Re: SPF_HELO_PASS,SPF_NONE

Wed, 07 Jan 2015 08:11:07 -0800 


Am 07.01.2015 um 16:27 schrieb RW:

On Wed, 07 Jan 2015 15:01:56 +0100
Reindl Harald wrote:


Am 07.01.2015 um 14:47 schrieb Matus UHLAR - fantomas:

what if there would be SPF_HELO_FAIL?


SA would not be called at all


Maybe you could disable checking SPF_HELO, but some of us don't
want that.


the question is who are "some" and who are the majority
you can even socre "SPF_HELO_SOFTFAIL" and "SPF_HELO_FAIL" *without*
end in "SPF_HELO_PASS,SPF_NONE"

meta __SPF_FULL_PASS 0
meta __SPF_RANDOM_SENDER 0
score SPF_HELO_PASS 0
score SPF_NONE 0.05
score SPF_PASS -0.05
score SPF_HELO_SOFTFAIL 0.5
score SPF_HELO_FAIL 1.5


You can _NOT_ know if SPF HELO fails before you do the test


if it fails the message get rejected before SA


Your original point was that it's technically incorrect to perform an
spf helo test in the absence of an envelope policy. And you
specifically made that point about my example involving an
SPF_HELO_FAIL.

In any case the test still has to be run for SPF_HELO_SOFTFAIL, so you
don't avoid an spf test by suppressing  SPF_HELO_PASS.



if i could change the dependencies i would do the whole test only if the 
envelope-sender has a SPF record which is already in the local resolver 
cache and that way save the test, avoid "SPF_HELO_PASS,SPF_NONE" and 
also skip the two meta-tests


"SPF_FULL_PASS" as example is impossible without a envelope policy


what i want to avoid is such envelope-independent tests giving a
message pointless positive karma


For the umpteenth time it's a nominal score to make sure that the rule
is run and can be seen in logs and headers. It's not "karma" and it
doesn't "revoke the intended little penalty for SPF_NONE" because that's
another nominal rule score. A lot of rules have nominal scores, only a
handful are negative.

When was the last time you saw a classification fail due to nominal
scores



likely not, but i can't know about every mail if it reached the 
milter-reject caused by the summary of tests



the "T_RP_MATCHES_RCVD" as it was non-testing as "RP_MATCHES_RCVD" gave 
indeed false negatives multiple times as well some DNSWL was or are too 
friendly scored





Attachment:
signature.asc

Description: OpenPGP digital signature



























					Reply via email to