haraka / haraka-plugin-spf Goto Github PK

Hello

There is a bug with this plugin. The SPF is correct, the settings are correct, and the check is from myself, not the sender. All other domains with the same SPF records pass, but this specific plugin denies this one. Any ideas why?

The IP in 'mfrom' is correct (Haraka's self-outbound IP), but for some reason, only for this specific domain does the plugin decide to check with the wrong IP. Although the IP appears correct in the output, it is wrong in the mail failure notification. When the SPF plugin is removed, the email is sent and delivered successfully with an SPF pass.

2024-05-07T20:04:03.170Z [INFO] [ACFFFD10-801B-4FA4-AFA7-E7AE81AB92BE.1] [spf] identity=mfrom ip=15.x.x.x <------------------------- Correct IP domain="some-domain.com" mfrom=<[email protected]> result=Fail

2024-05-07T20:04:03.170Z [INFO] [ACFFFD10-801B-4FA4-AFA7-E7AE81AB92BE.1] [spf] scope: mfrom, result: Fail, domain: some-domain.com

2024-05-07T20:04:03.171Z [INFO] [ACFFFD10-801B-4FA4-AFA7-E7AE81AB92BE.1] [core] hook=mail plugin=spf function=hook_mail params=<[email protected]> retval=DENY msg="[object Object]"

Mail failure (Should not check for this IP, this is the domain MX IP):

host relay.x.com [15.x.x.x]
SMTP error from remote mail server after pipelined MAIL FROM:<[email protected]> SIZE=2560:
550 [ACFFFD@relay] 5.7.1 http://www.openspf.org/Why?s=mfrom&[email protected]&ip=38.x.x.x    <----- wrong IP check
HelloTesting email delivery

I can clearly see with the MX toolbox that the SPF is valid.

Basically,

[core] Error
    at callback (/Haraka/plugins.js:482:34)
    at Plugin.exports.return_results (Haraka/plugins/spf.js:295:20)
    at ch_cb (Haraka/plugins/spf.js:214:16)
    at mech_chain_caller (Haraka/spf.js:316:28)
    at QueryReqWrap.callback (Haraka/spf.js:507:56)
    at QueryReqWrap.onresolve [as oncomplete] (dns.js:203:10)

This is happening because of the following events chain:

        net_utils.get_mx(domain, (err, mxes) => {
            for (let a=0; a<mxes.length; a++) {
                dns[resolve_method](mx, (err4, addrs) => {
                            default:            return cb(null, self.SPF_TEMPERROR);

When there are multiple MX, and some of them fail (or maybe even when some fail, some succeed), we invoke CB which doesn't put a stopper on further invocations.

System Info:

2.8.27

• populate [files] in package.json. Delete .npmignore.
• automated code linting. #3308
  • dep: eslint-plugin-haraka -> @haraka/eslint-config
  • update 'lint' script in package.json
  • verify 'lint' CI test config
• lint: remove duplicate / stale rules from .eslintrc
• automated code formatting (see also #3308)
• automated CI testing.
  • mostly done, verify that local copy of ci.yml is up-to-date.
• CONTRIBUTORS: see 3309
• consistent naming of "special" files like CHANGELOG.md.
• CHANGELOG: verify links at bottom (due to inconsistent tag naming)
  • latest .release does this, fixes most, and warns of errors it can't fix
• verify GitHub repo About link points to npm package
• convert test suites to mocha "style"
  • works great today and with node --test in v18+

Edit: It works if I comment out the uses of skip_hosts

Any idea why this is crashing?

The content of my plugins

...
spf
...

The content of my spf.ini

[relay]
context=sender   (default: sender)

system info

Expected behavior

Plugin doesn't crash

Observed behavior

I've noticed two issues and I suspect that they are related. They happen when the domain does not have an A record for its MX server.

1. The plugin crashes with a TypeError.
   This is all that shows up in the log:
   Jun 22 05:39:29 mx4 haraka[868630]: [ERROR] [ED649910-3907-4B08-865B-A764A7617251] [TypeError]

2. The SPF test tool, as described in this plugin's readme, also fails with this error:

/usr/lib/node_modules/Haraka/node_modules/haraka-plugin-spf/lib/spf.js:504
      self.log_debug(`mech_mx: mx=${mx} addresses=${addrs.join(',')}`);
                                                          ^

TypeError: Cannot read properties of undefined (reading 'join')
    at SPF.mech_mx (/usr/lib/node_modules/Haraka/node_modules/haraka-plugin-spf/lib/spf.js:504:59)
    at async SPF.check_host (/usr/lib/node_modules/Haraka/node_modules/haraka-plugin-spf/lib/spf.js:290:22)

Steps to reproduce

1. receive email from a domain that doesn't have an A record for its MX server.

2. .../haraka-plugin-spf/bin/spf -ip 57.129.0.61 --domain nagomigyouza.com

Hi,

I want to deny incoming messages that violate SPF.

I already have spf in config/plugins.

I'm reading the doc, but it's unclear what's the next step.

How to deny incoming messages that violate SPF?

Thanks!