You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Clay Irving <cl...@panix.com> on 2005/08/07 03:58:51 UTC
SPF implementation
Has anyone sucessfully implemented SPF scoring? I have it working with 3.0.4,
but everything is a "trusted relay" -- From debug:
debug: registering glue method for check_for_spf_helo_pass
(Mail::SpamAssassin::Plugin::SPF=HASH(0xa26763c))
debug: SPF: message was delivered entirely via trusted relays, not required
I also noticed in spf.cf the rules aren't scored.
Documentation seems to be lacking.
--
Clay Irving <cl...@panix.com>
There is nothing more agreeable in life than to make peace with the
establishment -- and nothing more corrupting.
- Alan John Percivale Taylor
Re: SPF implementation
Posted by jdow <jd...@earthlink.net>.
From: "Clay Irving" <cl...@panix.com>
> On Sat, Aug 06, 2005 at 09:39:24PM -0500, Steve Martin wrote:
>
> > It works for me. If the message only went through relays listed in
> > "internal_networks" and "trusted_networks" per your configuration, it
> > won't do the tests since you have explicitly told it that those
> > relays are trusted.
> >
> > You should be seeing "ALL_TRUSTED" as one of the rules that fired on
> > the messages it isn't checking.
>
> I set ALL_TRUSTED to 0.0
If there is more than one wrong way to solve the problem you got what is
perhaps the most wrong of all.
It's a pain to set it up properly. But I highly recommend you do. A lot
of good features will suddenly begin to work.
{o.o}
Re: SPF implementation
Posted by JamesDR <ro...@bellsouth.net>.
Ilan Aisic wrote:
> Just my 2 cents:
>
> I don't see the ALL_TRUSTED ever in action because at my MTA level
> (Exim 4.5), I don't direct mail that comes from my internal network
> through SA.
> Anyone sees a reason to do so?
>
> I do recommend directing all the internal email through an anti-virus
> (ClamAV in my case). I thought this was redundant but was burnt when
> someone inadvertently brought a virus on her laptop and once inside
> and behind the firewall, it started to send itself to everyone.
> Luckily, in addition to having Clam on the server, most people also
> run Norton or something else on their PCs.
>
> The chances of someone inadvertently bringing in ratware that works as
> a virus is a lot smaller.
>
>
I do exactly what you say..
Incoming Spam+Clam
Outgoing Clam
The biggest reason I do this is because all users must auth to send mail
internally, port 25 in/out is blocked except to/from the mail server.
If someone gets a virus/ratware inside I use the clueX4 BOFH style :-D
But seriously, I do this mostly to save processing. There is a lot of
traffic outbound that is well over the 300KB cutoff of my scanner, so
sending everything outbound through is a waste of time/cpu (as far as
spam goes.) I do scan for viruses in/out just as a matter of course. We
are a small org, so it's easy to see if a user is misbehaving. You will
have to adjust for your org, and environment.
--
Thanks,
JamesDR
Re: SPF implementation
Posted by Ilan Aisic <ia...@gmail.com>.
Just my 2 cents:
I don't see the ALL_TRUSTED ever in action because at my MTA level
(Exim 4.5), I don't direct mail that comes from my internal network
through SA.
Anyone sees a reason to do so?
I do recommend directing all the internal email through an anti-virus
(ClamAV in my case). I thought this was redundant but was burnt when
someone inadvertently brought a virus on her laptop and once inside
and behind the firewall, it started to send itself to everyone.
Luckily, in addition to having Clam on the server, most people also
run Norton or something else on their PCs.
The chances of someone inadvertently bringing in ratware that works as
a virus is a lot smaller.
--
Ilan Aisic
Registered Linux User 8124 http://counter.li.org
Re: SPF implementation
Posted by Kelson <ke...@speed.net>.
Clay Irving wrote:
> I set ALL_TRUSTED to 0.0
That helps explain it. The SPF implementation depends on a properly set
up trust path. If you were seeing misfires on ALL_TRUSTED, that
probably means your trust path was incorrect.
The proper solution is to set your trusted_networks and
internal_networks correctly (see the docs), then re-enable ALL_TRUSTED.
If you're still having problems with ALL_TRUSTED misfiring, run
spamassassin -D on a problem message and see if there's a problem
parsing the Received: headers. That will also cause problems with the
trust path and anything that depends on it (SPF included)
A lot of SA features -- not just ALL_TRUSTED -- depend on a correct
trust path. Disabling ALL_TRUSTED won't fix those.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
Re: SPF implementation
Posted by Clay Irving <cl...@panix.com>.
On Sat, Aug 06, 2005 at 09:39:24PM -0500, Steve Martin wrote:
> It works for me. If the message only went through relays listed in
> "internal_networks" and "trusted_networks" per your configuration, it
> won't do the tests since you have explicitly told it that those
> relays are trusted.
>
> You should be seeing "ALL_TRUSTED" as one of the rules that fired on
> the messages it isn't checking.
I set ALL_TRUSTED to 0.0
--
Clay Irving <cl...@panix.com>
My pessimism extends to the point of even suspecting the sincerity of
other pessimists.
- Jean Rostand
Re: SPF implementation
Posted by Steve Martin <st...@planomartins.com>.
It works for me. If the message only went through relays listed in
"internal_networks" and "trusted_networks" per your configuration, it
won't do the tests since you have explicitly told it that those
relays are trusted.
You should be seeing "ALL_TRUSTED" as one of the rules that fired on
the messages it isn't checking.
On Aug 6, 2005, at 8:58 PM, Clay Irving wrote:
> Has anyone sucessfully implemented SPF scoring? I have it working
> with 3.0.4,
> but everything is a "trusted relay" -- From debug:
>
> debug: registering glue method for check_for_spf_helo_pass
> (Mail::SpamAssassin::Plugin::SPF=HASH(0xa26763c))
> debug: SPF: message was delivered entirely via trusted relays,
> not required
>
>
> I also noticed in spf.cf the rules aren't scored.
>
> Documentation seems to be lacking.
>
> --
> Clay Irving <cl...@panix.com>
> There is nothing more agreeable in life than to make peace with the
> establishment -- and nothing more corrupting.
> - Alan John Percivale Taylor
>
--
Steve Martin http://www.cheezmo.com/
Smart Calibration, LLC http://www.smartcalibration.com/
The Widescreen Movie Center http://www.widemovies.com/
Letterboxed Movie TV Schedule http://www.widemovies.com/lbx.html