Mike Jackson wrote:
I may be way off here, but it seems odd that either Postfix or SA is treating the originating IP as an address to check against the SPF records. I use Sendmail, with SMTP-AUTH, and the mail I send to users on the same server does not trigger the SPF rules in SA even when the originating IP was not specified in the SPF record. You might try using SMTP-AUTH instead of (or alongside) POP-before-SMTP to see if it corrects the issue, as long as your users' mail clients will support it (and if their client doesn't support it, make them get a better mail client).

Ideally everyone would use SMTP-AUTH, but many, many, many, many, many sites still use POP-before-SMTP. Reasons range from the assumption that they'll avoid support costs, all the way to "admins" that don't know how their downloaded POP-before-SMTP script works, and are afraid to even attempt an SMTP-AUTH implementation. Of course there's a whole bunch of people in between.

Anyway (the reason why it works for you)... SA 3.0.2+ will automatically extend the trust boundary to SMTP-AUTH users (if the MTA records auth tokens in the headers). POP-before-SMTP requires use of the POPAuth plugin since there is no data in the received headers to automatically extend the trust boundary like with SMTP-AUTH.

Theo explained why the user's IP is checked if SA cannot determine that the message is from a trusted user.


Daryl
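
An added illustration of the point in the reply above (not code from the thread or from SpamAssassin): a simplified check for whether the Received header written by your own MTA carries an authentication token, which is the data POP-before-SMTP never leaves behind. The marker patterns, the hostname `mail.example.org`, the function name and the sample messages are constructed assumptions; SpamAssassin's own header parsing is more involved.

```python
import email
import re

# Auth tokens an MTA may record in its Received header (assumed set for this
# sketch): RFC 3848 "with ESMTPA"/"ESMTPSA", Sendmail "(authenticated bits=N)",
# Postfix "(Authenticated sender: user)".
AUTH_MARKERS = [
    re.compile(r"\bwith\s+ESMTPS?A\b", re.I),
    re.compile(r"\(authenticated\b[^)]*\)", re.I),
]
CLIENT_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def classify_submission(raw_message, our_mta):
    """Find the hop received by our_mta and report the client IP and whether
    the header carries an auth token. Returns None if our_mta wrote no hop."""
    msg = email.message_from_string(raw_message)
    for hop in msg.get_all("Received", []):
        hop = " ".join(hop.split())          # unfold continuation lines
        if f"by {our_mta} " not in hop:
            continue
        ip = CLIENT_IP.search(hop)
        return {
            "client_ip": ip.group(1) if ip else None,
            "authenticated": any(m.search(hop) for m in AUTH_MARKERS),
        }
    return None


# Constructed sample: SMTP-AUTH submission, Postfix-style header.
SAMPLE_SMTP_AUTH = (
    "Received: from laptop.example.net (unknown [192.0.2.10])\n"
    "\t(Authenticated sender: alice)\n"
    "\tby mail.example.org (Postfix) with ESMTPA id 4F1C2A;\n"
    "\tMon, 7 Feb 2005 10:00:00 -0500 (EST)\n"
    "From: alice@example.org\nSubject: test\n\nbody\n"
)
# Constructed sample: same client after POP-before-SMTP; nothing in the
# header distinguishes it from any other unauthenticated sender.
SAMPLE_POP_BEFORE_SMTP = (
    "Received: from laptop.example.net (unknown [192.0.2.10])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 4F1C2B;\n"
    "\tMon, 7 Feb 2005 10:05:00 -0500 (EST)\n"
    "From: alice@example.org\nSubject: test\n\nbody\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_SMTP_AUTH, SAMPLE_POP_BEFORE_SMTP):
        print(classify_submission(raw, "mail.example.org"))
```

For the second sample the only thing a filter can see is the client IP, which is why that address ends up being the one compared against the SPF record.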
