On 09.12.2015 at 17:30, Alex wrote:
> Hi,
>
>>> My main problem is understanding how to build a rule to block spoofing attempts against my own domain? Do I need to build a meta that combines envelope FROM with SPF_FAIL?
>>
>> first: spoofing protection is *only* about envelope and not about the visible From-header (spoofing protection based on the header kills
>
> Yes, I understand that as well, and mentioned that earlier.
>
>> second: spoofing protection belongs in the MTA long before spamassassin
>>
>> why?
>
> Yes, I agree, and also mentioned that, but I wanted to understand the SPF rules from within spamassassin.
>
>> * spoofing protection has *nothing* to do with SPF
>
> What? That's exactly what SPF was designed to prevent - spoofing of the envelope sender.

bla - i don't need SPF on a MX to know if my own envelope comes from outside - nobody is doing this via SPF just because it's a different world when someone spoofs my own domain compared to a random message where the admin probably forgot a machine in his SPF

>> smtpd_recipient_restrictions = reject_unlisted_recipient
>>  reject_unauth_destination
>>  reject_non_fqdn_recipient
>>  reject_non_fqdn_sender
>>  reject_non_fqdn_helo_hostname
>>  reject_invalid_helo_hostname
>>  check_sender_access hash:/etc/postfix/spoofing_protection.cf
>>
>> /etc/postfix/spoofing_protection.cf:
>> domain1 REJECT Sender Spoofed
>> domain2 REJECT Sender Spoofed
>> domain3 REJECT Sender Spoofed
>
> I'm using postfix, as I mentioned, and understand I can do this, and know how. Please help me understand why SPF_FAIL would not be triggered when an incoming email using my domain is received by a server that is not in my SPF record

it would be triggered, but since SA is a scoring system there is no point in letting messages spoofing your own envelopes come so far that they touch the contentfilter

since you say "I wish I could post my domain, but I can't" you are *really* on your own, because very few to no people have the motivation to work with crystal balls when someone doesn't provide his own domain and the *real* SA headers of an example message
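
The sender access lookup from the configuration quoted above, as an added example that is not part of the original message: a simplified Python model of how `check_sender_access` matches an envelope sender (never the header From) against the table. The domains are constructed placeholders, and the key order (full address, domain, parent domains, `user@`) assumes Postfix's default where a bare domain pattern also matches subdomains.

```python
# Added example: simplified model of a Postfix check_sender_access lookup.
# Domains are constructed placeholders, not values from the thread.
ACCESS_TABLE = """\
# /etc/postfix/spoofing_protection.cf (constructed sample content)
example.com     REJECT Sender Spoofed
example.org     REJECT Sender Spoofed
"""

def parse_access(text):
    """Parse 'pattern action' lines, skipping blanks and # comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return table

def lookup_keys(envelope_sender):
    """Keys tried for one envelope sender, most specific first."""
    sender = envelope_sender.strip().strip("<>").lower()
    if not sender:
        return ["<>"]  # null sender (bounces) is looked up under its own key
    local, _, domain = sender.rpartition("@")
    if not local or not domain:
        return [sender]  # no usable domain part: only the literal string
    labels = domain.split(".")
    keys = [sender]
    # Assumption: a bare domain pattern also matches its subdomains.
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(local + "@")
    return keys

def check_sender_access(envelope_sender, table):
    """Return the first matching action, or DUNNO when nothing matches."""
    for key in lookup_keys(envelope_sender):
        if key in table:
            return table[key]
    return "DUNNO"  # model of "not found": the next restriction decides

if __name__ == "__main__":
    table = parse_access(ACCESS_TABLE)
    for s in ["alice@example.com", "<Bob@Mail.Example.ORG>",
              "carol@elsewhere.test", "<>"]:
        print(f"{s!r:28} -> {check_sender_access(s, table)}")
```
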