> >I'm trying to understand why some domains are not whitelisted even
> >though they pass SPF and are in my local welcomelist_auth entries. I'm
> >using policyd-spf with postfix, and it appears to be adding the
> >following header:
> >
> >X-Comment: SPF skipped for whitelisted relay domain -
> >client-ip=13.110.6.221; helo=smtp14-ph2-sp4.mta.salesforce.com;
> >envelope-from=re...@support.meridianlink.com; receiver=<UNKNOWN>
>
> you seem to have domain listed in whitelist policyd-spf whitelist.
> salesforce.com probably?

I figured out where it's whitelisted, but still don't understand how it
works. It's somehow referencing the postscreen access list I'm using:

postscreen_access_list = permit_mynetworks,
    cidr:$config_directory/postscreen_access.cidr

In that file are cidr entries like:

13.110.208.0/21 permit
13.110.216.0/22 permit
13.110.224.0/20 permit

This file is auto-generated from my postwhite script that gathers IPs
for the "too big to fail" providers like salesforce and google and
microsoft.

which match the client IP for salesforce:

client-ip=13.110.6.221; helo=smtp14-ph2-sp4.mta.salesforce.com

I was aware of this access list, but I wasn't aware that the policy
daemon was also using it as well as postscreen.

The problem now is that I don't know _how_ it's using it, and how to
prevent it from affecting my welcomelist_auth entries. I don't see any
reference in the code that would indicate it's somehow getting this info
from postscreen/postfix and using it when making these decisions.

The unmodified original messages also no longer pass SPF - shouldn't
they? It does still pass DKIM from the command-line, and therefore my
welcomelist_auth entry, but not when it's first received. There was a
reason I added this email to the welcomelist in the first place.

Perhaps a temporary solution would be to just remove the postscreen
access lists for now? Other ideas? Someone would like to help me
troubleshoot this? I'm thinking the fact that the IP is whitelisted in
postscreen is somehow being passed through the socket to policyd-spf in
a structure somewhere.

> >My welcomelist entry in SA for this specific email is as:
> >welcomelist_auth re...@support.meridianlink.com
>
> is this in spamassassin's local.cf ?

Yes

> >salesforce is also listed in their SPF record:
> >$ dig +short txt support.meridianlink.com
> >"v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com -all"
>
> SPF_PASS indicates that the SPF hit.
>
> however, posting full headers could help us a bit.

https://pastebin.com/TvTx6KzY

$ spamassassin --version
SpamAssassin version 4.0.0-r1889518
  running on Perl version 5.32.1