Ricardo Kleemann writes:
Ok, thank you.

As I'm trying to better understand how to properly use SPF in courier, I was wondering how the pythonfilter spfcheck works compared to courier's SPF.

Your time is better spent understanding Courier's support. The spf pythonfilter is really only intended as an example on which someone can build a custom filter.

So can someone help me understand? I'm having trouble getting Courier SPF to work.

As I mentioned in a previous email, I have this configuration:

opt BOFHSPFHELO=pass
opt BOFHSPFMAILFROM=pass,mailfromok
opt BOFHSPFFROM=pass
opt BOFHSPFTRUSTME=1

Here's my spf config in DNS:

americasnet.com. IN TXT "v=spf1 a mx a:email1.americasnet.com a:server1.americasnet.com a:server2.americasnet.com mx:americasnet.com ~all"

But after I changed the bofh settings, my mail.log is filled with errors like this:

Mar 2 11:32:27 email1 courieresmtpd: error,relay=::ffff:72.34.231.91,from=<>: 417 SPF none server1.americasnet.com: Address does not pass the Sender Policy Framework
That's because there is no TXT record for server1.americasnet.com, and you did not include "none" in the acceptable SPF policy for the HELO address.
So certainly I must have something incorrectly configured for the domain.
Removing "none" from the SPF means that you will not accept mail from domains without SPF records. You are restricting your incoming mail only to those domains that have valid SPF records. Which is likely the wrong thing to do, in this day and age.
This shouldn't be difficult to understand. SPF processing can be described in a few short paragraphs:
* There are three addresses whose SPF status is evaluated: the MAIL FROM address, the return address; the address in the From: header; and the HELO address. They correspond to the three BOFHSPF variables.
* Evaluating an SPF policy for an address produces one of the following results: none, neutral, pass, fail, softfail, error, or unknown. If the result is included in the corresponding BOFHSPF variable, the policy result is accepted. If any SPF result for any one of the three addresses produces a result that's not listed in its corresponding BOFHSPF variable, the message gets rejected.
That's it, in a nutshell. That tells you exactly what happens. Now, there are also various secondary details -- "off" disables SPF checking; "all" is an alias for all possible results, so no matter what the SPF result is, it's acceptable (and gets recorded in the headers, presumably for some other mail filter to chew on); the "mailfromok" exception; and a couple of others. They are described in the courier man page.
_______________________________________________ courier-users mailing list [email protected] Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
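The acceptance rule described in the reply above, as an added Python sketch (not Courier's code and not part of the original message). It models only what the message states: per-address keyword lists, "off" and "all"; other keywords such as "mailfromok" are ignored here, an unset variable is assumed to mean "off", and the SPF results other than the HELO "none" from the quoted log line are constructed.

```python
# Added example: a model of the BOFHSPF* decision rule described in the message.
SPF_RESULTS = {"none", "neutral", "pass", "fail", "softfail", "error", "unknown"}

def parse_policy(value):
    """Turn a BOFHSPF* keyword list into (enabled, accepted_results)."""
    keywords = {k.strip().lower() for k in value.split(",") if k.strip()}
    if "off" in keywords:
        return False, set()           # "off" disables the check for this address
    if "all" in keywords:
        return True, set(SPF_RESULTS)  # "all" is an alias for every result
    # Keywords outside the result list (e.g. "mailfromok") are not modeled here.
    return True, keywords & SPF_RESULTS

def evaluate(config, results):
    """Return (accepted, rejections): the message is rejected if any checked
    address yields a result not listed in its corresponding variable."""
    rejections = []
    for var, result in results.items():
        # Assumption: a variable that is not set is treated as "off".
        enabled, accepted = parse_policy(config.get(var, "off"))
        if enabled and result not in accepted:
            rejections.append((var, result))
    return (not rejections, rejections)

# Configuration quoted in the message.
CONFIG_FROM_PAGE = {
    "BOFHSPFHELO": "pass",
    "BOFHSPFMAILFROM": "pass,mailfromok",
    "BOFHSPFFROM": "pass",
}
# HELO result taken from the quoted log line; the other two are constructed.
SAMPLE_RESULTS = {
    "BOFHSPFHELO": "none",
    "BOFHSPFMAILFROM": "pass",
    "BOFHSPFFROM": "pass",
}
# Same configuration with "none" added to the acceptable HELO results.
CONFIG_WITH_NONE = dict(CONFIG_FROM_PAGE, BOFHSPFHELO="pass,none")

if __name__ == "__main__":
    for name, cfg in (("as posted", CONFIG_FROM_PAGE), ("with none", CONFIG_WITH_NONE)):
        ok, why = evaluate(cfg, SAMPLE_RESULTS)
        print(name, "->", "accept" if ok else "reject", why)
```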
