You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2004/11/09 21:46:00 UTC

[Bug 3962] New: SPF check fails for roaming users

http://bugzilla.spamassassin.org/show_bug.cgi?id=3962

           Summary: SPF check fails for roaming users
           Product: Spamassassin
           Version: 3.0.1
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Plugins
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: spamassassin@de-korte.org


For systems employing SPF which have 'roaming' users (connecting back to their 
'home' mailserver via SMTP AUTH), the SPF check gives a SPF_FAIL result with a 
sufficiently strict SPF record. The first hop from the roaming user to the 
home mailserver will generally not be authorized to send out e-mail on behalf 
of the SPF enabled domain. The home mailserver may still allow mail relay, as 
it can have a different means of authenticating the client. The latter is 
however lost further on and when SpamAssassin evaluates the chain of systems 
from untrusted networks, it will do so including this first hop. This is 
wrong. 
 
The correct way to evaluate SPF would be to stop processing when a system is 
found that does evaluate to anything except SPF_FAIL. From this point (which 
should be regarded as the 'injectionpoint') down to the first hop is 
irrelevant in terms of SPF. There can be several systems between the 
injectionpoint and the first hop, which use different methods of authorizing 
mail relay. SPF has no meaning there. 
 
As an example, the following "Received:" lines: 
 
Received: from localhost (localhost [127.0.0.1]) 
	by mail.de-korte.org (Postfix) with ESMTP id 52F3F60328 
	for <MU...@de-korte.org>; Wed,  3 Nov 2004 14:35:32 +0100 (CET) 
Received: from mail.de-korte.org (localhost [127.0.0.1]) 
	by localhost (AvMailGate-2.0.2-9) id 07732-0140F736; 
	Wed, 03 Nov 2004 14:35:31 +0100 
Received: from [10.0.0.2] (ip51cfcd61.direct-adsl.nl [81.207.205.97]) 
        by mail.de-korte.org (Postfix) with ESMTP id 124B160328 
        for <MU...@de-korte.org>; Wed,  3 Nov 2004 14:35:30 +0100 (CET) 
 
To keep you all from looking up the SPF record for 'de-korte.org', the 
(multihomed) system 'mail.de-korte.org' is the one and only system allowed by 
SPF to send mail on behalf of the 'de-korte.org' domain. However, the person 
on ip51cfcd61.direct-adsl.nl may connect to this system via SMTP AUTH and is 
allowed then to relay mail through that server. Yet it will give SPF_FAIL with 
SpamAssassin, as it is not in the list of trusted_networks.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.