IPv6 and SPF error - ORF Forums

IPv6 and SPF error RSS Back to forum


Even after upgrading to 6.5 I am having issues with SPF and Internal (link-local) IPv6-adresses. Our servers connect using IPv6 adreses with a scope-ID. The address looks like fe80::252f:7437:9f29:bfca%7 and the SPF test fails with a message that this is not a valid IPv4 och IPv6 address.
The connection is internal to the server. It connects to itself when sending an email from postmaster to one regular user.
I can not add this address to the ignore-list in SPF as that tells me it is invalid. If I skip the %7 it looks like valid address, but then it will not match the connecting address even when using wildcards.

by johan.strand 2 months ago

Hello Johan,

I was able to reproduce the error in our lab. It looks like there is an issue with the IPv6 address parser in the SPF Test module which triggers the error message when the test runs at the Before Arrival filtering point. The good news is that the bug does not affect email delivery, since ORF simply skips the SPF Test when the error occurs, and the error only manifests when an internal email is received (via an interface with IPv6 link-local address+scope-ID) which would not be filtered anyway.

If you want to get rid of the SPF error messages until we release the next update, I suggest that you force ORF to run the SPF Test at the On Arrival filtering point, by enabling the "Wait for headers" option in the SPF Test filtering actions dialog:

Filtering > Actions > SPF Test [...] > Reject > [x] "Wait for headers" > Ok

Make sure to save the ORF configuration (Ctrl + S) to apply the new settings.

Thank you for reporting this issue, and sorry for the inconvenience. In case you need further assistance, just let me know.

by Daniel Novak (Vamsoft) 2 months ago

@johan.strand: Just one more thing regarding not being able to add the IPv6 address with the scope-id to the SPF Test IP exceptions. You do not have to that. If you check the "Filtering > Intermediate Hosts" page, you will find that the fe80::/10 range is already there, which means ORF will *whitelist* the email if it finds that the original sender of the email had a IPv6 link-local address. Furthermore, as I mentioned in my previous post, ORF's error handling policy will ensure that the emails will get through.

by Daniel Novak (Vamsoft) 2 months ago
(in reply to this post)


@Daniel Novak (Vamsoft): Yes, I expected the whitelist for intermediate hosts to catch this, but since it didn't I tries explicitly whitelisting in the SPF-filter.
The Issue is caused by a nightly PowerShell-script that collects status information and sends it to interested recipients. I will try to work around the problem by directing the script so send through the backup server instead of the local server. I expect that to resolve the issue until the next release.

by johan.strand 2 months ago
(in reply to this post)


@johan.strand: Could you send us (to ) the ORF log file from the day of the incident for analysis, please? You may find it on the configured logging path (default: C:\ProgramData\ORF Fusion\TextLogs)

If the email originated from an intranet host, it should have been whitelisted at the On Arrival filtering point.

by Daniel Novak (Vamsoft) 2 months ago
(in reply to this post)


@Daniel Novak (Vamsoft): Log files from yesterday (ORF 6.5) and the day before (ORF 6.2.1) have been sent to you.

by johan.strand 2 months ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2