You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Ben Wylie <sa...@benwylie.co.uk> on 2007/02/26 17:01:59 UTC
Trusted networks and SPF
All of my emails pass through an antivirus gateway which is the same
server as the mailserver and appears like this in the headers:
Received: from [127.0.0.1] by arkbb.co.uk with SMTP (HELO server.)
(ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.8.9));
Mon, 26 Feb 2007 15:41:04 +0000
Received: from d8-138.rb.vp.centurytel.net ([66.112.83.179])
by server. (NAVGW 2.5.2.12) with SMTP id M2007022615343332143
So all emails come via this trusted relay (127.0.0.1) which is also
internal.
SPF in SpamAssassin is happy to check the HELO:
[2408] dbg: spf: checking HELO (helo=d8-138.rb.vp.centurytel.net,
ip=66.112.83.179)
[2408] dbg: spf: query for /66.112.83.179/d8-138.rb.vp.centurytel.net:
result: none, comment: SPF: domain of sender d8-138.rb.vp.centurytel.net
does not designate mailers
but then refuses to do any more, as it claims not to be able to trust
the X-Envelope-From header because it has been through my AV gateway:
[2408] dbg: spf: relayed through one or more trusted relays, cannot use
header-based Envelope-From, skipping
Similarly:
[2408] dbg: spf: def_spf_whitelist_from: could not find useable envelope
sender
[2408] dbg: spf: spf_whitelist_from: could not find useable envelope sender
Is there any way that I can tell SpamAssassin to trust the
X-Envelope-From or Return-Path information in the headers as it is
merely an AV gateway and not going to change the X-Envelope-From headers?
This way I could get SPF checks on the senders as well as be able to use
SPF Whitelist From.
Thanks
Ben
Re: Trusted networks and SPF
Posted by Benny Pedersen <me...@junc.org>.
On Mon, February 26, 2007 17:01, Ben Wylie wrote:
[snip]
> Is there any way that I can tell SpamAssassin to trust the
> X-Envelope-From or Return-Path information in the headers as it is
> merely an AV gateway and not going to change the X-Envelope-From headers?
> This way I could get SPF checks on the senders as well as be able to use
> SPF Whitelist From.
perldoc Mail::SpamAssassin::Conf there you find envelope
for the internal networks / trusted networks, you should have internal cower
the wan ip of your server and local ips aswell
for trusted networks add forwarding mta ips there
--
This message was sent using 100% recycled spam mails.
Re: Trusted networks and SPF
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 2/27/2007 12:45 PM, Ben Wylie wrote:
> Daryl C. W. O'Shea wrote:
>
>> Assuming you've got your trusted_networks (and possibly
>> internal_networks) setup, you just need to add
>> "always_trust_envelope_sender 1" to your local.cf.
>
>
> Thanks for the help.
> It now gives me the error
> [3952] dbg: spf: cannot get Envelope-From, cannot use SPF
> [3952] dbg: spf: def_spf_whitelist_from: could not find useable envelope
> sender
> [3952] dbg: spf: spf_whitelist_from: could not find useable envelope sender
>
> All emails contain these headers:
> Return-Path:
> X-Envelope-From:
> X-Envelope-To:
>
> What exactly is SA looking for?
Return-Path is the optimal header for the envelope sender info.
You haven't said how you're calling SA. I'm going to guess that it's
via a milter, and these headers aren't present in the copy of the
message it is providing to SA (if this is the case it's possibly that
it's also not providing the required received header for the current hop).
If you're not using a milter, and instead calling it via an MDA or
manually after the fact, then something is really screwed up, since if
there's a Return-Path header present it's going to be used (unless it's
a null sender, in which case this is the expected behaviour).
Daryl
Re: Trusted networks and SPF
Posted by Ben Wylie <sa...@benwylie.co.uk>.
Daryl C. W. O'Shea wrote:
> Assuming you've got your trusted_networks (and possibly
> internal_networks) setup, you just need to add
> "always_trust_envelope_sender 1" to your local.cf.
Thanks for the help.
It now gives me the error
[3952] dbg: spf: cannot get Envelope-From, cannot use SPF
[3952] dbg: spf: def_spf_whitelist_from: could not find useable envelope
sender
[3952] dbg: spf: spf_whitelist_from: could not find useable envelope sender
All emails contain these headers:
Return-Path:
X-Envelope-From:
X-Envelope-To:
What exactly is SA looking for?
Thanks,
Ben
Re: Trusted networks and SPF
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Ben Wylie wrote:
> but then refuses to do any more, as it claims not to be able to trust
> the X-Envelope-From header because it has been through my AV gateway:
> [2408] dbg: spf: relayed through one or more trusted relays, cannot use
> header-based Envelope-From, skipping
>
> Similarly:
>
> [2408] dbg: spf: def_spf_whitelist_from: could not find useable envelope
> sender
> [2408] dbg: spf: spf_whitelist_from: could not find useable envelope sender
>
> Is there any way that I can tell SpamAssassin to trust the
> X-Envelope-From or Return-Path information in the headers as it is
> merely an AV gateway and not going to change the X-Envelope-From headers?
> This way I could get SPF checks on the senders as well as be able to use
> SPF Whitelist From.
Assuming you've got your trusted_networks (and possibly
internal_networks) setup, you just need to add
"always_trust_envelope_sender 1" to your local.cf.
Daryl