SPF_PASS doesn't trigered

[Nikolay Shopik <sh...@inblock.ru>]

I have domain hosted at google apps, and my domain have recomended by 
google txt record "v=spf1 include:_spf.google.com ~all". So far when I 
receive mail from this domain spamassassin doesn't trigger rule SPF_PASS 
nor SPF_SOFTFAIL, is this normal?
I'm running 3.3.1 version

Re: SPF_PASS doesn't trigered

[Matus UHLAR - fantomas <uh...@fantomas.sk>]

>> On ons 15 dec 2010 19:20:28 CET, Nikolay Shopik wrote
>>> I did play more with gmail as example, and notice. If I send email
>>> from web interface SPF always matched and OK. If I'm using MUA to send
>>> mail via SMTP it never fail or pass SPF rule. Probably new "Received:"
>>> header is related, any ideas?

> On 15.12.2010 21:28, Benny Pedersen wrote:
>> sendmail vs smtp ?

On 15.12.10 21:34, Nikolay Shopik wrote:
> I probably mean "sent" word, I don't use sendmail. My MUA is Thunderbird.

do you send that mail via gmail SMTP or via your SMTP?

Does your SMTP belong to your internal_networks?

In such case, the SPF can't be checked because the mail did not come from
outside but originated in your network. In such case, it should match
ALL_TRUSTED and verification of the sender must be done by your SMTP server.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggets disasters: Hiroshima 45, Tschernobyl 86, Windows 95

Re: SPF_PASS doesn't trigered

[Nikolay Shopik <sh...@inblock.ru>]

On 16/12/10 01:04, Benny Pedersen wrote:
> so more then one header is needed in your case ?

Well SA only see first header, second header added after mail 
re-inserted into queue after SA check.
What I don't understand is why it was working for some hosts before, 
because there always at least one trusted_hosts which prevent SA to do 
SPF checks.

Re: SPF_PASS doesn't trigered

[Benny Pedersen <me...@junc.org>]

On ons 15 dec 2010 22:58:29 CET, Nikolay Shopik wrote

> Problem was in "spf: relayed through one or more trusted relays,  
> cannot use header-based Envelope-From"
> always_trust_envelope_sender 1 is helps in my case, both of my  
> trusted relays are 127.0.0.1.

so more then one header is needed in your case ?

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html

Re: SPF_PASS doesn't trigered

[Nikolay Shopik <sh...@inblock.ru>]

Problem was in "spf: relayed through one or more trusted relays, cannot 
use header-based Envelope-From"
always_trust_envelope_sender 1 is helps in my case, both of my trusted 
relays are 127.0.0.1.

On 15.12.10 22:29, Benny Pedersen wrote:
> On ons 15 dec 2010 20:05:46 CET, Nikolay Shopik wrote
>> Both using smtp when delivering mail to my server, difference is only
>> in headers.
>
> no logs ?
>
> have you configured envelope sender in spamassassin ?
>
> or better yet readed
>
> perldoc Mail::SpamAssassin::Conf
> perldoc Mail::SpamAssassin::Plugin::SPF
>
> have you installed Mail::SPF::Query or Mail::SPF ?
>
> first one is depricated
>

Re: SPF_PASS doesn't trigered

[Benny Pedersen <me...@junc.org>]

On ons 15 dec 2010 20:05:46 CET, Nikolay Shopik wrote
> Both using smtp when delivering mail to my server, difference is  
> only in headers.

no logs ?

have you configured envelope sender in spamassassin ?

or better yet readed

perldoc Mail::SpamAssassin::Conf
perldoc Mail::SpamAssassin::Plugin::SPF

have you installed Mail::SPF::Query or Mail::SPF ?

first one is depricated

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html

Re: SPF_PASS doesn't trigered

[Nikolay Shopik <sh...@inblock.ru>]

On 15.12.2010 21:48, Benny Pedersen wrote:
> thunderbird use smtp, web apps does not use smtp ?
>
> that would explain why its working or not
>
> logs please

Both using smtp when delivering mail to my server, difference is only in 
headers.

Re: SPF_PASS doesn't trigered

[Benny Pedersen <me...@junc.org>]

On ons 15 dec 2010 19:34:12 CET, Nikolay Shopik wrote

> I probably mean "sent" word, I don't use sendmail. My MUA is Thunderbird.

thunderbird use smtp, web apps does not use smtp ?

that would explain why its working or not

logs please

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html

Re: SPF_PASS doesn't trigered

[Nikolay Shopik <sh...@inblock.ru>]

On 15.12.2010 21:28, Benny Pedersen wrote:
> On ons 15 dec 2010 19:20:28 CET, Nikolay Shopik wrote
>> I did play more with gmail as example, and notice. If I send email
>> from web interface SPF always matched and OK. If I'm using MUA to send
>> mail via SMTP it never fail or pass SPF rule. Probably new "Received:"
>> header is related, any ideas?
>>
>
> sendmail vs smtp ?
>

I probably mean "sent" word, I don't use sendmail. My MUA is Thunderbird.

Re: SPF_PASS doesn't trigered

[Benny Pedersen <me...@junc.org>]

On ons 15 dec 2010 19:20:28 CET, Nikolay Shopik wrote
> I did play more with gmail as example, and notice. If I send email  
> from web interface SPF always matched and OK. If I'm using MUA to  
> send mail via SMTP it never fail or pass SPF rule. Probably new  
> "Received:" header is related, any ideas?
>

sendmail vs smtp ?

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html

Re: SPF_PASS doesn't trigered

[Nikolay Shopik <sh...@inblock.ru>]

On 15.12.2010 20:33, Benny Pedersen wrote:
> On ons 15 dec 2010 18:08:20 CET, Nikolay Shopik wrote
>
>> my mx have public ip and not behind nat, should i add public ip of my
>> mx into internal_networks?
>
> no, just trusted (you trust your own server, and forwarding ips)
>
> internal is more if you use servers in rfc1918 ip ranges
>
> other then that check envelope sender header is correct in spammassin
>

I did play more with gmail as example, and notice. If I send email from 
web interface SPF always matched and OK. If I'm using MUA to send mail 
via SMTP it never fail or pass SPF rule. Probably new "Received:" header 
is related, any ideas?

Re: SPF_PASS doesn't trigered

[Benny Pedersen <me...@junc.org>]

On ons 15 dec 2010 18:08:20 CET, Nikolay Shopik wrote

> my mx have public ip and not behind nat, should i add public ip of  
> my mx into internal_networks?

no, just trusted (you trust your own server, and forwarding ips)

internal is more if you use servers in rfc1918 ip ranges

other then that check envelope sender header is correct in spammassin

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html

Re: SPF_PASS doesn't trigered

[Matus UHLAR - fantomas <uh...@fantomas.sk>]

On 15.12.10 20:08, Nikolay Shopik wrote:
> my mx have public ip and not behind nat, should i add public ip of my mx into internal_networks?

Your internal_networks should contain IP addresses of all MX servers, and
also all servers your mail server passes before it is checked by
spamassassin, that is, also your internal mail infrastructure not in MX.

It applies for their outgoing IP addresses in case those servers send mail
from different IP then MX points at.

SPF validation is done at your MX border - gmail delivers mail to one of MX
servers for your domain and that is where SPF must be validated. Domains
will not have your MX servers in their SPF records, that's why.

So, spamassassin must be able to track which addresses belong to your
internal network - it must walk through the header to see from which hosts
was the mail received and validate if it is internal or not, therefore if
apply SPF check there. The SPF check can be validated at only one point -
where the remote SMTP passes the mail to your MX.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !

Re: SPF_PASS doesn't trigered

[Nikolay Shopik <sh...@inblock.ru>]

my mx have public ip and not behind nat, should i add public ip of my mx into internal_networks?

"Matus UHLAR - fantomas" <uh...@fantomas.sk> wrote:

>>> On 15.12.10 10:59, Nikolay Shopik wrote:
>>>> I have domain hosted at google apps, and my domain have recomended
>by
>>>> google txt record "v=spf1 include:_spf.google.com ~all". So far
>when I
>>>> receive mail from this domain spamassassin doesn't trigger rule
>SPF_PASS
>>>> nor SPF_SOFTFAIL, is this normal?
>
>> On 15/12/10 12:04, Matus UHLAR - fantomas wrote:
>>> do you have SPF plugin loaded?
>>> do you have Mail-SPF perl module installed?
>>> do you have internal_networks properly configured?
>
>On 15.12.10 12:31, Nikolay Shopik wrote:
>> SPF plugin working just fine for other domains. To make it more
>clear,  
>> i've running SA at my domain and receiving mail from domain which is 
>
>> hosted at google apps (and have TXT record) so internal_networks has 
>
>> nothing to do with this.
>
>oh yes, it has. The SPF check must be done on your network border, so
>properly set internal_networks is a must.
>-- 
>Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
>Warning: I wish NOT to receive e-mail advertising to this address.
>Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>- Holmes, what kind of school did you study to be a detective?
>- Elementary, Watson.  -- Daffy Duck & Porky Pig

Re: SPF_PASS doesn't trigered

[Matus UHLAR - fantomas <uh...@fantomas.sk>]

>> On 15.12.10 10:59, Nikolay Shopik wrote:
>>> I have domain hosted at google apps, and my domain have recomended by
>>> google txt record "v=spf1 include:_spf.google.com ~all". So far when I
>>> receive mail from this domain spamassassin doesn't trigger rule SPF_PASS
>>> nor SPF_SOFTFAIL, is this normal?

> On 15/12/10 12:04, Matus UHLAR - fantomas wrote:
>> do you have SPF plugin loaded?
>> do you have Mail-SPF perl module installed?
>> do you have internal_networks properly configured?

On 15.12.10 12:31, Nikolay Shopik wrote:
> SPF plugin working just fine for other domains. To make it more clear,  
> i've running SA at my domain and receiving mail from domain which is  
> hosted at google apps (and have TXT record) so internal_networks has  
> nothing to do with this.

oh yes, it has. The SPF check must be done on your network border, so
properly set internal_networks is a must.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.  -- Daffy Duck & Porky Pig

Re: SPF_PASS doesn't trigered

[Nikolay Shopik <sh...@inblock.ru>]

On 15/12/10 12:04, Matus UHLAR - fantomas wrote:
> On 15.12.10 10:59, Nikolay Shopik wrote:
>> I have domain hosted at google apps, and my domain have recomended by
>> google txt record "v=spf1 include:_spf.google.com ~all". So far when I
>> receive mail from this domain spamassassin doesn't trigger rule SPF_PASS
>> nor SPF_SOFTFAIL, is this normal?
>
> do you have SPF plugin loaded?
> do you have Mail-SPF perl module installed?
> do you have internal_networks properly configured?
>
>

SPF plugin working just fine for other domains. To make it more clear, 
i've running SA at my domain and receiving mail from domain which is 
hosted at google apps (and have TXT record) so internal_networks has 
nothing to do with this.

Re: SPF_PASS doesn't trigered

[Matus UHLAR - fantomas <uh...@fantomas.sk>]

On 15.12.10 10:59, Nikolay Shopik wrote:
> I have domain hosted at google apps, and my domain have recomended by  
> google txt record "v=spf1 include:_spf.google.com ~all". So far when I  
> receive mail from this domain spamassassin doesn't trigger rule SPF_PASS  
> nor SPF_SOFTFAIL, is this normal?

do you have SPF plugin loaded?
do you have Mail-SPF perl module installed?
do you have internal_networks properly configured?


-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759