> I realized that the rules T_SPF_PERMERROR and T_SPF_TEMPERROR were never > hitting on my emails even though my Postfix log had multiple instances > of such errors, e.g. this timeout
Hmm, thats weird, they hit just fine over here... > > 2017-01-16 14:03:35-0500 [postfix] 10111.5ms ip=173.37.142.90 > h=alln-iport-3.cisco.comfrom=p...@cisco.com > to=u...@domain.com -> PREPEND Received-SPF: TempError (u...@domain.com: > temporary error in processing during lookup > of cisco.com) client-ip=173.37.142.90; envelope-from="p...@cisco.com"; > helo=alln-iport-3.cisco.com; > receiver=u...@domain.com; identity=mailfrom > > I did a bit of digging into the code and found that line 394 of the SPF > plugin > <https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_SPF.html> > checks for valid Received-SPF headers > > if ($hdr =~ > /^received-spf:\s*(pass|neutral|(?:soft)?fail|none)\b(?:.*\bidentity=(\S+?);?\b)?/i) > { > > Since /TempError/ and /PermError/ are not handled, the SPF is never > checked. Editing this regex to include them fixes the problem. > > Another aspect I find surprising is that T_SPF_HELO_PERMERROR and > T_SPF_HELO_TEMPERROR do hit regularly. My hypothesis is there is an > actual DNS lookup by the SPF module is used instead of the headers, but > I did not dig into the code enough to find out. > > Is this an issue that other people have experienced? I am using > spamassassin 3.4.1 and sa-update version svn1652181 > Are you sure you run 3.4.1? It looks like there were some changes related to temperror and permerror between 3.4.0 and 3.4.1. > -- > Olivier Coutu > >
