Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 8 replies
  • Answers 1 answer
  • Subscribers 7 subscribers
  • Views 10618 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SPF setup (or internal) question

Henk-Jan Kloosterman

Hello, 

We have our utm setup as an incoming mail relay for various domains.

Problem is now that when someone spoofs the from adres, as one of our internals, it gets passed thourgh,

In the past we had some issue;s whn turning on SPF check.

My question now i, what if we turn on SPF check again. 

 

What happens to mail from domains that have no SPF at all???

 

Henk-Jan



This thread was automatically locked due to age.
  • 0

    SPF enforcement should have no effect on domains with no SPF record.

    SPF only checks the SMTP From, not the header From seen by users.  So it may help with sone but not all of the spam.

    The SMTP From is supposed to represent the logged in user at the sending system.  Some websites that use your email as login think that gives them the right to send mail on your behalf using your email address.  This violates SPF, so watch for desired mail getting blocked.

    Plenty of businesses have SPF entries that end in maybe (?all) or softfail (~all) .  These are probably handled by UTM the same as no SPF arecord at all

  • 0 in reply to DouglasFoster

    So in a UTM, when you choose to use SPF, the mail with no SPF will be marked as spam? 

     

     
     
    So if some of the people who mail us, did not add an SPF record for their domain, their messages will not be flagged as spam or even denied?
     
    Unfortunatly I have no way of testing the SPF behavious on a UTM for incoming mail.
    So I wanted to know what risk I might be facing.
  • 0 in reply to Henk-Jan Kloosterman

    If no SPF is set up for a domain the email passes normal. I think this would be RFC conform in every system.

    In my mind SPF is a system without very harmful potential, but with even not 100% guaranteed protection. So give it a try.

    Best

    Alex

    -

  • 0 in reply to Henk-Jan Kloosterman

    We use SPF check on our UTM since long and also receiving mail on 4 different domains on the UTM.

    SPF-check checks the sending domain's domain for an existing SPF-record. If none exists there simply is nothing to check and mail is accepted.

    If a record does exist and ends in -all (reject all others) then the UTM will reject (quarantine) mail that is sent from somewhere it is not configured to be sent from by the domain owner of the sending domain.

    In our experience those domains ending in -all usually have the record pretty nicely configured and mail will come through. We once had a client that switched internet provider and forgot about the SPF-record. This was a reason form all mails from this client to be quarantined until they reconfigured their SPF-record again.

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • 0 in reply to apijnappels

    Thanks, we have a simular setup. 

    Only problem we encounter now, is that for the internal email adressen, I need to apply "strict" rules.

    Somehow the UTM accepts it when you do to xyz@abc.com from xyz@abc.com (abc.com is an internal domain)

    When I set SPF check and create a strict rule all is ok.

    Is there another way to prevent outside adresses to spoof internal adresses? 

     

    (Tested it with https://www.wormly.com/test-smtp-server)

     

  • 0 in reply to Henk-Jan Kloosterman

    What do you mean by a "strict rule"?   Do you mean "Strict Reverse DNS", or something else?   I do not see a "Strict" setting for SPF. 

    Strict reverse DNS will block some traffic, but for unrelated reasons.   The experts at IETF think it is not an effective spam defense.  See RFC 7601, section 2.7.3 on "iprev", for additional information.

    SPF is designed to check the SMTP From information, which is part of the headers that the user never sees.   It is designed to be checked before the whole message is received, which means that it occurs before the FROM Header (the one seen by the user) is transmitted.

    Your problem is most likely occurring because the FROM Header is fraudulent.   I don't know how to fix that with UTM.  I don't think the Exim engine inside UTM is capable of checking the FROM Header.   (I have made this assertion on other occasions in this forum, and it has not yet been disputed or confirmed.)

  • 0 in reply to DouglasFoster

    Correct, 

    The from header is fraudulent. (from external IP adresses) they spoof "internal" domain(s) 

    Only way to fix this to use "strict" SPF. 

  • 0

    Hoi Henk-Jan and welcome to the UTM Community!

    Guys, please vote for and comment on In Anti-Spam, Expression-check everything after DATA or include From .

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML