Radoslaw Zielinski wrote:
> Daryl C. W. O'Shea <[EMAIL PROTECTED]> [30-06-2006 00:45]:
>> Mark Martinec wrote:
>>> Hmm, I don't think that our own <MSA> is supposed to be tested for SPF.
>>> Is it normal?
>> Yeah, and correct. Your MSA is the host responsible for sending the
>> mail to your server running SA. Your SPF record must cover the MSA's IP.
> Disagreed. Mark's MSA <-> SA+MTA distinction is a matter of internal
> configuration, which does not need to be revealed to the public in a
> SPF record.

SA isn't psychic. You've got to provide it with a config that lets it
know what's going on. It can't just know that one untrusted host is
your own user and another is a spam zombie.

> Imagine a situation, when for $whatever_reason we need to add another
> SMTP hop between MSA and SA+MTA, and this machine has only a private IP
> address. Would you recommend adding a 10.x.x.x address to the SPF record
> too?

No, that'd be incredibly silly. Only one host can be responsible for
originating a message, not two in a row. Pick which one of the MTAs you
want to assign responsibility to and configure your SA config and SPF
records accordingly.

>> Looking at the options, SA could either check the IP of your MSA or the
>> IP of the remote client. Obviously checking the remote client IP is wrong.
> Shouldn't check in this case.

Then configure SA so it doesn't have to do net tests for your own users.
Set your trusted and internal networks so that they cover all your
hosts right up to and including the actual MUA clients themselves.
You'll have to include the IP ranges, of your clients, that you control
for the non-roaming users. For the roaming users your MSA will have to
leave AUTH tokens that SA can parse in its received header (RFC 3848,
Sendmail-style, etc.).

>>> And here is an unfortunate consequence:
>>>  pts rule name               description
>>> ---- ---------------------- --------------------------------------------------
>>>  1.2 SPF_FAIL               SPF: sender does not match SPF record (fail)
>>>             [SPF failed: Please see http://www.openspf.org/why.html?
>>>             sender=mark.martinec%40ijs.si&ip=<MSA>&receiver=<MTA>]
>> Yeah, fix your SPF record.
> Or file a bug report.

As it stands now, Mark is treating his own users as external (just like
any other external network) but is wanting SA to treat it differently
than any other external network. I don't think that's a reasonable
request. What exactly is the bug?

If you don't want SA to do SPF and other net checks on those relays then
don't ask it to.

Daryl
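To make the disagreement above concrete, here is an added example (it is not from this thread and not SpamAssassin's own code) that models the relay walk Daryl describes: Received: headers are read newest-first, hops inside internal_networks are internal, the first hop outside that boundary is the external relay whose IP the SPF check is run against, and an internal relay that accepted the message with an RFC 3848 authenticated protocol (ESMTPA/ESMTPSA) vouches for the submitting client. That auth-extension rule is a simplified assumption about the behaviour Daryl refers to, not a reproduction of SpamAssassin's code, and every hostname, address and Received: line is constructed for the example.

```python
"""Which relay IP does SpamAssassin hand to its SPF check?

Added illustration for the thread above, not SpamAssassin's own code: a
simplified model of its relay-trust walk.  Hosts, addresses and Received:
lines are constructed (RFC 5737 / RFC 1918 ranges).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# RFC 3848 "with" keywords meaning the receiving host authenticated the client.
AUTHENTICATED_PROTOS = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}

# Matches the constructed Received: lines below; real-world lines vary more.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^\[]*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)\b.*?\bwith\s+(?P<proto>[A-Z]+)",
    re.S,
)


@dataclass
class Hop:
    ip: IPAddr      # the "from" address: the host that handed the message over
    by: str         # the host that wrote this Received: line
    proto: str      # the "with" keyword on the line

    @property
    def authenticated(self) -> bool:
        return self.proto in AUTHENTICATED_PROTOS


def parse_received(headers: List[str]) -> List[Hop]:
    """Parse Received: headers given newest (topmost) first, as SA walks them."""
    hops = []
    for line in headers:
        m = RECEIVED_RE.search(line)
        if not m:
            raise ValueError("unparseable Received header: " + line)
        hops.append(Hop(ipaddress.ip_address(m["ip"]), m["by"], m["proto"]))
    return hops


def spf_check_ip(hops: List[Hop], internal_networks: List[str]) -> Optional[str]:
    """Return the IP SA would evaluate SPF against, or None when every hop is
    inside the trust boundary and no network test is needed at all."""
    internal = [ipaddress.ip_network(n) for n in internal_networks]
    receiver_internal = True   # the host running SA is internal by definition
    for hop in hops:
        if any(hop.ip in net for net in internal):
            receiver_internal = True
            continue
        if receiver_internal and hop.authenticated:
            # Assumed rule: an internal MSA authenticated this client, so treat
            # it as our own (roaming) user rather than as an external relay.
            receiver_internal = True
            continue
        return str(hop.ip)   # first external relay: this is what SPF sees
    return None


# Constructed sample chains.  MX/SA host: 192.0.2.1, MSA: 192.0.2.25.
ROAMING_USER = [
    "from msa.example.org (msa.example.org [192.0.2.25]) by mx.example.org "
    "(Postfix) with ESMTP id A1B2C3; Fri, 30 Jun 2006 00:45:00 +0200",
    "from laptop.example.net (unknown [203.0.113.77]) by msa.example.org "
    "(Postfix) with ESMTPSA id D4E5F6; Fri, 30 Jun 2006 00:44:58 +0200",
]
EXTERNAL_SENDER = [
    "from zombie.example.net (unknown [198.51.100.9]) by mx.example.org "
    "(Postfix) with ESMTP id 0A0B0C; Fri, 30 Jun 2006 00:46:10 +0200",
]
# Radoslaw's extra private-address hop between the MSA and the MX.
EXTRA_PRIVATE_HOP = [
    "from relay.internal (relay.internal [10.0.0.5]) by mx.example.org "
    "(Postfix) with ESMTP id 111111; Fri, 30 Jun 2006 00:45:01 +0200",
    "from msa.example.org (msa.example.org [192.0.2.25]) by relay.internal "
    "(Postfix) with ESMTP id 222222; Fri, 30 Jun 2006 00:45:00 +0200",
    "from laptop.example.net (unknown [203.0.113.77]) by msa.example.org "
    "(Postfix) with ESMTPSA id 333333; Fri, 30 Jun 2006 00:44:58 +0200",
]

if __name__ == "__main__":
    # Mark's setup: MSA trusted but not internal -> SPF is run on the MSA's IP.
    print(spf_check_ip(parse_received(ROAMING_USER), ["192.0.2.1/32"]))
    # Daryl's advice: MSA internal + ESMTPSA token -> no external relay at all.
    print(spf_check_ip(parse_received(ROAMING_USER), ["192.0.2.0/24"]))
    print(spf_check_ip(parse_received(EXTERNAL_SENDER), ["192.0.2.0/24"]))
    # The 10.x hop belongs in internal_networks, not in the SPF record.
    print(spf_check_ip(parse_received(EXTRA_PRIVATE_HOP), ["192.0.2.0/24"]))
    print(spf_check_ip(parse_received(EXTRA_PRIVATE_HOP), ["192.0.2.0/24", "10.0.0.0/8"]))
```

With only the MX in the internal list (Mark's situation) the MSA's own address comes back, which is exactly the `ip=<MSA>` in the SPF_FAIL line above: either that address goes into the SPF record, or the MSA goes into internal_networks. With the MSA internal and an ESMTPSA token on the submission hop there is no external relay left, so SA has nothing to run SPF against, which is Daryl's "don't ask it to". The 10.x hop answers Radoslaw's question the same way: it is listed in internal_networks, never in a public SPF record. (Later SpamAssassin releases added an `msa_networks` directive for the authenticated-MSA case; the rule modelled here is a simplified stand-in for it.)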