>>> On 02/10, email builder wrote: >>>> > I believe for SPF you *should* be doing the detecting at your >>>> > MTA >>>> > (mail server software) and inserting a header for >>>> > spamassassin to use: >>>> > Received-SPF. (Because SPF is supposed to use the >>>> > "envelope from", >>>> > which is not necessarily included in a header.) >>>> >>>> I see. That makes sense. Is there a wiki page suggesting solutions >>>> for this? Anyone know of tips for doing this in postfix? Or during >>>> amavis >>>> processing? >>> >>> I use postfix-policyd-spf-perl. >>> Which appears to currently be officially hosted at: >>> https://launchpad.net/postfix-policyd-spf-perl/ >> >> Thanks for that, although see my last post - do you know if the SPF tests >> only know how to look for that Received-SPF header or can use the envelope >> sender if it's present? > > If your MTA provides sufficient info for SA to determine the envelope sender > that is enough.
I agree and I've done some more research and found that Postfix adds the envelope sender as a "Return-Path" header (its pipe and virtual delivery agent at least do this). So I *do* have a header in my messages with the envelope sender. Either the SPF rules don't know how to look for "Return-Path" (which would surprise me given that it is quasi-standard and highly used) or I have some other problem. Will some rules not fire if some condition exists based on other rules? > I've been using sendmail+milter+sa for years > with SPF & DKIM rules and never had any kind of special MTA added > 'Received-SPF' header. OK, good. > One thing that -is- a factor; sa depends upon specific perl modules > for that functionality; DNS, SPF, & DKIM modules (EG Net::DNS, Mail::DKIM, > Mail::SPF ), and 'loadplugin' statements in the correct ".pre" > files. I think I forgot to reply to the hints on checking for the SPF module earlier in this thread, but I do have it installed. And the SPF plugin is loaded from init.pre (is that OK?). > Occasionally issues arise with problematic versions of those modules. > For example, search this list archive for disussions about problems caused by > buggy versions of the DNS module. > > If you execute the test: > % spamassassin --lint -D 2>&1 | grep -i -E 'spf|dkim|dns' > > [snip ...] > > If you don't see those 'plugin: loading' lines for SPF & DKIM, > then there's your problem. Either they're not installed on your system > in a way that SA can find them, wrong verions, or not invoked by > 'loadplugin' statements. Thanks that was helpful, and I did in fact find the "plugin loading" for the SPF plugin, so it's there, but I'm not getting hits on messages from Gmail which does use SPF. Hmmm any other suggestions anyone? Thanks for the excellent help so far!
