
Exclude Backup MX hosts from SPF validation checks

openaccess shared this idea 6 years ago
Open Discussion

This originated in a discussion with cPanel representatives in cPanel ticket#5426895.


Case:

We have two backup MX hosts and they're specified as such in the Exim Configuration > access lists > backup MX hosts. We also have "Reject SPF failures" On. When an email from a domain with a strict SPF ruleset (policy ending in -all) is relayed from either backup MX host, it is rejected with a line like (real examples censored):

    2014-09-05 06:57:28 H=BACKUP_MAILSERVER.OUR_DOMAIN.TLD [OUR_IP_ADDRESS]:30988 F=<USERNAME@REMOTE_DOMAIN.TLD> rejected RCPT <USERNAME@OUR_DOMAIN.TLD>: SPF: OUR_IP_ADDRESS is not allowed to send mail from REMOTE_DOMAIN.TLD


This is unacceptable. The SPF check should have already occurred at the backup MX host to verify that the message is legitimate OR the SPF check should occur after it has been delivered by the backup MX host - the original delivery information should be used when the SPF check occurs. In either case, the point is to cut out the SPF check that occurs when transferring from backup to primary MX. When the backup MX host goes to deliver it to the primary MX, the SPF needs to be excluded, otherwise, it will never pass (because the remote host has no way to give permission to our backup MX, or all cPanel backup MX servers, to deliver mail on their behalf).


Why will it never pass? Because a remote host will NEVER have the destination host's IP explicitly set in their SPF rule. Why? Because there are millions of possibilities for remote hosts. No one is going to manually whitelist the entire internet. That's what SPF is used to simplify.


Why can't you disable SPF checks? SPF checking is extremely necessary for domain ownership validation when sending mail and vital to fighting spam. Removing it should only be done when it is blocking messages en masse, due to a bug or misconfiguration. Also, it cannot be disabled on a per-domain or per-email address basis.


Can't you implement SRS to fix this problem? SRS is used to fix a bug with SPF when forwarding messages from one domain to another. This is a different situation that applies to a more transparent, local handoff of the message.


Why can't you just whitelist your backup MX server in some configuration? Spammers often target backup MX servers directly because they know that they have less security on them. Thus, in some conditions, excluding the backup MX servers from checks will allow spam.


Possible workarounds have been given, but no solution is possible without cPanel coding intervention. cPanel representatives suggested all of the following (these are quotes from cPanel reps):


  • This page lists some options, although installing third party options might cause problems. http://www.tldp.org/HOWTO/Spam-Filtering-for-MX/exim-spf.html
  • The second option here seems the best, although I have not tested it:
  • You would list the hosts that are forwarding to the backup MX in
    sender_domains and then edit the final ACL statement to disregard SPF if
    the host matches:
    http://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html#SECTaclconditions
  • You might want to use this to make sure the changes are permanent:
    http://documentation.cpanel.net/display/ALD/The+Exim+Advanced+Editor
  • Would it be possible to include the Backup MX IPs in your SPF record for
    the affected domain? You could add [your IP address] to the SPF record
    which would then allow emails to come from that IP for that domain.
  • The only other option would be to disable 'Reject SPF failures'. This
    however would apply to all email/domain globally for the server. You can
    do this by going to your WHM panel: WHM >> Service Configuration >> Exim Configuration Manager -- and under the ACL Options tab you'll see this option.
  • ...add the [remote] host to the Trusted SMTP IP
    addresses list.
  • The other option I thought of was, which may require a bit more work,
    would be to create a custom Exim filter on the destination server which
    would check the host and if it matched an IP in a given list Exim could
    then skip just the SPF check for that piece of incoming mail. That sort
    of solution would be custom though and something you'd have to put
    together from your end.

Best Answer

I definitely see the merits of this request. While I can't guarantee a timeline for the inclusion of this modification to the product, the more votes and interest a given feature request sees will increase the likelihood of its inclusion.


I do want to mention, however, that it is currently possible to modify Exim (in a cPanel sanctioned and supported way) to exempt Backup MX Hosts from SPF validation checks.


  1. Go to WHM
  2. Go to "Exim Configuration"
  3. Go to the "Advanced Editor" tab
  4. Scroll to/locate the section labeled "spf_bl (Reject SPF failures)"
  5. If it is checked, uncheck it (this disables the default SPF behavior)
  6. Make sure the section just above it labeled "custom_begin_mailauth" is checked (enabled) and paste the below snippet in the text box:

    deny
      hosts = ! +backupmx_hosts
      message = SPF: $sender_host_address is not allowed to send mail from $sender_address_domain
      spf = fail

This mimics the stock SPF logic, with the addition of the condition that the logic will only apply if the host delivering mail is NOT in the backupmx_hosts list. Note that this workaround does not exempt this feature request from consideration, but I did want to let you know of its existence.
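As an added illustration (not code from the post, cPanel or Exim), the following Python models the ACL rule above against a constructed SPF record: direct delivery from the sender's own MTA passes, the same message relayed by the backup MX fails SPF exactly as the original post describes, and only the backupmx_hosts exemption lets it through. The addresses, domain and SPF record are assumed sample values, and the evaluator handles only ip4/ip6/all mechanisms.

```python
import ipaddress
import re

# Constructed sample data (not from the original post). The remote sender's
# SPF record authorises only its own outbound hosts and ends in -all.
REMOTE_SPF = "v=spf1 ip4:203.0.113.10 ip4:203.0.113.32/27 -all"
REMOTE_OUTBOUND = "203.0.113.10"            # remote sender's own MTA
BACKUP_MX = "198.51.100.7"                  # our backup MX (assumed address)
BACKUPMX_HOSTS = {BACKUP_MX}                # stands in for Exim's +backupmx_hosts

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(record, client_ip):
    """Evaluate a minimal SPF record: ip4/ip6/all mechanisms only (no
    include/a/mx/redirect), which is enough to show the relay problem."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:             # skip the "v=spf1" tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        m = re.fullmatch(r"ip[46]:(.+)", term)
        if m and ip in ipaddress.ip_network(m.group(1), strict=False):
            return QUALIFIERS[qual]
    return "neutral"                            # no mechanism matched


def acl_decision(client_ip, sender_domain, record, backupmx_hosts):
    """Mirror the custom_begin_mailauth rule from the answer:
         deny  hosts = ! +backupmx_hosts
               spf = fail
    With an empty backupmx_hosts set this is the stock 'Reject SPF failures'."""
    if client_ip in backupmx_hosts:
        return "accept"        # hosts condition is false, so the deny is skipped
    if spf_result(record, client_ip) == "fail":
        return "deny: SPF: %s is not allowed to send mail from %s" % (
            client_ip, sender_domain)
    return "accept"


if __name__ == "__main__":
    # Direct delivery passes; the same message relayed by the backup MX fails
    # SPF, and only the hosts exemption accepts it.
    print(acl_decision(REMOTE_OUTBOUND, "example.org", REMOTE_SPF, set()))
    print(acl_decision(BACKUP_MX, "example.org", REMOTE_SPF, set()))
    print(acl_decision(BACKUP_MX, "example.org", REMOTE_SPF, BACKUPMX_HOSTS))
```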

Comments (4)



Why can't WHM / cPanel simply include the IP of the backup MX into the SPF record that is auto-generated? A simple addition would be to list the backup MX server(s) configured in much the same way as the servers participating as DNS servers are listed?


This is quite an important feature, I mean, it's an important bug.


I'm having the same problem with backup MX relaying mails to my domains when the original sender uses the "-all" SPF parameter.


Original sender -> cPanel server = SPF OK

Original sender -> Backup MX -> cPanel server = SPF Error


I need cPanel to trust my backup MX servers and I need the SPF check to accept those servers, even if I need to enter them manually.


Same problem comes when using external antispam filtering:


Original sender -> Antispam Cloud -> cPanel server = SPF Error


Please help!


Would be nice if this was implemented, just adding a comment for a vote!
