Ben Lentz wrote:
The message is sent from [EMAIL PROTECTED] to [EMAIL PROTECTED]
but shows up with no SPF information. Are you saying that the SPF
records are supposed to be published along with the sending mail
server's A record instead of with the domain? Like if the MX for
channing-bete.com was smtp.channing-bete.com, then the SPF record should
be returned from "dig smtp.channing-bete.com txt" and not "dig
channing-bete.com txt"? This seems quite off from how gmail, yahoo, aol,
microsoft, etc systems are publishing their records.
(lots of background -- skip to the last line for the solution)
To be consistent with the proposed standard (which hasn't changed in
this respect) ANY host that sends mail should have an SPF record if you
want it to pass an SPF_HELO_* check. Further, EVERY host is supposed to
have a record if you want to publish that your 'other' hosts shouldn't
be sending mail. I wouldn't worry too much about SPF_HELO_* checks though.
Regular SPF_* checks though, the ones that check against the return-path
address, can be a little more complicated (and are actually a little
broken in SA).
For mail from the registered domain SA works properly, and checks the
SPF record found at IN TXT domain.com. In the case of an address like
[EMAIL PROTECTED] SA (AFAIK) doesn't follow the standard and
doesn't check the SPF record which _could be_ at IN TXT
subdomain.domain.com. before checking the one at IN TXT domain.com.
Anyway... all that really applies in your case is that SA should be (if
you tell it to) checking the SPF record found at IN TXT gmail.com. for
mail from [EMAIL PROTECTED] The problem is you're not telling it to
check any SPF records (for non-helo checks).
This seemingly used to work so nicely! Can I swap back my
SpamAssassin/Plugins/SPF.pm from SA 3.0.4?
You seemingly either changed your network setup (moving your SA scan
from the first hop to the second) when upgraded to 3.1.0 or you
seemingly though it was working when it wasn't. ;)
SpamAssassin will refuse to do SPF_* checks if the mail has been passed
through internal (to your network) relays -- just in case one of these
relays might alter the return-path (fetchmail, etc.).
If you are sure that your mail relays will not alter the return-path
(most normal SMTP hops won't) you can force SA to act as you'd expect it
to by adding the following line to your local.cf file.
always_trust_envelope_sender 1
Daryl
