Enabling SPF checks with CHECK_RCPT_SPF doesn't work

Note: this bug relates to inbound IPv4 addresses. IPv6 addresses are affected by a separate bug: #2056443

Hi Dominic,

Thanks for taking the time to submit this bug report and make Ubuntu better!

Where are you setting the variable CHECK_RCPT_SPF = true ?

Doing a quick google search I found[0] which looks like it may be useful. It says to do the following -

1) Add `CHECK_RCPT_SPF = true` to the top of /etc/exim4/exim4.conf.template
2) Run `update-exim4.conf`
3) Run `systemctl restart exim4`

If you could supply all the steps on how you configured your server and reproduced the issue, that may be helpful as well.

[0] - https://j11g.com/2023/07/24/correctly-configuring-incoming-spf-in-exim-on-debian/

Hi Mitchell,

I am setting CHECK_RCPT_SPF = true in /etc/exim4/exim4.conf.localmacros where local macros are typically set.

I have run `update-exim4.conf` and `systemctl restart exim4`.

Then I send myself an email from an outlook.com account, which has SPF enabled, and the headers report:

Received-SPF: none

I am expecting to see:

Received-SPF: pass

Could you provide your config file? Also state if you applied any customization in your set up? Those things would be useful to reproduce what you described locally.

exim4.conf.template is completely unmodified from stock mantic.

Bug can be replicated by:

1. Installing mantic
2. Installing exim4 and spf-tools-perl
3. `dpkg-reconfigure exim4-config` and make it accept mail
4. Adding CHECK_RCPT_SPF = true to /etc/exim4/exim4.conf.localmacros
5. Sending yourself an email from Gmail or Outlook and checking the spf header

That's all I did.

Also: `update-exim4.conf` and restart exim before sending mail to yourself.

Hi Dominic,

Thanks for the additional information.

Are you using exim4-daemon-heavy or exim4-daemon-light? In case you are using the light version, could you try it with the heavy one as well and report it back here?

I'm using exim4-daemon-heavy.

$ apt list --installed | grep exim4

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

exim4-base/mantic-updates,mantic-security,now 4.96-17ubuntu2.2 amd64 [installed,automatic]
exim4-config/mantic-updates,mantic-security,now 4.96-17ubuntu2.2 all [installed,automatic]
exim4-daemon-heavy/mantic-updates,mantic-security,now 4.96-17ubuntu2.2 amd64 [installed,automatic]
exim4/mantic-updates,mantic-security,now 4.96-17ubuntu2.2 all [installed]

According to the exim4 changelog, the spf logic was modified in Aug 2023.

exim4 (4.96-17ubuntu1) mantic; urgency=medium

  * Merge with Debian unstable (LP: #2030098). Remaining changes:
     - Disable external SPF support to avoid Build-Depends on libspf2-dev
       (only available in universe). SPF can still be implemented via
       spf-tools-perl, as documented in exim4.conf.template. This reverts
       Vcs-Git commit 494f1fe, first released in 4.95~RC0-1.
       (LP #1952738)
       + d/control: drop Build-Depends on libspf2-dev.
       + d/EDITME.exim4-heavy.diff: disable support for libspf2.
       + d/d/c/a/30_exim4-config_check_rcpt: restore SPF logic based
         on spfquery.mail-spf-perl from spf-tools-perl, but without
         the previously supported helo detection.

Hello Dominic,

The fact that you get that

  Received-SPF: none

headers means that spf-tools-perl gets called by exim4. What I suggest to debug this is to manually call spfquery.mail-spf-per with the relevant parameters (see the spfquery.mail-spf-perl manpage), and check if what kind of reply you get for your incoming outlook mail. The tool's help screen (spfquery.mail-spf-perl --help) has examples on how to invoke it.

I get the correct result when running spfquery.mail-spf-perl manually.

$ /usr/bin/spfquery.mail-spf-perl --ip 40.92.113.65 --scope mfrom --identity <email address hidden>
pass
outlook.com: Sender is authorized to use '<email address hidden>' in 'mfrom' identity (mechanism 'include:spf.protection.outlook.com' matched)
outlook.com: Sender is authorized to use '<email address hidden>' in 'mfrom' identity (mechanism 'include:spf.protection.outlook.com' matched)
Received-SPF: pass (outlook.com: Sender is authorized to use '<email address hidden>' in 'mfrom' identity (mechanism 'include:spf.protection.outlook.com' matched)) receiver=alpha.cress.org.uk; identity=mailfrom; <email address hidden>"; client-ip=40.92.113.65

Still an issue in noble / 24.04.

"Received-SPF: none" is reported in the headers of received mail for senders known to have an spf record configured.

Also, this should not be marked as "incomplete" as I have supplied all the required information.

Dominic, did you upgrade to mantic and start seeing this failure, or did you make a new mantic install and set things up from scratch?

I wonder if some logic elsewhere was changed in Debian that we missed, or has this always been broken?

This scenario would also be a nice thing to have a dep8 test going forward if that can be setup, I'm just not sure if that's feasible in the testbed.

It was a clean install of Noble, for some reason the spf check always returns "none". It is very easily reproducible, as per my comment #5.

Possibly related to: https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1998678

I was looking into bug #1998678 as a potential reason, do you see any concerning logs in your /var/log/exim4/mainlog (or wherever your logs are)?

No errors in /var/log/exim4/mainlog, just normal mail flow logs.

I suspect some sort of error was introduced in the code for the #1998678 fix.

That could be a possibility.

On a side note, I tried to setup a testbed to reproduce this (and start working on a dep8 test) and can't seem to get the setup working correctly. I followed the steps in bug #1998678, see the mail in `/var/mail/ubuntu` but don't see any Received-SPF headers at all, is that expected? I think I must be missing something in my setup.

No, you should be seeing a header. Are the steps you followed the same as that which I wrote in comment #5 of this report?

(and comment #6)

Hi, just want to add a quick comment that I’m on vacation until the end of the week so don’t expect a reply from me until then. Also will be attending the Canonical sprint next week so might not be able to update this next week either.

Feel free to take a stab at this if you are triaging this bug without me.