Re: SPF rules and my domain

Wed, 09 Dec 2015 08:47:35 -0800 


Am 09.12.2015 um 17:30 schrieb Alex:

Hi,


My main problem is understanding how to build a rule to block spoofing
attempts against my own domain? Do I need to build a meta that
combines envelope FROM with SPF_FAIL?


first: spoofing protection is *only* about envelope and not about the
visible From-header (spoofing protection based on the header kills


Yes, I understand that as well, and mentioned that earlier.


second:
spoofing protection belongs in the MTA long before spamassassin

why?


Yes, I agree, and also mentioned that, but I wanted to understand the
SPF rules from within spamassassin.


* spoofing protection has *nothing* to do with SPF


What? That's exactly what SPF was designed to prevent - spoofing of
the envelope sender.



bla - i don't need SPF on a MX to know if my own envelope comes from 
outside - nobody is doing this via SPF just because it's a different 
world when someone spoofs my own domain comapred to a random message 
where the admin probably forgot a machine in his SPF



smtpd_recipient_restrictions =
  reject_unlisted_recipient
  reject_unauth_destination
  reject_non_fqdn_recipient
  reject_non_fqdn_sender
  reject_non_fqdn_helo_hostname
  reject_invalid_helo_hostname
  check_sender_access hash:/etc/postfix/spoofing_protection.cf

/etc/postfix/spoofing_protection.cf:
domain1 REJECT Sender Spoofed
domain2 REJECT Sender Spoofed
domain3 REJECT Sender Spoofed


I'm using postfix, as I mentioned, and understand I can do this, and know how.

Please help me understand why SPF_FAIL would not be triggered when an
incoming email using my domain is received by a server that is not in
my SPF record



it would be triggered but since SA is a scoring system there is no point 
let messages spoofing your own envelopes come so far that they touch the 
contentfilter



since you say "I wish I could post my domain, but I can't" you are 
*really* at your own because very few to no people have the motivation 
working with crystal balls when someone don't provide his own domain and 
the *real* SA headers of a example message





Attachment:
signature.asc

Description: OpenPGP digital signature






















					Reply via email to