IPv6 and SPF error RSS Back to forum
Hello Johan,
I was able to reproduce the error in our lab. It looks like there is an issue with the IPv6 address parser in the SPF Test module which triggers the error message when the test runs at the Before Arrival filtering point. The good news is that the bug does not affect email delivery, since ORF simply skips the SPF Test when the error occurs, and the error only manifests when an internal email is received (via an interface with IPv6 link-local address+scope-ID) which would not be filtered anyway.
If you want to get rid of the SPF error messages until we release the next update, I suggest that you force ORF to run the SPF Test at the On Arrival filtering point, by enabling the "Wait for headers" option in the SPF Test filtering actions dialog:
Filtering > Actions > SPF Test [...] > Reject > [x] "Wait for headers" > Ok
Make sure to save the ORF configuration (Ctrl + S) to apply the new settings.
Thank you for reporting this issue, and sorry for the inconvenience. In case you need further assistance, just let me know.
@johan.strand: Just one more thing regarding not being able to add the IPv6 address with the scope-id to the SPF Test IP exceptions. You do not have to that. If you check the "Filtering > Intermediate Hosts" page, you will find that the fe80::/10 range is already there, which means ORF will *whitelist* the email if it finds that the original sender of the email had a IPv6 link-local address. Furthermore, as I mentioned in my previous post, ORF's error handling policy will ensure that the emails will get through.
@Daniel Novak (Vamsoft):
Yes, I expected the whitelist for intermediate hosts to catch this, but since it didn't I tries explicitly whitelisting in the SPF-filter.
The Issue is caused by a nightly PowerShell-script that collects status information and sends it to interested recipients. I will try to work around the problem by directing the script so send through the backup server instead of the local server. I expect that to resolve the issue until the next release.
@johan.strand:
Could you send us (to ) the ORF log file from the day of the incident for analysis, please? You may find it on the configured logging path (default: C:\ProgramData\ORF Fusion\TextLogs)
If the email originated from an intranet host, it should have been whitelisted at the On Arrival filtering point.
@Daniel Novak (Vamsoft): Log files from yesterday (ORF 6.5) and the day before (ORF 6.2.1) have been sent to you.
Even after upgrading to 6.5 I am having issues with SPF and Internal (link-local) IPv6-adresses. Our servers connect using IPv6 adreses with a scope-ID. The address looks like fe80::252f:7437:9f29:bfca%7 and the SPF test fails with a message that this is not a valid IPv4 och IPv6 address.
The connection is internal to the server. It connects to itself when sending an email from postmaster to one regular user.
I can not add this address to the ignore-list in SPF as that tells me it is invalid. If I skip the %7 it looks like valid address, but then it will not match the connecting address even when using wildcards.