http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5567

           Summary: Faulty SPF_HELO_FAIL processing.
           Product: Spamassassin
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Rules
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: [EMAIL PROTECTED]


A correctly configured SPF record may look like this:

example.com            "v=spf1 mx ?all"
server1.example.com    "v=spf1 -all"

The above indicates that emails of the format [EMAIL PROTECTED] are
valid (when originating from the MX servers for example.com), but
emails of the format [EMAIL PROTECTED] never exist. 

SpamAssassin is incorrectly using the mail server SMTP greeting's
host name to query SPF records for email address domains; however, in
almost all cases, the server's host name is not an acceptable suffix
for email addresses.

In order to verify a server HELO domain via SPF, you need to:
A) look up the MX servers for the MAIL FROM domain
B) consider only such servers as those that are authorized in the SPF
   record for the MAIL FROM domain,
C) and check that the HELO domain is one of those MX servers.

Depending on whether or not the MAIL FROM domain's SPF record includes
A or PTR or IP4/IP6 addresses - processing in step (C) may be more
complicated.

There is no such thing as an SPF record for a mail server hostname,
only for email address domains, thus the need for the several
processing steps needed to do a verification.
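
The following sketch is an added example, not part of the bug report and not SpamAssassin's code. It shows what a receiver that evaluates SPF separately for the HELO and MAIL FROM identities returns for the two records quoted in the report. The MX host mapping, the IP addresses (documentation ranges) and the sender address are constructed assumptions, and only the `mx` and `all` mechanisms are handled.

```python
# Constructed DNS data (assumption): the two TXT records are the ones quoted
# in the report; the MX mapping and the documentation-range IPs are made up.
TXT = {
    "example.com": "v=spf1 mx ?all",
    "server1.example.com": "v=spf1 -all",
}
MX = {"example.com": ["server1.example.com"]}
A = {"server1.example.com": ["192.0.2.10"]}

# SPF qualifier -> result when the mechanism it prefixes matches.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip):
    """Evaluate the SPF record published at `domain` for `client_ip`."""
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF record published for this name
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            matched = True
        elif mechanism == "mx":
            # Matches when the client IP belongs to one of the domain's MX hosts.
            hosts = MX.get(domain, [])
            matched = any(client_ip in A.get(h, []) for h in hosts)
        else:
            raise ValueError(f"mechanism not handled in this sketch: {mechanism}")
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched


def evaluate(client_ip, helo, mail_from):
    """Return the SPF result for each identity checked by the receiver."""
    return {
        "helo": check_spf(helo, client_ip),
        "mail_from": check_spf(mail_from.rsplit("@", 1)[1], client_ip),
    }


if __name__ == "__main__":
    # Constructed session: the MX host greets with its own host name.
    print(evaluate("192.0.2.10", "server1.example.com", "user@example.com"))
```

With these records the HELO identity evaluates to `fail` even when the connection comes from the authorized MX host, which is the situation in which SPF_HELO_FAIL fires.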