Sorry for my bad English. I'll try to explain the scenario better, because it's a bit complex and complex to explain in English.

We set up an SMTP relay server to send a large amount of email for newsletters; so I have a username, a password and a hostname that I insert in my newsletter software. The relay server is composed of postfix, policyd, and a module for policyd that uses the cpan:SPF method.

When I send out emails I have to choose a mailfrom (ex: [email protected]), and to use our service I must correctly set up an SPF record for domain.tld to authorize the SMTP relay. (The hostname of the SMTP relay is smtprelay.company.com, so in my TXT record of domain.tld I will add a:smtprelay.company.com, something like this:

    v=spf1 ip4:xxx.xxx.xxx.xxx a:smtprelay.company.com mx -all

) But several senders forget to set up SPF before sending emails; thus after the first emails, Outlook inserted us in its blacklist.

My main goal is: is there a way, or how can I check *before* sending emails for a correct SPF, keeping in mind that whoever sends the email is already authenticated? I'll be happy if our server rejects email sent out by a domain without a correct SPF. Is this possible?

Best regards and have a good day!

2016-02-11 20:20 GMT+01:00 Simon Hobson <[email protected]>:

> Roberto Lucarelli <[email protected]> wrote:
>
> > Why does the filter control directly on client ip?
>
> Because that's how it's supposed to work.
> When a server that checks SPF receives a message from a connecting client,
> it looks at the domain name the email is alleged to have come from, looks
> to see if that domain publishes an SPF record. If there is an SPF record
> then it checks the IP address of the client against the SPF record.
>
> The SPF record typically lists a small number of IP addresses that are
> allowed to send mail for that domain - and specifies that all other
> addresses are not permitted (the "-all" usually found at the end). It may
> list addresses for which the verdict is "don't really care much" - i.e. they
> are neither permitted nor denied, just left to the other policies on the
> recipient server.
>
> There is a problem with mailing lists, and especially mail forwarders
> which SPF breaks. The SPF supporters know this but are big enough to just
> declare such normal things are "no longer allowed" and make the rest of the
> world follow suit.
>
> > Logically I can not enter in the SPF record all IP addresses from which
> > I connect during the day.
>
> Correct, and you don't need to. You need to configure your server so that
> clients that authenticate bypass SPF checks - I also have them bypass other
> checks such as greylisting and HELO hostname checks.
>
> In policyd, you should configure one (or more) policies which match SASL
> authenticated clients - and ensure that this policy does not check SPF,
> impose greylisting, or check HELO hostnames. For inbound mail, have another
> policy that matches clients that do not authenticate - and for this policy
> you *DO* check SPF, enforce greylisting, and enforce HELO name checks.
>
> That way, when your roaming user sends an email, the client authenticates,
> and it bypasses SPF checks - and its address(es) don't need to be in the
> SPF policy.
>
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.policyd.org/mailman/listinfo/users_lists.policyd.org
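The pre-send check asked about above, as an added example that is not part of the original thread and is not policyd or Mail::SPF code: it evaluates the MAIL FROM domain's SPF record against the relay's own IP instead of the authenticated client's IP, and accepts only on "pass". Assumptions: the function names are hypothetical, the dictionaries are constructed stand-ins for DNS answers, the IP addresses are constructed documentation addresses, and only the ip4, a, mx and all mechanisms are handled.

```python
import ipaddress

# Constructed sample data standing in for DNS TXT, A and MX answers.
SAMPLE_TXT = {
    "domain.tld": "v=spf1 ip4:192.0.2.10 a:smtprelay.company.com mx -all",
    "forgot.example": None,  # sender never published an SPF record
    "other.example": "v=spf1 ip4:203.0.113.0/24 -all",  # relay not listed
}
SAMPLE_A = {"smtprelay.company.com": ["198.51.100.25"],
            "mail.domain.tld": ["192.0.2.10"]}
SAMPLE_MX = {"domain.tld": ["mail.domain.tld"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(domain, relay_ip, txt=SAMPLE_TXT, a=SAMPLE_A, mx=SAMPLE_MX):
    """Return the SPF result for relay_ip, walking mechanisms left to right."""
    terms = (txt.get(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(relay_ip)
    for term in terms[1:]:
        result = "pass"  # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIERS:
            result, term = QUALIFIERS[term[0]], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return result
        if name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = relay_ip in a.get(arg or domain, [])
        elif name == "mx":
            hosts = mx.get(arg or domain, [])
            matched = any(relay_ip in a.get(h, []) for h in hosts)
        else:
            return "unsupported"  # include, redirect, macros: not handled here
        if matched:
            return result
    return "neutral"  # no mechanism matched and no "all" term

def relay_accepts(mail_from, relay_ip):
    """Accept the message only when the sender domain authorizes the relay."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    return spf_result(domain, relay_ip) == "pass"
```
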
