Re: question re. SPF interactions
- Noel Jones wrote:
> At 07:51 PM 10/29/2006, Miles Fidelman wrote:Well, it turns out that we have a non-problem. The only time the SPF
>> In addition, I have a small number of mail accounts hosted on the
>> machine, 1 of which logs in and uses pine, the other two use remote
>> clients (Thunderbird) - authenticated via MD5 challenge -response.
>> I've just stated to add SPF records to all the domains I support and
>> I realize I have a small problem: For the mail server, and the
>> pine-based email account, everything works just fine, but mail that
>> originates from Thunderbird fails SPF checks - presumably because
>> it's originating from the IP address client (dynamically assigned)
>> rather than from the server.
>> Which leads to a question: can Postfix be configured to make the
>> Thunderbird-originated mail look like it originated on the server for
>> purposes of SPF?
> Two choices:
> - use a header_checks IGNORE action to remove the offending header.
> - use smtpd_sasl_authenticated_header to report that the mail was
> submitted using AUTH. Most SPF implementations will ignore such a
> header. This requires postfix 2.3 or newer.
test fails, and matters, is when someone sends from an authenticated
client to an address on the local host. What happens is:
- SPF test fails on initial received header
- since the domain is listed in @local_domains_acl (in
/etc/amavis/amavis.conf) - the line is left in and seen for local delivery
- but... if the mail goes on to our list server, or to an outside
address, the SPF fail header is stripped out and the envelope header is
now set to the mail server, which is listed in the SPF record, and all
So... looked like we had a problem, but it really isn't - learned a lot
about postfix, amavis, and spamassassin, and SPF along the way, though.
Thanks to all who offered help!