You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Miles Fidelman <mf...@meetinghouse.net> on 2006/10/30 14:15:20 UTC
question re. SPF checks
Hi Folks,
I starting to set up SPF records for the domains I manage, and have run
into a little snag. I hope somebody can suggest an approach:
BASIC CONFIGURATION:
Debian Sarge
Postfix (from stable - so it's a relatively old version, 2.1 I believe)
amavisd-new
spamassassin
clamav
Postfix configured with postfix-tls (SASL) but only for MD-5
authentication of incoming SMTP
For the most part, I use the machine as a list server (Sympa) and web
host, but I also have three email accounts on the box.
The listserver, and one of the email accounts, originate mail on the
host (the email account, using pine) - so, for SPF purposes, the
envelope sender is always the server, and all works just fine.
But... for the other two email accounts, mail originates from desktop
clients (Thunderbird). And here's the rub:
- I want to apply virus and spam checks to incoming mail, but...
- for SPF purposes, the envelope sender is now the dynamic IP of the
desktop clients, so it's hard/impossible to put that in the SPF record
- so, mail submitted from desktop clients is getting marked as failing
the SPF check
So... is there a way to turn off SPF checks for mail coming from
authenticated clients, without turning off all the other checks (as, for
example, would happen if mail was submitted via port 587)?
Thanks very much,
Miles Fidelman
Re: question re. SPF checks
Posted by Miles Fidelman <mf...@meetinghouse.net>.
Well ok... if you want to pick nits :-)
I guess I should have said:
The listserver, and one of the email accounts, originate mail on the
host (the email account, using pine) - so, for SPF purposes, the mail
comes from an IP address listed in the SPF record for the domain in the
envelop sender, and all works just fine.
But... for the other two email accounts, mail originates from desktop
clients (Thunderbird). And here's the rub:
- I want to apply virus and spam checks to incoming mail, but...
- for SPF purposes, the incoming mail comes from the dynamic IP of the
desktop client, so it's hard/impossible to set up an SPF record to match
that IP (unless one wants to pass the check for, say, all email coming
from the broad range of IP addresses used by the local Comcast broadband
service)
- so, mail submitted from desktop clients is getting marked as failing
the SPF check
In any case, I've since received some answers about how to set up
postfix to treat mail from authenticated clients differently that solves
my problem.
Miles
Jo Rhett wrote:
> I'm sorry, but your query below does not parse. The envelope sender
> does not change depending on which host it arrives from when using
> Thunderbird et al. The host from which it arrives changes, but that's
> not part of the envelope.
>
> And yes, you can disable anything with a network profile. rtfm.
>
> Miles Fidelman wrote:
>> I starting to set up SPF records for the domains I manage, and have
>> run into a little snag. I hope somebody can suggest an approach:
>>
>> BASIC CONFIGURATION:
>> Debian Sarge
>> Postfix (from stable - so it's a relatively old version, 2.1 I believe)
>> amavisd-new
>> spamassassin
>> clamav
>> Postfix configured with postfix-tls (SASL) but only for MD-5
>> authentication of incoming SMTP
>>
>> For the most part, I use the machine as a list server (Sympa) and web
>> host, but I also have three email accounts on the box.
>>
>> The listserver, and one of the email accounts, originate mail on the
>> host (the email account, using pine) - so, for SPF purposes, the
>> envelope sender is always the server, and all works just fine.
>>
>> But... for the other two email accounts, mail originates from desktop
>> clients (Thunderbird). And here's the rub:
>> - I want to apply virus and spam checks to incoming mail, but...
>> - for SPF purposes, the envelope sender is now the dynamic IP of the
>> desktop clients, so it's hard/impossible to put that in the SPF record
>> - so, mail submitted from desktop clients is getting marked as
>> failing the SPF check
>>
>> So... is there a way to turn off SPF checks for mail coming from
>> authenticated clients, without turning off all the other checks (as,
>> for example, would happen if mail was submitted via port 587)?
>
Re: question re. SPF checks
Posted by Jo Rhett <jr...@netconsonance.com>.
I'm sorry, but your query below does not parse. The envelope sender
does not change depending on which host it arrives from when using
Thunderbird et al. The host from which it arrives changes, but that's
not part of the envelope.
And yes, you can disable anything with a network profile. rtfm.
Miles Fidelman wrote:
> I starting to set up SPF records for the domains I manage, and have run
> into a little snag. I hope somebody can suggest an approach:
>
> BASIC CONFIGURATION:
> Debian Sarge
> Postfix (from stable - so it's a relatively old version, 2.1 I believe)
> amavisd-new
> spamassassin
> clamav
> Postfix configured with postfix-tls (SASL) but only for MD-5
> authentication of incoming SMTP
>
> For the most part, I use the machine as a list server (Sympa) and web
> host, but I also have three email accounts on the box.
>
> The listserver, and one of the email accounts, originate mail on the
> host (the email account, using pine) - so, for SPF purposes, the
> envelope sender is always the server, and all works just fine.
>
> But... for the other two email accounts, mail originates from desktop
> clients (Thunderbird). And here's the rub:
> - I want to apply virus and spam checks to incoming mail, but...
> - for SPF purposes, the envelope sender is now the dynamic IP of the
> desktop clients, so it's hard/impossible to put that in the SPF record
> - so, mail submitted from desktop clients is getting marked as failing
> the SPF check
>
> So... is there a way to turn off SPF checks for mail coming from
> authenticated clients, without turning off all the other checks (as, for
> example, would happen if mail was submitted via port 587)?
--
Jo Rhett
Network/Software Engineer
Net Consonance