On Wed, 2012-01-04 at 12:51 -0800, nsayer wrote:

> I'm running a brand new installation of SA 3.3.2 with the Milter on FreeBSD
> 8.2.
> 
> Everything is going smoothly, for the most part (there seems to be one
> particular spammer who's evading SA, but whatever), but there's one little
> thing that bugs me slightly.
> 
> I use authenticated SMTP to send e-mail. The SPF records for my domain
> (kfu.com) basically say that mail must come from my mail server and nowhere
> else. However, my expectation is that my mail server should make an
> exception if (and only if) the mail is sent with SMTP AUTH.
> 
> However, such mail winds up getting SPF_FAIL in the SA report.
> 


Ummm, I know I'm still in holiday mode (at least for another 4 days
wahhhhh) but you're not making sense.
If they are using smtp auth, then the server is what gets the mail and
sends it, so, so long as that server is in your SPF RR entry, then the
receiving server should only care about that.

~$ host -t spf kfu.com
kfu.com has no SPF record

It is not the problem, but fix the above, as SPF in TXT is deprecated
and has been for years.

~$ host -t txt kfu.com
kfu.com descriptive text "v=spf1 mx -all"

As 'quack' is in the above, and so long as you are not using a smart
host, there is no reason, when sending via quack, that it should fail.



> Here's a received header example:
> 
> 
> Received: from {my laptop} ({hostname of NAT gateway it happens to be
> behind} [x.x.x.x])
>       (authenticated bits=0)
>       by quack.kfu.com (8.14.5/8.14.5) with ESMTP id q04K12lj052202
>       (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO)
>       for <nsa...@kfu.com>; Wed, 4 Jan 2012 12:01:05 -0800 (PST)
>       (envelope-from nsa...@kfu.com)
> 
> I assert that Mail::SPF should regard Received: headers that have the


It should only ever look at the connecting server, nothing else.

Further... get rid of sid-milter, what an abomination, I don't think even
micro$lop use sid anymore, last time I had to look into it.
This could be your problem.

Since you're using sendmail, try smf-spf.



Attachment: signature.asc
Description: This is a digitally signed message part
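
The two positions in this thread can be put side by side in code. The following is an added example, not part of either message and not code from SpamAssassin, Mail::SPF or any milter: it evaluates `v=spf1 mx -all` against the connecting IP only, and skips the check when the topmost Received header, written by the site's own MTA, carries sendmail's `(authenticated bits=N)` marker. The function names, the documentation IP addresses and the pre-resolved MX address are assumptions.

```python
import ipaddress
import re

# Constructed header modelled on the sendmail one quoted in the thread;
# 192.0.2.10 and 198.51.100.25 are documentation addresses, not real hosts.
AUTH_HDR = (
    "Received: from laptop.example (nat-gw.example [192.0.2.10])\n"
    "\t(authenticated bits=0)\n"
    "\tby quack.kfu.com (8.14.5/8.14.5) with ESMTP id q04K12lj052202\n"
    "\t(version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO)\n"
    "\tfor <user@example.com>; Wed, 4 Jan 2012 12:01:05 -0800 (PST)"
)
PLAIN_HDR = AUTH_HDR.replace("\t(authenticated bits=0)\n", "")

def parse_received(header):
    """Extract client IP, receiving host and AUTH marker from one header."""
    flat = re.sub(r"\r?\n[ \t]+", " ", header)  # unfold continuation lines
    ip = re.search(r"from\s+\S+\s+\((?:\S+\s+)?\[([0-9A-Fa-f.:]+)\]\)", flat)
    by = re.search(r"\sby\s+(\S+)", flat)
    return {
        "client_ip": ipaddress.ip_address(ip.group(1)) if ip else None,
        "by": by.group(1).lower() if by else None,
        "authenticated": bool(re.search(r"\(authenticated(\s+bits=\d+)?\)", flat)),
    }

def spf_mx_all(client_ip, mx_ips):
    """Result of 'v=spf1 mx -all' given the already-resolved MX addresses."""
    return "pass" if client_ip in {ipaddress.ip_address(a) for a in mx_ips} else "fail"

def spf_verdict(top_received, my_mta, mx_ips):
    """Decide the SPF outcome for the hop recorded in the topmost header.

    The AUTH marker is honoured only when our own MTA wrote the header;
    the same text in a header from any other host is sender-controlled.
    """
    hop = parse_received(top_received)
    if hop["client_ip"] is None:
        return "none"
    if hop["authenticated"] and hop["by"] == my_mta.lower():
        return "skipped-authenticated"
    return spf_mx_all(hop["client_ip"], mx_ips)

if __name__ == "__main__":
    mx = ["198.51.100.25"]  # assumed address of the domain's MX
    print(spf_verdict(AUTH_HDR, "quack.kfu.com", mx))
    print(spf_verdict(PLAIN_HDR, "quack.kfu.com", mx))
```
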