c
On 17/04/2023 04:33, Ian Z via Exim-users wrote:
On Sun, Apr 16, 2023 at 07:11:51PM +0100, Sebastian Arcus via Exim-users wrote:
One thing I have to try and figure out is how Spamassassin does the
SPF checks. Does it look at all the Received: headers, and if at
least one of them matches one of the SPF records, then it's all
fine? Because if that's how it works, SA checks should pass even if
done on the back-end Exim server.
I don't think it would work by default. SA has a concept of "trusted"
Received headers (because, of course, in general spammers can and do
forge headers) and by default only the first is trusted, ie. the one
added by the MTA that ultimately called SA. I think there is a way to
tweak the trusted setting, but
Thank you very much for that. It would make sense - all Received:
headers before the latest one in the chain could be added by spammers
manually.
I looked it up and it seems that Exim can be told not to add a Received:
header when handling email - by configuring in the corresponding transport:
received_header_text = ""
I'm not entirely happy with the idea of interfering with the record of
message flow - but I guess it remains an option. I might just add a
custom header instead, so that I will know the message has been through
the front-end machine - for diagnostic purposes.
- configuration of SA is complex (though not as much as exim, lol)
- I don't know if that would actually change the SPF result.
I couldn't agree more. I am permanently scarred emotionally from
installing and configuring SpamAssassin for the first time - and even
after years of working with it I don't feel like I've managed to tame it :-)
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
