Re: Spamassassin and SPF

Mon, 10 Jul 2006 16:11:41 -0700 


On 10-Jul-06, at 5:49 PM, Daryl C. W. O'Shea wrote:
If the MSA in question is *ONLY* an MSA, you're easiest quickest fix is to just not trust it (or mark it as trusted but not internal).
If I'm understanding you correctly, I'm fairly new to this, then no, the MSA (Mail Submission Agent) is also the MTA (Mail Transfer Agent.) All mail for the domains in question are received and delivered by this one server. 

trusted_networks lists my public and private IP addresses (WAN & LAN)
internal_networks lists only private IP addresses (LAN)
I think that's how those are suppose to work. I haven't bothered to try and list the IPs where outside users may connect from since that can be anywhere.
If SA is running on that host, or it's also doing another mail function, MX or intermediate relay, etc., then describe your mail topology and we'll help you out.
Okay, this one server is running Postfix, Amavisd-new, Spamassassin, ClamAV, pretty standard stuff. This server does not relay to any other servers for mail delivery and is not a relay for any servers. Both incoming and outgoing mail is handled by Postfix which hands it off to Amavisd-new which calls Spamassassin and ClamAV to scan the message. Clean email is handed back to Postfix to complete delivery. Bad email is quarantined by Amavis-new. At least that's my understanding of how it works.
Generally, because of SPF, all users submit directly to this server and all outgoing email for the domains handled by this server are delivered directly by this server, no relays involved. Fairly simple stuff and it all works as expected except for SA. 



Daryl



This is what I'm seeing if it helps.
0.9 SPF_FAIL SPF: sender does not match SPF record (fail) [SPF failed: Please see http://www.openspf.org/why.html? sender=dmaguire% 40maguiremarketing.com&ip=24.42.90.104&receiver=server.pixelpointstudios .lan] 

maguiremarketing.com is hosted by the server in question.
24.42.90.104 is the IP address that he is connecting from. In this case it's the IP assigned dynamically to his router by his cable company (ISP).
Like I said the Postfix policy daemon that checks SPF correctly ignores this IP address as it represents the MUA (Mail User Agent.) I guess I'm expecting SA to know that as well but I guess it doesn't. 



--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6

T: 416-247-7740
F: 416-247-7503

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to