Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2004/11/09 21:46:00 UTC
[Bug 3962] New: SPF check fails for roaming users
http://bugzilla.spamassassin.org/show_bug.cgi?id=3962
Summary: SPF check fails for roaming users
Product: Spamassassin
Version: 3.0.1
Platform: Other
OS/Version: other
Status: NEW
Severity: normal
Priority: P5
Component: Plugins
AssignedTo: dev@spamassassin.apache.org
ReportedBy: spamassassin@de-korte.org
For systems employing SPF which have 'roaming' users (connecting back to their
'home' mailserver via SMTP AUTH), the SPF check gives an SPF_FAIL result with a
sufficiently strict SPF record. The first hop from the roaming user to the
home mailserver will generally not be authorized to send out e-mail on behalf
of the SPF enabled domain. The home mailserver may still allow mail relay, as
it can have a different means of authenticating the client. The latter is,
however, lost further on, and when SpamAssassin evaluates the chain of systems
from untrusted networks, it will do so including this first hop. This is
wrong.

The correct way to evaluate SPF would be to stop processing when a system is
found that does evaluate to anything except SPF_FAIL. From this point (which
should be regarded as the 'injection point') down to the first hop is
irrelevant in terms of SPF. There can be several systems between the
injection point and the first hop, which use different methods of authorizing
mail relay. SPF has no meaning there.

As an example, the following "Received:" lines:

Received: from localhost (localhost [127.0.0.1])
    by mail.de-korte.org (Postfix) with ESMTP id 52F3F60328
    for <MU...@de-korte.org>; Wed, 3 Nov 2004 14:35:32 +0100 (CET)
Received: from mail.de-korte.org (localhost [127.0.0.1])
    by localhost (AvMailGate-2.0.2-9) id 07732-0140F736;
    Wed, 03 Nov 2004 14:35:31 +0100
Received: from [10.0.0.2] (ip51cfcd61.direct-adsl.nl [81.207.205.97])
    by mail.de-korte.org (Postfix) with ESMTP id 124B160328
    for <MU...@de-korte.org>; Wed, 3 Nov 2004 14:35:30 +0100 (CET)

To keep you all from looking up the SPF record for 'de-korte.org', the
(multihomed) system 'mail.de-korte.org' is the one and only system allowed by
SPF to send mail on behalf of the 'de-korte.org' domain. However, the person
on ip51cfcd61.direct-adsl.nl may connect to this system via SMTP AUTH and is
then allowed to relay mail through that server. Yet it will give SPF_FAIL with
SpamAssassin, as it is not in the list of trusted_networks.
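
The situation in the report above, as an added example (not part of the original report and not SpamAssassin code): it walks the quoted Received chain, finds the hop whose client IP SPF ends up being judged against, and shows that the header carries no record of SMTP AUTH. The trusted network list, the function names and the ESMTPSA variant of the last header are assumptions made for illustration.

```python
import ipaddress
import re

# Received lines from the report, unfolded, newest first.
RECEIVED = [
    "from localhost (localhost [127.0.0.1]) by mail.de-korte.org (Postfix) with ESMTP id 52F3F60328",
    "from mail.de-korte.org (localhost [127.0.0.1]) by localhost (AvMailGate-2.0.2-9) id 07732-0140F736",
    "from [10.0.0.2] (ip51cfcd61.direct-adsl.nl [81.207.205.97]) by mail.de-korte.org (Postfix) with ESMTP id 124B160328",
]
# Constructed variant: same chain, but the home server records SMTP AUTH (RFC 3848).
RECEIVED_AUTH = RECEIVED[:2] + [RECEIVED[2].replace("with ESMTP ", "with ESMTPSA ")]
# Assumption: the receiving side trusts only loopback.
TRUSTED = [ipaddress.ip_network("127.0.0.0/8")]

HOP = re.compile(r"\(\S+ \[(?P<ip>[0-9A-Fa-f.:]+)\]\).*?\bby (?P<by>\S+)"
                 r"(?:.*?\bwith (?P<proto>\w+))?")

def parse_hop(line):
    """Extract connecting IP, recording host and auth marker from one header."""
    m = HOP.search(line)
    if m is None:
        return None
    proto = (m.group("proto") or "").upper()
    # RFC 3848: ESMTPA / ESMTPSA mean the client authenticated with SMTP AUTH.
    return {"ip": ipaddress.ip_address(m.group("ip")), "by": m.group("by"),
            "authed": proto in ("ESMTPA", "ESMTPSA")}

def spf_subject(received, trusted=TRUSTED):
    """Walk from the newest header down and return the first hop whose client
    IP is outside the trusted networks. That header and all above it were
    written on the trusted side, so its auth marker can be believed."""
    for line in received:
        hop = parse_hop(line)
        if hop is None:
            return None  # unparseable header: no boundary can be established
        if not any(hop["ip"] in net for net in trusted):
            return hop
    return None  # mail never left the trusted networks

def should_run_spf(received, trusted=TRUSTED):
    """SPF is judged against the boundary hop unless that hop was authenticated."""
    hop = spf_subject(received, trusted)
    return hop is not None and not hop["authed"]

if __name__ == "__main__":
    for name, chain in (("report", RECEIVED), ("constructed ESMTPSA", RECEIVED_AUTH)):
        hop = spf_subject(chain)
        print(name, hop["ip"], "authed" if hop["authed"] else "no auth marker",
              "-> run SPF:", should_run_spf(chain))
```

With the headers as quoted, the boundary hop is 81.207.205.97 recorded "with ESMTP", so nothing downstream can tell the submission was authenticated; only a marker written by the trusted home server itself is safe to rely on.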