4 messages in net.sourceforge.lists.courier-users: Re: [courier-users] SPF Issues

From / Sent on:
Shawn Jones - Aug 11, 2006 8:41 am
Alessandro Vesely - Aug 12, 2006 1:37 am
Shawn M. Jones - Aug 12, 2006 2:39 pm
Alessandro Vesely - Aug 13, 2006 4:01 am
Subject: Re: [courier-users] SPF Issues
From: Alessandro Vesely (ves@tana.it)
Date: Aug 12, 2006 1:37:42 am
List: net.sourceforge.lists.courier-users

Shawn Jones wrote:

> I've set the following options in /etc/courier/bofh:
>
> opt BOFHSPFHELO=all
> opt BOFHSPFMAILFROM=pass,neutral,none,softfail,unknown
> opt BOFHSPFFROM=pass,neutral,none,softfail,unknown
> opt BOFHSPFHARDERROR=fail,softfail
> opt BOFHSPFTRUSTME=1
> opt BOFHSPFNOVERBOSE=1

> Issue #1: Very few folks seem to pass the SPF for HELO, so I've found myself using the value 'all' for those few cases that the desired message might pass MAILFROM or FROM, but not HELO.

So have I. Probably it has never been made crystal clear that people should define TXT records for each host (probably "v=spf1 +a -all"). See http://new.openspf.org/FAQ/The_demon_question

> Issue #2: Not everyone has implemented SPF (most annoyingly Yahoo mail), so I had originally set BOFHSPFMAILFROM and BOFHSPFFROM to 'pass,none,neutral'. I noted that mail forwarded from other accounts was marked as 'softfail'

What field was marked softfail? When you forward mail you must replace the MAIL FROM sender with something like SRS-original=address@my.domain. (SRS's idea is to forward any resulting bounce to original@address. Luckily Courier does not do so.)

At any rate, the internal FROM sender is considered the author and is usually left alone. That's why there is a mailfromok. (One reason one checks FROM is when MAILFROM is empty.)

> I added that to the list of values. After I noticed that my mail server was denying specific legitimate mail messages from some of my mailing lists, I had to put in 'unknown' because this is how the SPF marked them and I wanted to get the messages.

> I also let 'error' for both FROM fields.

By doing SPF filtering you are doing a favor to the users of the domain(s) specified in those fields. In fact, you save their domain name from abuse. However, the domain owners must be smart enough to provide robust DNS servers and good TXT records. When they succeed in putting a 'fail' on an address, your server obeys. Isn't it that way?

> Issue #3: If I change BOFHSPFTRUSTME from 1 to 0, the local mail agent doesn't work at all. I can't get my local log reports. I realize it is almost meaningless to run SPF on one's self, but I wanted to see if my DNS entries were being correctly interpreted. It makes sense that 127.0.0.1 would not survive a DNS TXT lookup, so I guess I shouldn't have expected this to work well.

Most clients are not SPF-aware, and don't let users configure the HELO name.
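The following is an added worked example, not code from this thread or from Courier, that illustrates the three issues discussed above: how a HELO record of the form "v=spf1 +a -all" evaluates to pass or fail depending on the connecting IP, why a host with no TXT record (localhost, or a provider that has not deployed SPF) yields the "none" result, and how a BOFHSPF* accept list such as 'pass,neutral,none,softfail,unknown' versus 'all' turns that result into an accept or reject. The DNS data is a constructed fixture so the script runs offline, the evaluator only implements the a, ip4 and all mechanisms, and the accept-list semantics (a result is accepted when it appears in the list, 'all' accepts everything) are an assumption based on how the options are used in the thread rather than a statement of Courier's exact behaviour.

```python
"""Toy SPF evaluator plus a Courier-BOFH-style accept list (added example).

Not Courier's code. DNS is a constructed fixture; the accept-list semantics
are an assumption based on how the thread uses the BOFHSPF* options.
"""
import ipaddress

# Constructed DNS fixture: domain -> TXT records and A records.
DNS = {
    "mail.example.net": {"txt": ["v=spf1 +a -all"], "a": ["192.0.2.25"]},
    "example.org": {"txt": ["v=spf1 ip4:198.51.100.0/24 ~all"], "a": ["198.51.100.5"]},
    "norecord.example": {"txt": [], "a": ["203.0.113.9"]},
}

# SPF qualifier -> result name when the mechanism it prefixes matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the single v=spf1 TXT record for a domain, or None if absent."""
    records = [t for t in DNS.get(domain, {}).get("txt", []) if t.startswith("v=spf1")]
    if not records:
        return None
    if len(records) > 1:
        raise ValueError("permerror: more than one SPF record published")
    return records[0]


def check_host(ip, domain):
    """Evaluate connecting <ip> against <domain>'s SPF record (a, ip4, all only)."""
    record = spf_record(domain)
    if record is None:
        return "none"  # nothing published: the result localhost or Yahoo would get
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            host = arg or domain
            matched = any(ipaddress.ip_address(a) == addr
                          for a in DNS.get(host, {}).get("a", []))
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:
            # Mechanism not implemented in this toy: report "unknown", the
            # older name for what RFC 4408 calls a permanent error.
            return "unknown"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term: neutral


def mail_from_domain(mail_from, helo):
    """Domain checked for the MAIL FROM identity; an empty reverse-path
    (bounce) is checked as postmaster@<HELO domain> per RFC 4408."""
    if not mail_from:
        return helo
    return mail_from.rpartition("@")[2]


def bofh_decision(result, accepted):
    """Apply a BOFHSPF* value: 'all' accepts every result, otherwise only the
    results named in the comma-separated list (assumed semantics)."""
    if accepted == "all":
        return "accept"
    return "accept" if result in accepted.split(",") else "reject"


if __name__ == "__main__":
    strict = "pass,neutral,none,softfail,unknown"
    for ip, helo in [("192.0.2.25", "mail.example.net"),
                     ("192.0.2.99", "mail.example.net"),
                     ("127.0.0.1", "localhost")]:
        r = check_host(ip, helo)
        print(f"HELO {helo} from {ip}: {r} -> BOFHSPFHELO=all: "
              f"{bofh_decision(r, 'all')}, BOFHSPFHELO={strict}: {bofh_decision(r, strict)}")
```

Running it shows the trade-off the thread describes: with BOFHSPFHELO=all every HELO result is accepted, while the stricter list still rejects a "fail" (the +a record seen from an IP that is not that host's A record) and the localhost case lands on "none", which is why the local agent only works when the loopback client is trusted rather than checked.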