Zimbra Tips : How To Enable SPF Checking for Incoming Connection


Usually I configure SPF on my server for outgoing mail only: the SPF record is published in public DNS as a TXT record. But how do you enable SPF checking for connections coming into my server?

The following is a step-by-step guide to enabling SPF checking for incoming connections.

You need to enable cbpolicyd first, as described in the following guide: https://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/. After enabling policyd, open the policyd web UI (http://IPZIMBRA:7780/webui/index.php) and create a group, a policy and an SPF check.

# Create Groups

Select Policies | Groups. Under Action, choose Add and give the group the name list_domain. The Comment field can be left empty or filled in. Select the group you just created, choose Members under Action, and add your domain. See the following example. Make sure the Disabled status is No on both the group and its members.

(screenshot: policyd-groups)

# Create Policy

Select Policies | Main. Add a new policy and give it a name and description like in the following picture, then Submit Query.

(screenshot: policy-spf)

Select the policy you just created and choose Members under Action. Add a member and fill in Source and Destination with the group you created. See the following example.

(screenshot: policy-spf-members)

The configuration above only checks SPF when the connection comes from an external domain (Gmail, Yahoo, etc.) to my internal domain. If the connection is from an internal domain to an internal domain, or from an internal domain to an external domain, the SPF check is skipped. Make sure the Disabled status is No.

# Create SPF Check

Select SPF Checks | Configure. Choose Add under Action and configure it as follows, then Submit.

(screenshot: spf-configure)

Make sure the Disabled status is No. Then enable policyd SPF checking and restart the policyd service:

```bash
su - zimbra
zmprov ms `zmhostname` zimbraCBPolicydCheckSPFEnabled TRUE
zmcbpolicydctl restart
```

SPF checking for incoming connections is now enabled and configured. Check zimbra.log when a message is rejected with an SPF fail.

The following is an example of an SPF fail in zimbra.log:

```
Mar 10 18:45:43 smtp postfix/smtpd[28068]: NOQUEUE: reject: RCPT from c117-167.nanaonet.jp[119.18.167.117]: 554 5.7.1 <shaftssg@onet.pl>: Sender address rejected: Failed SPF check; Please see http://www.openspf.org/Why?s=mfrom;id=shaftssg%40onet.pl;ip=119.18.167.117;r=smtp.imanudin.net; onet.pl, Sender is not authorized by default to use 'shaftssg@onet.pl' in 'mfrom' identity (mechanism '-all' matched); from=<shaftssg@onet.pl> to=<xxxx@imanudin.net> proto=ESMTP helo=<[119.18.167.117]>
```
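As an added example (not code from the original post), here is a small Python parser for the "Failed SPF check" reject lines that postfix/smtpd writes to zimbra.log in the format shown above. It pulls out the client IP, envelope sender and recipient, and the SPF mechanism that matched, and separates hard fails ('-all') from soft fails ('~all'), which is the first thing to look at before deciding whether a sender domain belongs in the list_domain group. The log lines, hostnames and addresses in it are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample lines in the zimbra.log / postfix smtpd format shown in the post
# (hostnames, addresses and IPs are made up for this example).
SAMPLE_LOG = """\
Mar 10 18:45:43 smtp postfix/smtpd[28068]: NOQUEUE: reject: RCPT from host1.example.net[198.51.100.10]: 554 5.7.1 <bob@example.org>: Sender address rejected: Failed SPF check; Please see http://www.openspf.org/Why?s=mfrom;id=bob%40example.org;ip=198.51.100.10;r=smtp.example.com; example.org, Sender is not authorized by default to use 'bob@example.org' in 'mfrom' identity (mechanism '-all' matched); from=<bob@example.org> to=<alice@example.com> proto=ESMTP helo=<[198.51.100.10]>
Mar 10 18:46:01 smtp postfix/smtpd[28068]: NOQUEUE: reject: RCPT from relay.example.net[203.0.113.7]: 554 5.7.1 <carol@example.org>: Sender address rejected: Failed SPF check; example.org, Sender is not authorized by default to use 'carol@example.org' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched); from=<carol@example.org> to=<alice@example.com> proto=ESMTP helo=<relay.example.net>
Mar 10 18:46:30 smtp postfix/smtpd[28070]: connect from mx.example.org[192.0.2.5]
"""

# One regex for the reject line: client name and IP, the mechanism that matched,
# and the envelope from/to that postfix appends at the end of the line.
REJECT_RE = re.compile(
    r"RCPT from (?P<client>\S+)\[(?P<ip>[^\]]+)\]: 554 5\.7\.1 .*?Failed SPF check;"
    r".*?\(mechanism '(?P<mech>[^']+)' matched\);"
    r" from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def parse_spf_rejects(log_text):
    """Return one dict per 'Failed SPF check' reject line, with client IP,
    envelope sender/recipient, matched SPF mechanism and fail severity."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue                       # not an SPF reject line
        mech = m.group("mech")
        events.append({
            "ip": m.group("ip"),
            "client": m.group("client"),
            "sender": m.group("sender"),
            "sender_domain": m.group("sender").rsplit("@", 1)[-1].lower(),
            "rcpt": m.group("rcpt"),
            "mechanism": mech,
            # '-all' is a hard fail (the domain owner asks for rejection);
            # '~all' is a soft fail that cbpolicyd still rejects by default.
            "severity": "hardfail" if mech.startswith("-") else "softfail",
        })
    return events

def summarize(events):
    """Count rejects per (sender domain, severity), so a domain that only ever
    soft-fails is easy to spot before you decide to whitelist it."""
    return Counter((e["sender_domain"], e["severity"]) for e in events)
```

Run it against a real file with `parse_spf_rejects(open("/var/log/zimbra.log").read())`; the regex only matches lines that contain the SPF reject text, so other postfix lines are ignored.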

Good luck and hopefully useful 😀

50 thoughts on - Zimbra Tips : How To Enable SPF Checking for Incoming Connection

  • Dear Ahmad. I've been testing Zimbra for a couple of days now and I'm looking at the server monitor: the outgoing message count is very high and currently the server only has two test users. How is this possible? Maybe my server is compromised?

    Thanks

  • Hello! You have great posts and I am glad to have found your page.

    I have a question about the above setup. Users that have Outlook connected via IMAP cannot send messages. They fail the SPF check even though they are authenticated via SMTP. The error looks like this.

    Server error: ‘554 5.7.1 : Sender address
    rejected: Failed SPF check; Please see
    http://www.openspf.org/Why?s=mfrom;id=user%40example.com;ip=96.X.Y.Zip
    ;r=mail.example.net; example.com, Sender is not authorized by default to use
    ‘user@example.com’ in ‘mfrom’ identity (mechanism ‘-all’ matched)’

    What can I do to account for these users? ActiveSync and web work with no issues.

  • Sorry for the late reply. I did not get a notification of your comment. The IP 96.x.y.z is actually the public IP of where the computer with Outlook is sitting. Here is an example showing more information.

    ## imap user showing home comcast IP when sending to another internal user ##
    Received-SPF: fail (example.com: Sender is not authorized by default to use ‘sanga.c@example.com’ in ‘mfrom’ identity (mechanism ‘-all’ matched)) receiver=mail.example.net; identity=mailfrom; envelope-from=”sanga.c@example.com”; helo=DESKTOP4OH085B; client-ip=75.74.180.166
    Received: from DESKTOP4OH085B (c-75-74-180-166.hsd1.fl.comcast.net [75.74.180.166])

    Basically, when I have Outlook configured with IMAP, email going to an internal address gets rejected, but email going to an external address like Gmail goes through.

    ## imap user showing correct mail server public IP when sending to gmail ##
    Received-SPF: pass (google.com: domain of sanga.c@example.com designates 74.299.135.46 as permitted sender) client-ip=74.299.135.46;
    Authentication-Results: mx.google.com;
    spf=pass (google.com: domain of sanga.c@example.com designates 74.299.135.46 as permitted sender) smtp.mailfrom=sanga.c@example.com

    Not sure if it's my SPF setting or IMAP settings.

    • Hello Sangamc,

      It seems strange to me. The public IP should be sent from your server instead of the public IP you used to connect. Please check the SMTP outgoing configuration on your Outlook.

  • Not sure why the comment is not saving, but here goes again.

    The IP 96.x.y.z is showing as the public IP where the computer with Outlook is connecting from. So for example, if I am using Outlook connected with IMAP from home, the IP that shows is my home Comcast internet IP.

  • Ok i have figured out the issue. The main reason I wanted to enable SPF was to block people masquerading as accounting@mydomain.com (a mailbox that does not exist) and sending mail to my staff with cryptovirus.

    I enabled policyD SPF with one extra setting !%internal_ip in addition to !%list_domain.

    This blocked the fake mail as I expected but also blocked IMAP users from outlook since they match the !%internal_ip setting.

    What really needs to be done is:
    – Reject mail from false senders
    https://wiki.zimbra.com/wiki/Rejecting_false_%22mail_from%22_addresses#Zimbra_Collaboration_8.5_and_above

    &
    – Enforce match between from and SASL username
    https://wiki.zimbra.com/wiki/Enforcing_a_match_between_the_FROM_address_and_the_sasl_username

    Lastly
    – Configure SPF with only the !%list_domain option.

    Now All is working correctly.

  • Hi Iman,
    thanks for your reply.
    How can I add a particular domain to pass SPF so that I receive its mail?
    Is there any way to get mails from those users?

    Thanks,
    Amith

  • Hi Iman,
    for example hdfcbank.com mails are rejected,
    so I should create a group under list_domain like @hdfcbank.com
    and bypass the mail, right?

    Amith

  • Finally got this working on ZCS 8.7.
    1. Install fails: the sqlite database is missing two key tables. The script that imports the tsql files to populate the /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb database does not work; the last line fails, i.e. ./convert-tsql sqlite core.tsql > /tmp/core.sql.

    Had to replace the line above with this:
    grep -v "#" /tmp/core.sql | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb

    Then import all the tsql files in /opt/zimbra/common/share/database.
    The Zimbra Wiki details what tables should be in this database:
    https://wiki.zimbra.com/wiki/How-to_for_cbpolicyd

    2. Still did not appear to be working: /opt/zimbra/log/cbpolicyd.log showed it initialising but no traffic. Also needed this:
    zmprov ms $(zmhostname) zimbraMtaEnableSmtpdPolicyd TRUE

    Now I can see QUOTA and CheckSPF processing in the cbpolicyd log.

    Thanks iman

    Regards
    Geoffrey

  • Hello Iman,

    Good to see you on this wall after a long time.

    I have a requirement to block sender domains that send mail without an MX record. Can you help me with this?

    Awaiting your response!

  • Hi Iman,
    I like your post – nice and very useful job. So my question is about starting services. When you configure a policy,
    rule etc., is it not equal to starting the service? Do we have to start it from the cmd line (..) zimbraCBPolicydCheckSPFEnabled TRUE (…)? So what about Amavis integration? When we configure, e.g., a new policy with a blacklisted domain, do we have to start something from cmd?

  • Hello, I have a question: the SPF check blocks mails from domains that are using softfail (I'm using fail),
    but this domain uses email from a hosting POP3 provider and they don't know how to do all this.

    Can I add their domains to trusted or whitelist them for the SPF check?
    If yes 🙂 how?

    • Hi Ali Dogan,

      SPF checking by default will reject if there is an SPF fail (hard fail). If you have another domain and want to whitelist it, you can add the domain into list_domain in the group policy.

  • Mas, I need some enlightenment. Why is email I send from my Zimbra mail server always treated as spam by Gmail and Yahoo? I have already set PTR, DKIM, SPF and DMARC correctly; I tested via MXToolbox too and everything passes, and in the email header the SPF, DKIM and DMARC status is also pass. I also checked via mail-tester and got a score of 10/10.
    I checked the IP reputation at Talos as well and the result is neutral. Is there anything missing from my configuration? Please guide me, mas. Thank you.

  • Hi Iman,
    I set up the SPF check, but all incoming mail was rejected. I checked the incoming mail and the SPF record was there. For example gmail, qq, 163 and so on have been rejected. Why is that?

  • Hi Iman,
    zimbra.log:
    Jul 13 09:12:24 webmail postfix/smtpd[30761]: connect from mail.cyagen.net[172.16.251.254]
    Jul 13 09:12:24 webmail postfix/smtpd[18824]: NOQUEUE: reject: RCPT from mail.cyagen.net[172.16.251.254]: 554 5.7.1 : Sender address rejected: Failed SPF check; qq.com, Sender is not authorized by default to use ‘78123538@qq.com’ in ‘mfrom’ identity, however domain is not currently prepared for false failures (mechanism ‘~all’ matched); from= to= proto=ESMTP helo=
    Jul 13 09:12:24 webmail saslauthd[14833]: zmauth: authenticating against elected url ‘https://webmail.cyagen.net:7073/service/admin/soap/’ …
    Jul 13 09:12:24 webmail postfix/smtpd[18824]: disconnect from mail.cyagen.net[172.16.251.254] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
    Jul 13 09:12:24 webmail saslauthd[14833]: zmpost: url=’https://webmail.cyagen.net:7073/service/admin/soap/’ returned buffer->data=’soap:Senderauthentication failed for [cangcuiman]account.AUTH_FAILEDqtp649734728-11790:1499908344438:6e45d5c677204ab7′, hti->error=”
    Jul 13 09:12:24 webmail saslauthd[14833]: auth_zimbra: cangcuiman auth failed: authentication failed for [cangcuiman]
    Jul 13 09:12:24 webmail saslauthd[14833]: do_auth : auth failure: [user=cangcuiman] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]
    Jul 13 09:12:24 webmail postfix/smtpd[30761]: warning: mail.cyagen.net[172.16.251.254]: SASL LOGIN authentication failed: authentication failure
    Jul 13 09:12:24 webmail postfix/smtpd[30761]: lost connection after AUTH from mail.cyagen.net[172.16.251.254]
    Jul 13 09:12:24 webmail postfix/smtpd[30761]: disconnect from mail.cyagen.net[172.16.251.254] ehlo=1 auth=0/1 commands=1/2
    Jul 13 09:12:24 webmail postfix/postscreen[17910]: CONNECT from [172.16.251.254]:52814 to [172.16.10.195]:25
    Jul 13 09:12:24 webmail postfix/postscreen[17910]: PASS OLD [172.16.251.254]:52814
    qq.com Bounce:
    host mail2.cyagen.net[223.112.80.227] said: 554 5.7.1 : Sender address rejected: Failed SPF check; qq.com, Sender is not authorized by default to use ‘78123538@qq.com’ in ‘mfrom’ identity, however domain is not currently prepared for fals
    Thanks iman

          • No, my domain is cyagen.net
            This information is QQ mailbox bounce information:

            host mail2.cyagen.net[223.112.80.227] said: 554 5.7.1 : Sender address rejected: Failed SPF check; qq.com, Sender is not authorized by default to use ‘78123538@qq.com’ in ‘mfrom’ identity, however domain is not currently prepared for fals

            Thanks

          • Hi Ken,
            It's so strange, because qq.com uses ~ instead of - in their SPF records. Could you check/make sure qq.com is coming from their IP? Is there any information in the log about the IP address of qq.com?

  • Mas Iman,
    I have tried applying the SPF check on incoming email.
    The impact is that several of my customers' domains are also blocked, even though they are domains with a good reputation such as kawasaki.co.id, hino-motors.co.id and a few other domains.
    Is there a way to whitelist those domains so that they are not subject to the SPF check?

    Thanks in advance.
