Hi,
I'm trying to sort out a spamassassin issue, using spamass-milter.
Submitted email is failing SPF checks, as spamassassin is seeing the IP
address of the mail client and - it fails SPF as you'd expect.
I think this is due to a mis-configuration of my setup of the SMTP
submission stuff in postfix (TCP/587).
I think, but am not clear, that SASL-authenticated connections shouldn't
get run through milters? If you do this :
submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# Instead of specifying complex smtpd_<xxx>_restrictions here,
# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
# here, and specify mua_<xxx>_restrictions in main.cf (where
# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
# -o smtpd_client_restrictions=
# -o smtpd_helo_restrictions=
# -o smtpd_sender_restrictions=
# -o smtpd_relay_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
Something about the milter_macro_daemon_name directive anyway? I haven't
had much luck understanding the doco for this.
So some (most!) of my users, who are using mail clients, not our locally
attached webmail stuff, are getting flagged as failing SPF when I
don't think they should be.
What've I done wrong? Why is spamassassin seeing the IP address of the
mail client?
Thank you!
Carl
postconf -n :
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
compatibility_level = 3.6
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = /usr/local/share/doc/postfix
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
meta_directory = /usr/local/libexec/postfix
milter_default_action = accept
myhostname = rollcage13.aboc.net.au
mynetworks = 203.6.241.0/24, 127.0.0.0/8
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
postscreen_access_list = permit_mynetworks, cidr:/usr/local/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_sites = zen.spamhaus.org*1 bl.spamcop.net*1 bl.spameatingmonkey.net*2 dnsbl.ahbl.org*2 bl.spamcop.net dnsbl.sorbs.net dnsbl-1.uceprotect.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
smtpd_milters = unix:/var/run/clamav/clmilter.sock,unix:/var/run/spamass-milter.sock
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_tls_cert_file = /usr/local/etc/letsencrypt/live/rollcage13.aboc.net.au/cert.pem
smtpd_tls_key_file = /usr/local/etc/letsencrypt/live/rollcage13.aboc.net.au/privkey.pem
smtpd_tls_security_level = may
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
virtual_mailbox_domains = /usr/local/etc/postfix/virtual_recipient_domains
virtual_mailbox_maps = socketmap:unix:/var/imap/socket/smmap:smmapd
virtual_transport = lmtp:unix:/var/imap/socket/lmtp
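
Added example, not part of the message above and not Postfix code: a Python sketch of how the -o overrides in the posted submission entry combine with the posted main.cf values, to show which milters that service ends up with. The function names and the simplified -o parsing (no quoted or {braced} values) are assumptions of this example.

```python
import re

# Constructed from the post: the submission entry (continuation lines
# indented, as master.cf requires) and three values from its postconf -n.
MASTER_CF = """\
submission inet n - n - - smtpd
#  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
"""
MAIN_CF = {
    "smtpd_tls_security_level": "may",
    "smtpd_sasl_auth_enable": "yes",
    "smtpd_milters": "unix:/var/run/clamav/clmilter.sock,"
                     "unix:/var/run/spamass-milter.sock",
}

def master_overrides(text, service):
    """Collect the -o name=value overrides of one master.cf service."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # indented: continues the entry
        else:
            logical.append(raw.strip())  # column 0: starts a new entry
    for entry in logical:
        fields = entry.split()  # fields[7] is the command, the rest its args
        if len(fields) >= 8 and fields[0] == service:
            return dict(re.findall(r"-o\s+(\w+)=(\S*)", " ".join(fields[8:])))
    return {}

def effective(text, service, main_cf=MAIN_CF):
    """main.cf values with the service's master.cf overrides applied."""
    merged = dict(main_cf)
    merged.update(master_overrides(text, service))
    return merged

def milters(text, service):
    """Milter sockets the service hands mail to (empty list if none)."""
    value = effective(text, service).get("smtpd_milters", "")
    return [m for m in re.split(r"[,\s]+", value) if m]

if __name__ == "__main__":
    print("submission milters:", milters(MASTER_CF, "submission"))
```

For the posted entry the result still lists both milter sockets, because smtpd_milters is not among the overrides; milter_macro_daemon_name only sets the {daemon_name} macro value that Postfix passes to the milters.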