On 01/25/2018 01:19 PM, David Jones wrote:
On 01/25/2018 12:59 PM, Reindl Harald wrote:
Am 25.01.2018 um 19:48 schrieb David Jones:
Since very few sites can reject on SPF fails because SPF failures are
so prevalent on legit email, I don't think this is happening in the
real world.
says who?
check_recipient_access proxy:hash:/etc/postfix/skip_spf_check.cf
permit_dnswl_client dnswl-aggregate.thelounge.net=127.0.0.5
permit_dnswl_client wl.mailspike.net=127.0.0.[19;20]
permit_dnswl_client list.dnswl.org=127.0.[0..255].[2;3]
check_policy_service unix:private/spf-policy
You are excluding a ton of clients from SPF checks with that config. How
many total IPs are covered in your local dnswl-aggregate.thelounge.net
whitelist?
My policyd-spf runs from the Postfix master.cf to add headers to all
email for SA to examine.
If you are excluding hundred's of thousands of IPs in those 4 Postfix
config lines, then that's not a legitimate claim to be rejecting SPF fails.
You usually are very good with providing numbers so show us how many
rejects are happening from SPF failure out of the total volume of email.
--
David Jones