Thanks for the info. I just added "always_trust_envelope_sender 1" to my local.cf and restarted. I then resent an email from gmail and still got no SPF. So, that didn't solve my problem.

Am I incorrectly implementing the standard? Do I need my TXT record to be located at IN TXT smtp.channing-bete.com -instead of- or -in addition to- a IN TXT channing-bete.com record?

My internal setup might be the problem. I'd appreciate a recommendation if you have a moment... You may be able to see, based on the header I pasted and my DNS information, that my external MX is smtp.channing-bete.com (205.246.7.107), which is NATd by our firewall to 10.1.200.36. Mail is then routed internally to spam.channing-bete.com at 10.1.200.40 based on LDAP information (whether a given user is interested in being filtered through SA or not). This is where SpamAssassin is running, and where 3.0.4 used to be able to check records. :)

Therefore, my trusted_networks is 10.1.0.0/16. Correct? Or does it not make a difference? I've read that the gateway system *has* to be the one that does the SPF checking... and that's not the case in my setup. spam.channing-bete.com is one hop in from the external MX.

Honestly, I'd rather just run the former SA SPF checks on my system, crippled or inaccurate as they were, if they're not going to work with my configuration.

Thanks a million for the help so far.

----- Original Message -----
*From:* "Daryl C. W. O'Shea" <[EMAIL PROTECTED]>
*Sent:* 09/28/2005 8:16:53 PM -0400
*To:* Ben Lentz <[EMAIL PROTECTED]>
*Cc:* users@spamassassin.apache.org
*Subject:* SPF and Upgrade to SA 3.1



Ben Lentz wrote:

The message is sent from [EMAIL PROTECTED] to [EMAIL PROTECTED] but shows up with no SPF information. Are you saying that the SPF records are supposed to be published along with the sending mail server's A record instead of with the domain? Like if the MX for channing-bete.com was smtp.channing-bete.com, then the SPF record should be returned from "dig smtp.channing-bete.com txt" and not "dig channing-bete.com txt"? This seems quite off from how gmail, yahoo, aol, microsoft, etc systems are publishing their records.


(lots of background -- skip to the last line for the solution)

To be consistent with the proposed standard (which hasn't changed in this respect) ANY host that sends mail should have an SPF record if you want it to pass an SPF_HELO_* check. Further, EVERY host is supposed to have a record if you want to publish that your 'other' hosts shouldn't be sending mail. I wouldn't worry too much about SPF_HELO_* checks though.


Regular SPF_* checks though, the ones that check against the return-path address, can be a little more complicated (and are actually a little broken in SA).

For mail from the registered domain SA works properly, and checks the SPF record found at IN TXT domain.com. In the case of an address like [EMAIL PROTECTED] SA (AFAIK) doesn't follow the standard and doesn't check the SPF record which _could be_ at IN TXT subdomain.domain.com. before checking the one at IN TXT domain.com.


Anyway... all that really applies in your case is that SA should be (if you tell it to) checking the SPF record found at IN TXT gmail.com. for mail from [EMAIL PROTECTED] The problem is you're not telling it to check any SPF records (for non-helo checks).


This seemingly used to work so nicely! Can I swap back my SpamAssassin/Plugins/SPF.pm from SA 3.0.4?


You seemingly either changed your network setup (moving your SA scan from the first hop to the second) when you upgraded to 3.1.0 or you seemingly thought it was working when it wasn't. ;)

SpamAssassin will refuse to do SPF_* checks if the mail has been passed through internal (to your network) relays -- just in case one of these relays might alter the return-path (fetchmail, etc.).

If you are sure that your mail relays will not alter the return-path (most normal SMTP hops won't) you can force SA to act as you'd expect it to by adding the following line to your local.cf file.

always_trust_envelope_sender    1


Daryl
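
The relay rule Daryl describes above (and the two-hop setup Ben lays out at the top of the thread) modelled in a short Python script. This is an added illustration, not SpamAssassin's own code: it walks Received headers newest-first, finds the external host that handed the mail to the first internal relay, and skips the SPF client-IP selection when more internal relays follow that handover unless always_trust_envelope_sender is set. The Received lines and the 198.51.100.7 sender address are constructed sample data.

```python
import ipaddress
import re

# Constructed sample (not from the thread): the Received chain as the SA host
# spam.channing-bete.com would see it in Ben's setup, newest hop first.
# 198.51.100.7 is a documentation address standing in for the Gmail relay.
RECEIVED_ON_SPAM_HOST = [
    "from smtp.channing-bete.com (smtp.channing-bete.com [10.1.200.36]) "
    "by spam.channing-bete.com with ESMTP",
    "from mail-relay.gmail.example (mail-relay.gmail.example [198.51.100.7]) "
    "by smtp.channing-bete.com with ESMTP",
]
INTERNAL_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_ips(received_headers):
    """Pull the connecting IPv4 address out of each Received header, newest first."""
    ips = []
    for hdr in received_headers:
        m = IPV4_IN_BRACKETS.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def is_internal(ip, internal_networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal_networks)


def spf_client_ip(received_headers, internal_networks,
                  always_trust_envelope_sender=False):
    """Return (ip_to_check, reason) following the rule described in the thread.

    SPF is evaluated against the external host that handed the mail to the
    first internal relay. If further internal relays sit after that handover,
    the check is skipped unless always_trust_envelope_sender is on, since such
    relays might have rewritten the return-path. Illustrative model only.
    """
    ips = hop_ips(received_headers)
    if not ips:
        return None, "no parseable Received headers"
    external = [i for i, ip in enumerate(ips)
                if not is_internal(ip, internal_networks)]
    if not external:
        return None, "every hop is internal; no external handover found"
    first_external = external[0]
    if first_external > 0 and not always_trust_envelope_sender:
        return None, (f"skipped: {first_external} internal relay(s) after "
                      "the handover; set always_trust_envelope_sender 1")
    return ips[first_external], "checked"
```

Running it on the sample chain shows why the second-hop scanner skips SPF by default, while the same chain minus the internal hop (SA on the gateway itself) is checked straight away.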
