You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Xepher <an...@xepher.net> on 2006/08/15 00:45:32 UTC

SPF and SORBS problems

I've got a server configured with postfix and spamassassin. The
mailserver is the only one for the domain, and thus receives mail from
other servers, as well as letting users connect directly (with smtp
auth) to send mail. Everything works fine, EXCEPT when users send email
to each other. In those cases, the emails get tagged both by SPF_FAIL
and RCVD_IN_SORBS_DUL as those tests see the email as coming from the
user's personal IP address. I've tried

whitelist_from_spf *@xepher.net

in local.cf, but it doesn't work. Messages still get tagged with
SPF_FAIL. I didn't see any similar option for the RBL stuff. Is there
any way to do conditional tests, such that SMTP Auth messages get
whitelisted? I don't know if there's a way in postfix to add a header
only to auth connections? All I could find for postfix was address
rewriting stuff, nothing about conditional situations like an
authenticated user.

Any help would be appreciated, as I'd really rather not disable SPF and
RBL completely.

Thanks,
	James

Re: SPF and SORBS problems

Posted by Xepher <an...@xepher.net>.

Daryl C. W. O'Shea wrote:
> See the third heading on this wiki page that tells you how to resolve 
> this specific issue:
> 
> http://wiki.apache.org/spamassassin/DynablockIssues
> 
> 
> Daryl

Thank you. That solved the problem. Upgrade to new SA and Postfix 
versions and everything plays nicely now, as postfix puts in a header 
for authentication, and SA can read it. I even get "all_trust" to fire 
on authenticated emails. Sadly I never found that page on my own, as it 
doesn't have any of the keywords I searched for. The phrase "dynablock" 
never came up in anything I was having trouble with.

Thanks again,
--James

Re: SPF and SORBS problems

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.

On 8/14/2006 6:45 PM, Xepher wrote:
> I've got a server configured with postfix and spamassassin. The
> mailserver is the only one for the domain, and thus receives mail from
> other servers, as well as letting users connect directly (with smtp
> auth) to send mail. Everything works fine, EXCEPT when users send email
> to each other. In those cases, the emails get tagged both by SPF_FAIL
> and RCVD_IN_SORBS_DUL as those tests see the email as coming from the
> user's personal IP address. I've tried
> 
> whitelist_from_spf *@xepher.net
> 
> in local.cf, but it doesn't work. Messages still get tagged with
> SPF_FAIL. I didn't see any similar option for the RBL stuff. Is there
> any way to do conditional tests, such that SMTP Auth messages get
> whitelisted? I don't know if there's a way in postfix to add a header
> only to auth connections? All I could find for postfix was address
> rewriting stuff, nothing about conditional situations like an
> authenticated user.
> 
> Any help would be appreciated, as I'd really rather not disable SPF and
> RBL completely.

See the third heading on this wiki page that tells you how to resolve 
this specific issue:

http://wiki.apache.org/spamassassin/DynablockIssues


Daryl

Re: SPF and SORBS problems

Posted by Benny Pedersen <me...@junc.org>.

On Tue, August 15, 2006 02:23, Xepher wrote:

> I tried them, and still have the exact same problem. Any other ideas?

clear_internal_networks
internal_networks 127.0.0.1
clear_trusted_networks
trusted_networks <smtp-auth-ip>
trusted_networks 127.0.0.1

save my msg with full header

and then test my msg with

spamassassin 2>&1 -D -t mymsg

you should see where the problem is then

-- 
Benny

Re: SPF and SORBS problems

Posted by Xepher <an...@xepher.net>.

Benny Pedersen wrote:
> i had the same problem once :-)
> 
> see attached
> 
> for rbl check the internal_networks and trusted_networks, spf test is disable
> on internal networks, so make sure your smtp auth ip is not listed as internal
> in your spamassassin, but it should still be in trusted_networks
> 
> when this is done it works, atleast here :-)
> 

Let me clarify, there is no "internal network" save the host itself.
This is a machine by itself on the internet, with users connecting from
various places all over the world. No ip address is trusted, except for
the mailserver itself.

The attached config had these two lines.

envelope_sender_header Return-Path
always_trust_envelope_sender 1

I tried them, and still have the exact same problem. Any other ideas?

--James

Re: SPF and SORBS problems

Posted by Benny Pedersen <me...@junc.org>.

On Tue, August 15, 2006 00:45, Xepher wrote:

> Any help would be appreciated, as I'd really rather not disable SPF and
> RBL completely.

i had the same problem once :-)

see attached

for rbl check the internal_networks and trusted_networks, spf test is disable
on internal networks, so make sure your smtp auth ip is not listed as internal
in your spamassassin, but it should still be in trusted_networks

when this is done it works, atleast here :-)

-- 
Benny