Lloyd Zusman writes:

Sam Varshavchik <[EMAIL PROTECTED]> writes:

Lloyd Zusman writes:

And here's some new data: the same sender has recently sent identical
email to another address on my server.  And although SPF fails, the
messages get properly sent to the courierfilter instead of being
rejected.  HOWEVER, this 417/517 rejection continues to occur when the
messages are sent to the original recipient.

So, what's the difference between the two recipient accounts?

Recipient account 1:
  - SPF fails
  - Message gets sent to courierfilter
  - Account has no local maildrop rules

Recipient account 2:
  - SPF fails in the same way
  - Message does not get sent to courierfilter, but gets
    rejected with a 417 or 517 error, depending on the
    setting of BOFHSPFHARDERROR
  - Account has local maildrop rules which automatically cause
    messages from this sender to be whitelisted

This has no effect on SPF.  If a message fails SPF checking, it gets
rejected.  "Whitelisting", in the context of localmailfilter, only
affects content filtering.  It does not affect SPF.

All messages, whether their content is whitelisted from
content-filtering or not, must still pass SPF checking.

The only kind of "whitelisting" that applies to SPF checking is the
BOFHSPFTRUSTME setting, which exempts senders with relaying privileges
from SPF checking.

OK.  So then how can we explain the difference in behavior between
messages going to recipient 1 and recipient 2, as described above?

Recall that both of them are getting identical SPF failures, but that
one of them properly passes the failed message to the courierfilter (as
specified by the three "BOFHSPF*=all" settings), and the other one
bounces the message with a 417/517 error.

The messages are identical.  The senders are identical.

The only difference I can find so far is the presence of the
localmailfilter in the account of the one that is causing the SPF
failures to bounce without feeding them to courierfilter, and the lack
of a localmailfilter for the other account.

What could I be overlooking?  What could be causing this?

If you have =all set for all three SPF settings, the message should NOT bounce with an SPF error for any reason. Setting aside that issue for the moment, if you do not have a localmailfilter installed in a particular account, that account is treated as if it has a localmailfilter that whitelists all mail addressed to it.

So at least the second part of your scenario makes sense -- mail gets whitelisted, gets past that stage, and gets handed off to courierfilter as the next step.

So the only question here is why you apparently get a 417/517 SPF error if you supposedly set all three SPF checks to =all; that should not happen under any circumstances.

I cannot reproduce this. With my own server, and default SPF settings, I get the same SPF error that you do, with that domain with broken SPF records. If I set the SPF checks to =all, the error goes away.

The only possibility I can think of -- and this is not documented -- is if you also set the BOFHSPF variables in the smtpaccess file for certain IP address ranges only. The settings in the smtpaccess file take precedence over the bofh file for mail originating from the corresponding IP address ranges only.



