An email with the following From header was accepted by my MIB instance:

From: "Someone someone@junk.com"@mydomain.com

The server a.b.c.d from which this email was sent to my port 25 is a valid (according to SPF) server for "junk.com", but not for "mydomain.com". The domain "mydomain.com" is hosted on my MIB.

I would have expected this to fail, as a.b.c.d is not a permitted sender for "mydomain.com" according to SPF records. But my MIB probably looked at the "@junk.com" part and decided this was allowed. There is no SPF message in the headers of the received message.

Two questions:

1. Why did this message not get rejected based on SPF?
2. If this is not a bug, is there a way to reject messages on port 25 which are from a locally hosted domain?

Thanks,
Kasper

I tried replicating the issue but couldn't. In mail.log I get:

Jun  7 11:52:28 box opendmarc[100151]: 196238BC: SPF(mailfrom): domain_with_passing_spf"@domain_with_failing_spf fail

when I send a message from "word1 test@domain_with_passing_spf"@domain_with_failing_spf. (A message from test@domain_with_passing_spf passes SPF.)

What version of Mail-in-a-Box are you running (or what version of Ubuntu, really)?

Yes, that's what I was expecting to happen. I am running Power Mail-in-a-Box v56.4 on Ubuntu 20.04.

The from line actually reads

 From: "Someone <someone@junk.com>"@mydomain.com

(my original message had the pointy brackets stripped).

Ah! Seems like the brackets made the difference. Now I get:

Jun  7 19:21:15 box opendmarc[100151]: 708EC8EB: SPF(mailfrom): domain_with_passing_spf>"@domain_with_failing_spf pass

We use OpenDMARC to process DMARC and, via that, SPF records. I think you could open an issue for this at https://github.com/trusteddomainproject/OpenDMARC/issues. (I read through the titles of the open issues and didn't see one about this already.) If you do, please paste a link to the new issue here so I can track it.