Roberto Lucarelli <[email protected]> wrote:

> Why does the filter control directly on client ip?

Because that's how it's supposed to work. When a server that checks SPF receives a message from a connecting client, it looks at the domain name the email is alleged to have come from, and looks to see if that domain publishes an SPF record. If there is an SPF record then the IP address of the client is checked against the SPF record.

The SPF record typically lists a small number of IP addresses that are allowed to send mail for that domain - and specifies that all other addresses are not permitted (the "-all" usually found at the end). It may list addresses for which the verdict is "don't really care much" - i.e. they are neither permitted nor denied, just left to the other policies on the recipient server.

There is a problem with mailing lists, and especially mail forwarders which SPF breaks. The SPF supporters know this but are big enough to just declare such normal things are "no longer allowed" and make the rest of the world follow suit.

> Logically I can not enter in the SPF record all IP addresses from which I
> connect during the day.

Correct, and you don't need to. You need to configure your server so that clients that authenticate bypass SPF checks - I also have them bypass other checks such as greylisting and HELO hostname checks.

In policyd, you should configure one (or more) policies which match SASL authenticated clients - and ensure that this policy does not check SPF, impose greylisting, or check HELO hostnames. For inbound mail, have another policy that matches clients that do not authenticate - and for this policy you *DO* check SPF, enforce greylisting, and enforce HELO name checks.

That way, when your roaming user sends an email, the client authenticates, and it bypasses SPF checks - and its address(es) don't need to be in the SPF policy.

_______________________________________________
Users mailing list
[email protected]
http://lists.policyd.org/mailman/listinfo/users_lists.policyd.org
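
The decision flow described in the reply above, as an added example that is not part of the original message and is not policyd code: authenticated clients skip SPF, everyone else has their client IP evaluated against the domain's record. The function names, the sample record, the addresses and the "reject on fail" choice are assumptions made for illustration; only the ip4, ip6 and all mechanisms are evaluated.

```python
import ipaddress

# Qualifier prefixes defined by SPF (RFC 7208); "+" is the default.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_verdict(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of one SPF record against client_ip.

    Simplification: mechanisms needing DNS (a, mx, include, exists, ptr) and
    modifiers (redirect=, exp=) are skipped rather than resolved.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and value:
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def policy_decision(sasl_authenticated, record, client_ip):
    """Hypothetical two-policy split: authenticated submissions skip SPF."""
    if sasl_authenticated:
        return "accept (SPF bypassed)"
    verdict = spf_verdict(record, client_ip)
    # Assumed local policy: only a hard fail is rejected outright.
    return "reject" if verdict == "fail" else f"continue ({verdict})"


# Constructed record using documentation-range addresses (RFC 5737).
RECORD = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/28 ?ip4:203.0.113.0/24 -all"

if __name__ == "__main__":
    print(policy_decision(False, RECORD, "192.0.2.10"))   # listed server
    print(policy_decision(False, RECORD, "203.0.113.7"))  # "don't care" range
    print(policy_decision(False, RECORD, "192.0.2.99"))   # unlisted, hits -all
    print(policy_decision(True, RECORD, "192.0.2.99"))    # roaming SASL user
```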
