how to implement SPF

[sadiq007]

any more idea?

[phoenix]

anybody there to help me?

I thought I'd answered that earlier? You'll find that perl-Mail-SPF (Mail::SPF) is not perl-Mail-SPF-Query (Mail::SPF::Query), you have installed perl-Mail-SPF and therefore running the command:

Code:

perl -e 'require Mail::SPF::Query'

is returning the correct results because it isn't installed nor should it be (it's not been maintained for years).

[sadiq007]

sorry bill you are right,
i had installed perl-Mail-SPF so i need to run perl -e 'require Mail::SPF' only, not perl -e 'require Mail::SPF::Query'
and now perl -e 'require Mail::SPF' return with no error , so i think it installed correctlly... apart from this for SPF implementation i added following lines in to salocal.cf and salocal.cf.in
score SPF_FAIL 10.000
score SPF_HELO_FAIL 10.000
SPF plugin is already enabled in /opt/zimbra/conf/spamassassin/init.pre
My domain contain following txt record for SPF "v=spf1 ip4:203.77.192.0/24 ip4:61.16.226.0/24 ~all"
after zmamavisdctl restart zimbra.log showing me
mail amavis[32374]: Module Mail::SPF v2.006
but yet if i send fake mail from site like ANONYMAILER | Send Fake Mail Pranks Anonymously as a fake local user of my mail-server to my another local user.... then my mail server is still receiving such mail and delevering it to inbox.
So how can i test more that my SPF is configured ok or still something missing? simply how to test that SPF working or not?

####This is my regular mail header which showing SPF test also####

X-Virus-Scanned: amavisd-new at mydomain.com
X-Spam-Flag: NO
X-Spam-Score: -1.186
X-Spam-Level:
X-Spam-Status: No, score=-1.186 tagged_above=-10 required=6.6
tests=[BAYES_40=-0.185, RCVD_IN_DNSWL_LOW=-1, SPF_PASS=-0.001]
autolearn=ham
Received: from mail.mydomain.com ([127.0.0.1])
by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 9M0AIEVRXnYt for <zmtest@mydomain.com>;
Sat, 3 Jul 2010 17:19:36 +0530 (IST)
Received: from mail.mydomain.com (mail.mydomain.com [219.64.84.60])
by mail.mydomain.com (Postfix) with ESMTP id C83E51678024
for <zmtest@mydomain.com>; Sat, 3 Jul 2010 17:19:36 +0530 (IST)
Received: from localhost (localhost.localdomain [127.0.0.1])
by mail.mydomain.com (Postfix) with ESMTP id C14423370471
for <zmtest@mydomain.com>; Sat, 3 Jul 2010 16:48:09 +0530 (IST)
X-Virus-Scanned: amavisd-new at mail.mydomain.com

####This is fake mail header sending from anonymailer.net ( why there is no sPF test in this header?)##

X-Virus-Scanned: amavisd-new at mydomain.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-10 required=6.6
tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001] autolearn=ham
Received: from mail.mydomain.com ([127.0.0.1])
by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 2-Fd8g+VeXVe for <zmtest@mydomain.com>;
Sat, 3 Jul 2010 17:21:15 +0530 (IST)
Received: from WEB23.corp.parking.ru (web23.corp.parking.ru [195.128.121.26])
by mail.mydomain.com (Postfix) with ESMTP id E2F571678024
for <zmtest@mydomain.com>; Sat, 3 Jul 2010 17:21:14 +0530 (IST)
Received: from WEB23 ([127.0.0.1]) by WEB23.corp.parking.ru with Microsoft SMTPSVC(7.0.6002.18222);
Sat, 3 Jul 2010 15:49:12 +0400

why still my server receiving mail for local user from another local user but not send my my mail-server?

[phoenix]

Sorry, I've only just realised what you are trying to do. That article isn't valid for ZCS 6.x and you don't need to install that perl module any more as it's supplied with Zimbra and the SPF scoring is handled by Spamassassin from the following rule:

Code:

cat /opt/zimbra/conf/spamassassin/50_scores.cf | grep SPF

score RCVD_IN_IADB_SPF 0 -0.001 0 -0.059 # n=0 n=2
ifplugin Mail::SpamAssassin::Plugin::SPF
score USER_IN_SPF_WHITELIST -100.000
score USER_IN_DEF_SPF_WL -7.500
score ENV_AND_HDR_SPF_MATCH -0.5
endif # Mail::SpamAssassin::Plugin::SPF
# SPF
# Note that the benefit for a valid SPF record is deliberately minimal; it's
# likely that more spammers would quickly move to setting valid SPF records
ifplugin Mail::SpamAssassin::Plugin::SPF
score SPF_PASS -0.001
score SPF_HELO_PASS -0.001
score SPF_FAIL 0 0.919 0 0.001 # n=0 n=2
score SPF_HELO_FAIL 0 0.001 0 0.001 # n=0 n=2
score SPF_HELO_NEUTRAL 0 0.001 0 0.112 # n=0 n=2
score SPF_HELO_SOFTFAIL 0 0.896 0 0.732 # n=0 n=2
score SPF_NEUTRAL 0 0.652 0 0.779 # n=0 n=2
score SPF_SOFTFAIL 0 0.972 0 0.665 # n=0 n=2
endif # Mail::SpamAssassin::Plugin::SPF

.... and this one:

Code:

cat /opt/zimbra/conf/spamassassin/25_spf.cf
# SpamAssassin - SPF rules
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at:
# 
#     http://www.apache.org/licenses/LICENSE-2.0
# 
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################

# Requires the Mail::SpamAssassin::Plugin::SPF plugin be loaded.

ifplugin Mail::SpamAssassin::Plugin::SPF

# SPF support:
#   "pass" is nice
#   "neutral" is somewhat bad
#   "fail" is bad
#   "softfail" is bad, but not as bad as "fail"
# These are more trustworthy results than the SPF_HELO rules.

header SPF_PASS                 eval:check_for_spf_pass()
header SPF_NEUTRAL              eval:check_for_spf_neutral()
header SPF_FAIL                 eval:check_for_spf_fail()
header SPF_SOFTFAIL             eval:check_for_spf_softfail()

# NOTE: SPF_HELO_PASS is not incredibly hard to fake, so shouldn't
# provide much in the way of points compared to SPF_PASS et al.
# However, a *failure* is still a very good spamsign.

header SPF_HELO_PASS            eval:check_for_spf_helo_pass()
header SPF_HELO_NEUTRAL         eval:check_for_spf_helo_neutral()
header SPF_HELO_FAIL            eval:check_for_spf_helo_fail()
header SPF_HELO_SOFTFAIL        eval:check_for_spf_helo_softfail()

describe SPF_PASS               SPF: sender matches SPF record
describe SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
describe SPF_FAIL               SPF: sender does not match SPF record (fail)
describe SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
describe SPF_HELO_PASS          SPF: HELO matches SPF record
describe SPF_HELO_NEUTRAL       SPF: HELO does not match SPF record (neutral)
describe SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
describe SPF_HELO_SOFTFAIL      SPF: HELO does not match SPF record (softfail)

# these are "userconf" so that scores are set by hand
tflags SPF_PASS                 nice userconf net
tflags SPF_HELO_PASS            nice userconf net
tflags SPF_NEUTRAL              net
tflags SPF_FAIL                 net
tflags SPF_SOFTFAIL             net
tflags SPF_HELO_NEUTRAL         net
tflags SPF_HELO_FAIL            net
tflags SPF_HELO_SOFTFAIL        net

# rules from earlier than current release that can be reused
reuse  SPF_PASS
reuse  SPF_FAIL
reuse  SPF_SOFTFAIL
reuse  SPF_HELO_PASS
reuse  SPF_HELO_FAIL
reuse  SPF_HELO_SOFTFAIL
reuse  SPF_NEUTRAL
reuse  SPF_HELO_NEUTRAL

endif   # Mail::SpamAssassin::Plugin::SPF

[sadiq007]

you mean with ZCS 6.x or higher there is no need to install perl-Mail-SPF just need to score high for SPF fail to reject mails?
Simply how can i test SPF with zimbra working or not ?

[phoenix]

you mean with ZCS 6.x or higher there is no need to install perl-Mail-SPF just need to score high for SPF fail to reject mails?

That's correct.

Simply how can i test SPF with zimbra working or not ?

You've already done that according to the headers you posted earlier. You can also send an email from a service that uses SPF (such as gmail) and look at the headers for an SPF setting.

[damjanster]

How should I fix those scores to have SPF_FAIL and SPF_HELO_FAIL tagged mail rejected?
I have tried to use:
score SPF_FAIL 10.000
score SPF_HELO_FAIL 10.000
but it does not seem to work. I've put these values in the local.cf.in.

I have installed Zimbra 7.1x which is set behind a firewall. It has a local private-range IP address with just the needed ports forwarded through the fw. I am wondering if that could be the problem, since I have set the private subnet and the 127.0.0.1 to the "trusted networks". Could that interfere with spam detection in any way? I am thinking about unsetting the trusted networks settings.