Re: SPF confusion

Wed, 15 Jul 2015 13:53:04 -0700 

On Wed, 15 Jul 2015, Bowie Bailey wrote:
I am trying to use whitelist_auth to whitelist emails from staplesbilling.com. This should work, as they have an SPF record: 

$ dig staplesbilling.com txt +short
"v=spf1 a:hosts.rrdesp.com -all"
$ dig hosts.rrdesp.com a +short
162.27.43.121
162.27.247.118
162.27.247.119
162.27.247.120
162.27.247.121
162.27.43.107
162.27.43.118
162.27.43.119
162.27.43.120


But SA seems to be trying to find an SPF record for the connecting server 
rather than for the sending domain.



dbg: spf: checking to see if the message has a Received-SPF header that we 
can use

dbg: spf: using Mail::SPF for SPF checks
dbg: spf: checking HELO (helo=sr03a.SMTPNA11.rrdesp.com, ip=162.27.43.120)

dbg: spf: query for /162.27.43.120/sr03a.SMTPNA11.rrdesp.com: result: none, 
comment: , text: No applicable sender policy available
dbg: spf: already checked for Received-SPF headers, proceeding with DNS based 
checks
dbg: spf: relayed through one or more trusted relays, cannot use header-based 
Envelope-From, skipping
dbg: spf: def_spf_whitelist_from: already checked spf and didn't get pass, 
skipping whitelist check
dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, 
skipping whitelist check



Why is it looking for an SPF record for rrdesp.com?  That is the sending 
server, shouldn't it be using the domain from the From or Envelope-From 
instead?  This SPF check looks backwards to me.  Am I missing something?


SPF has two uses, one to validate the sending system (SMTP HELO checks) the
other is to validate Envelope-From address permissions (SMTP "mail from:" 
checks).
(see RFC-7208 section 2.3 & 2.4)

That 'dbg: spf: checking HELO' is the first check firing up and failing.
Your SA isn't finding a source of an Envelope-From address that it thinks that
it can trust, so the second set of checks aren't even being run.
Thus with no valid SPF results, the spf/auth whitelist checks are skipped.

How is SA glued into your mail system? Is there an explicit mechanism being
used to pass the Envelope-From address into your SA?
You need to make sure that SA has a relaible way to get the Envelope-From
address for your messages.


--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{























					Reply via email to