Re: internal/trusted again, MSA tested for SPF ?

Thu, 29 Jun 2006 15:46:20 -0700 

Mark Martinec wrote:


As required per docs, the MTA is considered trusted and internal,
and MSA is declared trusted and NOT internal.
(both MSA and MTA are on the same IP network)

A mail from an authorized external user follows the route:
  <REMOTE>  ->  <MSA>  ->  <MTA+SA>
(I obfuscated IP addresses and host names in the log below
and replaced them with <REMOTE>, <MSA> and <MTA+SA>)

Here are the relevant sections of the log, along with my questions.

  dbg: generic: SpamAssassin version 3.1.3

  dbg: received-header: relay <MTA+SA> trusted? yes internal? yes
  dbg: received-header: relay <MSA> trusted? yes internal? no
  dbg: received-header: relay <REMOTE> trusted? no internal? no

So far so good, internal/trusted are recognized correctly.

  dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl-lastexternal
  dbg: dns: IPs found: full-external: <MSA>, <REMOTE>
untrusted: <REMOTE> originating: dbg: dns: only inspecting the following IPs: <MSA> 

Is it normal that our own MSA ip address is being submitted for RBL tests?
It' normal, in the sense that that's what the code says to do. I'm sure that this isn't optimal, but it works better than the way we did it before (lastuntrusted FP'd all over). 



  dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl
  dbg: dns: IPs found: full-external: <MSA>, <REMOTE>
untrusted: <REMOTE> originating: dbg: dns: only inspecting the following IPs: <REMOTE> 

Good, <REMOTE> is being tested for RBL.

  dbg: spf: checking EnvelopeFrom (helo=<MSA>, ip=<MSA>,
    [EMAIL PROTECTED])
  dbg: spf: query for [EMAIL PROTECTED]/<MSA>/<MSA>: result: fail,
    comment: Please see http://www.openspf.org/why.html?
      sender=mark.martinec%40ijs.si&ip=<MSA>&receiver=<MTA>

Hmm, I don't think that our own <MSA> is supposed to be tested for SPF.
It is normal?
Yeah, and correct. Your MSA is the host responsible for sending the mail to your server running SA. Your SPF record must cover the MSAs IP.
Looking at the options, SA could either check the IP of your MSA or the IP of the remote client. Obviously checking the remote client IP is wrong. 



And here is an unfortunate consequence:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.2 SPF_FAIL               SPF: sender does not match SPF record (fail)
 [SPF failed: Please see http://www.openspf.org/why.html?
  sender=mark.martinec%40ijs.si&ip=<MSA>&receiver=<MTA>]


Yeah, fix your SPF record.


Daryl

Reply via email to