On 01/25/2018 02:19 PM, Reindl Harald wrote:


On 25.01.2018 at 20:45, David Jones wrote:
On 01/25/2018 01:19 PM, David Jones wrote:
On 01/25/2018 12:59 PM, Reindl Harald wrote:


On 25.01.2018 at 19:48, David Jones wrote:
Since very few sites can reject on SPF fails because SPF failures are so prevalent on legit email, I don't think this is happening in the real world.

says who?

  check_recipient_access proxy:hash:/etc/postfix/skip_spf_check.cf
  permit_dnswl_client dnswl-aggregate.thelounge.net=127.0.0.5
  permit_dnswl_client wl.mailspike.net=127.0.0.[19;20]
  permit_dnswl_client list.dnswl.org=127.0.[0..255].[2;3]
  check_policy_service unix:private/spf-policy

You are excluding a ton of clients from SPF checks with that config. How many total IPs are covered in your local dnswl-aggregate.thelounge.net whitelist?

My policyd-spf runs from the Postfix master.cf to add headers to all email for SA to examine.

If you are excluding hundreds of thousands of IPs in those 4 Postfix config lines, then that's not a legitimate claim to be rejecting SPF fails.

that's called a smart setup which prevents false-positives and using SPF in the mid-stage where the spf-policyd for SPF_PASS does a "permit" and hands over to the milters to save most of the generic stuff

You usually are very good with providing numbers so show us how many rejects are happening from SPF failure out of the total volume of email

not much, but that's not because of the whitelists but because postscreen filters out the majority long before smtpd even gets a connection

SPF_NONE which makes it to the milters gets a 0.5 penalty

current month

Connections:       215161
Postscreen WL:     20214 (9.39 %)
Delivered:         38684
Blocked:           176477
Invalid User:      858
Disallowed User:   16
Reject Postscreen: 90180
Reject Postfix:    6403
Reject Milter:     2188
Reject Temporary:  497
Greylisted:        1768
Blacklist:         89565
Pregreet:          75250
Hangup:            124674
Protocol Error:    118
Illegal Syntax:    2
SpamAssassin:      2184
Virus (Milter):    4
Virus (SA):        292
Helo:              263
Subject:           96
From:              20
Attachment:        1
Header Length:     5
Sender Regex:      1
Sender Blocked:    163
Sender Verify:     42
Sender Invalid:    61
Sender Spoofed:    46
Sender Parked:     0
Spam-TLD:          82
PTR Missing:       142
PTR Generic:       425
SPF:               155

It sounds like a good/solid setup but I am still thinking there are a lot of potential SPF failures being excluded by those 4 Postfix lines.

How many mailboxes do you filter for? Those numbers seem rather low so maybe a few hundred mailboxes?

--
David Jones
