Posted to users@spamassassin.apache.org by "Anderson, Bill" <bi...@ded.mo.gov> on 2006/08/02 23:05:44 UTC
SPF Relay
I am seeing these lines in my debug logs:
dbg: spf: no suitable relay for spf use found, skipping SPF-helo check
dbg: spf: no suitable relay for spf use found, skipping SPF check
Does anyone know what spamassassin considers a "suitable relay for spf
use"?
Bill Anderson
Technical Services Group
OA Information Technology Services Division
MO Dept of Economic Development
***********************
CONFIDENTIALITY STATEMENT:
This e-mail and any attachments are intended only for those to which it is addressed and may contain information which is privileged, confidential and prohibited from disclosure and unauthorized use under applicable law. If you are not the intended recipient of this e-mail, you are hereby notified that any use, dissemination, or copying of this e-mail or the information contained in this e-mail is strictly prohibited by the sender. If you have received this transmission in error, please return the material received to the sender and delete all copies from your system.
Re: SPF Relay
Posted by Benu <fl...@benu.widge.org>.
On Wednesday 02 August 2006 16:33, Magnus Holmgren wrote:
> On Wednesday 02 August 2006 23:05, Anderson, Bill took the opportunity to say:
> > I am seeing these lines in my debug logs:
> >
> > dbg: spf: no suitable relay for spf use found, skipping SPF-helo check
> > dbg: spf: no suitable relay for spf use found, skipping SPF check
> >
> > Does anyone know what spamassassin considers a "suitable relay for spf
> > use"?
>
> Yes, "first external relay, not first untrusted" (from a comment in
> SPF.pm). What this means is that the IP address and HELO string of the
> server that handed over the mail to your internal server(s) are what is
> checked. For it to work, you have to set trusted_networks and/or
> internal_networks correctly and your MXes have to add parseable Received:
> headers. If you post those we can help you out.
>
> > ***********************
> > CONFIDENTIALITY STATEMENT:
> > This e-mail and any attachments are intended only for those to which it
> > is addressed and may contain information which is privileged,
> > confidential and prohibited from disclosure and unauthorized use under
> > applicable law. If you are not the intended recipient of this e-mail, you
> > are hereby notified that any use, dissemination, or copying of this
> > e-mail or the information contained in this e-mail is strictly prohibited
> > by the sender. If you have received this transmission in error, please
> > return the material received to the sender and delete all copies from
> > your system.
>
> Aagh, blast it. http://goldmark.org/jeff/stupid-disclaimers/
I need help also, I am seeing the same messages.
In /etc/mail/spamassassin/local.cf
clear_internal_networks
trusted_networks 127.0.0.1 my.ip.adr
internal_networks 127.0.0.1
======================================
I performed the following test:
perl -MMail::SPF::Query -le 'print for Mail::SPF::Query->new(helo=>shift, ipv4=>shift, sender=>shift)->result' ns.domain.net ip.add.res tester@smtpd.domain.net
It returns:
none
SPF: domain of sender tester@smtpd.domain.net does not designate mailers
host.domain.net: domain of tester@smtpd.domain.net does not designate
permitted sender hosts
==============================================
An SPF check from the internet reports:
SPF lookup of sender tester@domain.net from IP my.ip.adr:
SPF string used: v=spf2 a ip4:my.ip.adr mx:smtpd.domain.net -all
exp=getlost.domain.net.
Processing SPF string: v=spf2 a ip4:my.ip.adr mx:smtpd.domain.net -all
exp=getlost.domain.net.
Testing 'a' on IP=my.ip.adr, target domain domain.net, CIDR 32, default=PASS.
No match.
Testing 'ip4:my.ip.adr' on IP=my.ip.adr, target domain my.ip.adr, CIDR 32,
default=PASS. MATCH!
Testing 'mx:smtpd.domain.net' on IP=my.ip.adr, target domain smtpd.domain.net,
CIDR 32, default=PASS.
Testing 'all' on IP=my.ip.adr, target domain domain.net, CIDR 32,
default=FAIL.
Testing 'exp=getlost.domain.net' on IP=my.ip.adr, target domain domain.net,
CIDR 32, default=PASS.
Looking up TXT record for getlost.domain.net.
Got explanation: "Not authorized to send mail for the domain".
Result: PASS
=============================================
What do I need to change?
Thanks
Re: SPF Relay
Posted by Magnus Holmgren <ho...@lysator.liu.se>.
On Wednesday 02 August 2006 23:05, Anderson, Bill took the opportunity to say:
> I am seeing these lines in my debug logs:
>
> dbg: spf: no suitable relay for spf use found, skipping SPF-helo check
> dbg: spf: no suitable relay for spf use found, skipping SPF check
>
> Does anyone know what spamassassin considers a "suitable relay for spf
> use"?
Yes, "first external relay, not first untrusted" (from a comment in SPF.pm).
What this means is that the IP address and HELO string of the server that
handed over the mail to your internal server(s) are what is checked. For it
to work, you have to set trusted_networks and/or internal_networks correctly
and your MXes have to add parseable Received: headers. If you post those we
can help you out.
> ***********************
> CONFIDENTIALITY STATEMENT:
> This e-mail and any attachments are intended only for those to which it is
> addressed and may contain information which is privileged, confidential and
> prohibited from disclosure and unauthorized use under applicable law. If
> you are not the intended recipient of this e-mail, you are hereby notified
> that any use, dissemination, or copying of this e-mail or the information
> contained in this e-mail is strictly prohibited by the sender. If you have
> received this transmission in error, please return the material received to
> the sender and delete all copies from your system.
Aagh, blast it. http://goldmark.org/jeff/stupid-disclaimers/
--
Magnus Holmgren holmgren@lysator.liu.se
(No Cc of list mail needed, thanks)
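
The "first external relay" selection described in the reply above, as a simplified model added here (not part of the original thread and not SpamAssassin's own code). It walks Received: headers newest-first and returns the HELO and IP of the first relay outside internal_networks, or None, which corresponds to the "no suitable relay" debug line. The header layout, host names and addresses are constructed for illustration.

```python
import ipaddress
import re

# One common Received: layout: "from HELO (rdns [IP]) by HOST ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by\s+(?P<by>\S+)")

def parse_received(headers):
    """Return relays newest-first; headers that do not parse are skipped."""
    relays = []
    for header in headers:
        m = RECEIVED_RE.search(header)
        if m:
            relays.append({"helo": m["helo"], "by": m["by"],
                           "ip": ipaddress.ip_address(m["ip"])})
    return relays

def first_external_relay(headers, internal_networks):
    """(helo, ip) of the first relay outside internal_networks, else None."""
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    for relay in parse_received(headers):
        if not any(relay["ip"] in net for net in nets):
            return relay["helo"], str(relay["ip"])
    return None  # nothing external: the SPF checks would be skipped

# Constructed sample headers (documentation address ranges).
INBOUND = [
    "from mx1.example.net (mx1.example.net [192.0.2.10]) by store.example.net with ESMTP",
    "from mail.example.org (mail.example.org [203.0.113.25]) by mx1.example.net with ESMTP",
]
LOCAL_ONLY = ["from localhost (localhost [127.0.0.1]) by mx1.example.net with ESMTP"]
UNPARSEABLE = ["by mx1.example.net with local; Wed, 2 Aug 2006 23:05:44 +0000"]

if __name__ == "__main__":
    good = ["127.0.0.0/8", "192.0.2.0/24"]
    print(first_external_relay(INBOUND, good))         # sender's server is tested
    print(first_external_relay(LOCAL_ONLY, good))      # no external relay
    print(first_external_relay(UNPARSEABLE, good))     # header not parseable
    # Own MX missing from internal_networks: the MX itself gets tested.
    print(first_external_relay(INBOUND, ["127.0.0.1"]))
```
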