Posted to users@spamassassin.apache.org by Ben Wylie <sa...@benwylie.co.uk> on 2007/02/26 17:01:59 UTC

Trusted networks and SPF

All of my emails pass through an antivirus gateway which is the same 
server as the mailserver and appears like this in the headers:

Received: from  [127.0.0.1] by arkbb.co.uk with SMTP (HELO server.)
   (ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.8.9)); 
Mon, 26 Feb 2007 15:41:04 +0000
Received: from d8-138.rb.vp.centurytel.net ([66.112.83.179])
  by server. (NAVGW 2.5.2.12) with SMTP id M2007022615343332143

So all emails come via this trusted relay (127.0.0.1) which is also 
internal.

SPF in SpamAssassin is happy to check the HELO:
[2408] dbg: spf: checking HELO (helo=d8-138.rb.vp.centurytel.net, 
ip=66.112.83.179)
[2408] dbg: spf: query for /66.112.83.179/d8-138.rb.vp.centurytel.net: 
result: none, comment: SPF: domain of sender d8-138.rb.vp.centurytel.net 
does not designate mailers

but then refuses to do any more, as it claims not to be able to trust 
the X-Envelope-From header because it has been through my AV gateway:
[2408] dbg: spf: relayed through one or more trusted relays, cannot use 
header-based Envelope-From, skipping

Similarly:

[2408] dbg: spf: def_spf_whitelist_from: could not find useable envelope 
sender
[2408] dbg: spf: spf_whitelist_from: could not find useable envelope sender

Is there any way that I can tell SpamAssassin to trust the 
X-Envelope-From or Return-Path information in the headers as it is 
merely an AV gateway and not going to change the X-Envelope-From headers?
This way I could get SPF checks on the senders as well as be able to use 
SPF Whitelist From.

Thanks
Ben



Re: Trusted networks and SPF

Posted by Benny Pedersen <me...@junc.org>.
On Mon, February 26, 2007 17:01, Ben Wylie wrote:

[snip]
> Is there any way that I can tell SpamAssassin to trust the
> X-Envelope-From or Return-Path information in the headers as it is
> merely an AV gateway and not going to change the X-Envelope-From headers?
> This way I could get SPF checks on the senders as well as be able to use
> SPF Whitelist From.

perldoc Mail::SpamAssassin::Conf there you find envelope

for the internal networks / trusted networks, you should have internal cover
the wan ip of your server and local ips as well

for trusted networks add forwarding mta ips there

-- 
This message was sent using 100% recycled spam mails.


Re: Trusted networks and SPF

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 2/27/2007 12:45 PM, Ben Wylie wrote:
> Daryl C. W. O'Shea wrote:
> 
>> Assuming you've got your trusted_networks (and possibly 
>> internal_networks) set up, you just need to add 
>> "always_trust_envelope_sender 1" to your local.cf.
> 
> 
> Thanks for the help.
> It now gives me the error
> [3952] dbg: spf: cannot get Envelope-From, cannot use SPF
> [3952] dbg: spf: def_spf_whitelist_from: could not find useable envelope 
> sender
> [3952] dbg: spf: spf_whitelist_from: could not find useable envelope sender
> 
> All emails contain these headers:
> Return-Path:
> X-Envelope-From:
> X-Envelope-To:
> 
> What exactly is SA looking for?

Return-Path is the optimal header for the envelope sender info.

You haven't said how you're calling SA.  I'm going to guess that it's 
via a milter, and these headers aren't present in the copy of the 
message it is providing to SA (if this is the case it's possible that 
it's also not providing the required received header for the current hop).

If you're not using a milter, and instead calling it via an MDA or 
manually after the fact, then something is really screwed up, since if 
there's a Return-Path header present it's going to be used (unless it's 
a null sender, in which case this is the expected behaviour).


Daryl
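
The conditions named in the reply above (envelope headers absent from the copy handed to SA, no Received header for the current hop, a null sender) can be checked on a saved copy of that message. The script below is an added example, not part of the original post and not SpamAssassin's own logic; the 127.0.0.0/8 trusted range and the example.com address are assumptions, and the sample messages are constructed from the Received lines in the first post.

```python
import email
import ipaddress
import re

# Envelope-sender headers named in the thread; Return-Path is tried first.
ENVELOPE_HEADERS = ("Return-Path", "X-Envelope-From")

def top_received_ip(msg):
    """Bracketed IPv4 literal from the topmost Received header, or None."""
    received = msg.get_all("Received") or []
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    try:
        return ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:  # looked like an IP but is not a valid one
        return None

def diagnose(raw, trusted=("127.0.0.0/8",)):
    """Return (envelope_sender_or_None, findings) for one raw message."""
    msg = email.message_from_string(raw)
    findings = []
    ip = top_received_ip(msg)
    if ip is None:
        findings.append("no-received-ip")        # current hop not recorded
    elif any(ip in ipaddress.ip_network(net) for net in trusted):
        findings.append("last-hop-trusted")      # relayed via a trusted relay
    sender = None
    for name in ENVELOPE_HEADERS:
        value = msg.get(name)
        if value is None:
            findings.append("missing:" + name)   # header not in this copy
            continue
        addr = value.strip().strip("<>").strip()
        if addr:
            sender = addr
            break
        findings.append("empty:" + name)         # null sender or blank value
    return sender, findings

# Constructed samples: Received lines from the first post (first one shortened).
RECEIVED = (
    "Received: from  [127.0.0.1] by arkbb.co.uk with SMTP (HELO server.)\n"
    "Received: from d8-138.rb.vp.centurytel.net ([66.112.83.179])\n"
    "  by server. (NAVGW 2.5.2.12) with SMTP id M2007022615343332143\n"
)
BODY = "Subject: test\n\nbody\n"
DELIVERED = "Return-Path: <sender@example.com>\n" + RECEIVED + BODY
NULL_SENDER = "Return-Path: <>\n" + RECEIVED + BODY
STRIPPED = BODY  # copy with neither Received nor envelope headers

if __name__ == "__main__":
    for label, raw in (("delivered", DELIVERED), ("null", NULL_SENDER), ("stripped", STRIPPED)):
        print(label, diagnose(raw))
```
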

Re: Trusted networks and SPF

Posted by Ben Wylie <sa...@benwylie.co.uk>.
Daryl C. W. O'Shea wrote:
> Assuming you've got your trusted_networks (and possibly 
> internal_networks) set up, you just need to add 
> "always_trust_envelope_sender 1" to your local.cf.

Thanks for the help.
It now gives me the error
[3952] dbg: spf: cannot get Envelope-From, cannot use SPF
[3952] dbg: spf: def_spf_whitelist_from: could not find useable envelope 
sender
[3952] dbg: spf: spf_whitelist_from: could not find useable envelope sender

All emails contain these headers:
Return-Path:
X-Envelope-From:
X-Envelope-To:

What exactly is SA looking for?

Thanks,
Ben



Re: Trusted networks and SPF

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Ben Wylie wrote:

> but then refuses to do any more, as it claims not to be able to trust 
> the X-Envelope-From header because it has been through my AV gateway:
> [2408] dbg: spf: relayed through one or more trusted relays, cannot use 
> header-based Envelope-From, skipping
> 
> Similarly:
> 
> [2408] dbg: spf: def_spf_whitelist_from: could not find useable envelope 
> sender
> [2408] dbg: spf: spf_whitelist_from: could not find useable envelope sender
> 
> Is there any way that I can tell SpamAssassin to trust the 
> X-Envelope-From or Return-Path information in the headers as it is 
> merely an AV gateway and not going to change the X-Envelope-From headers?
> This way I could get SPF checks on the senders as well as be able to use 
> SPF Whitelist From.

Assuming you've got your trusted_networks (and possibly 
internal_networks) set up, you just need to add 
"always_trust_envelope_sender 1" to your local.cf.

Daryl