I have a web server that sends out webform type emails via Postfix 3.3.0. No inbound. No extras.

Receiving mail server is running same Postfix (but with amavis-new/spamassassin + dovecot/etc). These are both on the same domain, but different subdomains ('www.' & 'mail.').

When a test email is sent (using postfix sendmail command) from web server to mail server, everything is perfect except for the scoring on the HELO/EHLO. I keep getting a FORGED_SPF_HELO. I've never encountered this one before and there is little documentation to be found. Seems self-explanatory, though, that it is not passing SPF lookup on HELO.

The original DNS was simply 'www.' as CNAME to apex A record.
The apex SPF includes the 'a' record: "v=spf1 a mx ~all"

The HELO from log is: helo=www.example.net, Tests:[ALL_TRUSTED=-1,FORGED_SPF_HELO=1,MISSING_HEADERS=1.207,MISSING_SUBJECT=1.767]

I adjusted the 'www.' record so it was an A record and added an SPF TXT record for it separately.

Now I get: helo=www.example.net, Tests: [ALL_TRUSTED=-1,FORGED_SPF_HELO=1,MISSING_HEADERS=1.207,MISSING_SUBJECT=1.767,SPF_HELO_PASS=-0.001]

Forged and Passed?

Main question:
Can anyone explain why in first instance the a in the SPF isn't allowing the CNAME 'www.' to pass? Secondarily, can anyone explain how you can have a "forged" and "pass" at same time?

B. Shea

1 Answer

The rule FORGED_SPF_HELO came from SpamAssassin updates. By grepping your configuration folder (/var/lib/spamassassin at least on Debianoids) you'll see the definition:

meta    FORGED_SPF_HELO     __HELO_NOT_RDNS && SPF_HELO_PASS && !SPF_PASS
header  __HELO_NOT_RDNS     X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!\1)\S/
header   SPF_PASS           eval:check_for_spf_pass()
header   SPF_HELO_PASS      eval:check_for_spf_helo_pass()

You fail rule __HELO_NOT_RDNS (the reverse DNS lookup for the host www.example.net is not www.example.net) and you don't have SPF_PASS (the host is not authorized to send e-mail on behalf of your domain).

Since you certainly don't want to add www.example.net to the list of your official mail server, configure it to send e-mails with senders of the form user@www.example.net.

Piotr P. Karwasz
  • Thank you for the explanation. Before I asked, I had grep-ed in `/usr/share/spamassassin/*` and didn't see it. Forgot updates area. So, it 'shorted out' before the '&&' at rDNS. Wish it would just say 'rDNS' in log. Another answer would be getting an rDNS entry from AWS (on an elastic IP) in my case. But, I finally opted to avoid it all: Since the only thing coming out of this www box is form submissions, I put the www host IP in "MYNETS" and used an Amavis policy bank to pass it all/no scans. I just have to be careful clicking URLs from submissions. But, that's a given anyway. ;-) – B. Shea Jan 02 '20 at 01:07
  • "Can anyone explain why in first instance the `a` in the SPF isn't allowing the CNAME 'www.' to pass?" Still not sure why SPF wasn't passed in first place when 'www' was a CNAME to apex. – B. Shea Jan 02 '20 at 01:09
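The following is an added example, not code from the question, the answer or SpamAssassin itself. It re-implements the meta rule quoted in the answer (FORGED_SPF_HELO = __HELO_NOT_RDNS && SPF_HELO_PASS && !SPF_PASS) in Python so you can see why "forged" and "pass" fire together: the __HELO_NOT_RDNS regex is the one from the answer, applied to a constructed X-Spam-Relays-External relay record, and a tiny SPF evaluator (mechanisms a, mx, ip4 and all only) runs over a constructed in-memory zone that mirrors the records described in the question. Host names, addresses and the relay record are assumptions made up for the example.

```python
import re

# Regex copied from the __HELO_NOT_RDNS rule quoted in the answer. SpamAssassin
# applies it to the X-Spam-Relays-External pseudo-header, one "[ ... ]" record per
# relay; the negative lookahead (?!\1) fires when the helo token does not begin
# with the rdns token, i.e. reverse DNS of the client does not match its HELO.
HELO_NOT_RDNS_RE = re.compile(r"^[^\]]+ rdns=(\S+) helo=(?!\1)\S")

# Constructed in-memory zone standing in for the real resolver (all names and
# addresses are made up for this example, modelled on the question's setup:
# apex SPF "v=spf1 a mx ~all", www. with its own A record and own SPF record).
ZONE = {
    ("example.net", "TXT"): ["v=spf1 a mx ~all"],
    ("example.net", "A"): ["198.51.100.5"],
    ("example.net", "MX"): ["mail.example.net"],
    ("mail.example.net", "A"): ["198.51.100.7"],
    ("www.example.net", "TXT"): ["v=spf1 a ~all"],
    ("www.example.net", "A"): ["203.0.113.10"],
}


def lookup(name, rtype):
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def spf_check(ip, domain):
    """Minimal SPF evaluator: supports a, mx, ip4 and the all directive with
    qualifiers, no include/redirect/CIDR. Returns pass/fail/softfail/neutral/none."""
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "ip4":
            matched = ip == arg
        else:
            continue  # unsupported mechanism: skipped in this toy evaluator
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def forged_spf_helo(relays_external, client_ip, helo, mail_from):
    """Evaluate the three sub-rules and the FORGED_SPF_HELO meta rule.

    SPF_HELO_PASS checks the HELO identity (the HELO host name) while SPF_PASS
    checks the MAIL FROM identity (the envelope sender's domain); the meta rule
    fires when the former passes, the latter does not, and rDNS != HELO."""
    helo_not_rdns = any(HELO_NOT_RDNS_RE.search(line) for line in relays_external.splitlines())
    spf_helo_pass = spf_check(client_ip, helo) == "pass"
    spf_pass = spf_check(client_ip, mail_from.rpartition("@")[2]) == "pass"
    return {
        "__HELO_NOT_RDNS": helo_not_rdns,
        "SPF_HELO_PASS": spf_helo_pass,
        "SPF_PASS": spf_pass,
        "FORGED_SPF_HELO": helo_not_rdns and spf_helo_pass and not spf_pass,
    }


# Constructed relay record: a cloud host whose PTR name differs from its HELO.
RELAY = ("[ ip=203.0.113.10 rdns=ec2-203-0-113-10.compute-1.amazonaws.com "
         "helo=www.example.net by=mail.example.net ident= envfrom= intl=0 id=X auth= msa=0 ]")

if __name__ == "__main__":
    # Form mail sent as user@example.net: the HELO passes SPF but the envelope
    # sender's domain does not authorise the www host, so the meta rule fires.
    print(forged_spf_helo(RELAY, "203.0.113.10", "www.example.net", "webform@example.net"))
    # The answer's remedy: a sender in the HELO host's own domain gives SPF_PASS,
    # which switches the meta rule off.
    print(forged_spf_helo(RELAY, "203.0.113.10", "www.example.net", "webform@www.example.net"))
```

Note that the regex requires a non-empty rdns token, so a client with no PTR record at all does not trigger __HELO_NOT_RDNS; the rule is specifically about a reverse name that exists but disagrees with the HELO, which is why a matching rDNS entry is the alternative fix mentioned in the comments.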