Re: SPF and policyd

2022-02-20 Thread Scott Kitterman
On Sunday, February 20, 2022 10:26:56 AM EST Alex wrote:
> Hi, I'm using the SPF policyd service recommended here some time ago.
> I hoped I could ask some questions about how it works since it doesn't
> appear to have any other direct support avenues available.
> 
> I'm trying to understand the following log entry:
> 
> Feb 20 10:01:59 armor policyd-spf[2466782]: prepend X-Comment: SPF
> skipped for whitelisted relay domain - client-ip=168.245.99.219;
> helo=o25.sg.marketing.agoda.global;
> envelope-from=bounces+8548506-62a0-05448=hotel.example.com@marketing.agoda.global;
> receiver=
> 
> None of the IPs or domains listed above are in my local whitelist, but
> the IP is listed in the SPF record for marketing.agoda.global. Is that
> what it is referring to? I tried tracing the code, but I'm not much of
> a python programmer.
> 
> It appears to check the SPF record for the domain in the whitelist,
> not the sending domain. bypass_list_list is the whitelist entries in
> my config.
> 
> for domain in bypass_list_list:
>    res = spf.check2(ip, domain, domain,
>        querytime=configData.get('Whitelist_Lookup_Time'))
>    if domain_res[0] == 'Pass':
>    ...
> 
> and if it results in "Pass", then it returns True if the domain in the
> whitelist entry, not the sending domain?
> 
> Here's how I have it set up:
> policy-spf  unix  -   n   n   -   -  spawn
>  user=nobody argv=/usr/libexec/postfix/policyd-spf
> 
> And the relevant info from my policyd-spf.conf:
> skip_addresses =
> 139.138.56.0/24,127.0.0.0/8,209.216.90.0/24,:::127.0.0.0/104,::1,52.128.98.0/24,74.203.184.0/24,74.200.60.0/24,209.222.82.0/24
> Domain_Whitelist = harrimanre.com,ventusnetworks.com,digi.com

That looks like it is working as documented.  Here's the definition of 
Domain_Whitelist:

Domain_Whitelist: List of domains whose sending IPs should be whitelisted from 
SPF checks.  Use this to list trusted forwarders by domain name.  Client IP 
addresses are tested against SPF records published by the listed domains. This
is useful for large forwarders with complex outbound infrastructures and SPF 
records.  This option is less scalable than the SPF IP Whitelist.  An x-header 
is prepended indicating the IP was whitelisted against SPF checks.  This is a 
trace header only.  This option does nothing if the domain does not have an 
SPF record.  In this case use the SPF IP Whitelist described above or 
Domain_Whitelist_PTR (below). 

See man 5 policyd-spf.conf for additional information.  If that's not what you 
want to have happen, you should look at the other options that are mentioned.

https://git.launchpad.net/spf-engine/tree/policyd-spf.conf.5

Scott K
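
The Domain_Whitelist behaviour described in the reply above, as an added sketch that is not policyd-spf's own code: it reports which whitelist entries authorize a given client IP, something the X-Comment trace header does not name. The zone contents, domain names and function names are constructed for illustration, and only ip4, ip6 and include mechanisms are evaluated, whereas the daemon itself calls spf.check2(ip, domain, domain) against live DNS.

```python
import ipaddress

# Constructed TXT records (not real DNS data). forwarder.example delegates
# part of its outbound mail to a shared bulk sender through include:.
ZONE = {
    "forwarder.example": "v=spf1 ip4:192.0.2.0/24 include:esp.example -all",
    "esp.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "partner.example": "v=spf1 ip4:203.0.113.0/28 -all",
}


def spf_pass(ip, domain, zone=ZONE, depth=0):
    """True if ip matches an ip4/ip6 term of domain's record, following include:.

    Simplified evaluator: a, mx, exists, redirect and macros are not handled.
    """
    record = zone.get(domain)
    if record is None or depth > 10:  # no SPF record, or recursion guard
        return False
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == net.version and addr in net:
                return True
        elif term.startswith("include:"):
            if spf_pass(ip, term[len("include:"):], zone, depth + 1):
                return True
    return False


def whitelist_matches(client_ip, domain_whitelist, zone=ZONE):
    """Return the Domain_Whitelist entries whose SPF record covers client_ip.

    The envelope sender and HELO name are not parameters: the decision
    depends only on the client IP and the listed domains' records.
    """
    return [d for d in domain_whitelist if spf_pass(client_ip, d, zone)]


if __name__ == "__main__":
    whitelist = ["forwarder.example", "partner.example", "norecord.example"]
    for ip in ("198.51.100.25", "203.0.113.5", "203.0.113.200"):
        hits = whitelist_matches(ip, whitelist)
        print(ip, "skipped via " + ", ".join(hits) if hits else "normal SPF check")
```

Any message arriving from 198.51.100.25 is skipped regardless of its envelope-from, because forwarder.example authorizes that shared range through its include: term.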




SPF and policyd

2022-02-20 Thread Alex
Hi, I'm using the SPF policyd service recommended here some time ago.
I hoped I could ask some questions about how it works since it doesn't
appear to have any other direct support avenues available.

I'm trying to understand the following log entry:

Feb 20 10:01:59 armor policyd-spf[2466782]: prepend X-Comment: SPF
skipped for whitelisted relay domain - client-ip=168.245.99.219;
helo=o25.sg.marketing.agoda.global;
envelope-from=bounces+8548506-62a0-05448=hotel.example.com@marketing.agoda.global;
receiver=

None of the IPs or domains listed above are in my local whitelist, but
the IP is listed in the SPF record for marketing.agoda.global. Is that
what it is referring to? I tried tracing the code, but I'm not much of
a python programmer.

It appears to check the SPF record for the domain in the whitelist,
not the sending domain. bypass_list_list is the whitelist entries in
my config.

for domain in bypass_list_list:
   res = spf.check2(ip, domain, domain,
       querytime=configData.get('Whitelist_Lookup_Time'))
   if domain_res[0] == 'Pass':
   ...

and if it results in "Pass", then it returns True if the domain in the
whitelist entry, not the sending domain?

Here's how I have it set up:
policy-spf  unix  -   n   n   -   -  spawn
 user=nobody argv=/usr/libexec/postfix/policyd-spf

And the relevant info from my policyd-spf.conf:
skip_addresses =
139.138.56.0/24,127.0.0.0/8,209.216.90.0/24,:::127.0.0.0/104,::1,52.128.98.0/24,74.203.184.0/24,74.200.60.0/24,209.222.82.0/24
Domain_Whitelist = harrimanre.com,ventusnetworks.com,digi.com