On Tue, 2006-05-02 at 21:29, Matt Kettler wrote:
> jdow wrote:
> > From: "Matt Kettler" <[EMAIL PROTECTED]>
> >
> >> Ramprasad wrote:
> >>> Hi,
> >>> I am using SA 3.1.1 as a module in MailScanner.
> >>> I am not able to get whitelist_from_spf working.
> >>> In my local.cf I have
> >>> ifplugin Mail::SpamAssassin::Plugin::SPF
> >>> whitelist_from_spf [EMAIL PROTECTED]
> >>> endif
> >>>
> >>> A mail from a SPF allowed IP is scored SPF_HELO_PASS ( evidently spf
> >>> checks are working ), but no USER_IN_SPF_WHITELIST
> >>> why, do I have to do anything else ??
> >>>
> >>
> >> Follow-up:
> >>
> >> Looking at your SPF records, you don't have 127.0.0.1 listed. Any mail
> >> generated locally on darkstar.netcore.co.in will NOT pass SPF because
> >> the actual IP address is 127.0.0.1, which isn't listed. SA. However, the
> >> HELO string is (darkstar.netcore.co.in). That presumably resolves to one
> >> of the listed IP addresses, which causes the SPF_HELO_PASS (I can't
> >> resolve darkstar right now so I cannot verify this)
> >>
> >> Add 127.0.0.1, and any other local IPs, to your SPF record and you
> >> should be good to go.
> >>
> >> Personally, I do this at my work, but we use split-dns. The external
> >> view doesn't see 127.0.0.1, or any internal IP addresses, but the
> >> internal one (used by SA) does.
> >
> > Ahhmmmm, if he adds local host that would then allow ANY localhost
> > in the world to authenticate with his SPF, wouldn't it? Wouldn't
> > that be a bad thing?
>
> Only from localhost to localhost... ie: this could never happen over the
> internet, but you could send yourself mail on your own mailserver, forge
> his domain and have it pass SPF.

I have a related question: what about listing hosts in the 192.168 range? Would this be a bad thing? The reason I ask is that my dad's SPF record is listed as ~all for his externally-visible static IP address, but when machines internal to his network connect to send mail, they look forged since they have a 192.168 address. Suggestions?

-Roger
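
Added example, not part of the original thread: a Python evaluator for the ip4/ip6 mechanisms of an SPF record, run against two constructed records that model the split-DNS setup discussed above, plus an audit helper that lists loopback and RFC 1918 entries. The records, addresses and function names are assumptions for illustration; mechanisms that need DNS (a, mx, include) are skipped.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Loopback and RFC 1918 ranges: never a valid source address across the internet.
LOCAL_ONLY = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_spf(record):
    """Return ([(qualifier, network), ...], qualifier of 'all') for ip4/ip6 terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    nets, default = [], "?"          # no 'all' term means neutral
    for term in terms[1:]:
        qual = term[0] if term[0] in RESULT else "+"
        body = term.lstrip("+-~?").lower()
        if body == "all":
            default = qual
            break                    # anything after 'all' is ignored
        if body.startswith(("ip4:", "ip6:")):
            nets.append((qual, ipaddress.ip_network(body[4:], strict=False)))
        # a, mx, include, ... need DNS lookups and are skipped (assumption: ip4/ip6 only)
    return nets, default

def check(record, client_ip):
    """SPF result for client_ip; the first matching mechanism wins."""
    ip = ipaddress.ip_address(client_ip)
    nets, default = parse_spf(record)
    for qual, net in nets:
        if ip.version == net.version and ip in net:
            return RESULT[qual]
    return RESULT[default]

def local_only_entries(record):
    """ip4 entries overlapping loopback/private space (audit the public view)."""
    return [str(net) for _, net in parse_spf(record)[0]
            if net.version == 4 and any(net.overlaps(r) for r in LOCAL_ONLY)]

# Constructed records: what outside resolvers see vs. what the filter host sees.
EXTERNAL = "v=spf1 ip4:203.0.113.10 ~all"
INTERNAL = "v=spf1 ip4:203.0.113.10 ip4:127.0.0.1 ip4:192.168.0.0/16 ~all"

if __name__ == "__main__":
    for view, rec in (("external", EXTERNAL), ("internal", INTERNAL)):
        for ip in ("203.0.113.10", "127.0.0.1", "192.168.1.20"):
            print(view, ip, check(rec, ip))
        print(view, "local-only entries:", local_only_entries(rec))
```

Running `local_only_entries` against the record published in the external view is a quick check that no loopback or private range has leaked into what other mail servers evaluate.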