Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2007/07/19 05:03:47 UTC

[Bug 5567] New: Faulty SPF_HELO_FAIL processing.

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5567

           Summary: Faulty SPF_HELO_FAIL processing.
           Product: Spamassassin
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Rules
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: cnd@geek.net.au


A correctly configured SPF record may look like this:

example.com            "v=spf1 mx ?all"
server1.example.com    "v=spf1 -all"

The above indicates that emails of the format user@example.com are
valid (when originating from the MX servers for example.com), but
emails of the format user@server1.example.com never exist. 

Spamassassin is incorrectly using the mail server SMTP greeting's
host name to query SPF records for email address domains, however, in
almost all cases, the server's host name is not an acceptable suffix
for email addresses.

In order to verify a server HELO domain via SPF - you need to
A) look up the MX servers for the MAIL FROM domain
B) consider only such servers as those that are authorized in the SPF
   record for the MAIL FROM domain,
C) and check that the HELO domain is one of those MX servers.

Depending on whether or not the MAIL FROM domain's SPF record includes
A or PTR or IP4/IP6 addresses - processing in step (C) may be more
complicated.

There is no such thing as an SPF record for a mail server hostname,
only for email address domains, thus the need for the several
processing steps needed to do a verification.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

[Bug 5567] Faulty SPF_HELO_FAIL processing.

Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5567


spamassassin@dostech.ca changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From spamassassin@dostech.ca  2007-07-18 22:53 -------
(In reply to comment #0)
> A correctly configured SPF record may look like this:
> 
> example.com            "v=spf1 mx ?all"
> server1.example.com    "v=spf1 -all"
> 
> The above indicates that emails of the format user@example.com are
> valid (when originating from the MX servers for example.com), but
> emails of the format user@server1.example.com never exist. 

Not quite accurate (emails "of the format user@server1.example.com" could
exist), but sure.


> Spamassassin is incorrectly using the mail server SMTP greeting's
> host name to query SPF records for email address domains, however, in
> almost all cases, the server's host name is not an acceptable suffix
> for email addresses.

Uh, no it is not.  SA uses the mail from, found in a return-path or similar
header field value, as it should.


> In order to verify a server HELO domain via SPF - you need to
> A) look up the MX servers for the MAIL FROM domain
> B) consider only such servers as those that are authorized in the SPF
>    record for the MAIL FROM domain,
> C) and check that the HELO domain is one of those MX servers.

Uh, no.  Please quote the relevant sections of RFC 4408 that define such a method.


> Depending on whether or not the MAIL FROM domain's SPF record includes
> A or PTR or IP4/IP6 addresses - processing in step (C) may be more
> complicated.
> 
> There is no such thing as an SPF record for a mail server hostname,
> only for email address domains, thus the need for the several
> processing steps needed to do a verification.

That's not accurate at all.



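
Added example, not part of the original thread and not SpamAssassin's code: RFC 4408 section 2.1 recommends checking the HELO identity separately from MAIL FROM by running check_host() on the HELO domain itself, and this sketch does that for the two records quoted in comment #0. The MX host name, the IP addresses and the function names are constructed for illustration, and only the all, ip4, a and mx mechanisms are handled.

```python
import ipaddress

# Constructed DNS data: the two TXT records are the ones quoted in the bug
# report; the MX host and the addresses are made-up documentation values.
TXT = {
    "example.com": "v=spf1 mx ?all",
    "server1.example.com": "v=spf1 -all",
}
MX = {"example.com": ["mail.example.com"]}
A = {"mail.example.com": ["192.0.2.10"], "server1.example.com": ["192.0.2.20"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain):
    """Minimal check_host(): returns the result of the first matching mechanism."""
    terms = TXT.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"  # no SPF record published for this name
    addr = ipaddress.ip_address(ip)

    def resolves_to_client(names):
        return any(addr == ipaddress.ip_address(a)
                   for n in names for a in A.get(n, []))

    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = resolves_to_client([arg or domain])
        elif name == "mx":
            matched = resolves_to_client(MX.get(arg or domain, []))
        else:
            raise ValueError(f"mechanism not handled in this sketch: {term}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # default result when nothing matches


def evaluate(ip, helo, mail_from):
    """Evaluate the HELO and MAIL FROM identities independently."""
    return {
        "helo": check_host(ip, helo),
        "mailfrom": check_host(ip, mail_from.rsplit("@", 1)[1]),
    }
```

With these records, a client at 192.0.2.10 that greets as server1.example.com gets a HELO result of fail while its MAIL FROM of user@example.com passes, because each identity is looked up under its own name.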