On 05.01.2015 at 19:22, Derek Diget wrote:
On Jan 5, 2015 at 18:52 +0100, Reindl Harald wrote:

=>how can "SPF_HELO_PASS,SPF_NONE" fire both?

Just by going off the names... The domain presented in the HELO (RFC5321.HELO) command passed the SPF check_host() test while the domain used in the mail from (RFC5321.MailFrom) command didn't have a SPF record.

S1: 220 mx.example.com ESMTP
C1: EHLO smtp.example.net
S2: 250-mx.example.com Hello...pleased to meet you
C2: MAIL FROM:<sen...@example.net>
S2: 250 Sender OK
C3: RCPT TO:<recipi...@example.com>
S3: 250 Recipient OK
C4: DATA

So the SPF_HELO_PASS is testing the SPF record for smtp.example.net (line C1 above), while the SPF_NONE is testing the domain (example.net) used in the "MAIL FROM" (line C2).
So far clear, but I am in favor of *not* issuing *any* positive score if the sending domain just doesn't have an SPF record, which is the case if SPF_HELO *and* SPF_NONE both hit.
@domaintechnik.at doesn't publish SPF regardless of which server it was sent over, and so I see no valid reason for a positive score for outgoing mail over host5.ssl-gesichert.at[213.145.228.32].
Remember that SPF checks both the HELO name presented as well as the domain used in the Mail From command. (Which is why "you" should have a simple "v=spf1 a -all" record for the A record of your sending systems as well as not having your sending systems HELO as your top level domain.)
Nope, define IP or network ranges of the systems allowed to send and you are done; it works properly and saves DNS requests or at least additional traffic (I faced all sorts of trouble in the past with hostnames in SPF in case of network trouble here and there, and never had a single SPF issue after switching all domains to IPv4 notation).
thelounge.net. 86400 IN TXT "v=spf1 ip4:91.118.73.0/24 ip4:89.207.144.27 -all"
rhsoft.net. 86400 IN TXT "v=spf1 ip4:91.118.73.0/24 ip4:89.207.144.27 ip4:62.178.103.85 ip4:85.124.176.243 -all"
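
The two-identity evaluation discussed in this thread, as an added example that is not part of the original message or of SpamAssassin's code: a simplified check_host() that understands only ip4 and all, run once for the HELO name and once for the MAIL FROM domain. The TXT table, the 192.0.2.10 client address, the user@example.net sender and the result-to-label mapping are constructed assumptions; the thelounge.net record is the one quoted above.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption, no network access).
TXT = {
    "smtp.example.net": ["v=spf1 ip4:192.0.2.10 -all"],   # HELO host publishes SPF
    "example.net": ["unrelated-verification-token"],       # MAIL FROM domain: no SPF
    "thelounge.net": ["v=spf1 ip4:91.118.73.0/24 ip4:89.207.144.27 -all"],
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, txt=TXT):
    """Simplified RFC 7208 check_host(): only ip4 and all are handled."""
    records = [r for r in txt.get(domain, [])
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"            # no SPF record at all: no statement about the sender
    if len(records) > 1:
        return "permerror"       # more than one SPF record is a publishing error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIER else "+"
        mech = (term[1:] if term[0] in QUALIFIER else term).lower()
        if mech == "all":
            return QUALIFIER[qual]
        if mech.startswith("ip4:"):
            # strict=False accepts a bare address as a /32 network
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIER[qual]
        else:
            return "permerror"   # mechanism outside the scope of this sketch
    return "neutral"             # record ended without a match and without "all"


def spf_labels(ip, helo, mail_from):
    """Evaluate both identities; labels follow the naming used in the thread."""
    helo_result = check_host(ip, helo)
    from_result = check_host(ip, mail_from.rsplit("@", 1)[-1])
    return ["SPF_HELO_" + helo_result.upper(), "SPF_" + from_result.upper()]


if __name__ == "__main__":
    # HELO host has a matching record, MAIL FROM domain has none: both labels fire.
    print(spf_labels("192.0.2.10", "smtp.example.net", "user@example.net"))
    # An address outside the published ip4 ranges fails against "-all".
    print(check_host("213.145.228.32", "thelounge.net"))
```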