this
>particular IP:
>skip_addresses =
>139.138.56.0/24,127.0.0.0/8,::ffff:127.0.0.0/104,::1,52.128.98.0/24,74.203.184.0/24,74.200.60.0/24,209.222.82.0/24,12.15.90.10
>
>
>My welcomelist entry in SA for this specific email is as:
>welcomelist_auth reply@support.meridianlink.com

is this in spamassassin's local.cf ?

>The amavisd headers show it passed SPF:
>
>Return-Path: <reply@support.meridianlink.com>
>X-Spam-Status: No, score=-2.491 tagged_above=-200 required=5
> tests=[.BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
> DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, EXTRACTTEXT=0.001,
> FMBLA_HELO_OUTMX=-0.01, FMBLA_RDNS_OUTMX=-0.01,
> HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
> LOC_IMGSPAM=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
> RCVD_IN_SENDERSCORE_90_100=-0.6, RELAYCOUNTRY_US=0.01,
> SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TXREP=0.016] autolearn=disabled
>
>This one didn't need to be added to the welcomelist, but others do.
>The last header received before reaching our server is as:
>
>Received: from smtp14-ph2-sp4.mta.salesforce.com
>(smtp14-ph2-sp4.mta.salesforce.com [13.110.6.221])
> (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
> (No client certificate requested)
> by mail01.example.com (Postfix) with ESMTPS id 5FC7010024E93
> for <adesus@example.com>; Thu, 5 May 2022 12:01:59 -0400 (EDT)
>
>salesforce is also listed in their SPF record:
>$ dig +short txt support.meridianlink.com
>"v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com -all"

SPF_PASS indicates that the SPF hit.

however, posting full headers could help us a bit.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."
Re: SPF skipped for whitelisted relay domain
On 2022-05-06 05:35, Kevin A. McGrail wrote:
> Hi Alex, sometimes I see this when the envelope from doesn't match the
> header from. So what you think might pass SPF does not. That's my only
> guess from looking at the example you posted. That example looked like
> it would work perfectly.

we wait for spamassassin 4.0.0 :=)

amavisd does not know anything about spf btw

>> X-Comment: SPF skipped for whitelisted relay domain -
>> client-ip=13.110.6.221; helo=smtp14-ph2-sp4.mta.salesforce.com;
>> envelope-from=reply@support.meridianlink.com; receiver=<UNKNOWN>

mail::spf does not know this header, it's seen as no spf is done

set pypolicyspf to add A-R headers
Re: SPF skipped for whitelisted relay domain
> we wait for spamassassin 4.0.0 :=)

4.0.0 is in pre-release now and in production for a few of us. Start
stress testing it now so we can shake out the bugs and get it out the door!

Regards,
KAM
Re: SPF skipped for whitelisted relay domain
> >I'm trying to understand why some domains are not whitelisted even
> >though they pass SPF and are in my local welcomelist_auth entries. I'm
> >using policyd-spf with postfix, and it appears to be adding the
> >following header:
> >
> >X-Comment: SPF skipped for whitelisted relay domain -
> >client-ip=13.110.6.221; helo=smtp14-ph2-sp4.mta.salesforce.com;
> >envelope-from=reply@support.meridianlink.com; receiver=<UNKNOWN>
>
> you seem to have the domain listed in the policyd-spf whitelist.
> salesforce.com probably?

I figured out where it's whitelisted, but still don't understand how it works.

It's somehow referencing the postscreen access list I'm using:

postscreen_access_list =
permit_mynetworks, cidr:$config_directory/postscreen_access.cidr

In that file are cidr entries like:
13.110.208.0/21 permit
13.110.216.0/22 permit
13.110.224.0/20 permit

This file is auto-generated from my postwhite script that gathers IPs
for the "too big to fail" providers like salesforce and google and
microsoft.

which match the client IP for salesforce:
client-ip=13.110.6.221; helo=smtp14-ph2-sp4.mta.salesforce.com

I was aware of this access list, but I wasn't aware that the policy
daemon was also using it as well as postscreen.

The problem now is that I don't know _how_ it's using it, and how to
prevent it from affecting my welcomelist_auth entries. I don't see any
reference in the code that would indicate it's somehow getting this
info from postscreen/postfix and using it when making these decisions.

The unmodified original messages also no longer pass SPF - shouldn't
they? It does still pass DKIM from the command-line, and therefore my
welcomelist_auth entry, but not when it's first received.

There was a reason I added this email to the welcomelist in the first
place. Perhaps a temporary solution would be to just remove the
postscreen access lists for now? Other ideas? Someone would like to
help me troubleshoot this? I'm thinking the fact that the IP is
whitelisted in postscreen is somehow being passed through the socket
to policyd-spf in a structure somewhere.

> >My welcomelist entry in SA for this specific email is as:
> >welcomelist_auth reply@support.meridianlink.com
>
> is this in spamassassin's local.cf ?

Yes

> >salesforce is also listed in their SPF record:
> >$ dig +short txt support.meridianlink.com
> >"v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com -all"
>
> SPF_PASS indicates that the SPF hit.
>
> however, posting full headers could help us a bit.

https://pastebin.com/TvTx6KzY

$ spamassassin --version
SpamAssassin version 4.0.0-r1889518
running on Perl version 5.32.1
Re: SPF skipped for whitelisted relay domain
>> >I'm trying to understand why some domains are not whitelisted even
>> >though they pass SPF and are in my local welcomelist_auth entries. I'm
>> >using policyd-spf with postfix, and it appears to be adding the
>> >following header:
>> >
>> >X-Comment: SPF skipped for whitelisted relay domain -
>> >client-ip=13.110.6.221; helo=smtp14-ph2-sp4.mta.salesforce.com;
>> >envelope-from=reply@support.meridianlink.com; receiver=<UNKNOWN>
>>
>> you seem to have the domain listed in the policyd-spf whitelist.
>> salesforce.com probably?

On 07.05.22 13:29, Alex wrote:
>I figured out where it's whitelisted, but still don't understand how it works.
>
>It's somehow referencing the postscreen access list I'm using:
>
>postscreen_access_list =
> permit_mynetworks, cidr:$config_directory/postscreen_access.cidr
>
>In that file are cidr entries like:
>13.110.208.0/21 permit
>13.110.216.0/22 permit
>13.110.224.0/20 permit

this is just postscreen whitelist, postscreen does not look up for SPF
unless something else uses this file somehow, this is not the problem.

I also say that the message says that "whitelisted relay domain", so it's
apparently not the IP address but the domain that is whitelisted.

Still,

>I was aware of this access list, but I wasn't aware that the policy
>daemon was also using it as well as postscreen.

>The problem now is that I don't know _how_ it's using it, and how to
>prevent it from affecting my welcomelist_auth entries. I don't see any
>reference in the code that would indicate it's somehow getting this
>info from postscreen/postfix and using it when making these decisions.
>
>The unmodified original messages also no longer pass SPF - shouldn't
>they? It does still pass DKIM from the command-line, and therefore my
>welcomelist_auth entry, but not when it's first received.

you must search in policy daemon configuration and docs, this is not done by
postfix.

>There was a reason I added this email to the welcomelist in the first
>place. Perhaps a temporary solution would be to just remove the
>postscreen access lists for now? Other ideas? Someone would like to
>help me troubleshoot this? I'm thinking the fact that the IP is
>whitelisted in postscreen is somehow being passed through the socket
>to policyd-spf in a structure somewhere.

I still have no idea who and how whitelists this sender, so I can't tell you
what whitelist to remove.

>> >My welcomelist entry in SA for this specific email is as:
>> >welcomelist_auth reply@support.meridianlink.com
>>
>> is this in spamassassin's local.cf ?
>
>Yes

have you reloaded amavisd after you added it?


>> >salesforce is also listed in their SPF record:
>> >$ dig +short txt support.meridianlink.com
>> >"v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com -all"
>>
>> SPF_PASS indicates that the SPF hit.
>>
>> however, posting full headers could help us a bit.
>
>https://pastebin.com/TvTx6KzY

X-Comment: SPF skipped for whitelisted relay domain - client-ip=13.110.6.221; helo=smtp14-ph2-sp4.mta.salesforce.com; envelope-from=reply@support.meridianlink.com; receiver=<UNKNOWN>
X-Greylist: whitelisted by SQLgrey-1.8.0

isn't it possible that it's sqlgrey that whitelisted your domain?

>$ spamassassin --version
>SpamAssassin version 4.0.0-r1889518
> running on Perl version 5.32.1

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)
Re: SPF skipped for whitelisted relay domain
Hi,


> >https://pastebin.com/TvTx6KzY
>
> X-Comment: SPF skipped for whitelisted relay domain -
> client-ip=13.110.6.221; helo=smtp14-ph2-sp4.mta.salesforce.com;
> envelope-from=reply@support.meridianlink.com; receiver=<UNKNOWN>
> X-Greylist: whitelisted by SQLgrey-1.8.0
>
> isn't it possible that it's sqlgrey that whitelisted your domain?
>

Yes, I suppose that's possible - meridianlink.com is listed in
my clients_fqdn_whitelist.local file, but how would policyd-spf interpret
that it should whitelist SPF? How would that communication even occur? That
"SPF skipped for whitelisted relay domain" content is coming from
policyd-spf.

The problem here is that something appears to be preventing my
welcomelist_auth entries from working properly, but I don't really
understand how.

Thanks so much for your help.
Re: SPF skipped for whitelisted relay domain
>> >https://pastebin.com/TvTx6KzY
>>
>> X-Comment: SPF skipped for whitelisted relay domain -
>> client-ip=13.110.6.221; helo=smtp14-ph2-sp4.mta.salesforce.com;
>> envelope-from=reply@support.meridianlink.com; receiver=<UNKNOWN>
>> X-Greylist: whitelisted by SQLgrey-1.8.0
>>
>> isn't it possible that it's sqlgrey that whitelisted your domain?

On 09.05.22 08:11, Alex wrote:
>Yes, I suppose that's possible - meridianlink.com is listed in
>my clients_fqdn_whitelist.local file, but how would policyd-spf interpret
>that it should whitelist SPF? How would that communication even occur? That
>"SPF skipped for whitelisted relay domain" content is coming from
>policyd-spf.

this is question for policyd-spf and its configuration.

>The problem here is that something appears to be preventing my
>welcomelist_auth entries from working properly, but I don't really
>understand how.

I guess it's the whitelist in policyd-spf.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers.
Re: SPF skipped for whitelisted relay domain
Hi,


> this is question for policyd-spf and its configuration.
>
> >The problem here is that something appears to be preventing my
> >welcomelist_auth entries from working properly, but I don't really
> >understand how.
>
> I guess it's the whitelist in policyd-spf.


Is it possible that it's somehow being passed through the port it uses to
communicate with postfix, and it's somehow using some postfix whitelist?

It most certainly isn't coming from a whitelist in policyd-spf, because it
happens even when it's completely removed.

I've also asked on the policyd-spf github page with no response.