Shawn Jones wrote:
> 
> I've set the following options in /etc/courier/bofh:
> opt BOFHSPFHELO=all
> opt BOFHSPFMAILFROM=pass,neutral,none,softfail,unknown
> opt BOFHSPFFROM=pass,neutral,none,softfail,unknown
> opt BOFHSPFHARDERROR=fail,softfail
> opt BOFHSPFTRUSTME=1
> opt BOFHSPFNOVERBOSE=1
> 
> Issue #1:
> Very few folks seem to pass the SPF for HELO, so I've found myself using
> the value 'all' for those few cases that the desired message might pass
> MAILFROM or FROM, but not HELO.

So have I. Probably it has never been made crystal clear that people
should define TXT records for each host (probably "v=spf1 +a -all").
See http://new.openspf.org/FAQ/The_demon_question

> Issue #2:
> Not everyone has implemented SPF (most annoyingly Yahoo mail), so I had
> originally set BOFHSPFMAILFROM and BOFHSPFFROM to 'pass,none,neutral'.  I
> noted that mail forwarded from other accounts was marked as 'softfail'

What field was marked softfail? When you forward mail you must replace
the MAIL FROM sender with something like [EMAIL PROTECTED].
(SRS's idea is to forward any resulting bounce to [EMAIL PROTECTED]. Luckily
Courier does not do so.)

At any rate, the internal FROM sender is considered the author and is
usually left alone. That's why there is a mailfromok. (One reason one
checks FROM is when MAILFROM is empty.)

> I added that to the list of values.  After I noticed that my mail server
> was denying specific legitimate mail messages from some of my mailing
> lists, I had to put in 'unknown' because this is how the SPF marked them
> and I wanted to get the messages.

I also allow 'error' for both FROM fields.

By doing SPF filtering you are doing a favor to the users of the domain(s)
specified in those fields. In fact, you save their domain name from abuse.
However, the domain owners must be smart enough to provide robust DNS servers
and good TXT records. When they succeed in putting a 'fail' on an address,
your server obeys. Isn't it that way?

> Issue #3:
> If I change BOFHSPFTRUSTME from 1 to 0, the local mail agent doesn't work
> at all.  I can't get my local log reports.  I realize it is almost
> meaningless to run SPF on one's self, but I wanted to see if my DNS
> entries were being correctly interpreted.  It makes sense that 127.0.0.1
> would not survive a DNS TXT lookup, so I guess I shouldn't have expected
> this to work well.

Most clients are not SPF-aware, and don't let users configure the HELO name.
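As an added illustration (not code from this thread or from Courier), a toy SPF evaluator over a constructed DNS table: it returns the Courier-style result names discussed above and shows how a BOFHSPF* list, or the value 'all', turns a result into accept/reject for the HELO and MAIL FROM identities. Only the a, ip4 and all mechanisms are implemented (anything else is reported as 'unknown'), the zone data and option names in `decide()` are assumptions for the example, and BOFHSPFHARDERROR is not modelled.

```python
import ipaddress

# Constructed DNS table for the example; these are not real zones.
DNS = {
    "example.org":      {"txt": "v=spf1 a ip4:192.0.2.0/24 ~all", "a": ["203.0.113.5"]},
    "mail.example.org": {"txt": "v=spf1 +a -all", "a": ["192.0.2.25"]},   # per-host record
    "nospf.example":    {"a": ["198.51.100.7"]},                           # no TXT: 'none'
    "broken.example":   {"txt": "v=spf1 exists:%{l}._spf.example -all"},  # unsupported here
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def mechanism_matches(mech, domain, ip):
    """True if one SPF mechanism matches the client IP for the checked domain."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "a":                      # a[:domain]: client IP is an A record of the domain
        target = arg or domain
        return str(ip) in DNS.get(target, {}).get("a", [])
    if name == "ip4":                    # ip4:cidr: client IP inside the network
        return ip in ipaddress.ip_network(arg, strict=False)
    raise ValueError(f"unsupported mechanism {name!r}")

def spf_check(domain, client_ip):
    """Evaluate the domain's SPF record for client_ip; returns a Courier-style result name."""
    record = DNS.get(domain, {}).get("txt")
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # no SPF record at all (the common HELO case)
    ip = ipaddress.ip_address(client_ip)
    try:
        for term in record.split()[1:]:  # evaluate mechanisms left to right, first match wins
            qual = term[0] if term[0] in QUALIFIERS else "+"
            if mechanism_matches(term.lstrip("+-~?"), domain, ip):
                return QUALIFIERS[qual]
    except ValueError:
        return "unknown"                 # permanent error in the record
    return "neutral"                     # record exhausted without a match

def bofh_accepts(option, result):
    """Apply one BOFHSPF* value: 'all' accepts every result, else the result must be listed."""
    return option == "all" or result in option.split(",")

def decide(helo, mailfrom_domain, client_ip, options):
    """Combine the HELO and MAIL FROM checks the way the quoted configuration does."""
    helo_result = spf_check(helo, client_ip)
    mf_result = spf_check(mailfrom_domain, client_ip)
    accepted = bofh_accepts(options["BOFHSPFHELO"], helo_result) and bofh_accepts(options["BOFHSPFMAILFROM"], mf_result)
    return accepted, helo_result, mf_result
```

With BOFHSPFHELO set to 'pass' instead of 'all', a sender whose HELO host has no TXT record is rejected on the 'none' result even when MAIL FROM passes, which is the behaviour the first issue describes.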



_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
