Email from in-house copier junked because of SPF

This is a new install. Most of it seems to be working fine, including our SPF.

We have an in-house copier that emails PDFs of scanned items to local users. These emails are flagged as spam:

mail.log
Feb 16 16:13:32 mail postfix/smtpd[19070]: connect from unknown[000.000.000.000]
Feb 16 16:13:32 mail postfix/smtpd[19070]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
Feb 16 16:13:32 mail postgrey[1625]: action=pass, reason=triplet found, client_name=unknown, client_address=000.000.000.000/32, sender=ricoh@daviesprinting.com, recipient=USER-001@daviesprinting.com
Feb 16 16:13:32 mail postfix/smtpd[19070]: 9BD1DA415BB: client=unknown[000.000.000.000]
Feb 16 16:13:32 mail postfix/cleanup[20075]: 9BD1DA415BB: message-id=<20210216160605C1.DCSML-S000800000.002673140EED@daviesprinting.com>
Feb 16 16:13:32 mail opendmarc[1137]: implicit authentication service: mail.daviesprinting.com
Feb 16 16:13:32 mail opendmarc[1137]: 9BD1DA415BB: SPF(mailfrom): ricoh@daviesprinting.com fail
Feb 16 16:13:32 mail opendmarc[1137]: 9BD1DA415BB: daviesprinting.com fail
Feb 16 16:13:33 mail postfix/qmgr[1753]: 9BD1DA415BB: from=<ricoh@daviesprinting.com>, size=934827, nrcpt=1 (queue active)
Feb 16 16:13:33 mail postfix/smtpd[19070]: disconnect from unknown[000.000.000.000] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Feb 16 16:13:33 lmtp(20102): Info: Connect from 127.0.0.1
Feb 16 16:13:33 mail spampd[9620]: processing message <20210216160605C1.DCSML-S000800000.002673140EED@daviesprinting.com> for <USER-001@daviesprinting.com>
Feb 16 16:13:34 mail spampd[9620]: identified spam <20210216160605C1.DCSML-S000800000.002673140EED@daviesprinting.com> (11.28/5.00) from <ricoh@daviesprinting.com> for <USER-001@daviesprinting.com> in 1.76s, 935081 bytes.
Feb 16 16:13:35 lmtp(USER-001@daviesprinting.com): Info: gNCyAY1DLGCGTgAA1nX8CA: sieve: msgid=<20210216160605C1.DCSML-S000800000.002673140EED@daviesprinting.com>: stored mail into mailbox 'Spam'
Feb 16 16:13:35 lmtp(20102): Info: Disconnect from 127.0.0.1: Successful quit
Feb 16 16:13:35 mail postfix/lmtp[20076]: 9BD1DA415BB: to=<USER-001@daviesprinting.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=2.7, delays=0.4/0/0.01/2.2, dsn=2.0.0, status=sent (250 2.0.0 <USER-001@daviesprinting.com> gNCyAY1DLGCGTgAA1nX8CA Saved)
Feb 16 16:13:35 mail postfix/qmgr[1753]: 9BD1DA415BB: removed
mail header
Return-Path: <ricoh@daviesprinting.com>
Delivered-To: USER-001@daviesprinting.com
Received: from mail.daviesprinting.com ([127.0.0.1])
	by mail.daviesprinting.com with LMTP id gNCyAY1DLGCGTgAA1nX8CA
	for <USER-001@daviesprinting.com>; Tue, 16 Feb 2021 16:13:33 -0600
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	mail.daviesprinting.com
X-Spam-Flag: YES
X-Spam-Level: ***********
X-Spam-Status: Yes, score=11.3 required=5.0 tests=DMARC_FAIL_QUARANTINE,
	RDNS_NONE,SPF_FAIL,SPF_HELO_NONE,TO_EQ_FM_DOM_SPF_FAIL autolearn=no
	autolearn_force=no version=3.4.2
X-Spam-Report: 
	*  5.0 SPF_FAIL SPF check failed
	*  5.0 DMARC_FAIL_QUARANTINE DMARC check failed (p=quarantine)
	*  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
	*  1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
	*  0.0 TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF
	*       failed
X-Spam-Score: 11.3
Received: from RNP140EED.daviesprinting.com (unknown [000.000.000.000])
	by mail.daviesprinting.com (Postfix) with SMTP id 9BD1DA415BB
	for <USER-001@daviesprinting.com>; Tue, 16 Feb 2021 16:13:32 -0600 (CST)
Authentication-Results: mail.daviesprinting.com; dmarc=fail (p=quarantine dis=none) header.from=daviesprinting.com
Authentication-Results: mail.daviesprinting.com; spf=fail smtp.mailfrom=ricoh@daviesprinting.com
Authentication-Results: mail.daviesprinting.com; dkim=none;
	dkim-atps=neutral

First of all, the copier is pretty old. I corrected several issues with the copier configuration but they didn’t fix the issue entirely. Some of the configuration can’t be set the same way I would configure a computer.

SMTP from the copier points to the mail server using port 25, originally without authentication. This worked fine on our old server which ran SpamAssassin, but didn’t have SPF configured. Actually all of our computers were set to use port 25, but that errored out with MiaB. Changing them to port 587 fixed that. I changed the copier to port 587 but there was a note in the config that password encryption wouldn’t work without a certificate installed (???). I tried it anyway and the auth was rejected.

So, two questions: any thoughts on configuring an old copier? It is a Ricoh 400C. Or, how do I go about whitelisting the sucker?

TIA

Seems like this might be what you are looking for:

Note that local.cf may get overwritten on future updates, but I think that spamassassin will load all of the files in /etc/spamassassin/ so you could add a custom whitelist file, but don’t quote me on that.

@trinkel

I think that the easiest approach is going to be changing your SPF and DMARC records accordingly.

I am still trying to formulate what the correct records would be to accomplish this.

Can you easily enough change the email address of the printer to say, ricoh@rnp140eed.daviesprinting.com? You’d want to add that email to MiaB so that the authentication will work, and that the adjustment of the SPF and DMARC records won’t affect your normal domain email.

I am curious as to why you have entered your DNS MX record(s) the way that you have.


Yeah, I hadn’t thought about that. The SPF and DMARC records will apply only to their domain or subdomain of the record (assuming DMARC isn’t configured to be for all subdomains, IIRC is an option but not used by default MiaB config).
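
The per-subdomain SPF idea discussed above, as an added example that is not part of the original thread: a small offline evaluator covering only the `ip4`, `ip6`, `mx` and `all` mechanisms. The SPF records, the MX address and the copier address (documentation ranges) are constructed assumptions, not the poster's real DNS.

```python
import ipaddress

# Constructed zone data (assumptions, not the poster's real DNS records).
# 192.0.2.50 stands in for the copier, 198.51.100.10 for the mail server.
SPF_RECORDS = {
    "daviesprinting.com": "v=spf1 mx -all",
    "rnp140eed.daviesprinting.com": "v=spf1 ip4:192.0.2.50 -all",
}
MX_ADDRESSES = {"daviesprinting.com": ["198.51.100.10"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, records=SPF_RECORDS, mx=MX_ADDRESSES):
    """Evaluate a subset of SPF (ip4, ip6, mx, all) for the envelope sender."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # SPF records are not inherited from the parent domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "mx":
            hosts = mx.get(arg or domain, [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        else:
            matched = False  # include, a, redirect, etc. need live DNS: skipped
        if matched:
            return QUALIFIERS[qualifier]  # first matching mechanism decides
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for sender in ("ricoh@daviesprinting.com",
                   "ricoh@rnp140eed.daviesprinting.com"):
        print(sender, "->", check_spf("192.0.2.50", sender))
```

With these constructed records the copier's address fails for the parent domain but passes for the subdomain, while any other host using the subdomain address still fails.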

Finally getting back to this. I had to play phone geek instead of mail geek for several days.

@alento: I can change the copier address easily, but I’m a bit fuzzy on the logic. One of the issues is that I can’t authenticate on 587 due to the lack of a certificate on the copier (at least that’s what the copier interface says). If I try it, I get an auth error from MiaB. My only option has been sending on port 25 which, as I understand, ends up being anonymous. Thus MiaB sees it as an external or separate server rather than local and the SPF checks kick in?

I suppose one thing that I should clarify, just in case, is that all emails from the copier remain in-house. Nothing should be going to an external server.

On the MX thing, the two listings are a suggestion I came across to make greylisting a little more user friendly. The first try defers, then the sender tries the next MX which presents as a retry and the email is accepted since it has been seen before. That’s the theory anyway. So far, not really working.

So that it is in the same domain. Currently it is using a subdomain.

Received: from RNP140EED.daviesprinting.com (unknown [000.000.000.000])

Yeah, there needs to be a time delay in between. I think MiaB is set at 8 minutes.

Your solution is likely an SMTP proxy running locally on your network for the printer/copier to connect to which relays the email to the MiaB server. I linked a post the other day in response to someone else with a similar issue. There are two different local proxy choices out there.