Posted to users@spamassassin.apache.org by Miles Fidelman <mf...@meetinghouse.net> on 2006/10/30 14:15:20 UTC

question re. SPF checks

Hi Folks,

I'm starting to set up SPF records for the domains I manage, and have run 
into a little snag.  I hope somebody can suggest an approach:

BASIC CONFIGURATION:
Debian Sarge
Postfix (from stable - so it's a relatively old version, 2.1 I believe)
amavisd-new
spamassassin
clamav
Postfix configured with postfix-tls (SASL) but only for MD-5 
authentication of incoming SMTP

For the most part, I use the machine as a list server (Sympa) and web 
host, but I also have three email accounts on the box.

The listserver, and one of the email accounts, originate mail on the 
host (the email account, using pine) - so, for SPF purposes, the 
envelope sender is always the server, and all works just fine.

But... for the other two email accounts, mail originates from desktop 
clients (Thunderbird).  And here's the rub:
- I want to apply virus and spam checks to incoming mail, but...
- for SPF purposes, the envelope sender is now the dynamic IP of the 
desktop clients, so it's hard/impossible to put that in the SPF record
- so, mail submitted from desktop clients is getting marked as failing 
the SPF check

So... is there a way to turn off SPF checks for mail coming from 
authenticated clients, without turning off all the other checks (as, for 
example, would happen if mail was submitted via port 587)?

Thanks very much,

Miles Fidelman





Re: question re. SPF checks

Posted by Miles Fidelman <mf...@meetinghouse.net>.
Well ok... if you want to pick nits :-)

I guess I should have said:

The listserver, and one of the email accounts, originate mail on the 
host (the email account, using pine) - so, for SPF purposes, the mail 
comes from an IP address listed in the SPF record for the domain in the 
envelope sender, and all works just fine.

But... for the other two email accounts, mail originates from desktop 
clients (Thunderbird).  And here's the rub:
- I want to apply virus and spam checks to incoming mail, but...
- for SPF purposes, the incoming mail comes from the dynamic IP of the 
desktop client, so it's hard/impossible to set up an SPF record to match 
that IP (unless one wants to pass the check for, say, all email coming 
from the broad range of IP addresses used by the local Comcast broadband 
service)
- so, mail submitted from desktop clients is getting marked as failing 
the SPF check

In any case, I've since received some answers about how to set up 
postfix to treat mail from authenticated clients differently that solves 
my problem.

Miles


Jo Rhett wrote:
> I'm sorry, but your query below does not parse.  The envelope sender 
> does not change depending on which host it arrives from when using 
> Thunderbird et al.  The host from which it arrives changes, but that's 
> not part of the envelope.
>
> And yes, you can disable anything with a network profile.  rtfm.
>
> Miles Fidelman wrote:
>> I'm starting to set up SPF records for the domains I manage, and have 
>> run into a little snag.  I hope somebody can suggest an approach:
>>
>> BASIC CONFIGURATION:
>> Debian Sarge
>> Postfix (from stable - so it's a relatively old version, 2.1 I believe)
>> amavisd-new
>> spamassassin
>> clamav
>> Postfix configured with postfix-tls (SASL) but only for MD-5 
>> authentication of incoming SMTP
>>
>> For the most part, I use the machine as a list server (Sympa) and web 
>> host, but I also have three email accounts on the box.
>>
>> The listserver, and one of the email accounts, originate mail on the 
>> host (the email account, using pine) - so, for SPF purposes, the 
>> envelope sender is always the server, and all works just fine.
>>
>> But... for the other two email accounts, mail originates from desktop 
>> clients (Thunderbird).  And here's the rub:
>> - I want to apply virus and spam checks to incoming mail, but...
>> - for SPF purposes, the envelope sender is now the dynamic IP of the 
>> desktop clients, so it's hard/impossible to put that in the SPF record
>> - so, mail submitted from desktop clients is getting marked as 
>> failing the SPF check
>>
>> So... is there a way to turn off SPF checks for mail coming from 
>> authenticated clients, without turning off all the other checks (as, 
>> for example, would happen if mail was submitted via port 587)?
>


Re: question re. SPF checks

Posted by Jo Rhett <jr...@netconsonance.com>.
I'm sorry, but your query below does not parse.  The envelope sender 
does not change depending on which host it arrives from when using 
Thunderbird et al.  The host from which it arrives changes, but that's 
not part of the envelope.

And yes, you can disable anything with a network profile.  rtfm.

Miles Fidelman wrote:
> I'm starting to set up SPF records for the domains I manage, and have run 
> into a little snag.  I hope somebody can suggest an approach:
> 
> BASIC CONFIGURATION:
> Debian Sarge
> Postfix (from stable - so it's a relatively old version, 2.1 I believe)
> amavisd-new
> spamassassin
> clamav
> Postfix configured with postfix-tls (SASL) but only for MD-5 
> authentication of incoming SMTP
> 
> For the most part, I use the machine as a list server (Sympa) and web 
> host, but I also have three email accounts on the box.
> 
> The listserver, and one of the email accounts, originate mail on the 
> host (the email account, using pine) - so, for SPF purposes, the 
> envelope sender is always the server, and all works just fine.
> 
> But... for the other two email accounts, mail originates from desktop 
> clients (Thunderbird).  And here's the rub:
> - I want to apply virus and spam checks to incoming mail, but...
> - for SPF purposes, the envelope sender is now the dynamic IP of the 
> desktop clients, so it's hard/impossible to put that in the SPF record
> - so, mail submitted from desktop clients is getting marked as failing 
> the SPF check
> 
> So... is there a way to turn off SPF checks for mail coming from 
> authenticated clients, without turning off all the other checks (as, for 
> example, would happen if mail was submitted via port 587)?

-- 
Jo Rhett
Network/Software Engineer
Net Consonance