
Re: question re. SPF interactions

  • Miles Fidelman
    Message 1 of 10 , Oct 31, 2006
      Noel Jones wrote:
      > At 07:51 PM 10/29/2006, Miles Fidelman wrote:
      >> In addition, I have a small number of mail accounts hosted on the
      >> machine, 1 of which logs in and uses pine, the other two use remote
      >> clients (Thunderbird) - authenticated via MD5 challenge-response.
      >>
      >> I've just started to add SPF records to all the domains I support and
      >> I realize I have a small problem: For the mail server, and the
      >> pine-based email account, everything works just fine, but mail that
      >> originates from Thunderbird fails SPF checks - presumably because
      >> it's originating from the IP address client (dynamically assigned)
      >> rather than from the server.
      >>
      >> Which leads to a question: can Postfix be configured to make the
      >> Thunderbird-originated mail look like it originated on the server for
      >> purposes of SPF?
      >
      > Two choices:
      > - use a header_checks IGNORE action to remove the offending header.
      > - use smtpd_sasl_authenticated_header to report that the mail was
      > submitted using AUTH. Most SPF implementations will ignore such a
      > header. This requires postfix 2.3 or newer.
      > http://www.postfix.org/postconf.5.html#smtpd_sasl_authenticated_header
      >
      Well, it turns out that we have a non-problem. The only time the SPF
      test fails, and matters, is when someone sends from an authenticated
      client to an address on the local host. What happens is:
      - SPF test fails on initial received header
      - since the domain is listed in @local_domains_acl (in
      /etc/amavis/amavis.conf) - the line is left in and seen for local delivery
      - but... if the mail goes on to our list server, or to an outside
      address, the SPF fail header is stripped out and the envelope header is
      now set to the mail server, which is listed in the SPF record, and all
      is copacetic

      So... looked like we had a problem, but it really isn't - learned a lot
      about postfix, amavis, and spamassassin, and SPF along the way, though.

      Thanks to all who offered help!

      Miles
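
An added example, not part of the messages above: a simplified model of how a header-based SPF check can skip the hop that Postfix marks as an AUTH submission when `smtpd_sasl_authenticated_header = yes`. The sample message, host name `mail.example.org`, addresses and the function `hops_needing_spf` are constructed for illustration; this is not SpamAssassin's or amavis's own logic.

```python
import re
from email import message_from_string

# Constructed sample: a Received header as Postfix writes it for an AUTH
# submission with smtpd_sasl_authenticated_header = yes (documentation IPs).
WITH_AUTH = (
    "Received: from [192.168.1.20] (unknown [203.0.113.45])\n"
    "\t(Authenticated sender: miles)\n"
    "\tby mail.example.org (Postfix) with ESMTPA id 4F1C2A0B3\n"
    "\tfor <list@example.org>; Tue, 31 Oct 2006 10:00:00 -0500 (EST)\n"
    "From: miles@example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)
# Same message as it looks when the annotation is not recorded.
WITHOUT_AUTH = WITH_AUTH.replace("\t(Authenticated sender: miles)\n", "")

CLIENT_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")  # "(name [ip])"
AUTH_NOTE = re.compile(r"\(Authenticated sender: [^)]*\)")
BY_HOST = re.compile(r"\bby\s+(\S+)")


def hops_needing_spf(raw, our_mta):
    """Client IPs from Received headers written by our_mta that carry no
    AUTH annotation, i.e. the hops an SPF check should still evaluate."""
    ips = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        by = BY_HOST.search(flat)
        # Only headers stamped by our own server are trustworthy; anything
        # else could have been forged by the sender, so it is ignored here.
        if not by or by.group(1).lower() != our_mta.lower():
            continue
        if AUTH_NOTE.search(flat):
            continue  # authenticated submission: client IP is not a relay
        ip = CLIENT_IP.search(flat)
        if ip:
            ips.append(ip.group(1))
    return ips


if __name__ == "__main__":
    print(hops_needing_spf(WITH_AUTH, "mail.example.org"))
    print(hops_needing_spf(WITHOUT_AUTH, "mail.example.org"))
```

The annotation is only meaningful on a header written by your own server, which is why the function matches the `by` host before trusting it.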