On 5/26/2006 8:58 PM, klaus thorn wrote:
> Hi spamassassin crowd,
>
> can I configure spamassassin to not do SPF check for certain
> domains?

No, but if you don't want to check mail against your own SPF records you
could use split views in your DNS... with your internal (or mail server
facing) view omitting your SPF records.

> I assume that spf whitelisting is doing something else:
> after a successful spf check, classify the mail as ham.

Of course. Whitelisting just because an SPF record is present, alone,
would be silly. ;)

> Why I want to do this:
>
> [EMAIL PROTECTED] is sending to
> [EMAIL PROTECTED] Andy is somewhere (home/office/congress)
> using often changing IP addresses. To compensate for this,
> he uses the server example.com to relay all mail,
> (authenticating by SASL = name+password)
> which is good for SPF when sending
> to outsiders, because all mail gets handed out by example.com,
> so outsiders will get positive results from SPF checks.
> ( SPF record for example.com is v=spf1 a ~all )
>
> But the mail to Betty does not get relayed to the outside,
> since it is delivered to Betty on the example.com server.
> Thus the IP address being tested by SPF is the changing
> IP address of Andy's locations' providers.
> The SPF tests of Betty's spamassassin
> (also on the server example.com) fails (SPF_SOFTFAIL)
> and the two co-workers have troubles mailing to each other.
>
> And there are more co-workers, some with different
> dial-up IPs, providers, etc. so I could never hope
> to have up-to-date SPF records containing them all.
>
> In fact this seems to be a common case to me.
>
> So the only solution with one server seems to
> me that I tell spamassassin to not do the check
> for the local domain(s).

There's always the possibility of having a separate MSA service running
on the same physical server that relays to your MX service.
Or... as long as you use one of the fine MTAs that support RFC 3848 auth
tokens, or even a Sendmail like auth line, SpamAssassin 3.0.2+ will (as
Magnus mentioned) extend the trust boundary to the authenticated user
provided that you already have a properly configured trusted_networks
configuration.
Daryl
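
A simplified model of the trust-boundary behaviour described in the reply above, added here as an example; it is not SpamAssassin's code and not part of the original message. The mail server address 192.0.2.10, the function names and the sample Received headers are constructed assumptions.

```python
import ipaddress
import re

# Assumption: the mail server's own address (documentation range), as it
# would be listed in trusted_networks.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.10/32")]
# RFC 3848 "with" keywords that mean the client authenticated via SMTP AUTH.
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA"}

CLIENT_IP = re.compile(r"\bfrom\s.*?\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", re.S)
WITH_PROTO = re.compile(r"\bby\s+\S+.*?\bwith\s+([A-Za-z0-9]+)", re.S)

# Constructed sample: Andy submits from a dynamic IP after SASL authentication.
AUTHENTICATED = ("from laptop (unknown [198.51.100.23])\n"
                 "\tby mail.example.com (Postfix) with ESMTPA id 4F2A1B;"
                 " Fri, 26 May 2006 20:41:00 +0200")
# Same hop, but the MTA records no auth token.
PLAIN = AUTHENTICATED.replace("with ESMTPA", "with ESMTP")


def parse_received(header):
    """Return (client_ip, protocol) from one Received header value."""
    ip = CLIENT_IP.search(header)
    proto = WITH_PROTO.search(header)
    return (ip.group(1) if ip else None,
            proto.group(1).upper() if proto else None)


def spf_subject(received_headers):
    """Walk Received headers newest-first and return the client IP that SPF
    would be evaluated against, or None if every hop is inside the boundary."""
    for header in received_headers:
        client_ip, proto = parse_received(header)
        if client_ip is None:
            return None  # hop without a client IP (e.g. local): nothing to test
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in TRUSTED_NETWORKS):
            continue  # trusted relay: believe the header it wrote next
        if proto in AUTH_PROTOCOLS:
            continue  # authenticated submission extends the trust boundary
        return client_ip  # first untrusted hop: this is what SPF tests
    return None
```

Because the walk stops at the first untrusted hop, an auth token in a header written by an outside host is never consulted; only tokens recorded by the local, trusted MTA extend the boundary.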