Jo Rhett wrote:
I'm trying to figure out how to stop SPF_FAIL on messages generated on an internal rfc1918 network and routed through a trusted host.

Host A: generates mail, origin IP 10.x.x.x

Host B: relays mail for Host A, to Host C

Host C: receives mail, marks SPF_FAIL

Host B is both in the valid SPF record, and in trusted networks.

Example:

Host A: 10.0.0.1 generates e-mail, routes via Host B

Host B: has outside IP 64.13.143.16

Host C: sees message from Host B, sees Host B is valid SPF sender, sees Host B is trusted Host

_APPARENTLY_ skips to the next Received header because B is trusted.

That is correct, SPF checks are applied to the first untrusted host. The question here would be if 10.x.x.x is in fact an internal, and presumably trusted, network, why isn't it trusted?

Also, presuming we're talking about your own domain, why aren't you using split DNS and declaring 10.x.x.x as a valid source in your internal SPF record (but not the one you expose to the outside world)?


Received: from arran.svcolo.com (arran.sc.svcolo.com [64.13.143.17]) by kininvie.sv.svcolo.com (8.14.1/8.14.1) with ESMTP id m5K2o3it016795 for <[EMAIL PROTECTED]>; Thu, 19 Jun 2008 19:50:03 -0700 (PDT) (envelope-from [EMAIL PROTECTED])

Received: from apc0.sv.svcolo.com (apc0.sv [10.0.0.1]) by arran.svcolo.com (8.13.8/8.13.4) with SMTP id m5K2o1sL002910 for <[EMAIL PROTECTED]>; Thu, 19 Jun 2008 19:50:02 -0700 (PDT) (envelope-from [EMAIL PROTECTED])

X-Spam-Status: Yes, score=4.157 tagged_above=-10 required=4 tests=[AWL=0.656, NORMAL_HTTP_TO_IP=0.001, SPF_FAIL=3.5

Obviously, putting 10/8 into the published SPF record makes no sense at all, nor does adding 10/8 to the trusted_networks.

Why do neither of those options make sense? I do both in my network, albeit that version SPF is only in my internal view, and I actually use 10.xx.0.0/16 not 10/8. (I only use a /16, not the whole /8)

Is there some detail that's missing here? i.e., do you have a compelling reason to not trust your internal hosts using 10/8?


So... how can I say "I trust Host B so much that I don't want to go any farther for SPF checks?"

Modify the SPF code. There's no such option at present.
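The relay walk discussed in this thread, as an added illustration (a simplified model, not SpamAssassin's code and not something posted by either participant): it walks the Received headers newest-first and returns the first connecting IP outside `trusted_networks`, which is the host SPF gets checked against. The function names are hypothetical, the first header list is trimmed from the thread's headers, and the second list (with 203.0.113.5) is constructed.

```python
import ipaddress
import re

# Received headers from the thread, newest first, trimmed to "from ... by ...".
THREAD_HEADERS = [
    "from arran.svcolo.com (arran.sc.svcolo.com [64.13.143.17]) by kininvie.sv.svcolo.com",
    "from apc0.sv.svcolo.com (apc0.sv [10.0.0.1]) by arran.svcolo.com",
]

# Constructed sample: an outside host connects directly and prepends a fake
# lower header claiming an internal 10.x origin.
FORGED_HEADERS = [
    "from mail.example.net (mail.example.net [203.0.113.5]) by kininvie.sv.svcolo.com",
    "from apc0.sv.svcolo.com (apc0.sv [10.0.0.1]) by arran.svcolo.com",
]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(received):
    """Connecting IP recorded in each Received header, newest first."""
    ips = []
    for header in received:
        match = IP_IN_BRACKETS.search(header)
        if match:
            ips.append(ipaddress.ip_address(match.group(1)))
    return ips


def first_untrusted_relay(received, trusted_networks):
    """Return the first relay IP outside trusted_networks, or None.

    None means every relay was trusted, so no host is left to SPF-check.
    The walk stops at the first untrusted hop: headers below it were
    written by a host we do not trust and are never consulted.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in relay_ips(received):
        if not any(ip in net for net in nets):
            return str(ip)
    return None


if __name__ == "__main__":
    only_b = ["64.13.143.17/32"]
    b_and_internal = ["64.13.143.17/32", "10.0.0.0/8"]
    print("B trusted only:    ", first_untrusted_relay(THREAD_HEADERS, only_b))
    print("B and 10/8 trusted:", first_untrusted_relay(THREAD_HEADERS, b_and_internal))
    print("forged 10.x header:", first_untrusted_relay(FORGED_HEADERS, b_and_internal))
```

With only Host B trusted the check lands on 10.0.0.1, which is the SPF_FAIL in the thread; with the internal range trusted as well there is no untrusted hop left, while a forged internal header behind an outside connection is never reached.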

