Posted to users@spamassassin.apache.org by "Anderson, Bill" <bi...@ded.mo.gov> on 2006/08/02 23:05:44 UTC

SPF Relay

I am seeing these lines in my debug logs:

dbg: spf: no suitable relay for spf use found, skipping SPF-helo check
dbg: spf: no suitable relay for spf use found, skipping SPF check

Does anyone know what spamassassin considers a "suitable relay for spf
use"?

Bill Anderson
Technical Services Group
OA Information Technology Services Division
MO Dept of Economic Development 
 
***********************
CONFIDENTIALITY STATEMENT: 
This e-mail and any attachments are intended only for those to which it is addressed and may contain information which is privileged, confidential and prohibited from disclosure and unauthorized use under applicable law. If you are not the intended recipient of this e-mail, you are hereby notified that any use, dissemination, or copying of this e-mail or the information contained in this e-mail is strictly prohibited by the sender. If you have received this transmission in error, please return the material received to the sender and delete all copies from your system.

Re: SPF Relay

Posted by Benu <fl...@benu.widge.org>.
On Wednesday 02 August 2006 16:33, Magnus Holmgren wrote:
> On Wednesday 02 August 2006 23:05, Anderson, Bill took the opportunity to say:
> > I am seeing these lines in my debug logs:
> >
> > dbg: spf: no suitable relay for spf use found, skipping SPF-helo check
> > dbg: spf: no suitable relay for spf use found, skipping SPF check
> >
> > Does anyone know what spamassassin considers a "suitable relay for spf
> > use"?
>
> Yes, "first external relay, not first untrusted" (from a comment in
> SPF.pm). What this means is that the IP address and HELO string of the
> server that handed over the mail to your internal server(s) are what is
> checked. For it to work, you have to set trusted_networks and/or
> internal_networks correctly and your MXes have to add parseable Received:
> headers. If you post those we can help you out.
>
> > ***********************
> > CONFIDENTIALITY STATEMENT:
> > This e-mail and any attachments are intended only for those to which it
> > is addressed and may contain information which is privileged,
> > confidential and prohibited from disclosure and unauthorized use under
> > applicable law. If you are not the intended recipient of this e-mail, you
> > are hereby notified that any use, dissemination, or copying of this
> > e-mail or the information contained in this e-mail is strictly prohibited
> > by the sender. If you have received this transmission in error, please
> > return the material received to the sender and delete all copies from
> > your system.
>
> Aagh, blast it. http://goldmark.org/jeff/stupid-disclaimers/

I need help also, I am seeing the same messages.

In /etc/mail/spamassassin/local.cf
clear_internal_networks
trusted_networks        127.0.0.1 my.ip.adr
internal_networks       127.0.0.1
======================================
I performed the following test:
perl -MMail::SPF::Query -le 'print for Mail::SPF::Query->new(helo=>shift, ipv4=>shift, sender=>shift)->result' ns.domain.net ip.add.res tester@smtpd.domain.net

It returns:
none
SPF: domain of sender tester@smtpd.domain.net does not designate mailers
host.domain.net: domain of tester@smtpd.domain.net does not designate permitted sender hosts
==============================================
A SPF Check from the internet reports:
SPF lookup of sender tester@domain.net from IP my.ip.adr:

SPF string used: v=spf2 a ip4:my.ip.adr mx:smtpd.domain.net -all exp=getlost.domain.net.

Processing SPF string: v=spf2 a ip4:my.ip.adr mx:smtpd.domain.net -all exp=getlost.domain.net.
Testing 'a' on IP=my.ip.adr, target domain domain.net, CIDR 32, default=PASS.  No match.
Testing 'ip4:my.ip.adr' on IP=my.ip.adr, target domain my.ip.adr, CIDR 32, default=PASS.  MATCH!
Testing 'mx:smtpd.domain.net' on IP=my.ip.adr, target domain smtpd.domain.net, CIDR 32, default=PASS.
Testing 'all' on IP=my.ip.adr, target domain domain.net, CIDR 32, default=FAIL.
Testing 'exp=getlost.domain.net' on IP=my.ip.adr, target domain domain.net, CIDR 32, default=PASS.
Looking up TXT record for getlost.domain.net.
Got explanation: "Not authorized to send mail for the domain".

Result: PASS
=============================================

What do I need to change?

Thanks

Re: SPF Relay

Posted by Magnus Holmgren <ho...@lysator.liu.se>.
On Wednesday 02 August 2006 23:05, Anderson, Bill took the opportunity to say:
> I am seeing these lines in my debug logs:
>
> dbg: spf: no suitable relay for spf use found, skipping SPF-helo check
> dbg: spf: no suitable relay for spf use found, skipping SPF check
>
> Does anyone know what spamassassin considers a "suitable relay for spf
> use"?

Yes, "first external relay, not first untrusted" (from a comment in SPF.pm). 
What this means is that the IP address and HELO string of the server that 
handed over the mail to your internal server(s) are what is checked. For it 
to work, you have to set trusted_networks and/or internal_networks correctly 
and your MXes have to add parseable Received: headers. If you post those we 
can help you out.

> ***********************
> CONFIDENTIALITY STATEMENT:
> This e-mail and any attachments are intended only for those to which it is
> addressed and may contain information which is privileged, confidential and
> prohibited from disclosure and unauthorized use under applicable law. If
> you are not the intended recipient of this e-mail, you are hereby notified
> that any use, dissemination, or copying of this e-mail or the information
> contained in this e-mail is strictly prohibited by the sender. If you have
> received this transmission in error, please return the material received to
> the sender and delete all copies from your system.

Aagh, blast it. http://goldmark.org/jeff/stupid-disclaimers/

-- 
Magnus Holmgren        holmgren@lysator.liu.se
                       (No Cc of list mail needed, thanks)
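
Added example (not part of the thread and not SpamAssassin's own code): a simplified Python model of the "first external relay" selection described in the reply above, showing when no relay is left for the SPF check and what happens when internal_networks omits your own MX. The header pattern, function name, and sample headers are assumptions constructed for illustration.

```python
import ipaddress
import re

# Simplified Postfix-style pattern: "from HELO (rdns [IP]) by HOST ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\S+\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+\S+")

def first_external_relay(received, internal_networks):
    """Walk Received: values newest-first and return (ip, helo) of the first
    relay outside internal_networks, or None when no such relay exists."""
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    for value in received:
        m = RECEIVED_RE.search(value)
        if m is None:
            return None  # model's choice: an unparseable header ends the walk
        ip = ipaddress.ip_address(m.group("ip"))
        if not any(ip in net for net in nets):
            return (str(ip), m.group("helo"))
    return None

# Constructed sample headers (documentation address ranges), newest first.
VIA_MX = [
    "from mx.example.net (mx.example.net [192.0.2.10]) "
    "by store.example.net (Postfix) with ESMTP id 1A2B3C",
    "from mail.example.org (mail.example.org [203.0.113.25]) "
    "by mx.example.net (Postfix) with ESMTP id 4D5E6F",
]
LOCAL_TEST = [
    "from localhost (localhost [127.0.0.1]) "
    "by mx.example.net (Postfix) with ESMTP id 7A8B9C",
]

if __name__ == "__main__":
    cases = [
        ("MX listed as internal", VIA_MX, ["127.0.0.1", "192.0.2.10"]),
        ("MX missing from internal_networks", VIA_MX, ["127.0.0.1"]),
        ("locally injected test mail", LOCAL_TEST, ["127.0.0.1"]),
    ]
    for label, headers, nets in cases:
        relay = first_external_relay(headers, nets)
        # None corresponds to "no suitable relay for spf use found".
        print(f"{label}: {relay}")
```

In this model a message injected from localhost has no external relay at all, and leaving the MX out of internal_networks makes the MX itself the host whose IP and HELO would be checked.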